I have been trying to find a solution to connect to a MT router from Windows using the built in l2tp client. From XP it was possible via turning off ipsec. This is not posible in VISTA however.

I have tried every possible scenario with routeros 2.9 but I think that it's not possible to connect the native windows client to 2.9 with ipsec enabled.... even though I see some vague mention of success in these forums but no details whatsoever even though a lot of people are asking for them.

Finally I noticed however that 3.0 is able to receive connections from the native windows clients with ipsec enabled. I only tried the preshared key option...

before I go any further I want to say that I did find a problem and maybe someone from Mikrotik can help... The first connection is an immediate success, but after I log out I can log back in only 48 minutes later. I know why this is but I don't know how to fix this (please read on)

So here is the scenario

--------------------------------
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=0.0.0.0/0:500 auth-method=pre-shared-key secret="xxxxx"
generate-policy=yes exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1m lifebytes=1024

[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-128,aes-192,aes-256
lifetime=1m pfs-group=modp1024

[admin@MikroTik] > ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 glucz any xxxx default 192.168.1.235
--------------------------------


with these settings I can log into microtik via ipsec/l2tp using the preshared key. The required policy will genate and the SA's will install automatically:

--------------------------------
[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=192.168.1.118/32:any dst-address=192.168.1.234/32:any
protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=192.168.1.118 sa-dst-address=192.168.1.234
proposal=default priority=

[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xB393EA0 src-address=192.168.1.118 dst-address=192.168.1.234
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="0cced37bd18f267b7a176cb5deee371461e3fd84"
enc-key="a5687cdbb7906cd327033a5216aa5358" addtime=jan/14/2008 16:45:57
add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
current-bytes=148828 lifebytes=0/0

1 E spi=0x72986528 src-address=192.168.1.234 dst-address=192.168.1.118
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="22134735906b7fce129d47ce31680ee85e1f075b"
enc-key="d5dd6af0827c8b31cbe5c643ee5394a9" addtime=jan/14/2008 16:45:57
add-lifetime=48m/1h usetime=jan/14/2008 16:45:57 use-lifetime=0s/0s
current-bytes=133736 lifebytes=0/0
--------------------------------


The problem is that when I disconnect the l2tp connection in Windows the SA's will not delete themselves from the MT router. I don't know whether they should delete, but I know that windows will not be able to reconnect until they are gone.

Unfortunately SA's can't be deleted individually, but all at once using
ip ipsec installed-sa flush

at which point I'm able to log back in, but all other online ipsec enabled l2tp connections are destroyed as well.

I mentioned the 48minutes reconnect time .. this seems to be a random value, but in fact this is the default add-lifetime value above (soft limit) ... which cannot be changed at all. So either I wait 48 minutes or I flush SA's and destoy everyone else's connection.

Can anyone tell me whether the SA's not going away is a bug or a feature? and if it's a feature how can this mechanism be used properly with windows.

Thank you
GL




ps: I have an old pcengines wrap board that reboots itself every time an ipsec connection is made, but I'm able to connect and use the l2tp/ipsec connection via MT x86 an Athlon64 based PC ... so I don't know what the status of this feature might be on different kind of cpu's.

hi,

right now i use 2.4.50 and i can connect mikrotik to winxp with l2tp and ipsec enable

I also read maybe 1 more post like yours that it's working, but there are no details regarding the setup or the server hardware type - not to mention the client type. This is why I tried to give a clear description of what I'm doing, so there would be a thread that can help set up a working system for both XP and VISTA users.

I may have forgotten to write that what I detailed in the original post mostly applies to VISTA. Just tested and I seem to be able to connect / reconnect to RouterOS V3 from XP with both IPSEC disabled and ENABLED. So the original reconnect issue seems to be a problem mainly with VISTA.

GL

would you kindly post the xp configuration details as well as whats necessary on the RouterOS side?

I have make some tutorial in indonesia languange, but if you follow the picture and mikrotik command, i sure you can do it.

http://human.network.web.id/2008/01/15/ ... onnect-xp/

I have plan to write in wiki.mikrotik.com with english language

Your instructions worked for me. Thank you.

I have the same problem using L2TP/IPsec from Win to MK 3.15
XP works fine
Vista SP1 could connect, but when disconnecting, I cannot connect again till flushings SAs or need to wait about 1 hour for SA expiration.
I played two days with all the settings but nothing solved.

Have anybody found the solution for Vista?

Maybe this could be the explanation why, but without solution. Looks like Mikrotik guyes should improve IPsec from their side
http://support.microsoft.com/kb/942429/en-us