Solved Does any one have a EdgeRouter 4 online and can test L2TP
-
I recently put a couple ER4 into service. Everything has been working great with them until I tried to setup the L2TP VPN.
It will not connect from my iPhone or laptop. I'm spinning up a Windows instance to test from.
The same L2TP configuration works on an ERL but not the ER4
Both units are on firmware 1.10.1.
This is the configuration (minus the ike/esp and ipsec site-to-site). I have no firewall rules in place as the auto rule has always worked for me.
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interfaces interface eth0
set vpn l2tp remote-access authentication local-users username SOMEUSERHERE password 'SOMEPWDHERE'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 10.1.1.240
set vpn l2tp remote-access client-ip-pool stop 10.1.1.249
set vpn l2tp remote-access dns-servers server-1 10.1.1.4
set vpn l2tp remote-access idle 1800
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SOMEPSKHERE
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access ipsec-settings lifetime 3600
set vpn l2tp remote-access mtu 1400
set vpn l2tp remote-access outside-address 68.XXX.XXX.XXX
When I attempt to connect from both my iPhone and my laptop (Fedora 27 + Cinnamon Desktop) I see this in the ER4 log.
ubnt@ubnt:~$ sudo swanctl --log
07[NET] received packet: from 172.58.140.188[30078] to 68.XXX.XXX.XXX[500] (792 bytes)
07[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
07[IKE] received DPD vendor ID
07[IKE] received FRAGMENTATION vendor ID
07[IKE] received NAT-T (RFC 3947) vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
07[IKE] 172.58.140.188 is initiating a Main Mode IKE_SA
07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
07[IKE] no proposal found
07[ENC] generating INFORMATIONAL_V1 request 4166533214 [ N(NO_PROP) ]
07[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.58.140.188[30078] (56 bytes)
When I successfully connect from both my iPhone and my laptop (Fedora 27 + Cinnamon Desktop) I see this in the ERL log.
ubnt@ubnt:~$ sudo swanctl --log
02[NET] received packet: from 172.56.13.217[60096] to 68.XXX.XXX.XXX[500] (788 bytes)
02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
02[IKE] received NAT-T (RFC 3947) vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
02[IKE] received FRAGMENTATION vendor ID
02[IKE] received DPD vendor ID
02[IKE] 172.56.13.217 is initiating a Main Mode IKE_SA
02[ENC] generating ID_PROT response 0 [ SA V V V ]
02[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.56.13.217[60096] (136 bytes)
04[NET] received packet: from 172.56.13.217[60096] to 68.XXX.XXX.XXX[500] (380 bytes)
04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
04[IKE] local host is behind NAT, sending keep alives
04[IKE] remote host is behind NAT
04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
04[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.56.13.217[60096] (396 bytes)
05[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (108 bytes)
05[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
05[CFG] looking for pre-shared key peer configs matching 68.XXX.XXX.XXX...172.56.13.217[0.0.0.0]
05[CFG] selected peer config "remote-access"
05[IKE] IKE_SA remote-access[4] established between 68.XXX.XXX.XXX[68.XXX.XXX.XXX]...172.56.13.217[0.0.0.0]
05[ENC] generating ID_PROT response 0 [ ID HASH ]
05[NET] sending packet: from 68.XXX.XXX.XXX[4500] to 172.56.13.217[30397] (92 bytes)
06[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (348 bytes)
06[ENC] parsed QUICK_MODE request 4062267838 [ HASH SA No ID ID NAT-OA NAT-OA ]
06[IKE] received 3600s lifetime, configured 0s
06[ENC] generating QUICK_MODE response 4062267838 [ HASH SA No ID ID NAT-OA NAT-OA ]
06[NET] sending packet: from 68.XXX.XXX.XXX[4500] to 172.56.13.217[30397] (204 bytes)
15[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (76 bytes)
15[ENC] parsed QUICK_MODE request 4062267838 [ HASH ]
15[IKE] CHILD_SA remote-access{16} established with SPIs c62824b5_i 05759e1a_o and TS 68.XXX.XXX.XXX/32[udp/l2f] === 172.56.13.217/32[udp/62480]
05[KNL] 10.255.255.0 appeared on ppp0
06[KNL] 10.255.255.0 disappeared from ppp0
11[KNL] 10.255.255.0 appeared on ppp0
04[KNL] interface l2tp0 activated
05[KNL] interface l2tp0 deactivated
09[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (92 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 2052356178 [ HASH D ]
09[IKE] received DELETE for ESP CHILD_SA with SPI 05759e1a
13[KNL] 10.255.255.0 disappeared from l2tp0
09[IKE] closing CHILD_SA remote-access{16} with SPIs c62824b5_i (1485 bytes) 05759e1a_o (2451 bytes) and TS 68.XXX.XXX.XXX/32[udp/l2f] === 172.56.13.217/32[udp/62480]
06[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (108 bytes)
06[ENC] parsed INFORMATIONAL_V1 request 2939857785 [ HASH D ]
06[IKE] received DELETE for IKE_SA remote-access[4]
06[IKE] deleting IKE_SA remote-access[4] between 68.XXX.XXX.XXX[68.XXX.XXX.XXX]...172.56.13.217[0.0.0.0]
The log just shows main mode starting.
ubnt@ubnt:~$ show vpn log tail
Apr 7 20:40:12 14[IKE] <4313> 172.56.13.217 is initiating a Main Mode IKE_SA
Apr 7 20:40:15 07[IKE] <4314> 172.56.13.217 is initiating a Main Mode IKE_SA
Apr 7 20:40:18 13[IKE] <4315> 172.56.13.217 is initiating a Main Mode IKE_SA
Apr 7 20:40:22 11[IKE] <4316> 172.56.13.217 is initiating a Main Mode IKE_SA
-
Same result from Windows.
ubnt@ubnt:~$ sudo swanctl --log
10[NET] received packet: from 172.58.140.188[41967] to 68.XXX.XXX.XXX[500] (408 bytes)
10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
10[IKE] received NAT-T (RFC 3947) vendor ID
10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
10[IKE] received FRAGMENTATION vendor ID
10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
10[IKE] 172.58.140.188 is initiating a Main Mode IKE_SA
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
10[IKE] no proposal found
10[ENC] generating INFORMATIONAL_V1 request 119528409 [ N(NO_PROP) ]
10[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.58.140.188[41967] (56 bytes)
-
@jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:
KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C
Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.
-
@pchiodo said in Does any one have a EdgeRouter 4 online and can test L2TP:
@jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:
KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C
Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.
Right, but with L2TP on EdgeOS, you do not get to specify proposals. It is hard coded.
-
The big list is what my device is offering. Here is the trimmed list of only AES_CBC_256 proposals
07[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
This is what the ER4 is saying it can do
07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
There is no match.
-
This is highly annoying. I'm going to have to set up PPTP temporarily if I cannot figure this out.
Thread on the UBNT forums with more details.
https://community.ubnt.com/t5/EdgeRouter/Unable-to-use-L2TP-on-ER4/td-p/2308935
-
On a whim, I added a proposal 2 to the IKE and ESP groups.
Look what happened.
08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
I now have a second option.
It did not match, but it is there now. So now, just to set up a proposal that matches. This does not explain why my current router already works and uses a different proposal.
-
Changed (well, added a proposal) the DH group from 19 to 14 and boom, it all works.
set vpn ipsec esp-group aciesp proposal 3 encryption aes256
set vpn ipsec esp-group aciesp proposal 3 hash sha256
set vpn ipsec ike-group aciesp proposal 3 dh-group 14
set vpn ipsec ike-group aciesp proposal 3 encryption aes256
set vpn ipsec ike-group aciesp proposal 3 hash sha256
-
@jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:
Changed (well, added a proposal) the DH group from 19 to 14 and boom, it all works.
set vpn ipsec esp-group aciesp proposal 3 encryption aes256
set vpn ipsec esp-group aciesp proposal 3 hash sha256
set vpn ipsec ike-group aciesp proposal 3 dh-group 14
set vpn ipsec ike-group aciesp proposal 3 encryption aes256
set vpn ipsec ike-group aciesp proposal 3 hash sha256
Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.
-
@bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:
Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.
Just part of the cipher choice algorithm.
Changing from DH 19 to 20 and then to 14 affects the last part of the IKE cipher
For example, if you have these settings for IKE
proposal 1 {
    dh-group 19
    encryption aes256
    hash sha1
}
You will get this as the available cipher for the specific proposal depending on the DH group specified.
DH 19: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
DH 20: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
DH 14: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
A little about DH Groups
- group1—768-bit Modular Exponential (MODP) algorithm.
- group2—1024-bit MODP algorithm.
- group5—1536-bit MODP algorithm.
- group14—2048-bit MODP algorithm.
- group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.
- group20—384-bit random ECP groups algorithm.
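An added example (not code from this thread or from Ubiquiti) that puts the two points made above into a script: it builds the strongSwan proposal string an EdgeOS ike-group proposal turns into, as in the DH 19/20/14 table, and it does the same comparison strongSwan does between the "received proposals:" and "configured proposals:" lines, which is why the earlier posts end in "no proposal found". The ENC/INTEG/PRF/DH tables are an assumption inferred from the identifiers visible in this thread plus strongSwan's standard names; the two log lines are constructed from the trimmed AES-256 list and the ER4's configured line posted above.

```python
import re

# Assumed mapping from EdgeOS ike-group settings to the strongSwan identifiers
# that appear in this thread's "configured proposals:" lines (not verified
# against EdgeOS source; extend the tables if your device shows other names).
ENC = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
INTEG = {"sha1": "HMAC_SHA1_96", "sha256": "HMAC_SHA2_256_128", "sha512": "HMAC_SHA2_512_256"}
PRF = {"sha1": "PRF_HMAC_SHA1", "sha256": "PRF_HMAC_SHA2_256", "sha512": "PRF_HMAC_SHA2_512"}
DH = {1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 19: "ECP_256", 20: "ECP_384"}
REV_ENC = {v: k for k, v in ENC.items()}
REV_INTEG = {v: k for k, v in INTEG.items()}
REV_DH = {v: k for k, v in DH.items()}


def edgeos_proposal(encryption, hash_, dh_group):
    """strongSwan IKE proposal string that one EdgeOS ike-group proposal turns into."""
    return f"IKE:{ENC[encryption]}/{INTEG[hash_]}/{PRF[hash_]}/{DH[dh_group]}"


def parse_proposals(log_line):
    """Split a swanctl 'received proposals:' / 'configured proposals:' line into a list."""
    _, sep, rest = log_line.partition("proposals:")
    if not sep:
        raise ValueError("not a proposals log line: " + log_line)
    return [p.strip() for p in rest.split(",") if p.strip()]


def first_match(received, configured):
    """First configured proposal the peer also offered; None means 'no proposal found'."""
    offered = set(received)
    return next((p for p in configured if p in offered), None)


def edgeos_settings_for(proposal):
    """Reverse-map one proposal to (encryption, hash, dh-group), or None if the tables cannot express it."""
    m = re.fullmatch(r"IKE:([^/]+)/([^/]+)/([^/]+)/([^/]+)", proposal)
    if not m:
        return None
    enc, integ, prf, dh = m.groups()
    if enc not in REV_ENC or integ not in REV_INTEG or dh not in REV_DH:
        return None
    hash_ = REV_INTEG[integ]
    if PRF[hash_] != prf:  # the PRF must follow the integrity algorithm
        return None
    return (REV_ENC[enc], hash_, REV_DH[dh])


def suggest_settings(received, configured):
    """EdgeOS settings that would satisfy the peer, in the peer's preference order; empty if one already matches."""
    if first_match(received, configured) is not None:
        return []
    suggestions = []
    for p in received:
        s = edgeos_settings_for(p)
        if s is not None and s not in suggestions:
            suggestions.append(s)
    return suggestions


# Constructed sample input: the trimmed AES-256 offer from the iPhone/Fedora log
# and the ER4's single configured proposal, in swanctl's log line format.
RECEIVED_LINE = ("07[CFG] received proposals: "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536")
CONFIGURED_LINE = "07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256"

if __name__ == "__main__":
    received = parse_proposals(RECEIVED_LINE)
    configured = parse_proposals(CONFIGURED_LINE)
    print("match before:", first_match(received, configured))
    for enc, h, dh in suggest_settings(received, configured):
        print(f"could add: encryption {enc} hash {h} dh-group {dh}")
    configured.append(edgeos_proposal("aes256", "sha256", 14))  # the thread's proposal 3
    print("match after:", first_match(received, configured))
```

The comparison is exact-string on purpose: strongSwan accepts an IKEv1 proposal only when encryption, integrity, PRF and DH group all agree, so a single configured proposal has to appear verbatim in the peer's list. Feed the Windows "received proposals:" line from earlier in the thread to suggest_settings and the only AES-256 entry it has in common with the iPhone/Fedora list is aes256 / sha1 / dh-group 14, which is worth knowing when one proposal has to serve both client types.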
-
@bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:
Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.
It worked prior to changing to DH 14 on my iPhone.
I had to add a proposal with DH 14 for Windows 10 to work.