IPSec phase1 negotiation error

PeterEs · January 12, 2015, 10:17am

We have a MikroTik CCR1009 at the office as internet router. This router is configured as L2TP IPSec VPN server. It is possible to connect Windows clients and iPhones.

I bought a few RB750 to use as L2TP IPSec VPN client. My intension is to use this devices at some home users behind their current router, to connect a few devices (such as VoIP phones) to the corporate LAN. Because of the user home router, the RB750 will be placed behind a NAT.

The connection is UP and i can send data in both directions. However every minute I see an error in the RB750 log: “phase1 negotiation failed due to time up {user LAN ip}[500]<=>{office public IP}[500]”. Is this a configuration issue, or is this caused by the user’s internet router?

Office

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=topsecret use-ipsec=yes

Client

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address={office public IP}/32 enc-algorithm=3des lifetime=30m nat-traversal=no secret=topsecret
/interface l2tp-client
add add-default-route=no allow=mschap2 connect-to={office public IP} dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=1600 name=VPNuser password=password profile=default-encryption user=VPNuser

spippan · January 13, 2015, 12:18pm

PeterEs:

We have a MikroTik CCR1009 at the office as internet router. This router is configured as L2TP IPSec VPN server. It is possible to connect Windows clients and iPhones.

I bought a few RB750 to use as L2TP IPSec VPN client. My intension is to use this devices at some home users behind their current router, to connect a few devices (such as VoIP phones) to the corporate LAN. Because of the user home router, the RB750 will be placed behind a NAT.

The connection is UP and i can send data in both directions. However every minute I see an error in the RB750 log: “phase1 negotiation failed due to time up {user LAN ip}[500]<=>{office public IP}[500]”. Is this a configuration issue, or is this caused by the user’s internet router?

Office
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=topsecret use-ipsec=yes
Client
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address={office public IP}/32 enc-algorithm=3des lifetime=30m nat-traversal=no secret=topsecret
/interface l2tp-client
add add-default-route=no allow=mschap2 connect-to={office public IP} dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=1600 name=VPNuser password=password profile=default-encryption user=VPNuser

get the same error when i try to connect to my RB951 (rOS v6.24) L2TP/IPsec from my iPhone6 (3G and WiFi)
thou i can connect fia PPTP (just tested it with the same user) and i get a connection with “MPPE128 stateless”

from my Mac mini the L2TP IP sec connection works without any problems (same Wifi/LAN)

any ideas on how to properly get L2TP IPsec running? please…?

PeterEs · January 14, 2015, 10:56am

I think your problem is a little different. You get the errors server side, i get them on the client.

spippan · January 14, 2015, 11:30am

erm … yes, of course server side because the TIK (RB951) IS the VPN server.
i have no clue what to change in IPsec settings to get it working for my iPhone to connect via 3G/cellular … (WiFi > no problem; other L2TP/IPsec > no problem)

even if i use the mobile iphone hotspot function and try to connect via that hotspot connection with my e.g. Mac mini… no luck …
but via PPTP > success
also different L2TP/IPsec connection to completely different server via 3G/cellular/iphone-hotspot > success

spippan · February 2, 2015, 11:37am

still no clue … anyone??

still no change with the newest rOS 6.25