Hello,
I’m trying to set up a Road Warrior VPN between a MikroTik and a ShrewSoft client using the following tutorial:
Unfortunately, I’m struggling quite a lot.
Both MT and client are behind a NAT with the required ports open.
Phase 1 seems to work fine but MT returns an error on phase 2: failed to pre-process ph2 packet. Here is the log from MT:
20:06:01 ipsec,info respond new phase 1 (Identity Protection): 192.168.66.2[500]<=>109.28.218.87[2780]
20:06:01 ipsec,info ISAKMP-SA established 192.168.66.2[4500]-109.28.218.87[4500] spi:ad1c03118f9b3789:84bd4cf33e419a5a
20:06:02 ipsec,info XAuth login succeeded for user: franek
20:06:02 ipsec,info acquired 192.168.11.16 address for 109.28.218.87[4500]
20:06:03 ipsec,error 109.28.218.87 failed to pre-process ph2 packet.
20:06:08 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:10 ipsec,error 109.28.218.87 failed to pre-process ph2 packet.
20:06:13 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:15 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:18 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:20 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:25 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:30 ipsec,error 109.28.218.87 failed to pre-process ph2 packet.
The funny part is that for the Shrew client, the tunnel is established and working, so it keeps sending packets that are ignored by MT.
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
Here is my config. On the MT:
# model = 2011UiAS
/ip ipsec peer profile
set [ find default=yes ] dpd-interval=disable-dpd
add dh-group=modp768 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h name=profile1
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-128-cbc,3des lifetime=5m pfs-group=none
/ip pool
add name=dhcp_pool_LAN_guerin ranges=192.168.10.10-192.168.10.20
add name=ipsec-RW ranges=192.168.11.2-192.168.11.20
/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=192.168.10.0/24
/ip address
add address=192.168.10.1/24 interface="bridge LAN Guerin" network=192.168.10.0
/ip firewall filter
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=192.168.11.0/24
add action=accept chain=forward dst-address=192.168.11.0/24 src-address=192.168.10.0/24
add action=accept chain=input comment=temp src-address=109.28.218.87
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg passive=yes policy-template-group=RoadWarrior secret=******
/ip ipsec policy
add dst-address=192.168.11.0/24 group=RoadWarrior src-address=192.168.10.0/24 template=yes
/ip ipsec user
add name=****** password=******
On the ShrewSoft VPN client:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:300
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:80.11.458.74
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:RXZpX2xlX0NoaWVu
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:0
s:policy-level:auto
I’m certainly doing something wrong but I can’t find out what it is.
If someone would be so kind as to help me out, that would be greatly appreciated.
Franek
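As an added example (not part of the post, nor MikroTik or ShrewSoft code), a small Python parser that folds RouterOS ipsec log lines of the kind quoted in the post into per-peer negotiation state, so the stage at which the handshake stops (ISAKMP-SA, XAuth, mode-config, phase 2) is read off instead of eyeballed. The message formats are the ones visible in the post's log; the embedded sample is six of those lines.

```python
import re
from collections import defaultdict
# Sample input: six of the RouterOS ipsec log lines quoted in the post, embedded as a string.
SAMPLE_LOG = """\
20:06:01 ipsec,info ISAKMP-SA established 192.168.66.2[4500]-109.28.218.87[4500] spi:ad1c03118f9b3789:84bd4cf33e419a5a
20:06:02 ipsec,info XAuth login succeeded for user: franek
20:06:02 ipsec,info acquired 192.168.11.16 address for 109.28.218.87[4500]
20:06:03 ipsec,error 109.28.218.87 failed to pre-process ph2 packet.
20:06:08 ipsec,error 109.28.218.87 peer sent packet for dead phase2
20:06:10 ipsec,error 109.28.218.87 failed to pre-process ph2 packet.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
EVENTS = [  # (event, regex over the message part); group 1 is the remote peer unless noted
    ("phase1_ok", re.compile(r"ISAKMP-SA established \S+-" + IP + r"\[")),
    ("xauth_ok", re.compile(r"XAuth login succeeded for user: (\S+)")),  # group 1 = user, no IP
    ("modecfg", re.compile(r"acquired " + IP + r" address for " + IP + r"\[")),  # 1 = addr, 2 = peer
    ("ph2_fail", re.compile(r"^" + IP + r" failed to pre-process ph2 packet")),
    ("ph2_dead", re.compile(r"^" + IP + r" peer sent packet for dead phase2")),
]

def analyse(log_text):
    # Fold the log into per-peer negotiation state (remote peer IP -> dict).
    peers = defaultdict(lambda: {"phase1_ok": False, "xauth_user": None,
                                 "assigned": None, "ph2_fail": 0, "ph2_dead": 0})
    current = None  # peer of the last ISAKMP-SA line; XAuth lines carry no peer IP
    for line in log_text.splitlines():
        parts = line.split(" ", 2)  # "HH:MM:SS topics message"
        if len(parts) < 3 or not parts[1].startswith("ipsec"):
            continue
        for name, rx in EVENTS:
            hit = rx.search(parts[2])
            if not hit:
                continue
            if name == "phase1_ok":
                current = hit[1]
                peers[current]["phase1_ok"] = True
            elif name == "xauth_ok" and current:
                peers[current]["xauth_user"] = hit[1]
            elif name == "modecfg":
                peers[hit[2]]["assigned"] = hit[1]  # mode-config address handed to the peer
            else:
                peers[hit[1]][name] += 1
            break
    return dict(peers)

def verdict(state):
    # Name the stage at which the negotiation stops for one peer.
    if not state["phase1_ok"]:
        return "phase 1 never completed"
    if state["ph2_fail"] or state["ph2_dead"]:
        return "phase 1, XAuth and mode-config succeeded; phase 2 (quick mode) rejected"
    return "tunnel negotiated"
```

Run over the full log from the post, the single remote peer ends with the phase 2 verdict, which is the same conclusion the post draws by hand.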