Hello,
L2TP users try to connect to a VPN, Win10 gives #809.
RouterOS v6.48 shows only:
Connecting:
Auto disconnect after 35s:
User gets #809 or #0
When a user cannot connect, his IP exists only at IPSec > Policies as a Dynamic entry with PH2 state “ready to send”.
I cannot remove that dynamic entry, but disable & enable Proposal gives that effect! Workaround found. User can log on now.
Maybe some IPSec parameter is wrongly set in the IPSec part? After a reboot all disconnected users have their dynamic Policies auto-removed… until at some point it stops removing them, like a bug, and then users call me that they cannot connect to the VPN.
IPSec settings in one screenshot:
Upgraded to v6.48.1 and now I wait again for new calls or my detection. :)
I did a detection and notification e-mail and FIX by re-enabling the Proposal, via a scheduler run every 3m with this code:
    # Run every 3 minutes from /system scheduler: find dynamic IPsec policies stuck in
    # PH2 state ready-to-send, find the L2TP user from the log, notify by e-mail and re-enable the proposal.
    :local EmailTo "marcin.przysowa@domain.tld"
    :local CustomerLocation "ACME HQ"
    :local PH2ProposalName "L2TP_users"
    :foreach BadPolicy in=[/ip ipsec policy find where dynamic ph2-state=ready-to-send] do={
        # dst-address is "a.b.c.d/32"; strip the prefix length to get the client IP
        :local BadPolicyIPMask [/ip ipsec policy get $BadPolicy dst-address]
        :local BadPolicyIP [:pick $BadPolicyIPMask 0 [:find $BadPolicyIPMask "/"]]
        # a stuck policy has no matching active L2TP peer
        :local BadActivePeer [:len [/ip ipsec active-peers find where comment~"L2TP" remote-address=$BadPolicyIP]]
        :if ($BadActivePeer = 0) do={
            :local UserWithProblem ""
            # take the user name from the last L2TP "logged in/out" log entry for that IP
            :foreach i in=[/log find where message~"$BadPolicyIP" message~"logged" topics~"l2tp"] do={
                :local LogWithUserWithProblem [/log get $i message]
                :set UserWithProblem [:pick $LogWithUserWithProblem 0 [:find $LogWithUserWithProblem " "]]
            }
            :local Message ($CustomerLocation . " IPSec PH2: ready-to-send DETECTED from " . $BadPolicyIP . " by " . $UserWithProblem)
            /tool e-mail send to=$EmailTo subject=$Message
            :log warning $Message
            # workaround: re-enabling the proposal clears the stuck dynamic policy
            /ip ipsec proposal enable $PH2ProposalName
        }
    }
and now I wait… and after the problem and fix I received an e-mail with subject: Consonto DataCenter IPSec ready-to-send DETECTED from 79.191.133.13 by a.nowak.
Workaround: Disable & Enable IPSec > Proposals
    /ip ipsec proposal enable L2TP_users
Any other suggestions?