Solved Does any one have a EdgeRouter 4 online and can test L2TP
-
Same result from Windows.
ubnt@ubnt:~$ sudo swanctl --log
10[NET] received packet: from 172.58.140.188[41967] to 68.XXX.XXX.XXX[500] (408 bytes)
10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
10[IKE] received NAT-T (RFC 3947) vendor ID
10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
10[IKE] received FRAGMENTATION vendor ID
10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
10[IKE] 172.58.140.188 is initiating a Main Mode IKE_SA
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
10[IKE] no proposal found
10[ENC] generating INFORMATIONAL_V1 request 119528409 [ N(NO_PROP) ]
10[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.58.140.188[41967] (56 bytes)
-
@jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:
KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C
Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.
-
@pchiodo said in Does any one have a EdgeRouter 4 online and can test L2TP:
@jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:
KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C
Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.
Right, but with L2TP on EdgeOS, you do not get to specify proposals. It is hard-coded.
-
The big list is what my device is offering. Here is the trimmed list of only the AES_CBC_256 proposals:
07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
This is what the ER4 is saying it can do:
07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
There is no match.
-
This is highly annoying. I'm going to have to set up PPTP temporarily if I cannot figure this out.
Thread on the UBNT forums with more details.
https://community.ubnt.com/t5/EdgeRouter/Unable-to-use-L2TP-on-ER4/td-p/2308935
-
On a whim, I added a proposal 2 to the IKE and ESP groups.
Look what happened.
08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
I now have a second option.
It did not match, but it is there now. So now I just need to set up a proposal that matches. This does not explain why my current router already works and uses a different proposal.
-
Changed (well, added a proposal) the DH group from 19 to 14 and boom, it all works.
set vpn ipsec esp-group aciesp proposal 3 encryption aes256
set vpn ipsec esp-group aciesp proposal 3 hash sha256
set vpn ipsec ike-group aciesp proposal 3 dh-group 14
set vpn ipsec ike-group aciesp proposal 3 encryption aes256
set vpn ipsec ike-group aciesp proposal 3 hash sha256
-
@jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:
Changed (well, added a proposal) the DH group from 19 to 14 and boom, it all works.
set vpn ipsec esp-group aciesp proposal 3 encryption aes256
set vpn ipsec esp-group aciesp proposal 3 hash sha256
set vpn ipsec ike-group aciesp proposal 3 dh-group 14
set vpn ipsec ike-group aciesp proposal 3 encryption aes256
set vpn ipsec ike-group aciesp proposal 3 hash sha256
Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.
-
@bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:
Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.
Just part of the cipher choice algorithm.
Changing from DH 19 to 20 and then to 14 affects the last part of the IKE cipher.
For example, if you have these settings for IKE:
proposal 1 {
    dh-group 19
    encryption aes256
    hash sha1
}
You will get this as the available cipher for the specific proposal, depending on the DH group specified:
DH 19: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
DH 20: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
DH 14: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
A little about DH groups:
- group1—768-bit Modular Exponential (MODP) algorithm.
- group2—1024-bit MODP algorithm.
- group5—1536-bit MODP algorithm.
- group14—2048-bit MODP algorithm.
- group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.
- group20—384-bit random ECP groups algorithm.
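As an added illustration (not part of the thread or of EdgeOS/strongSwan), a small Python helper that renders EdgeOS ike-group proposal settings as the strongSwan proposal strings shown in the swanctl log above and checks them against the peer's offered list, reproducing the "no proposal found" case and the fix with DH 14. The encryption/hash/DH name tables and the copied log lines are assumptions built only from the values that appear in this thread.

```python
import re

# Assumed mapping from EdgeOS ike-group settings to the strongSwan names
# that appear in the swanctl log (built from the values seen in this thread).
ENC = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
HASH = {
    "sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
    "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
    "sha512": ("HMAC_SHA2_512_256", "PRF_HMAC_SHA2_512"),
}
DH = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 19: "ECP_256", 20: "ECP_384"}

# Constructed copies of the "received" (Windows client) and "configured" (ER4)
# log lines from the thread, trimmed to four offered proposals.
RECEIVED_LINE = ("07[CFG] received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,")
CONFIGURED_LINE = "07[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256"


def edgeos_to_proposal(encryption: str, hash_: str, dh_group: int) -> str:
    """Render one 'set vpn ipsec ike-group ... proposal N' as strongSwan prints it."""
    integ, prf = HASH[hash_]
    return f"IKE:{ENC[encryption]}/{integ}/{prf}/{DH[dh_group]}"


def parse_proposals(log_line: str) -> list:
    """Pull the IKE:... entries out of a '[CFG] ... proposals:' log line."""
    return re.findall(r"IKE:[A-Z0-9_/]+", log_line)


def matching_proposals(received: list, configured: list) -> list:
    """Proposals present on both sides, in the order the peer offered them.
    Simplified view of charon's selection; an empty result is the
    'no proposal found' case in the log."""
    wanted = set(configured)
    return [p for p in received if p in wanted]


def proposals_after_adding(configured: list, encryption: str, hash_: str, dh_group: int) -> list:
    """The configured list after another 'set ... proposal N ...' entry is added."""
    return configured + [edgeos_to_proposal(encryption, hash_, dh_group)]


if __name__ == "__main__":
    received = parse_proposals(RECEIVED_LINE)
    configured = parse_proposals(CONFIGURED_LINE)
    print("before:", matching_proposals(received, configured))
    fixed = proposals_after_adding(configured, "aes256", "sha256", 14)
    print("after: ", matching_proposals(received, fixed))
```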
-
@bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:
Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.
It worked prior to changing to DH 14 on my iPhone.
I had to add a proposal with DH 14 for Windows 10 to work.