Discovery of external IP address (Noip.com)

It seems that the log is from the only client whose configuration you haven’t posted.

As you specify the peers’ addresses as domain names, I can imagine the incoming initial packet from the “server” to land on a wrong peer there, as I had such an issue when testing my setup with no static port forwarding; after reboot, the peer with address=some.fqdn was effectively created with address=0.0.0.0/0, thus it was shadowing other peers with individual addresses lower in the peer list, and those remote peers couldn’t connect as they were processed by a wrong peer at this machine. But this explanation only makes sense if you have some other peer with fqdn defined at that client, which is placed before the one representing your “server”.

NAT doesn’t seem to be involved as the connection you’ve posted did not show any src-nat or dst-nat.

Regarding the connection to port 1701, is it not shown in /ip firewall connection print where dst-address~“the.remote.public.ip” even when it works?

It seems that the log is from the only client whose configuration you haven’t posted.

 
[admin@Client3] > export hide-sensitive 
# apr/11/2021 10:48:08 by RouterOS 6.48.1
# software id = 
#
# model = RBmAPL-2nD
# serial number = 
/interface l2tp-client
add connect-to=dnsln.ddns.net disabled=no max-mru=1400 max-mtu=1400 \
    name=l2tp-out1 user=Tz
/interface wireless
set [ find default-name=wlan1 ] country= disabled=no distance=indoors \
    frequency=auto installation=indoor max-station-count=1 mode=ap-bridge name=\
    Wlan1 ssid="hidden" wmm-support=enabled wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 prf-algorithm=\
    sha1
add dh-group=modp2048 enc-algorithm=aes-128 name=Tz prf-algorithm=sha1
/ip ipsec peer
add address=dnsln.ddns.net exchange-mode=ike2 name=Tz profile=Tz
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=proposal1Tz pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.200.2
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Wlan1 lease-time=1d name=dhcp1
/system logging action
add disk-file-count=10 disk-file-name=ipsecStart disk-lines-per-file=5000 name=\
    ipsecFiles target=disk
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.200.1/24 interface=Wlan1 network=192.168.200.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.0.0.0/8 list="Local Subnet"
add address=172.16.0.0/12 list="Local Subnet"
add address=192.168.0.0/16 list="Local Subnet"
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=\
    out,ipsec
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list="!Local Subnet" \
    new-routing-mark=Traffic_for_vpn passthrough=yes src-address=192.168.200.2
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add peer=Tz
/ip ipsec policy
set 0 disabled=yes
add dst-address=PublicIpAddress/32 peer=Tz proposal=proposal1Tz \
    src-address=192.168.20.3/32
/ip route
add distance=1 gateway=192.168.91.1 routing-mark=Traffic_for_vpn
add distance=1 dst-address=172.21.69.0/24 gateway=192.168.91.1
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=
/system identity
set name=Client1
/system logging
add action=ipsecFiles disabled=yes topics=ipsec,!packet
/tool sniffer
set file-name=Sniffer filter-port="hidden" filter-stream=yes streaming-enabled=yes \
    streaming-server=172.69.21.153:winbox

But this explanation only makes sense if you have some other peer with fqdn defined at that client, which is placed before the one representing your “server”.

There are no other peers on this client machine .

After changing/adding some firewall rules the auto-connect still doesn’t happen but I see a difference regarding port 1701 now. Meaning that it appears now compared to before…

# Without being able to auto connect after powering up (15 min. offline) 

 4  SAC     protocol=udp src-address=PublicIpAddress:4500 dst-address=192.168.20.3:4500 
            reply-src-address=192.168.20.3:4500 reply-dst-address=PublicIpAddress:4500 timeout=2m59s 
            orig-packets=81 orig-bytes=21 715 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=89 repl-bytes=27 562 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=8.0kbps repl-rate=0bps 

 5    C     protocol=udp src-address=192.168.20.3:1701 dst-address=PublicIpAddress:1701 
            reply-src-address=PublicIpAddress:1701 reply-dst-address=192.168.20.3:1701 timeout=9s 
            orig-packets=2 orig-bytes=254 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 
            repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=1016bps 
            repl-rate=0bps 

# After disabling and enabling the peer (on the server side)


 4  SAC     protocol=udp src-address=PublicIpAddress:4500 dst-address=192.168.20.3:4500 
            reply-src-address=192.168.20.3:4500 reply-dst-address=PublicIpAddress:4500 timeout=2m59s 
            orig-packets=235 orig-bytes=63 752 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=225 repl-bytes=51 451 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=1640bps repl-rate=1152bps 

 6  SAC     protocol=udp src-address=192.168.20.3:1701 dst-address=PublicIpAddress:1701 
            reply-src-address=PublicIpAddress:1701 reply-dst-address=192.168.20.3:1701 timeout=2m59s 
            orig-packets=107 orig-bytes=12 934 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 
            repl-packets=124 repl-bytes=31 100 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 
            orig-rate=720bps repl-rate=968bps

Regarding the connection to port 1701, is it not shown in /ip firewall connection print where dst-address~“the.remote.public.ip” even when it works?

Before it didn’t, now (after the firewall rules) it does .

Given that all policies are static, the proposals they use are identical at both ends, and there is no NAT involved at the client device itself, I’m afraid the fact that you get NO_PROPOSAL_CHOSEN is a consequence of some bug.

So I can only suggest a workaround:

/system scheduler add name=ipsec-wa on-event=“/ip ipsec peer disable name ; delay 1m ; /ip ipsec peer enable name” start-time=startup

Thank you Sindy!
Do I have to replace the word “name” with the peer’s actual name, or leave it as is? If I understand it correctly , upon reboot/shutdown etc. the schedule will basically do automatically, what I do manually - disable the peer once and then re-enable it?

Of course replace name by the actual name of the peer. And yes, the scheduled script is a substitution of your manual disable/re-enable operation after reboot.

The scheduled script is a workaround. For a solution in future RouterOS versions, you have to raise a support ticket with Mikrotik; before doing that, create a supout.rif file while it is still bad after the reboot, and attach it to the ticket, as this is the first thing they will ask you to do anyway, no exceptions. You can put just a brief description to the ticket and a link to the post in this topic where you’ve shown the log, as the beginning of the topic is a bit away from this issue.

Thank you Sindy ! I will follow up with this post (Mikrotik support) and will try something extra with a dedicated server I have (and post results) to further assist other people and the progress of Router OS . Again …much appreciate it !!!

I just tried it and it didn’t bring the link up …do you think I should make the delay 1m longer, say 3 minutes? Although I would imagine 1 minute should be enough after the power on…

I then manually disabled and re-enabled the link and it did come up…working on as detailed as possible description to send to support…

Possibly yes, but to me 1m should also be sufficient, the mAP lite is not that lazy. Maybe add a delay 1m before the disable.

It is still possible that the result depends on whether the initial request comes first from the remote peer or whether the local one is faster, but normally if none of the peers is passive, two IKE connections (active peers) are shown, at least for some time. I admit I rarely use transport mode, though, so maybe it’s different there.

OK, the delay 1m before disable did the trick ! I have also emailed support regarding the so far discussed …

OK so far:

I have contacted support on the issue, and they asked to upgrade to V. 6.48.2 from 6.48.1, as some improvements took place regarding transport mode and IPsec. The problem persisted after the upgrade.

Then support suggested to include dst-nat rule to either machines (since both are behind NAT) and use passive mode on that machine. The problem with that is when using DDNS, MT will not allow a passive mode. In a further communication I mentioned that 2 clients could connect to the server, but one couldn’t (and none had port forwarding rules). They said that probably there were somewhere port forwarding rules. I can definitively confirm that in no modem nor any MT I have introduced port forwarding rules and yet the connection gets established (after some efforts but…gets established)

Here is what I discovered today and would like the community’s input and ideas so I can better phrase it to support:

One, out of the three clients to the server, got disconnected yesterday (I discovered due to an ISP public IP change). A couple of hours later a second client got disconnected and discovered that it was also due to a public IP change. In both cases the link did not return afterwards.

So, I went on and disabled and re-enabled all three links (as before). Did not make a difference.

Disabled completely on the server and the client MT (the first one that lost connection) all settings regarding the link (without re-enabling it), then on server disabled and re-enabled the other 2 peers and Voila the links got re-established!

I was completely baffled as you can imagine then I re-enabled the last remaining client with hopes…well, the link would not establish no matter what I tried! After about an hour or so research, I completely removed all settings regarding the link on that client, and on the server side I disabled the PPP/secret for that client. Entered from scratch all settings on client (L2TP client and IPsec), enabled the PPP secret on the server and then…
started noticing some packets coming in through the firewall ( chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix=" ) .

The link would still not establish, but when I disabled the peer and re-enabled it (I flushed esp and ah before), to my amazement the link established!!!

So, it seems that in transport mode because I use DDNS name if a public IP changes, when 5 minutes later (that’s my setting) that public IP address get’s renewed:

A) The link will not be re-established and disabling/enabling it will not “fix” it. As if it remembers the old IP and exchange?
B) Deleting the configuration and starting from scratch will bring me 90% close to a successful link and the final step will be flushing in IPsec and disabling/enabling the peer on the server side (didn’t try it on the client side, could be as well the case)

All three clients are currently connected to the server. Any thoughts on the above would be very much appreciated! Here are the firewall rules (if I should include something more, please let me know, I am not suggesting anywhere that I haven’t missed something).

Server

/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec

/ip firewall nat
add action=masquerade chain=srcnat


Client 1 

/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=output connection-state=established,related
add action=drop chain=output connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1



Client 2:

/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1


Client 3:

/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1

UPDATE:

OK I can confirm: Last night one of the client’s public IP address changed. The link went down and never came up.

What I did : Disabled on client the L2TP-out client - disabled all settings in IP/ipsec
On Server: Disabled the client’s Secret @ PPP/secret , disabled the peer for that client
Rebooted both

Re-enable them all . Packets started coming in through client’s firewall. Link would still stay inactive .

Disabled once more (on Server side) the peer in IP/ipsec and enabled it back.

The link came active.

Does this sound like a bug ? I have the feeling that because dynamic IP addresses are involved, when a location changes its public IP address this drops the link (ok so far) but when the Mt …mynetname.net informs of the new address 5 minutes later the link would be “stuck” as for some reason “continues to remember” the old public IP address.

Does this make any sense to anyone ?