Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    L2TP Site to Site between PFsense and Mikrotik

    Scheduled Pinned Locked Moved
    General pfSense Questions
    2
    13
    1.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by stephenw10

      Use IPSec. L2TP without it is unencrypted you realise?

      But, really, forget just solve the issues with IPSec. How was that failing?

      Steve

      F 1 Reply Last reply Reply Quote 0
      • F
        felipefonsecabh @stephenw10
        last edited by

        @stephenw10 well, when i tried to use IPSec, in mikrotik side appears the error:
        "error got critical error: AUTHENTICATION_FAILED".

        The ISP has already created the rules for redirecting ports 500 and 4500 to my IP, but the above error keeps happening.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          No errors on the pfSense side? Does it try to establish both ways?

          That error looks like a pretty basic mismatch though. Can you show us the setting used at each end that generated it?

          Steve

          F 1 Reply Last reply Reply Quote 0
          • F
            felipefonsecabh @stephenw10
            last edited by

            @stephenw10
            PFsense Config:
            2021-11-22_15-10-56.png

            Mikrotik config:
            2021-11-22_15-10-39.png

            Pfsense log:
            2021-11-22_15-07-44.png

            Mikrotik log:
            2021-11-22_15-11-44.png

            The autentication method is Mutual PSK and I've already checked all the settings and apparently everything is correct.

            stephenw10S 1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator @felipefonsecabh
              last edited by

              Ok, the pSense log shows the Mikrotik is using the wrong hash value at P1 when it's initiating for some reason. The settings look correct on it though so maybe something is not applied?

              You can see it's proposing SHA1. pfSense rejects it because it's set to SHA256.

              The other thing that could be an issue is the identifier. You said you had the ISP forward ports to you? Does that mean you are behind NAT? If the identifier in pfSense would have to be set to match the external IP. We can't see that in the above screenshot.

              Steve

              F 1 Reply Last reply Reply Quote 0
              • F
                felipefonsecabh @stephenw10
                last edited by

                @stephenw10 yes the mikrotik is behind nat (in the first post there is an image with the network topology rsrs).

                Basically this is the origin of everything (the existence of NAT). I need to be able to implement this VPN with this NAT enabled, the provider cannot give me a fixed IP

                F 1 Reply Last reply Reply Quote 0
                • F
                  felipefonsecabh @felipefonsecabh
                  last edited by

                  @felipefonsecabh i try to change the encryption and hash algorithms in pfsense to sha1 and 3des (to test the functioning), and the error changes:

                  2021-11-22_22-08-16.png

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Aha, OK now the proposal matches but the identifier is mismatched. The Mikcrotik is sending it's internal private IP as the identifier [192.168.188.10] and pfSense is expecting the external public IP.
                    You can change that so it matches at either end but I've no idea how to do it in RouterOS. So edit the Phase 1 config in pfSense and change the 'Peer Identifier' from 'Peer IP Address' to 'IP Address' then set it to 192.168.188.10.

                    It will then match when the Mikrotik tries to establish. There may be other errors after that 😉

                    Steve

                    F 1 Reply Last reply Reply Quote 1
                    • F
                      felipefonsecabh @stephenw10
                      last edited by

                      @stephenw10 after change "Peer Identifier" as you suggested, works!
                      In mikrotik, i have to disable passive:

                      2021-11-23_09-11-23.png

                      The strange thing is that the mikrotik does not send the proposal as configured, but works! Thanks a lot!

                      F 1 Reply Last reply Reply Quote 1
                      • F
                        felipefonsecabh @felipefonsecabh
                        last edited by

                        @felipefonsecabh the connection was estabilished but devices between sites doesn't ping. I created all firewall rules necessary.

                        F 1 Reply Last reply Reply Quote 0
                        • F
                          felipefonsecabh @felipefonsecabh
                          last edited by

                          @felipefonsecabh I restared my pfsense and all works. Thanks a lot!

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Nice! Good result. Pure IPSec is waay better than trying to use L2TP over it.

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post