Authentication mismatch issue with L2TP/Ipsec

andrei · April 14, 2016, 3:28pm

I have a problem when setting up a dial-in L2TP/Ipsec server. I set it up by entering ipsec secret in L2TP Server so that it automatically generates policies.
The problem is that it works when connecting from certain networks.(ISP networks) but when connecting from mobile ISPs I can’t connect and I get different mismatch errors: either key mismatch: key length mismatched, mine:256 peer:128 or authtype mismatched: my:hmac-sha256 peer:hmac-sha1

This is strange since it works from certain ISPs. Any ideas?

PS: RouterOS v 6.34.4

mrz · April 14, 2016, 4:11pm

As error says, client requires auth an enc algorithms that you have disabled on server.

andrei · April 14, 2016, 4:21pm

No, it’s obviously not that . It works with the exact same settings from a different ISP. I have noticed this happens with mobile operators.(don’t exactly know why)
I did something else and it seems to work now. I manually declared 0.0.0.0/0 peers and disabled ipsec secret in L2TP server.

mrz · April 14, 2016, 4:41pm

ISP cannot change enc and auth protocols that client would like to use. Either you had multiple peer configs with similar settigs or some other misconfiguration. It is hard to tell without ipsec debug logs and supout file.

andrei · April 14, 2016, 4:53pm

Asuming I had ca misconfiguration this should happen with every ISP.
When I connect using one ISP it works and with another one it doesn’t(actually with another two both mobile)
Now that I look through the logs I see the same errors and it still connects. It seems it tries different authentication protocols until it works.(which is normal) So the fact that it doesn’t connect with different ISP’s may not be related to this errors.

I forgot to mention I am using windows client to connect.

To provide logs I should redo the old config and I’m not doing that now since this works. But I remember I had this
issue before.

regi · September 1, 2016, 5:34pm

downgrade to 6.27 and all will works fine. newer routersOS have problems with determinating hash/key_length (up to 6.36.2 - latest one).
even if everything matches, mikrotik will log error - authtype or keysize mismatch

ilia2s · September 12, 2016, 6:15pm

same error on ROS 6.36.3 and win7
debug attached
win7-mtik-ipsec-error.txt (70.8 KB)

mrz · September 13, 2016, 8:27am

remote peer supports 3DES and AES-CBC-128
Ipsec will go through all configured algorithms ion your router until matched.
If you do not want to see these errors set only either aes-cbc-128 or 3des in ipsec proposal.