    Solved Does any one have a EdgeRouter 4 online and can test L2TP

    IT Discussion
    edgerouter edgeos 1.10.1 er4 erl ubnt ubiquiti l2tp
    JaredBusch

      Same result from Windows.

      ubnt@ubnt:~$ sudo swanctl --log
      10[NET] received packet: from 172.58.140.188[41967] to 68.XXX.XXX.XXX[500] (408 bytes)
      10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
      10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
      10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
      10[IKE] received NAT-T (RFC 3947) vendor ID
      10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      10[IKE] received FRAGMENTATION vendor ID
      10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
      10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
      10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
      10[IKE] 172.58.140.188 is initiating a Main Mode IKE_SA
      10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
      10[IKE] no proposal found
      10[ENC] generating INFORMATIONAL_V1 request 119528409 [ N(NO_PROP) ]
      10[NET] sending packet: from 68.XXX.XXX.XXX[500] to 172.58.140.188[41967] (56 bytes)
      


      pchiodo

        @jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:

        KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C

        Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.

        JaredBusch @pchiodo

          @pchiodo said in Does any one have a EdgeRouter 4 online and can test L2TP:

          @jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:

          KE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_C

          Just from a cursory look, it appears you are missing some required proposals. The first one sent appears to be matched, but the others do not.

          Right, but with L2TP on EdgeOS, you do not get to specify proposals. It is hard coded.

          JaredBusch

            The big list is what my device is offering. Here is the trimmed list of only AES_CBC_256 proposals:

            07[CFG] received proposals: 
            IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
            IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, 
            IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
            IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, 
            IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, 
            IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
            

            This is what the ER4 is saying it can do:

            07[CFG] configured proposals: 
            IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
            

            There is no match.

            JaredBusch

              This is highly annoying. I'm going to have to set up PPTP temporarily if I cannot figure this out.

              Thread on the UBNT forums with more details.

              https://community.ubnt.com/t5/EdgeRouter/Unable-to-use-L2TP-on-ER4/td-p/2308935

              JaredBusch

                On a whim, I added a proposal 2 to the IKE and ESP groups.

                Look what happened.

                08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
                

                I now have a second option.
                It did not match, but it is there now. So now, just to set up a proposal that matches.

                This does not explain why my current router already works and uses a different proposal.

                JaredBusch

                  Changed (well, added a proposal) the DH group from 19 to 14 and boom, it all works.

                  set vpn ipsec esp-group aciesp proposal 3 encryption aes256
                  set vpn ipsec esp-group aciesp proposal 3 hash sha256
                  set vpn ipsec ike-group aciesp proposal 3 dh-group 14
                  set vpn ipsec ike-group aciesp proposal 3 encryption aes256
                  set vpn ipsec ike-group aciesp proposal 3 hash sha256
                  
                  bbigford @JaredBusch

                    @jaredbusch said in Does any one have a EdgeRouter 4 online and can test L2TP:

                    Changed (well, added a proposal) the DH group from 19 to 14 and boom, it all works.

                    set vpn ipsec esp-group aciesp proposal 3 encryption aes256
                    set vpn ipsec esp-group aciesp proposal 3 hash sha256
                    set vpn ipsec ike-group aciesp proposal 3 dh-group 14
                    set vpn ipsec ike-group aciesp proposal 3 encryption aes256
                    set vpn ipsec ike-group aciesp proposal 3 hash sha256
                    

                    Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

                    JaredBusch @bbigford

                      @bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:

                      Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

                      Just part of the cipher choice algorithm.

                      Changing from DH 19 to 20 and then to 14 affects the last part of the IKE cipher.

                      For example, if you have these settings for IKE:

                                  proposal 1 {
                                      dh-group 19
                                      encryption aes256
                                      hash sha1
                                  }
                      

                      You will get this as the available cipher for the specific proposal depending on the DH group specified.

                      DH 19: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
                      DH 20: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
                      DH 14: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
                      

                      A little about DH Groups

                      • group1—768-bit Modular Exponential (MODP) algorithm.
                      • group2—1024-bit MODP algorithm.
                      • group5—1536-bit MODP algorithm.
                      • group14—2048-bit MODP algorithm.
                      • group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.
                      • group20—384-bit random ECP groups algorithm.
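Added example, not code from the thread, from EdgeOS, or from strongSwan: a small Python model of the responder-side comparison that the earlier "There is no match" post and the DH 19/20/14 table just above describe. It turns an EdgeOS `ike-group ... proposal N` block into the `IKE:ENC/INTEG/PRF/DH` string that `swanctl --log` prints, parses the "received proposals" lines copied from the thread, and reports which configured proposal the client also offered, or `None` where charon would log "no proposal found". The keyword-to-strongSwan tables are inferred from the thread's own log lines rather than read from EdgeOS, and the first-configured-match rule is a simplification of charon's real selection; both are assumptions of this example.

```python
"""Model of IKEv1 proposal matching as seen in the EdgeRouter thread.

Added example; not EdgeOS or strongSwan code. Mapping tables and the
selection rule are assumptions inferred from the thread's log output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# EdgeOS `set vpn ipsec ike-group <name> proposal <n> ...` keywords mapped to
# the names charon prints. Assumed mapping: groups follow the DH list in the
# post above; sha256/sha512 follow the received-proposal lines in the thread.
DH_GROUP = {1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048",
            19: "ECP_256", 20: "ECP_384"}
ENCRYPTION = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
HASH = {"sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
        "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
        "sha512": ("HMAC_SHA2_512_256", "PRF_HMAC_SHA2_512")}

# Legacy components a client may offer; do not add them just to get a match.
WEAK_COMPONENTS = {"3DES_CBC", "MODP_768", "MODP_1024"}


@dataclass(frozen=True)
class IkeProposal:
    """One `proposal N { dh-group, encryption, hash }` block from an ike-group."""
    dh_group: int
    encryption: str
    hash_alg: str

    def to_strongswan(self) -> str:
        """Render the proposal the way `swanctl --log` shows it."""
        integ, prf = HASH[self.hash_alg]
        return f"IKE:{ENCRYPTION[self.encryption]}/{integ}/{prf}/{DH_GROUP[self.dh_group]}"


PROPOSAL_RE = re.compile(r"IKE:[A-Z0-9_]+/[A-Z0-9_]+/[A-Z0-9_]+/[A-Z0-9_]+")


def parse_proposals(log_line: str) -> list[str]:
    """Extract the IKE:... tokens from a charon '[CFG] ... proposals:' line."""
    return PROPOSAL_RE.findall(log_line)


def select_proposal(received: list[str], configured: list[str]) -> str | None:
    """First configured proposal the peer also offered, else None.

    Assumption: charon's real choice also depends on
    charon.prefer_configured_proposals and key-size handling.
    """
    offered = set(received)
    for proposal in configured:
        if proposal in offered:
            return proposal
    return None


def weak_components(proposal: str) -> set[str]:
    """Parts of a proposal string that are on the legacy list above."""
    return WEAK_COMPONENTS & set(proposal.split(":", 1)[1].split("/"))


# Received-proposal lines copied from the thread (Windows client, and the
# trimmed AES_CBC_256 list from the later post), joined onto one line each.
WINDOWS_LINE = (
    "10[CFG] received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,"
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
)
TRIMMED_LINE = (
    "07[CFG] received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536"
)


def replay_thread() -> dict[str, str | None]:
    """Run the thread's ike-group proposals against both received lists."""
    windows = parse_proposals(WINDOWS_LINE)
    trimmed = parse_proposals(TRIMMED_LINE)
    proposal_1 = IkeProposal(19, "aes256", "sha1").to_strongswan()    # what the ER4 offered at first
    proposal_3 = IkeProposal(14, "aes256", "sha256").to_strongswan()  # the added proposal 3
    return {
        "windows_dh19_only": select_proposal(windows, [proposal_1]),
        "windows_dh20": select_proposal(windows, [IkeProposal(20, "aes256", "sha1").to_strongswan()]),
        "windows_dh14_sha1": select_proposal(windows, [IkeProposal(14, "aes256", "sha1").to_strongswan()]),
        "trimmed_dh19_only": select_proposal(trimmed, [proposal_1]),
        "trimmed_with_p3": select_proposal(trimmed, [proposal_1, proposal_3]),
    }


if __name__ == "__main__":
    for name, result in replay_thread().items():
        flags = f"  (legacy: {', '.join(sorted(weak_components(result)))})" if result and weak_components(result) else ""
        print(f"{name:20s} -> {result or 'no proposal found'}{flags}")
```

Running it reproduces the thread's symptom: the ER4's original `ECP_256` proposal is in neither received list, so `select_proposal` returns `None`, while `dh-group 14` with `aes256`/`sha1` lands on the Windows client's `MODP_2048` entry and the added `sha256` proposal 3 lands on the first entry of the trimmed list. The parsed Windows list also contains an `ECP_384` entry, so a `dh-group 20` proposal matches that offer as well; `weak_components` is there so that, when adding proposals to satisfy a client, the 3DES and MODP_1024 entries such a client also offers are not the ones you pick.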
                      JaredBusch @bbigford

                        @bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:

                        Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

                        It worked prior to changing to DH 14 on my iPhone.

                        I had to add a proposal with DH 14 for Windows 10 to work.
