I have been trying to find a solution to connect to an MT router from Windows using the built-in L2TP client. From XP it was possible by turning off IPsec. This is not possible in Vista, however.
I have tried every possible scenario with RouterOS 2.9, but I think that it's not possible to connect the native Windows client to 2.9 with IPsec enabled.... even though I see some vague mention of success in these forums, but no details whatsoever, even though a lot of people are asking for them.
Finally, however, I noticed that 3.0 is able to receive connections from the native Windows clients with IPsec enabled. I only tried the preshared key option...
Before I go any further I want to say that I did find a problem, and maybe someone from MikroTik can help... The first connection is an immediate success, but after I log out I can log back in only 48 minutes later. I know why this is, but I don't know how to fix it (please read on).
So here is the scenario:
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=0.0.0.0/0:500 auth-method=pre-shared-key secret="xxxxx"
generate-policy=yes exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1m lifebytes=1024
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-128,aes-192,aes-256
lifetime=1m pfs-group=modp1024
[admin@MikroTik] > ppp secret print
Flags: X - disabled
NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 glucz any xxxx default 192.168.1.235
With these settings I can log into MikroTik via IPsec/L2TP using the preshared key. The required policy will generate and the SAs will install automatically:
[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=192.168.1.118/32:any dst-address=192.168.1.234/32:any
protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=192.168.1.118 sa-dst-address=192.168.1.234
proposal=default priority=
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xB393EA0 src-address=192.168.1.118 dst-address=192.168.1.234
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="0cced37bd18f267b7a176cb5deee371461e3fd84"
enc-key="a5687cdbb7906cd327033a5216aa5358" addtime=jan/14/2008 16:45:57
add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
current-bytes=148828 lifebytes=0/0
1 E spi=0x72986528 src-address=192.168.1.234 dst-address=192.168.1.118
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="22134735906b7fce129d47ce31680ee85e1f075b"
enc-key="d5dd6af0827c8b31cbe5c643ee5394a9" addtime=jan/14/2008 16:45:57
add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
current-bytes=133736 lifebytes=0/0
The problem is that when I disconnect the L2TP connection in Windows, the SAs will not delete themselves from the MT router. I don't know whether they should delete, but I know that Windows will not be able to reconnect until they are gone.
Unfortunately SAs can't be deleted individually, only all at once using
ip ipsec installed-sa flush
at which point I'm able to log back in, but all other online IPsec-enabled L2TP connections are destroyed as well.
I mentioned the 48-minute reconnect time... this seems to be a random value, but in fact this is the default add-lifetime value above (soft limit)... which cannot be changed at all. So either I wait 48 minutes or I flush the SAs and destroy everyone else's connection.
Can anyone tell me whether the SAs not going away is a bug or a feature? And if it's a feature, how can this mechanism be used properly with Windows?
Thank you
GL
PS: I have an old PC Engines WRAP board that reboots itself every time an IPsec connection is made, but I'm able to connect and use the L2TP/IPsec connection via MT x86 on an Athlon64-based PC... so I don't know what the status of this feature might be on different kinds of CPUs.
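Added example (not part of the original post, and not MikroTik code): a small parser for the `ip ipsec installed-sa print` output shown above, which pairs the leftover SAs with the Windows client's address and works out how long until their soft lifetime (the first half of `add-lifetime=48m/1h`) elapses, i.e. the reconnect wait the post describes. The sample output is constructed from the two SAs in the post with the live `auth-key`/`enc-key` values replaced by placeholders (the real print output exposes the session keys, so it should be redacted before being posted anywhere). The timestamp format `mon/dd/yyyy HH:MM:SS` and the soft/hard ordering of `add-lifetime` are assumed from what the output shows.

```python
"""Parse RouterOS 'ip ipsec installed-sa print' output and work out, for a
given L2TP/IPsec peer, how long its leftover SAs remain before their soft
lifetime elapses (the "48 minute" reconnect wait described in the post).

Added example; not from the original post or from MikroTik.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the output in the post. The real output
# prints live session keys (auth-key/enc-key); they are redacted here.
SAMPLE_OUTPUT = """\
Flags: A - AH, E - ESP, P - pfs
 0 E spi=0xB393EA0 src-address=192.168.1.118 dst-address=192.168.1.234
     auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
     auth-key="REDACTED" enc-key="REDACTED" addtime=jan/14/2008 16:45:57
     add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
     current-bytes=148828 lifebytes=0/0
 1 E spi=0x72986528 src-address=192.168.1.234 dst-address=192.168.1.118
     auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
     auth-key="REDACTED" enc-key="REDACTED" addtime=jan/14/2008 16:45:57
     add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
     current-bytes=133736 lifebytes=0/0
"""

# An entry line starts with an index, optional single-letter flags (E, A, P),
# then key=value pairs; continuation lines carry only key=value pairs.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(.*)$")
# A value is either quoted, or a bare token optionally followed by a
# " HH:MM:SS" clock part (addtime is printed as "jan/14/2008 16:45:57").
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+(?: \d{2}:\d{2}:\d{2})?)')
DURATION_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """'48m' -> 2880, '1h' -> 3600, '1h30m' -> 5400, '0s' -> 0 (seconds)."""
    return sum(int(n) * DURATION_UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


def parse_lifetime(text):
    """'48m/1h' -> (2880, 3600): (soft, hard) lifetime in seconds."""
    soft, hard = text.split("/", 1)
    return parse_duration(soft), parse_duration(hard)


def parse_timestamp(text):
    """Assumed RouterOS print format: 'jan/14/2008 16:45:57'."""
    return datetime.strptime(text, "%b/%d/%Y %H:%M:%S")


def parse_installed_sa(output):
    """Return one dict per SA with the fields needed for lifetime arithmetic."""
    sas = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            sas.append({"index": int(m.group(1)), "flags": m.group(2).split(), "raw": {}})
            rest = m.group(3)
        elif sas and "=" in line:
            rest = line  # continuation line of the current entry
        else:
            continue  # "Flags:" header or blank line
        for key, value in KV_RE.findall(rest):
            sas[-1]["raw"][key] = value.strip('"')
    for sa in sas:
        raw = sa["raw"]
        sa["spi"] = raw["spi"]
        sa["src"] = raw["src-address"]
        sa["dst"] = raw["dst-address"]
        sa["added"] = parse_timestamp(raw["addtime"])
        sa["soft_lifetime"], sa["hard_lifetime"] = parse_lifetime(raw["add-lifetime"])
    return sas


def sas_for_peer(sas, peer_ip):
    """SAs in either direction that involve the given peer address."""
    return [sa for sa in sas if peer_ip in (sa["src"], sa["dst"])]


def soft_expiry(sa):
    """When the SA passes its soft lifetime."""
    return sa["added"] + timedelta(seconds=sa["soft_lifetime"])


def reconnect_wait(sas, peer_ip, now):
    """Seconds until the last of the peer's SAs passes its soft lifetime.

    'now' may be a datetime or a timestamp string in the print format.
    Zero means nothing is left to wait for (or the peer has no SAs).
    """
    if isinstance(now, str):
        now = parse_timestamp(now)
    wait = 0
    for sa in sas_for_peer(sas, peer_ip):
        wait = max(wait, (soft_expiry(sa) - now).total_seconds())
    return int(wait)


if __name__ == "__main__":
    sas = parse_installed_sa(SAMPLE_OUTPUT)
    for sa in sas:
        print(f"SA {sa['index']} spi={sa['spi']} {sa['src']} -> {sa['dst']} "
              f"soft expiry {soft_expiry(sa)}")
    # Pretend the Windows client hung up ten minutes after connecting.
    print("seconds until 192.168.1.118 can reconnect:",
          reconnect_wait(sas, "192.168.1.118", "jan/14/2008 16:55:57"))
```

Feed it the real print output (with the keys redacted) to see, per client, which SPIs are still installed and how much of the soft lifetime is left before that client can come back without a flush; note that `installed-sa flush`, as the post says, clears every SA on the router, not just the stale pair.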