Does any one have a EdgeRouter 4 online and can test L2TP


  • Service Provider

    I recently put a couple ER4 into service. Everything has been working great with them until I tried to setup the L2TP VPN.

    It will not connect from my iPhone or laptop. I'm spinning up a Windows instance to test from.

    The same L2TP configuration works on an ERL but not the ER4
    Both units are on firmware 1.10.1

    This is the configuration (minus the ike/esp and ipsec site-to-site). I have no firewall rules in place as the auto rule has always worked for me.

    set vpn ipsec auto-firewall-nat-exclude enable
    set vpn ipsec ipsec-interfaces interface eth0
    set vpn l2tp remote-access authentication local-users username SOMEUSERHERE password 'SOMEPWDHERE'
    set vpn l2tp remote-access authentication mode local
    set vpn l2tp remote-access client-ip-pool start 10.1.1.240
    set vpn l2tp remote-access client-ip-pool stop 10.1.1.249
    set vpn l2tp remote-access dns-servers server-1 10.1.1.4
    set vpn l2tp remote-access idle 1800
    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SOMEPSKHERE
    set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
    set vpn l2tp remote-access ipsec-settings lifetime 3600
    set vpn l2tp remote-access mtu 1400
    set vpn l2tp remote-access outside-address 68.XXX.XXX.XXX
    

    When I attempt to connect from both my iPhone and my laptop (Fedora 27 + Cinnamon Desktop) I see this in the ER4 log.

    [email protected]:~$ sudo swanctl --log
    07[NET] received packet: from 172.58.140.188[30078] to 68.XXX.XXX.XXX[500] (792 bytes)
    07[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
    07[IKE] received DPD vendor ID
    07[IKE] received FRAGMENTATION vendor ID
    07[IKE] received NAT-T (RFC 3947) vendor ID
    07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    07[IKE] 172.58.140.188 is initiating a Main Mode IKE_SA
    07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
    07[IKE] no proposal found
    07[ENC] generating INFORMATIONAL_V1 request 4166533214 [ N(NO_PROP) ]
    07[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.58.140.188[30078] (56 bytes)
    

    When I successfully connect from both my iPhone and my laptop (Fedora 27 + Cinnamon Desktop) I see this in the ERL log.

    [email protected]:~$ sudo swanctl --log 
    02[NET] received packet: from 172.56.13.217[60096] to 68.XXX.XXX.XXX[500] (788 bytes)
    02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
    02[IKE] received NAT-T (RFC 3947) vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    02[IKE] received FRAGMENTATION vendor ID
    02[IKE] received DPD vendor ID
    02[IKE] 172.56.13.217 is initiating a Main Mode IKE_SA
    02[ENC] generating ID_PROT response 0 [ SA V V V ]
    02[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.56.13.217[60096] (136 bytes)
    04[NET] received packet: from 172.56.13.217[60096] to 68.XXX.XXX.XXX[500] (380 bytes)
    04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    04[IKE] local host is behind NAT, sending keep alives
    04[IKE] remote host is behind NAT
    04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    04[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.56.13.217[60096] (396 bytes)
    05[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (108 bytes)
    05[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    05[CFG] looking for pre-shared key peer configs matching 68.XXX.XXX.XXX...172.56.13.217[0.0.0.0]
    05[CFG] selected peer config "remote-access"
    05[IKE] IKE_SA remote-access[4] established between 68.XXX.XXX.XXX[68.XXX.XXX.XXX]...172.56.13.217[0.0.0.0]
    05[ENC] generating ID_PROT response 0 [ ID HASH ]
    05[NET] sending packet: from 68.XXX.XXX.XXX[4500] to 172.56.13.217[30397] (92 bytes)
    06[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (348 bytes)
    06[ENC] parsed QUICK_MODE request 4062267838 [ HASH SA No ID ID NAT-OA NAT-OA ]
    06[IKE] received 3600s lifetime, configured 0s
    06[ENC] generating QUICK_MODE response 4062267838 [ HASH SA No ID ID NAT-OA NAT-OA ]
    06[NET] sending packet: from 68.XXX.XXX.XXX[4500] to 172.56.13.217[30397] (204 bytes)
    15[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (76 bytes)
    15[ENC] parsed QUICK_MODE request 4062267838 [ HASH ]
    15[IKE] CHILD_SA remote-access{16} established with SPIs c62824b5_i 05759e1a_o and TS 68.XXX.XXX.XXX/32[udp/l2f] === 172.56.13.217/32[udp/62480] 
    05[KNL] 10.255.255.0 appeared on ppp0
    06[KNL] 10.255.255.0 disappeared from ppp0
    11[KNL] 10.255.255.0 appeared on ppp0
    04[KNL] interface l2tp0 activated
    05[KNL] interface l2tp0 deactivated
    09[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (92 bytes)
    09[ENC] parsed INFORMATIONAL_V1 request 2052356178 [ HASH D ]
    09[IKE] received DELETE for ESP CHILD_SA with SPI 05759e1a
    13[KNL] 10.255.255.0 disappeared from l2tp0
    09[IKE] closing CHILD_SA remote-access{16} with SPIs c62824b5_i (1485 bytes) 05759e1a_o (2451 bytes) and TS 68.XXX.XXX.XXX/32[udp/l2f] === 172.56.13.217/32[udp/62480] 
    06[NET] received packet: from 172.56.13.217[30397] to 68.XXX.XXX.XXX[4500] (108 bytes)
    06[ENC] parsed INFORMATIONAL_V1 request 2939857785 [ HASH D ]
    06[IKE] received DELETE for IKE_SA remote-access[4]
    06[IKE] deleting IKE_SA remote-access[4] between 68.XXX.XXX.XXX[68.XXX.XXX.XXX]...172.56.13.217[0.0.0.0]
    

The log just shows main mode starting.

    [email protected]:~$ show vpn log tail
    Apr  7 20:40:12 14[IKE] <4313> 172.56.13.217 is initiating a Main Mode IKE_SA
    Apr  7 20:40:15 07[IKE] <4314> 172.56.13.217 is initiating a Main Mode IKE_SA
    Apr  7 20:40:18 13[IKE] <4315> 172.56.13.217 is initiating a Main Mode IKE_SA
    Apr  7 20:40:22 11[IKE] <4316> 172.56.13.217 is initiating a Main Mode IKE_SA
    

  • Service Provider

Same result from Windows.

    [email protected]:~$ sudo swanctl --log
    10[NET] received packet: from 172.58.140.188[41967] to 68.XXX.XXX.XXX[500] (408 bytes)
    10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
    10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
    10[IKE] received NAT-T (RFC 3947) vendor ID
    10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    10[IKE] received FRAGMENTATION vendor ID
    10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    10[IKE] 172.58.140.188 is initiating a Main Mode IKE_SA
    10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
    10[IKE] no proposal found
    10[ENC] generating INFORMATIONAL_V1 request 119528409 [ N(NO_PROP) ]
    10[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.58.140.188[41967] (56 bytes)
    




  • @jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:

    KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C

    Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.


  • Service Provider

    @pchiodo said in Does any one have a EdgeRouter 4 online and can test L2TP:

    @jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:

    KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C

    Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.

    Right, but with L2TP on EdgeOS, you do not get to specify proposals. It is hard coded.


  • Service Provider

The big list is what my device is offering. Here is the trimmed list of only AES_CBC_256 proposals.

    07[CFG] received proposals: 
    IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
    IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, 
    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
    IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, 
    IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, 
    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
    

This is what the ER4 is saying it can do.

    07[CFG] configured proposals: 
    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
    

    There is no match.


  • Service Provider

This is highly annoying. I'm going to have to setup PPTP temporarily if I cannot figure this out.

    Thread on the UBNT forums with more details.

    https://community.ubnt.com/t5/EdgeRouter/Unable-to-use-L2TP-on-ER4/td-p/2308935


  • Service Provider

On a whim, I added a proposal 2 to the IKE and ESP groups.

    Look what happened.

    08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    

I now have a second option.
It did not match, but it is there now. So now, just to setup a proposal that matches.

    This does not explain why my current router already works and uses a different proposal.


  • Service Provider

Changed (well added a proposal) the DH group from 19 to 14 and boom it all works.

    set vpn ipsec esp-group aciesp proposal 3 encryption aes256
    set vpn ipsec esp-group aciesp proposal 3 hash sha256
    set vpn ipsec ike-group aciesp proposal 3 dh-group 14
    set vpn ipsec ike-group aciesp proposal 3 encryption aes256
    set vpn ipsec ike-group aciesp proposal 3 hash sha256
    


  • @jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:

Changed (well added a proposal) the DH group from 19 to 14 and boom it all works.

    set vpn ipsec esp-group aciesp proposal 3 encryption aes256
    set vpn ipsec esp-group aciesp proposal 3 hash sha256
    set vpn ipsec ike-group aciesp proposal 3 dh-group 14
    set vpn ipsec ike-group aciesp proposal 3 encryption aes256
    set vpn ipsec ike-group aciesp proposal 3 hash sha256
    

    Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.


  • Service Provider

    @bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:

    Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

    Just part of the cipher choice algorithm.

Changing from DH 19 to 20 and then to 14 affects the last part of the IKE cipher.

For example, if you have these settings for IKE

                proposal 1 {
                    dh-group 19
                    encryption aes256
                    hash sha1
                }
    

    You will get this as the available cipher for the specific proposal depending on the DH group specified.

    DH 19: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
    DH 20: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
    DH 14: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    

    A little about DH Groups

    • group1—768-bit Modular Exponential (MODP) algorithm.
    • group2—1024-bit MODP algorithm.
    • group5—1536-bit MODP algorithm.
    • group14—2048-bit MODP algorithm.
    • group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.
    • group20—384-bit random ECP groups algorithm.
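A small script, added here as an example and not part of the thread, that turns an EdgeOS ike-group proposal (encryption / hash / dh-group) into the strongSwan proposal string the log prints, and checks it against a `received proposals:` line the way the "no proposal found" decision is made. The mapping tables cover only the values seen in this thread's logs; the sample log line is constructed from the Windows 10 attempt above.

```python
# EdgeOS ike-group setting -> strongSwan IKE proposal component.
# Only the algorithms that appear in this thread's logs are mapped (assumption).
ENC = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
HASH = {
    "sha1": "HMAC_SHA1_96/PRF_HMAC_SHA1",
    "sha256": "HMAC_SHA2_256_128/PRF_HMAC_SHA2_256",
    "sha512": "HMAC_SHA2_512_256/PRF_HMAC_SHA2_512",
}
DH = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 19: "ECP_256", 20: "ECP_384"}


def edgeos_to_strongswan(encryption: str, hash_: str, dh_group: int) -> str:
    """Build the IKE:<enc>/<integ>/<prf>/<dh> string strongSwan logs for one proposal."""
    return f"IKE:{ENC[encryption]}/{HASH[hash_]}/{DH[dh_group]}"


def parse_proposals(line: str) -> list[str]:
    """Split a '[CFG] received/configured proposals:' log line into proposal strings.
    Tolerates the missing space after a comma seen in the Windows log."""
    _, _, rest = line.partition("proposals:")
    return [p.strip() for p in rest.split(",") if p.strip()]


def matching_proposals(received_line: str, configured_line: str) -> list[str]:
    """Proposals offered by the client that the router is also configured for,
    in the client's preference order. Empty list == 'no proposal found'."""
    configured = set(parse_proposals(configured_line))
    return [p for p in parse_proposals(received_line) if p in configured]


def candidate_matches(received_line: str, encryption: str, hash_: str, dh_group: int) -> bool:
    """Would adding this EdgeOS proposal give the client something it already offers?"""
    return edgeos_to_strongswan(encryption, hash_, dh_group) in parse_proposals(received_line)


# Constructed from the ER4 log of the Windows 10 attempt in this thread.
RECEIVED_WINDOWS = (
    "10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,"
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
)
CONFIGURED_ER4 = "10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256"

if __name__ == "__main__":
    print("matches with dh-group 19 only:", matching_proposals(RECEIVED_WINDOWS, CONFIGURED_ER4))
    for dh in (19, 20, 14):
        print(f"DH {dh}: {edgeos_to_strongswan('aes256', 'sha1', dh)}",
              "-> offered" if candidate_matches(RECEIVED_WINDOWS, "aes256", "sha1", dh) else "-> not offered")
```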

  • Service Provider

    @bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:

    Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

    It worked prior to changing to DH 14 on my iPhone.

    I had to add a proposal with DH 14 for Windows 10 to work.


