CHR L2TP/IPSec

jebz · March 25, 2016, 12:57pm

I’m using the latest CHR v6.35rc42 on a remote virtual hosting provider. The wan ether1 is connected and Winbox v3.4 enables easy monitoring and configuration through this interface.

I created a bridge and assigned it an IP 192.168.100.1. I created a IP-Pool 192.168.100.10-192.168.100.20 on this network for the IPSec clients. The clients will be behind NAT’ed connections. An Android client doesn’t connect to this server although with near identical setup connects to a regular RB450G v6.29 router. The log shows the following with the last line repeated -

15:47:36 firewall,info input: in:ether1 out:(none), src-mac 0c:c4:7a:45:89:57, proto UDP, 1.132.111.222:500->43.221.222.228:500, len 608 
15:47:36 firewall,info input: in:ether1 out:(none), src-mac 0c:c4:7a:45:89:57, proto UDP, 1.132.111.222:4500->43.221.222.228:4500, len 124 
15:47:37 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256 
15:47:38 firewall,info input: in:ether1 out:(none), proto UDP, 1.132.111.222:45444->43.221.222.228:1701, len 97 
15:47:40 firewall,info input: in:ether1 out:(none), proto UDP, 1.132.111.222:45444->43.221.222.228:1701, len 97

Sob · March 25, 2016, 1:40pm

This error looks clear:

15:47:37 ipsec,error authtype mismatched: my:hmac-sha1 peer:hmac-sha256

Either tell client to use sha1 or server to use sha256.

jebz · March 25, 2016, 9:49pm

Yes it did to me too but on the working physical rb450g I have the same error but it works. Just to be sure though I added sha256 to the CHR IPSec Proposal, Auth. Algorithms and this cleared the error but the Android still was unable to connect.

jebz · March 28, 2016, 12:10am

Resolved for others than have a brain holiday

PPP L2TP Server wasn’t enabled by the GUI tick box.