jo2jo
Forum Veteran
Topic Author
Posts: 971
Joined: Fri May 26, 2006 1:25 am

IPsec/L2TP - opening a 2nd connection kills 1st one

Sat Sep 17, 2016 10:13 pm

I just upgraded to iOS 10 and thus lost PPTP VPN support, so I was forced to set up IPsec/L2TP on my (data-center) colocated MikroTik VPN server so that I could again have VPN on my iPhone. I also have a MikroTik at my home as my main router (as well as MikroTiks at many other locations of mine, all with client L2TP VPNs connecting to the colocated MikroTik VPN server). All the MikroTik L2TP client VPNs are *non*-IPsec connections (they just use MPPE 128-bit encryption and MS-CHAPv2 auth, which is fine for their type of traffic).

The issue I'm having is: if on my iPhone I open my IPsec/L2TP VPN, it will knock off (or otherwise disable/disconnect) that specific location's MikroTik's L2TP client VPN until about 20 minutes after I close the iPhone's L2TP/IPsec VPN.

I'm pretty sure I've identified the issue/cause of this (screenshot below): it is these dynamically generated IPsec policies. They get dynamically generated, with the public IP of the location where my iPhone is opening its VPN from as the dst-address, upon the iPhone connecting (this same IP/location is also where I have the MikroTik running non-IPsec L2TP, which gets disconnected).

The problem is I can't manually remove this dynamically created rule. (ROS gives the error: "Couldnt remove IPsec Policy <IP - IP> - cannot remove dynamically generated policy (6)".)


What do I do about this? Or is there a way to change the timeout on these dynamically generated IPsec policies such that once the iPhone disconnects, perhaps the rule will time out and thus my MikroTik can then re-establish its L2TP client connection? (Or is there a better way?)

Thanks
[admin@v_VPN] /ip ipsec policy> pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all 
       proposal=default template=yes 

 1  D  src-address=6X.19X.XX8.X7/32 src-port=any dst-address=68.1X.XX.23X/32 
       dst-port=any protocol=udp action=encrypt level=require 
       ipsec-protocols=esp tunnel=no sa-src-address=6X.19X.XX8.X7 
       sa-dst-address=68.1X.XX.23X priority=2 
[admin@v_VPN] /ip ipsec policy> 
:beep :beep :beep
 
razavim
Trainer
Posts: 99
Joined: Sun Sep 27, 2015 1:43 pm
Location: Turkey

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Sat Sep 17, 2016 11:39 pm

If you see a dynamically created policy, click Copy and hit Apply, and then it will be static.

Sent from my SM-N910C using Tapatalk
MikroTik Trainer
Drone Developer
Artificial Intelligence(Deep Neural Network)
 
jo2jo
Forum Veteran
Topic Author
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Sun Sep 18, 2016 1:03 pm

if you see dynamically created policy then click copy and hit apply and then it will be static
?? I think you're not understanding my issue. It's the dynamic policy (on the remote MikroTik VPN server) that is causing my local MikroTik router's L2TP client *(NOT L2TP/IPsec, just L2TP)* interface to drop... and I can't remove the dynamic policy because I get the error in WinBox saying you can't delete a dynamic policy.

Even though I would still like to know why this issue is happening (and I know there have to be more people out there with this same issue, or perhaps NOW there will be more people with this same issue since iOS 10 dropped PPTP VPN support, so iOS 10 users have to move their iOS VPNs over to IPsec, which makes this issue occur).

I have found a temporary fix/solution: luckily I have a few extra public IP addresses on the remote MikroTik VPN server, so as long as I have my iPhone's L2TP/IPsec VPN client connect to a different public IP address, then *THAT* public IP address has a dynamic policy created for it, and thus it does not interfere with or cause the local MikroTik router's non-IPsec L2TP client interface to drop (i.e., the local MikroTik router connects via L2TP (non-IPsec) to 63.34.23.21, while the iPhone connects with L2TP/IPsec to 63.34.23.22, and thus 63.34.23.22 gets added as a dynamic IPsec policy, not 63.34.23.21).

To be a bit more clear, it appears that you can *not* have an L2TP client AND an L2TP/IPsec client both connecting to the same VPN server (same public IP address) while they are both at the same location (i.e. both devices coming from the same public IP address). *If* you try to do this, the non-IPsec L2TP connection will drop and won't be able to re-connect until the L2TP/IPsec connection is closed and enough time has elapsed for the dynamic policy to time out (or otherwise be automatically removed).
:beep :beep :beep
 
pe1chl
Forum Guru
Posts: 6320
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Sun Sep 18, 2016 1:50 pm

Your problem is that you try to setup two different VPN tunnels using the same protocol but different encryption level between the same IP address pair at the same time. This is not possible, at least not when doing it this way. You may be able to work around this by using OpenVPN for your primary VPN so L2TP/IPsec is available for your Phone VPN at the same time. This being a completely different protocol, they won't interfere. Alternatively you could use GRE or IP tunnel without encryption for your primary VPN, but then you will have no encryption at all and no authentication other than the source address of the connection. Others can spoof packets as if they originate from your network.
 
jo2jo
Forum Veteran
Topic Author
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Sun Sep 18, 2016 7:06 pm

Thanks for the reply. I understand what you are saying and totally agree. However, I can say with certainty that I have mixed every type of VPN MikroTik supports in the exact same scenario with success, in some cases multiples of each VPN with success. It's only once I've added the IPsec with L2TP, and specifically the dynamic peer entry, that this situation has come up.

Additionally, it's come up in such a way that even once I close the IPsec/L2TP client VPN I'm *still unable to connect* until the dynamic peer automatically removes itself (why am I not able to manually remove the dynamic peer after all the connections are closed? The entry is clearly there in WinBox, but there is no way to remove it, neither via the terminal nor WinBox, until it times out on its own).

I thought about switching tunnel/VPN protocols (between the MikroTiks); however, the performance is nowhere near what I see with the non-IPsec L2TP tunnel, and I do require encryption on this link (even if it's MPPE-128). I think the slower performance of the other VPN protocols is a RouterOS-specific issue/problem (there are several forum threads and web articles pointing out weak VPN performance metrics on even v6.35 ROS as well). Both sides of this link are powerful CPUs/RouterBOARDs and the Internet connections between the two are very fast (1 Gbit on the VPN server side with an RB1200, and 300 down / 50 Mbit up on the RB2011 on the client side) with about 30-45 ms of round-trip latency on the link.

Does anyone know why we are unable to manually remove the dynamically generated IPsec peers?
:beep :beep :beep
 
pe1chl
Forum Guru
Posts: 6320
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Sun Sep 18, 2016 9:05 pm

You have to understand that L2TP and L2TP/IPsec are handled the same way, with the exception that L2TP/IPsec puts a separate IPsec layer between the L2TP and the network that says that all L2TP traffic is to be encrypted. That layer cannot know which of the two L2TP sessions it is handling, so it is not possible to have those two in parallel. The dynamic creation of IPsec policies is an option, you can do your own static IPsec profile when you remove the IPsec secret from the L2TP spec and create one yourself. However, it will not solve the dual concurrent problem.

Your solution of allocating a different IP address at one end is probably the best.
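The mechanism behind the policy printout in the first post and pe1chl's explanation above (the IPsec layer cannot tell the two L2TP sessions apart), modelled as an added example in Python. This is illustrative code written for this thread, not RouterOS or anything the posters ran. It models an IPsec security policy database lookup the way RFC 4301 describes it: an inbound packet that matches a PROTECT (action=encrypt, level=require) entry but did not arrive inside an ESP security association is discarded. The dynamic policy generated for the phone is a /32-to-/32 UDP selector with any ports, so the site's plain L2TP (UDP 1701) from the same public IP hits it too. All addresses are constructed placeholders (RFC 5737 test ranges) and stand in for the masked and example addresses in the thread; the workaround case uses a second server address exactly as jo2jo described.

```python
"""Toy IPsec SPD lookup: why a dynamic per-peer policy swallows a plain L2TP
session from the same IP pair, and why a second server address avoids it.
Added illustration for this forum thread, not RouterOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed placeholder addresses (RFC 5737 ranges), not the thread's real IPs.
SERVER_A = "203.0.113.21"   # VPN server's primary public address
SERVER_B = "203.0.113.22"   # VPN server's spare public address (the workaround)
SITE = "198.51.100.7"       # remote site's public IP (MikroTik router and iPhone share it)


@dataclass(frozen=True)
class Policy:
    """One SPD entry, using the fields RouterOS prints in /ip ipsec policy.
    Stored in the server's outbound orientation: src = server, dst = peer."""
    src: str                         # src-address, CIDR
    dst: str                         # dst-address, CIDR
    protocol: str                    # "udp", "tcp", "all", ...
    src_port: Optional[int] = None   # None models "any"
    dst_port: Optional[int] = None
    action: str = "encrypt"
    level: str = "require"           # require: unprotected matches are dropped
    dynamic: bool = False            # the "D" flag in the printout

    def matches(self, src: str, dst: str, sport: int, dport: int, proto: str) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if self.src_port is not None and self.src_port != sport:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int
    esp_protected: bool = False      # True if it arrived inside an ESP SA


def spd_decision(pkt: Packet, policies: List[Policy]) -> str:
    """Inbound lookup on the server: returns 'bypass', 'accept' or 'drop'.

    Policies are stored outbound (src=server, dst=peer), so an inbound packet
    is compared with its addresses and ports swapped. First match wins.
    A match on an encrypt/require policy accepts only ESP-protected packets;
    anything else matching it is discarded (RFC 4301 PROTECT semantics).
    """
    for pol in policies:
        if not pol.matches(pkt.dst, pkt.src, pkt.dst_port, pkt.src_port, pkt.protocol):
            continue
        if pol.action != "encrypt":
            return "bypass"
        if pol.level == "require" and not pkt.esp_protected:
            return "drop"
        return "accept"
    return "bypass"   # no policy: plain traffic reaches the L2TP server untouched


def scenario() -> Dict[str, str]:
    """Replay the thread's three situations and return the SPD verdict for each."""
    # The site router's plain L2TP control/data packet (UDP 1701, no IPsec).
    plain_l2tp = Packet(SITE, SERVER_A, "udp", 1701, 1701)
    # The iPhone's L2TP packet, carried inside its ESP SA.
    phone_l2tp = Packet(SITE, SERVER_A, "udp", 1701, 1701, esp_protected=True)

    # Dynamic policy RouterOS generates when the phone connects to SERVER_A:
    # src=<server>/32 dst=<site>/32 protocol=udp src-port=any dst-port=any.
    dyn_on_a = Policy(f"{SERVER_A}/32", f"{SITE}/32", "udp", dynamic=True)
    # Same thing when the phone is pointed at the spare address instead.
    dyn_on_b = Policy(f"{SERVER_B}/32", f"{SITE}/32", "udp", dynamic=True)

    return {
        "plain_l2tp_same_server_ip": spd_decision(plain_l2tp, [dyn_on_a]),   # drop
        "esp_l2tp_same_server_ip": spd_decision(phone_l2tp, [dyn_on_a]),     # accept
        "plain_l2tp_other_server_ip": spd_decision(plain_l2tp, [dyn_on_b]),  # bypass
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:30s} -> {verdict}")
```

The first two verdicts are the failure jo2jo saw: while the phone's dynamic policy exists, the site's non-IPsec L2TP packets match it (same /32 pair, UDP, any port) and are dropped, while the phone's ESP-wrapped L2TP is accepted. The third verdict is the workaround: with the phone connected to the spare address, the dynamic policy is keyed on that address and the plain L2TP session to the primary address never touches it. The template policy (flag T in the printout) is deliberately not in the list, since templates are used to generate policies rather than matched against traffic.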
 
mily2002
just joined
Posts: 1
Joined: Mon Sep 19, 2016 4:40 am

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Mon Sep 19, 2016 4:45 am

Dear all,
I have the same issues.

First issue: in the same network (the same public IP), when using L2TP/IPsec, only one device can connect to the L2TP/IPsec server.

Second issue: after the device disconnects, the dynamically generated IPsec policy stays active until about 20 minutes after the device disconnects.

Please help~
 
pe1chl
Forum Guru
Posts: 6320
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec/L2TP - opening a 2nd connection kills 1st one

Mon Sep 19, 2016 4:04 pm

It may be that the issue with dynamic policies not immediately deleted is fixed in Version 6.37rc38.

Other than that, you have to realize that NAT is not without its limitations. Most VPN protocols have problems with multiple VPN connections from the same source IP address, and this includes multiple clients behind the same NAT. It is better to use IPv6 instead of NAT.
