Can't get past phase 1 L2TP

Hey guys.
I’m struggling with L2TP. It’s working for Mac but not for Windows.

Logs show:
respond new phase 1 (Identity Protection): 192.168.1.100[500]<=>x.x.x.x[500]
no suitable proposal found.
x.x.x.x failed to get valid proposal.
x.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
x.x.x.x phase1 negotiation failed.

I tried all the recommendations.
thisisafilename.rsc (16.1 KB)

/ip ipsec profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024 dpd-interval=\
    disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=\
    sha512
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des pfs-group=modp4096

Don’t do that. It won’t work with Windows.

Which part?
The entire encryption profile/proposal?
How am I supposed to do L2TP without it?

When you keep profile and proposal at defaults, it will work with Windows, Android, etc.
When you “upgrade encryption” you will have to do your own research to find what algorithms and sizes each OS supports, which of course also varies by OS release.
Your problem is probably the modp4096.
When you temporarily add a logging entry for topics=ipsec,!packet, you can see in the (very verbose) dump in the log what the other end proposes. Disable it after you have resolved it.
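Added example, not from this thread and not MikroTik's code: a small simulation of the phase 1 transform selection a responder performs, run against the posted profile and against the RouterOS defaults. The responder walks the initiator's offered transforms and accepts the first one whose encryption, hash and DH group are all on its allowed lists; if none qualifies, you get "no suitable proposal found". The Windows-like offer below is constructed for illustration (AES/3DES with SHA-1 and DH groups 14 and 2), not a captured SA payload, and the DEFAULT_PROFILE values are assumed from RouterOS defaults; check `/ip ipsec profile print` and your own `ipsec,!packet` log for the real values. The same matcher applies unchanged to the phase 2 proposal (enc-algorithms, auth-algorithms, pfs-group).

```python
"""Simulate IKEv1 phase 1 transform selection on the responder.

The responder accepts the first offered transform whose every attribute is
on its allowed list, which is how the RouterOS profile lists allowed values.
Assumed/constructed data is marked below.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Transform:
    enc: str   # encryption algorithm
    hash: str  # integrity/PRF hash
    dh: str    # Diffie-Hellman group


Profile = Dict[str, Set[str]]
ATTRS = ("enc", "hash", "dh")

# The profile posted in the thread (/ip ipsec profile).
POSTED_PROFILE: Profile = {
    "enc": {"aes-256", "aes-192", "aes-128", "3des"},
    "hash": {"sha512"},
    "dh": {"modp4096", "modp2048", "modp1024"},
}

# ASSUMED RouterOS default profile values; verify with `/ip ipsec profile print`.
DEFAULT_PROFILE: Profile = {
    "enc": {"aes-128", "3des"},
    "hash": {"sha1"},
    "dh": {"modp2048", "modp1024"},
}

# The posted profile with SHA-1 kept on the list next to the stronger hashes.
FIXED_PROFILE: Profile = {**POSTED_PROFILE, "hash": {"sha512", "sha256", "sha1"}}

# CONSTRUCTED initiator offer modelled on a built-in Windows L2TP/IPsec client
# (AES or 3DES, SHA-1, DH group 14 or 2). Illustrative only; not a capture.
WINDOWS_LIKE_OFFER: List[Transform] = [
    Transform("aes-256", "sha1", "modp2048"),
    Transform("aes-128", "sha1", "modp2048"),
    Transform("3des", "sha1", "modp2048"),
    Transform("3des", "sha1", "modp1024"),
]


def select_transform(offer: List[Transform], allowed: Profile) -> Optional[Transform]:
    """First offered transform acceptable under `allowed`, or None
    (the responder would then log 'no suitable proposal found')."""
    for t in offer:
        if all(getattr(t, a) in allowed[a] for a in ATTRS):
            return t
    return None


def explain_mismatch(offer: List[Transform], allowed: Profile) -> Dict[str, List[str]]:
    """Per attribute, the offered values the responder does not allow."""
    return {a: sorted({getattr(t, a) for t in offer} - allowed[a]) for a in ATTRS}


def all_rejected_attributes(offer: List[Transform], allowed: Profile) -> List[str]:
    """Attributes for which NO offered value is allowed at all: these are the
    settings that make every transform fail and are the ones to fix."""
    return [a for a in ATTRS if not ({getattr(t, a) for t in offer} & allowed[a])]


if __name__ == "__main__":
    for name, prof in (("posted", POSTED_PROFILE),
                       ("default", DEFAULT_PROFILE),
                       ("fixed", FIXED_PROFILE)):
        chosen = select_transform(WINDOWS_LIKE_OFFER, prof)
        print(f"{name:8s} -> {chosen or 'no suitable proposal found'}; "
              f"attributes with no acceptable value: "
              f"{all_rejected_attributes(WINDOWS_LIKE_OFFER, prof)}")
```

With the constructed offer, the posted profile rejects every transform purely on the hash (nothing offered is SHA-512), the default profile picks aes-128/sha1/modp2048, and the "fixed" profile that merely keeps sha1 on the list picks aes-256/sha1/modp2048: listing stronger options costs nothing as long as one the client actually offers stays on the list.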
