 
hellweiss
newbie
Topic Author
Posts: 35
Joined: Thu Sep 02, 2010 10:36 am

L2TP IPSec with Samsung Galaxy S2

Tue Sep 18, 2012 1:52 pm

Hi,

I'm trying to connect with a Samsung Mobile to Mikrotik VPN L2TP IPSec pre-shared Key.
I've been through several Documents but always get the same error in the logs:

such policy does not already exist: xx.xx.xx.xx/32[0] xx.xx.xx.xx/32[0] proto=udp dir=in
such policy does not already exist: xx.xx.xx.xx/32[0] xx.xx.xx.xx/32[0] proto=udp dir=out

IPsec SA is established in both directions, Firewall rules are added, to the input chain as in the Documents.
PPTP works, also L2TP but L2TP with IPSEC PSK not.
Any advice? Version is 5.20
Thanks
 
hellweiss
newbie
Topic Author
Posts: 35
Joined: Thu Sep 02, 2010 10:36 am

Re: L2TP IPSec with Samsung Galaxy S2

Tue Sep 18, 2012 2:11 pm

Was my fault!

It works!

Wrong Firewall Rule: Protocol 50 (ipsec-esp) was in forward chain, not in input chain.

best regards
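Added example, not part of the original posts: because the router terminates the tunnel itself, IKE, NAT-T, L2TP and ESP must be accepted in the `input` chain, and an ESP rule placed in `forward` never matches that traffic. The sketch below audits an `/ip firewall filter` export for this mistake. The function names and the sample export are constructed for illustration, and it assumes one rule per line, no port ranges, and an input chain that ends in a drop.

```python
import shlex

# Traffic a RouterOS L2TP/IPsec server must accept for itself (input chain):
# IKE, NAT-T and L2TP over UDP, plus ESP (IP protocol 50).
# Assumption: rule order is ignored and the input chain ends in a drop.
REQUIRED = {("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("ipsec-esp", None)}

def parse_rules(export_text):
    """Parse 'add key=value ...' lines of an '/ip firewall filter' export."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        rules.append(fields)
    return rules

def services(rule):
    """Return the (protocol, port) pairs an enabled accept rule covers."""
    if rule.get("action", "accept") != "accept" or rule.get("disabled") == "yes":
        return set()
    proto = rule.get("protocol")
    if proto == "ipsec-esp":
        return {(proto, None)}
    if proto == "udp":
        return {(proto, p) for p in rule.get("dst-port", "").split(",") if p}
    return set()

def audit(export_text):
    """Return (missing from input, of those: accepted only in forward)."""
    accepted = {"input": set(), "forward": set()}
    for rule in parse_rules(export_text):
        chain = rule.get("chain")
        if chain in accepted:
            accepted[chain] |= services(rule) & REQUIRED
    missing = REQUIRED - accepted["input"]
    misplaced = missing & accepted["forward"]
    return sorted(missing, key=str), sorted(misplaced, key=str)

# Constructed export reproducing the mistake described in the post above.
SAMPLE = """/ip firewall filter
add action=accept chain=input comment="IKE, NAT-T, L2TP" dst-port=500,1701,4500 protocol=udp
add action=accept chain=forward comment="ESP in wrong chain" protocol=ipsec-esp
add action=drop chain=input
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
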
 
schmeltm
just joined
Posts: 18
Joined: Sun Jan 15, 2012 4:28 pm
Location: near Duesseldorf

L2TP IPSec with Samsung Galaxy S2

Tue Sep 18, 2012 6:55 pm

Hey,

Can you post your configuration so that others can use it?

Thanks!
 
dlefevre
just joined
Posts: 7
Joined: Thu Dec 11, 2008 8:42 pm

Re: L2TP IPSec with Samsung Galaxy S2

Wed Oct 10, 2012 7:33 pm

I'd greatly appreciate it if you posted the config here as well.

I am trying to do an L2TP setup for connecting with my Nexus 7. I am pretty much failing at the same point you were, but protocol 50 is, to the best of my knowledge, forwarding correctly.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP IPSec with Samsung Galaxy S2

Wed Oct 10, 2012 9:51 pm

This is not an answer specifically to the requests for "exact recipes" - however...

The Wiki page on L2TP works fairly well.

For testing, try this approach.
In firewall rules, as well as NAT and mangle - you can "disable" rules without deleting them. [It's super easy in WinBox.]

So, in really short order, you can disable all firewall/NAT/mangle rules that aren't absolutely required to forward traffic.
Then try your L2TP session again.

If it works, then you KNOW it was a bad rule and you can add them back in one at a time until you get a handle on what needs fixing.

Doing this first is really your first job, and you'll probably find it allows you to fix your own issue.

---
[All that said, IPSec support, which includes L2TP, is really, really BAD on MikroTik, IMO. You incur substantial risk and may induce problems using it in a road-warrior situation. If you're not doing NAT between LAN/WAN, it is suicidal to use, IMO]
 
dlefevre
just joined
Posts: 7
Joined: Thu Dec 11, 2008 8:42 pm

Re: L2TP IPSec with Samsung Galaxy S2

Wed Oct 10, 2012 10:07 pm

I wonder if anyone knows if any of the routeros 5.x versions were just broken when it comes to l2tp. I am following the firewall rules and setups in the faq and the other mentions of this topic fairly closely without any luck. I've checked quite closely. The thing slightly unknown to me at this moment is if certain other hash and encryption options must be turned on to work with an Android device. I was using Windows XP's needs as a model.

My issues are similar to several threads where the reason was that the implementation was simply not working. For instance, it looks like the IPSec tunnel is established without any problem (and quickly), but then L2TP tries to start up and both sides send packets to say hello with no real communication happening. Eventually the attempt ends with the Android giving a timeout error.

I actually don't have direct access to the router at the moment (I'm at work and I don't have network access to it atm) and, plus, I want to get the RouterOS patched to a version of RouterOS that is known to work with the setup before posting any logs.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: L2TP IPSec with Samsung Galaxy S2

Wed Oct 10, 2012 10:40 pm

I've done L2TP on 5.12.

During connect, watch the SAs in IPSec. Do they get built and are they encrypted? If so, you probably have a functional IPSec tunnel. Then the L2TP tunnel gets built inside that.

---
Some observations:
I couldn't get L2TP to use no encryption, so make sure the device isn't trying to use no-encrypting/non-mppe.

Also a reboot on MTK in numerous cases fixes odd VPN connections.

-Greg
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: L2TP IPSec with Samsung Galaxy S2

Thu Oct 11, 2012 10:27 am

These rules work for my netbook running Windows 7.

http://mikrotik.patokatech.com/
 
dlefevre
just joined
Posts: 7
Joined: Thu Dec 11, 2008 8:42 pm

Re: L2TP IPSec with Samsung Galaxy S2

Thu Oct 11, 2012 4:17 pm

As of this morning I have this working! I really appreciate the replies.

Last night I upgraded the router to 5.20. I can't tell you whether it was the upgrade that did it or some minute issue with the settings. The firewall was set up pretty much the same.

The previous version was 5.16. I don't have a RADIUS server (this is a setup just for my use) and I seem to remember somewhere that there was a version where user manager wasn't working right with L2TP? I don't recall exactly.

But this is working. All the information was a big help. Thanks.
