L2TP + IPsec crashes on 4011

rasimoes · September 10, 2021, 8:17pm

Hello,

Anyone experiencing L2TP over IPsec crashes on 7.1? Tested on 7.1rc3 and 7.1rc2… A brief about the issue:

On my setup, I’ve a couple of L2TP + IPsec clients; For each tunnel, a NAT masquerade rule for output.

Then I start to transfer data thought the VPNs (SSH, Winbox, etc.), the tunnel hangs, ALL my L2TP + IPsec tunnels drops and can’t reconnect anymore…just after rebooting the system.

Important/relevant points:
This issue doesn’t affect L2TP without IPsec (MPPE128) tunnels
This issue doesn’t affect PPTP tunnels

I’ve tried this same setup/steps on hAP ac2 (7.1rc3 with exported config.) and the issue doesn’t occur

oreggin · September 11, 2021, 5:28pm

Hi! I have a 4011 and it terminates three L2TPoIPSec. Not with the embedded PSK option but with separate IPSec config (IKEv2 with certificate). I can use it without any problem with RC2 and RC3. The difference is I don’t use NAT on it.

pthunya · September 24, 2021, 3:18pm

I’ve found the same problem on RouterOS7rc4 and CCR1009-7G, all l2tp connection both with and without ipsec can’t connect after running just fine for few days. After reboot all L2TP connections now working just fine.

oreggin · October 2, 2021, 8:43am

Do you using any special in the config? I using L2TP over native ethernet IF and Vlan IF also and I have stable L2TP connections on my RB4011 (ARM) and RB1100AHx2 (PPC) with 7.1RC4.
Here is my config about the L2TP client side:

ppp/profile/print where name="default-encryption"
Flags: * - default 
 2 * name="default-encryption" bridge-learning=default use-ipv6=yes use-mpls=yes use-compression=no use-encryption=required only-one=default 
     change-tcp-mss=no use-upnp=no address-list="" on-up="" on-down=""

interface/l2tp-client/print where name="L2TP"
Flags: X - disabled; R - running 
 0  R name="L2TP" max-mtu=1376 max-mru=1376 mrru=2564 connect-to=a.b.c.d user="pppuser" password="ppppass" profile=default-encryption 
      keepalive-timeout=10 use-peer-dns=no use-ipsec=no ipsec-secret="" allow-fast-path=yes add-default-route=no dial-on-demand=no allow=mschap2 
      l2tp-proto-version=l2tpv2 l2tpv3-digest-hash=md5

L2TP server side:

ppp/profile/print where name="default-encryption"
Flags: * - default 
 4 * name="default-encryption" local-address=10.1.1.1 bridge-learning=default use-ipv6=yes use-mpls=yes use-compression=no use-encryption=required 
     only-one=default change-tcp-mss=no use-upnp=no address-list="" on-up="" on-down=""

interface/l2tp-server/server/print 
                 enabled: yes
                 max-mtu: 1384
                 max-mru: 1384
                    mrru: 2564
          authentication: mschap2
       keepalive-timeout: 10
            max-sessions: 16
         default-profile: default-encryption
               use-ipsec: no
            ipsec-secret: 
          caller-id-type: ip-address
    one-session-per-host: yes
         allow-fast-path: yes
       l2tpv3-circuit-id: 
    l2tpv3-cookie-length: 0
      l2tpv3-digest-hash: md5
  accept-pseudowire-type: all
    accept-proto-version: all

The 1376byte MTU is calculated to L2TP over IPSec tunnel on ISP’s PPPoE.

negge · October 10, 2021, 4:39pm

I have a similar problem when using L2TP/IPsec to connect from a device running 7.1rc3 to a device running 6.48.3. Everything works just fine for a couple of days, then suddenly the L2TP part stop working completely (IPsec part seems to work, SAs are being created and there are no errors in any logs).

rasimoes · October 10, 2021, 7:57pm

If you’re using an 4011, try to lower down MTU/MRU to 1400 on each tunnel. This will solve this issue for now…

oreggin · November 3, 2021, 5:12am

If MTU causing this issue then you need to start with 1280 and if it is stable you need to calculate the proper MTU and set it. The latter is strongly recommended.