L2TP Client Connectivity Issues

takumi · April 26, 2018, 1:59pm

Hi guys,

So I have a bunch of RB2011UAS-2HnD’s located in a couple of my homes. One house has the router sitting behind a CPE that’s used to terminate a LTE connection. And the other has a DSL bridge which performs PPPoE pass-thru, enabling me to terminate my internet connection directly onto the Mikrotik.

The problem that I’m having. Is that on the properly with the DSL connection and the PPPoE pass-thru configured. I’m unable to establish an L2TP VPN client connection at the property. The L2TP service that I’m trying to connect to, is provided by Private Internet Access.

I’ve configured the basic L2TP/IPSEC VPN client as per most standard situations, according and following Wiki documents. I’ve also replicated this at the property where I have the other Mikrotik behind the CPE, that router is working perfectly fine.

The problem that I’m having, is that the connection get’s established, however, I’m not receiving any return traffic. It appears as though I am sending traffic, but nothing is returning. Yes I have configured the required NAT rules, and even gone as far as disabling my firewall filter rules as well.

Can anyone shed any light on this?

Running ROS 6.42.

sindy · April 26, 2018, 2:11pm

Setting ****

/system logging add topics=ipsec

and

/system logging add topics=l2tp

, making a connection attempt, and reading the output of

/log print where topics~"l2tp" || topics~"ipsec"

should tell you more.

If you can’t find anything, post the output here after systematically replacing each eventual occurrence of your public IP address with a distinctive pattern such as ****

my.ip.addr.1

.

takumi · April 26, 2018, 2:47pm

Just to add more fuel to the fire. When I establish the connection, and I try ping the assigned gateway. I’m getting a “Destination Unreachable” error. Not doing it on the other location obviously.

takumi · April 26, 2018, 2:58pm

Here’s a copy of the output.

apr/27 02:55:30 ipsec,info initiate new phase 1 (Identity Protection): 125.236.209.127[500]<=>104.156.228.68[500] 
apr/27 02:55:30 ipsec,debug new cookie: 
apr/27 02:55:30 ipsec,debug 1aaa1519890d78c0 
apr/27 02:55:30 ipsec,debug add payload of len 328, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 13 
apr/27 02:55:30 ipsec,debug add payload of len 16, next type 0 
apr/27 02:55:30 ipsec,debug 620 bytes from 125.236.209.127[500] to 104.156.228.68[500] 
apr/27 02:55:30 ipsec,debug 1 times of 620 bytes message will be sent to 104.156.228.68[500] 
apr/27 02:55:30 ipsec,debug,packet 1aaa1519 890d78c0 00000000 00000000 01100200 00000000 0000026c 0d00014c 
apr/27 02:55:30 ipsec,debug,packet 00000001 00000001 00000140 01010008 03000028 01010000 800b0001 000c0004 
apr/27 02:55:30 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020002 8004000e 03000028 02010000 
apr/27 02:55:30 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040002 
apr/27 02:55:30 ipsec,debug,packet 03000028 03010000 800b0001 000c0004 00015180 80010007 800e00c0 80030001 
apr/27 02:55:30 ipsec,debug,packet 80020002 8004000e 03000028 04010000 800b0001 000c0004 00015180 80010007 
apr/27 02:55:30 ipsec,debug,packet 800e00c0 80030001 80020002 80040002 03000028 05010000 800b0001 000c0004 
apr/27 02:55:30 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 8004000e 03000028 06010000 
apr/27 02:55:30 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020002 80040002 
apr/27 02:55:30 ipsec,debug,packet 03000024 07010000 800b0001 000c0004 00015180 80010005 80030001 80020002 
apr/27 02:55:30 ipsec,debug,packet 8004000e 00000024 08010000 800b0001 000c0004 00015180 80010005 80030001 
apr/27 02:55:30 ipsec,debug,packet 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 
apr/27 02:55:30 ipsec,debug,packet 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 ba676c4c 7737ae22 
apr/27 02:55:30 ipsec,debug,packet eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d 
apr/27 02:55:30 ipsec,debug,packet ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 73de52ac e952fa6b 
apr/27 02:55:30 ipsec,debug,packet 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 cd604643 35df21f8 
apr/27 02:55:30 ipsec,debug,packet 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 
apr/27 02:55:30 ipsec,debug,packet 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846 
apr/27 02:55:30 ipsec,debug,packet 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 00000014 afcad713 
apr/27 02:55:30 ipsec,debug,packet 68a1f1c9 6b8696fc 77570100 
apr/27 02:55:30 ipsec sent phase1 packet 125.236.209.127[500]<=>104.156.228.68[500] 1aaa1519890d78c0:0000000000000000 
apr/27 02:55:30 ipsec,debug ===== received 140 bytes from 104.156.228.68[500] to 125.236.209.127[500] 
apr/27 02:55:30 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 01100200 00000000 0000008c 0d00003c 
apr/27 02:55:30 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
apr/27 02:55:30 ipsec,debug,packet 80020002 8004000e 80030001 800b0001 000c0004 00015180 0d00000c 09002689 
apr/27 02:55:30 ipsec,debug,packet dfd6b712 0d000014 afcad713 68a1f1c9 6b8696fc 77570100 00000014 4a131c81 
apr/27 02:55:30 ipsec,debug,packet 07035845 5c5728f2 0e95452f 
apr/27 02:55:30 ipsec,debug begin. 
apr/27 02:55:30 ipsec,debug seen nptype=1(sa) len=60 
apr/27 02:55:30 ipsec,debug seen nptype=13(vid) len=12 
apr/27 02:55:30 ipsec,debug seen nptype=13(vid) len=20 
apr/27 02:55:30 ipsec,debug seen nptype=13(vid) len=20 
apr/27 02:55:30 ipsec,debug succeed. 
apr/27 02:55:30 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
apr/27 02:55:30 ipsec received Vendor ID: DPD 
apr/27 02:55:30 ipsec,debug remote supports DPD 
apr/27 02:55:30 ipsec received Vendor ID: RFC 3947 
apr/27 02:55:30 ipsec 104.156.228.68 Selected NAT-T version: RFC 3947 
apr/27 02:55:30 ipsec,debug total SA len=56 
apr/27 02:55:30 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0080 
apr/27 02:55:30 ipsec,debug 80020002 8004000e 80030001 800b0001 000c0004 00015180 
apr/27 02:55:30 ipsec,debug begin. 
apr/27 02:55:30 ipsec,debug seen nptype=2(prop) len=48 
apr/27 02:55:30 ipsec,debug succeed. 
apr/27 02:55:30 ipsec,debug proposal #1 len=48 
apr/27 02:55:30 ipsec,debug begin. 
apr/27 02:55:30 ipsec,debug seen nptype=3(trns) len=40 
apr/27 02:55:30 ipsec,debug succeed. 
apr/27 02:55:30 ipsec,debug transform #1 len=40 
apr/27 02:55:30 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
apr/27 02:55:30 ipsec,debug encryption(aes) 
apr/27 02:55:30 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
apr/27 02:55:30 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
apr/27 02:55:30 ipsec,debug hash(sha1) 
apr/27 02:55:30 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
apr/27 02:55:30 ipsec,debug dh(modp2048) 
apr/27 02:55:30 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
apr/27 02:55:30 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
apr/27 02:55:30 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
apr/27 02:55:30 ipsec,debug pair 1: 
apr/27 02:55:30 ipsec,debug  0x4a0188: next=(nil) tnext=(nil) 
apr/27 02:55:30 ipsec,debug proposal #1: 1 transform 
apr/27 02:55:30 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1 
apr/27 02:55:30 ipsec,debug trns#=1, trns-id=IKE 
apr/27 02:55:30 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC 
apr/27 02:55:30 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
apr/27 02:55:30 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
apr/27 02:55:30 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group 
apr/27 02:55:30 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
apr/27 02:55:30 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
apr/27 02:55:30 ipsec,debug type=Life Duration, flag=0x0000, lorv=4 
apr/27 02:55:30 ipsec,debug Compared: Local:Peer 
apr/27 02:55:30 ipsec,debug (lifetime = 86400:86400) 
apr/27 02:55:30 ipsec,debug (lifebyte = 0:0) 
apr/27 02:55:30 ipsec,debug enctype = AES-CBC:AES-CBC 
apr/27 02:55:30 ipsec,debug (encklen = 256:128) 
apr/27 02:55:30 ipsec,debug hashtype = SHA:SHA 
apr/27 02:55:30 ipsec,debug authmethod = pre-shared key:pre-shared key 
apr/27 02:55:30 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
apr/27 02:55:30 ipsec,debug Compared: Local:Peer 
apr/27 02:55:30 ipsec,debug (lifetime = 86400:86400) 
apr/27 02:55:30 ipsec,debug (lifebyte = 0:0) 
apr/27 02:55:30 ipsec,debug enctype = AES-CBC:AES-CBC 
apr/27 02:55:30 ipsec,debug (encklen = 256:128) 
apr/27 02:55:30 ipsec,debug hashtype = SHA:SHA 
apr/27 02:55:30 ipsec,debug authmethod = pre-shared key:pre-shared key 
apr/27 02:55:30 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
apr/27 02:55:30 ipsec,debug Compared: Local:Peer 
apr/27 02:55:30 ipsec,debug (lifetime = 86400:86400) 
apr/27 02:55:30 ipsec,debug (lifebyte = 0:0) 
apr/27 02:55:30 ipsec,debug enctype = AES-CBC:AES-CBC 
apr/27 02:55:30 ipsec,debug (encklen = 192:128) 
apr/27 02:55:30 ipsec,debug hashtype = SHA:SHA 
apr/27 02:55:30 ipsec,debug authmethod = pre-shared key:pre-shared key 
apr/27 02:55:30 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
apr/27 02:55:30 ipsec,debug Compared: Local:Peer 
apr/27 02:55:30 ipsec,debug (lifetime = 86400:86400) 
apr/27 02:55:30 ipsec,debug (lifebyte = 0:0) 
apr/27 02:55:30 ipsec,debug enctype = AES-CBC:AES-CBC 
apr/27 02:55:30 ipsec,debug (encklen = 192:128) 
apr/27 02:55:30 ipsec,debug hashtype = SHA:SHA 
apr/27 02:55:30 ipsec,debug authmethod = pre-shared key:pre-shared key 
apr/27 02:55:30 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group 
apr/27 02:55:30 ipsec,debug Compared: Local:Peer 
apr/27 02:55:30 ipsec,debug (lifetime = 86400:86400) 
apr/27 02:55:30 ipsec,debug (lifebyte = 0:0) 
apr/27 02:55:30 ipsec,debug enctype = AES-CBC:AES-CBC 
apr/27 02:55:30 ipsec,debug (encklen = 128:128) 
apr/27 02:55:30 ipsec,debug hashtype = SHA:SHA 
apr/27 02:55:30 ipsec,debug authmethod = pre-shared key:pre-shared key 
apr/27 02:55:30 ipsec,debug dh_group = 2048-bit MODP group:2048-bit MODP group 
apr/27 02:55:30 ipsec,debug an acceptable proposal found. 
apr/27 02:55:30 ipsec,debug dh(modp2048) 
apr/27 02:55:30 ipsec,debug agreed on pre-shared key auth. 
apr/27 02:55:30 ipsec,debug === 
apr/27 02:55:30 ipsec,debug dh(modp2048) 
apr/27 02:55:30 ipsec,debug compute DH's private. 
apr/27 02:55:30 ipsec,debug 72c4b95d 6ff0945b 2f680a0b 79a99356 9e63a842 7bcc046c f9cd9196 50c7d837 
apr/27 02:55:30 ipsec,debug f3dd15c6 3ba0990c 89e51864 6a6f4f51 ecc697ca c1c97b8c bad9a2f5 9d8709d6 
apr/27 02:55:30 ipsec,debug d80b9d10 e3b52b39 5838645f 8ef2cea6 06c6048e 74ba2165 024db798 895b7063 
apr/27 02:55:30 ipsec,debug 17b82e9b 0ce18bfd 60ab083f ba127b6a d592bfd3 79b3c8c3 2c947a8c 92611df1 
apr/27 02:55:30 ipsec,debug 3dd1fc3c 6b5184e7 eaae6b1d 3c31d970 ff26a192 d47e678b 60038bf5 f993aa3e 
apr/27 02:55:30 ipsec,debug 0a08713c bfa67f07 09cc9019 d627e6d0 294a46a0 222be640 d8911ff8 d78095f8 
apr/27 02:55:30 ipsec,debug 0e3972ed 69a143e3 a31e350f e1fbc477 dc22389d f5ba3dfe c110e2c8 22d66c4e 
apr/27 02:55:30 ipsec,debug cc96835c 7fb6bb6b 641ce7a1 dc04eaa3 49b96110 801565e1 d119139a 25f3de93 
apr/27 02:55:30 ipsec,debug compute DH's public. 
apr/27 02:55:30 ipsec,debug ffca915a 218a7872 2b3c4aa9 71f7f442 ddba4b84 a253872c ed1387ca 8530f872 
apr/27 02:55:30 ipsec,debug 0cb64456 0ac1e9e4 2da0b69e 77cd7f46 7f0a1f92 fbcf0b6e ed086aa0 5f04d5b6 
apr/27 02:55:30 ipsec,debug dc91849b a579d608 f43d427a 76f8e29f 93328cc6 a8d2f70c 25a505b1 08a9eb7f 
apr/27 02:55:30 ipsec,debug eef1dd22 8421758b 4fef43db 67e565a2 89929490 f584e729 75bd72db 6c642043 
apr/27 02:55:30 ipsec,debug 08edabbe e87779a6 3d8e7998 9872401d c21c1ce9 c7c4257f a34bee0e a9e79136 
apr/27 02:55:30 ipsec,debug 06e6dc9a 5bf92e74 37b7feea d76500aa 62317cf2 87db17a0 eec46960 f5efd884 
apr/27 02:55:30 ipsec,debug 9d1e636d 1e55af35 1e05e063 38c042ef 18f78f3b 228bbf95 394ef79b 38c7f0ee 
apr/27 02:55:30 ipsec,debug 27d3597f 702e85f5 7520f96d 5a5a2b48 5a69e601 0c2e7c3f 21bcb2d2 f6e42a1b 
apr/27 02:55:30 ipsec 104.156.228.68 Hashing 104.156.228.68[500] with algo #2  
apr/27 02:55:30 ipsec,debug hash(sha1) 
apr/27 02:55:30 ipsec 125.236.209.127 Hashing 125.236.209.127[500] with algo #2  
apr/27 02:55:30 ipsec,debug hash(sha1) 
apr/27 02:55:30 ipsec Adding remote and local NAT-D payloads. 
apr/27 02:55:30 ipsec,debug add payload of len 256, next type 10 
apr/27 02:55:30 ipsec,debug add payload of len 24, next type 20 
apr/27 02:55:30 ipsec,debug add payload of len 20, next type 20 
apr/27 02:55:30 ipsec,debug add payload of len 20, next type 0 
apr/27 02:55:30 ipsec,debug 364 bytes from 125.236.209.127[500] to 104.156.228.68[500] 
apr/27 02:55:30 ipsec,debug 1 times of 364 bytes message will be sent to 104.156.228.68[500] 
apr/27 02:55:30 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 04100200 00000000 0000016c 0a000104 
apr/27 02:55:30 ipsec,debug,packet ffca915a 218a7872 2b3c4aa9 71f7f442 ddba4b84 a253872c ed1387ca 8530f872 
apr/27 02:55:30 ipsec,debug,packet 0cb64456 0ac1e9e4 2da0b69e 77cd7f46 7f0a1f92 fbcf0b6e ed086aa0 5f04d5b6 
apr/27 02:55:30 ipsec,debug,packet dc91849b a579d608 f43d427a 76f8e29f 93328cc6 a8d2f70c 25a505b1 08a9eb7f 
apr/27 02:55:30 ipsec,debug,packet eef1dd22 8421758b 4fef43db 67e565a2 89929490 f584e729 75bd72db 6c642043 
apr/27 02:55:30 ipsec,debug,packet 08edabbe e87779a6 3d8e7998 9872401d c21c1ce9 c7c4257f a34bee0e a9e79136 
apr/27 02:55:30 ipsec,debug,packet 06e6dc9a 5bf92e74 37b7feea d76500aa 62317cf2 87db17a0 eec46960 f5efd884 
apr/27 02:55:30 ipsec,debug,packet 9d1e636d 1e55af35 1e05e063 38c042ef 18f78f3b 228bbf95 394ef79b 38c7f0ee 
apr/27 02:55:30 ipsec,debug,packet 27d3597f 702e85f5 7520f96d 5a5a2b48 5a69e601 0c2e7c3f 21bcb2d2 f6e42a1b 
apr/27 02:55:30 ipsec,debug,packet 1400001c 954b46ee df030af1 e2983968 33fc4dbd 1af27851 fc232322 14000018 
apr/27 02:55:30 ipsec,debug,packet a7a72585 11e15b13 58cc43bc 69ac3b4f 4f431c8d 00000018 361ffc91 885facad 
apr/27 02:55:30 ipsec,debug,packet e672be59 8aa448f5 6d8688fa 
apr/27 02:55:30 ipsec sent phase1 packet 125.236.209.127[500]<=>104.156.228.68[500] 1aaa1519890d78c0:7571902d5bbe0545 
apr/27 02:55:30 ipsec,debug ===== received 372 bytes from 104.156.228.68[500] to 125.236.209.127[500] 
apr/27 02:55:30 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 04100200 00000000 00000174 0a000104 
apr/27 02:55:30 ipsec,debug,packet 58e727e6 56223daf 2ea2a45e b3730975 fbbf9bd4 1ce8c9b1 19e69f39 a5946b7c 
apr/27 02:55:30 ipsec,debug,packet d008e27f e8fae69c 20f8cf91 5a8fb4a0 10bbf8f8 0b24c35b ad32ae1e e1e0a002 
apr/27 02:55:30 ipsec,debug,packet 6bd93d31 9ab2bf7f 3f258746 523624da 0be50036 ca2d547b 2db45a9c 671b0eaf 
apr/27 02:55:30 ipsec,debug,packet e1aaa835 d9e424cf 566c62e8 7fc5aad3 782f8527 2f801e33 3082f13e 1c801dff 
apr/27 02:55:30 ipsec,debug,packet 1a2bab1a fb1de164 3ec7e556 dee3d014 063fc45d 87076a75 27d9e8b8 a070c66f 
apr/27 02:55:30 ipsec,debug,packet 5ca4ef36 556b0458 e52cf7a7 d374b3e5 b3826f11 69f3c7d7 627e8cd5 565c5feb 
apr/27 02:55:30 ipsec,debug,packet 04707d2a 9e64508a 4b205699 a78b09f0 04372641 71fbe680 e18e4507 55812816 
apr/27 02:55:30 ipsec,debug,packet 67c9ce73 e8d91a21 7fda559d 67d0dd2d 0e994cd8 57748800 d6323a42 42064e10 
apr/27 02:55:30 ipsec,debug,packet 14000024 93e2f39d b3df7478 3c8ef094 891437b6 267f2d5d b04a7947 d80012c8 
apr/27 02:55:30 ipsec,debug,packet 3c52a5bb 14000018 361ffc91 885facad e672be59 8aa448f5 6d8688fa 00000018 
apr/27 02:55:30 ipsec,debug,packet a7a72585 11e15b13 58cc43bc 69ac3b4f 4f431c8d 
apr/27 02:55:30 ipsec,debug begin. 
apr/27 02:55:30 ipsec,debug seen nptype=4(ke) len=260 
apr/27 02:55:30 ipsec,debug seen nptype=10(nonce) len=36 
apr/27 02:55:30 ipsec,debug seen nptype=20(nat-d) len=24 
apr/27 02:55:30 ipsec,debug seen nptype=20(nat-d) len=24 
apr/27 02:55:30 ipsec,debug succeed. 
apr/27 02:55:30 ipsec 125.236.209.127 Hashing 125.236.209.127[500] with algo #2  
apr/27 02:55:30 ipsec,debug hash(sha1) 
apr/27 02:55:30 ipsec NAT-D payload #0 verified 
apr/27 02:55:30 ipsec 104.156.228.68 Hashing 104.156.228.68[500] with algo #2  
apr/27 02:55:30 ipsec,debug hash(sha1) 
apr/27 02:55:30 ipsec NAT-D payload #1 verified 
apr/27 02:55:30 ipsec NAT not detected  
apr/27 02:55:30 ipsec,debug === 
apr/27 02:55:30 ipsec,debug dh(modp2048) 
apr/27 02:55:31 l2tp,debug,packet sent control message to 104.156.228.68:1701 from 0.0.0.0:1701 
apr/27 02:55:31 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
apr/27 02:55:31 l2tp,debug,packet     (M) Message-Type=SCCRQ 
apr/27 02:55:31 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
apr/27 02:55:31 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
apr/27 02:55:31 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
apr/27 02:55:31 l2tp,debug,packet     Firmware-Revision=0x1 
apr/27 02:55:31 l2tp,debug,packet     (M) Host-Name="fw1" 
apr/27 02:55:31 l2tp,debug,packet     Vendor-Name="MikroTik" 
apr/27 02:55:31 l2tp,debug,packet     (M) Assigned-Tunnel-ID=16 
apr/27 02:55:31 l2tp,debug,packet     (M) Receive-Window-Size=4 
apr/27 02:55:31 ipsec,debug compute DH's shared. 
apr/27 02:55:31 ipsec,debug 
apr/27 02:55:31 ipsec,debug a6069ac6 3c9671b0 61147b73 00c4aeba f26e121e c39b88e3 36f6b290 3867dd36 
apr/27 02:55:31 ipsec,debug d789f8e0 00ed2613 28d10efb 2db2cbf9 98dc6111 19fdee1e 0fbeebfa bbc8a547 
apr/27 02:55:31 ipsec,debug e5bea153 caa3043e ce516c90 d89e6f09 1a4a6f1e 95560a90 5c7627fc fc8b9ba2 
apr/27 02:55:31 ipsec,debug 983726d4 b82150db 4d87c4dc 1da8b61a a283650c 1032a724 b498fcd0 09a4ca07 
apr/27 02:55:31 ipsec,debug 280751ff 47fea465 bf7f5981 085e20e6 9f9b6e10 6b8d310c 24587e4e b941a26f 
apr/27 02:55:31 ipsec,debug a76db0b7 cece57fd a25e962a 0ae49d52 90bfa7df 2f265c21 b2ea8cb7 3522dee4 
apr/27 02:55:31 ipsec,debug bb44f076 c2ceac51 aa883630 2191c12c 59427c29 387ed6ee b8bfb76b 8ddfb86b 
apr/27 02:55:31 ipsec,debug 92c7704a 96df8868 c677a8c5 848a436c e68800df 86af726f b7bb9c48 b8bf29d2 
apr/27 02:55:31 ipsec,debug nonce 1:  
apr/27 02:55:31 ipsec,debug 954b46ee df030af1 e2983968 33fc4dbd 1af27851 fc232322 
apr/27 02:55:31 ipsec,debug nonce 2:  
apr/27 02:55:31 ipsec,debug 93e2f39d b3df7478 3c8ef094 891437b6 267f2d5d b04a7947 d80012c8 3c52a5bb 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug SKEYID computed: 
apr/27 02:55:31 ipsec,debug 895af916 e88e2290 b69efda3 102845f2 8e177392 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug SKEYID_d computed: 
apr/27 02:55:31 ipsec,debug 4b10fd4c 44a6ae30 e180d424 eae7224b 80670690 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug SKEYID_a computed: 
apr/27 02:55:31 ipsec,debug 6b924e95 ab7b83b5 9fedae38 586c0d49 0a0a0f45 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug SKEYID_e computed: 
apr/27 02:55:31 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 5fda7176 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug hash(sha1) 
apr/27 02:55:31 ipsec,debug final encryption key computed: 
apr/27 02:55:31 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:31 ipsec,debug hash(sha1) 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug IV computed: 
apr/27 02:55:31 ipsec,debug 72de06f1 51af6f69 6452c18b 0d0ba815 
apr/27 02:55:31 ipsec,debug use ID type of IPv4_address 
apr/27 02:55:31 ipsec,debug HASH with: 
apr/27 02:55:31 ipsec,debug ffca915a 218a7872 2b3c4aa9 71f7f442 ddba4b84 a253872c ed1387ca 8530f872 
apr/27 02:55:31 ipsec,debug 0cb64456 0ac1e9e4 2da0b69e 77cd7f46 7f0a1f92 fbcf0b6e ed086aa0 5f04d5b6 
apr/27 02:55:31 ipsec,debug dc91849b a579d608 f43d427a 76f8e29f 93328cc6 a8d2f70c 25a505b1 08a9eb7f 
apr/27 02:55:31 ipsec,debug eef1dd22 8421758b 4fef43db 67e565a2 89929490 f584e729 75bd72db 6c642043 
apr/27 02:55:31 ipsec,debug 08edabbe e87779a6 3d8e7998 9872401d c21c1ce9 c7c4257f a34bee0e a9e79136 
apr/27 02:55:31 ipsec,debug 06e6dc9a 5bf92e74 37b7feea d76500aa 62317cf2 87db17a0 eec46960 f5efd884 
apr/27 02:55:31 ipsec,debug 9d1e636d 1e55af35 1e05e063 38c042ef 18f78f3b 228bbf95 394ef79b 38c7f0ee 
apr/27 02:55:31 ipsec,debug 27d3597f 702e85f5 7520f96d 5a5a2b48 5a69e601 0c2e7c3f 21bcb2d2 f6e42a1b 
apr/27 02:55:31 ipsec,debug 58e727e6 56223daf 2ea2a45e b3730975 fbbf9bd4 1ce8c9b1 19e69f39 a5946b7c 
apr/27 02:55:31 ipsec,debug d008e27f e8fae69c 20f8cf91 5a8fb4a0 10bbf8f8 0b24c35b ad32ae1e e1e0a002 
apr/27 02:55:31 ipsec,debug 6bd93d31 9ab2bf7f 3f258746 523624da 0be50036 ca2d547b 2db45a9c 671b0eaf 
apr/27 02:55:31 ipsec,debug e1aaa835 d9e424cf 566c62e8 7fc5aad3 782f8527 2f801e33 3082f13e 1c801dff 
apr/27 02:55:31 ipsec,debug 1a2bab1a fb1de164 3ec7e556 dee3d014 063fc45d 87076a75 27d9e8b8 a070c66f 
apr/27 02:55:31 ipsec,debug 5ca4ef36 556b0458 e52cf7a7 d374b3e5 b3826f11 69f3c7d7 627e8cd5 565c5feb 
apr/27 02:55:31 ipsec,debug 04707d2a 9e64508a 4b205699 a78b09f0 04372641 71fbe680 e18e4507 55812816 
apr/27 02:55:31 ipsec,debug 67c9ce73 e8d91a21 7fda559d 67d0dd2d 0e994cd8 57748800 d6323a42 42064e10 
apr/27 02:55:31 ipsec,debug 1aaa1519 890d78c0 7571902d 5bbe0545 00000001 00000001 00000140 01010008 
apr/27 02:55:31 ipsec,debug 03000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 
apr/27 02:55:31 ipsec,debug 80020002 8004000e 03000028 02010000 800b0001 000c0004 00015180 80010007 
apr/27 02:55:31 ipsec,debug 800e0100 80030001 80020002 80040002 03000028 03010000 800b0001 000c0004 
apr/27 02:55:31 ipsec,debug 00015180 80010007 800e00c0 80030001 80020002 8004000e 03000028 04010000 
apr/27 02:55:31 ipsec,debug 800b0001 000c0004 00015180 80010007 800e00c0 80030001 80020002 80040002 
apr/27 02:55:31 ipsec,debug 03000028 05010000 800b0001 000c0004 00015180 80010007 800e0080 80030001 
apr/27 02:55:31 ipsec,debug 80020002 8004000e 03000028 06010000 800b0001 000c0004 00015180 80010007 
apr/27 02:55:31 ipsec,debug 800e0080 80030001 80020002 80040002 03000024 07010000 800b0001 000c0004 
apr/27 02:55:31 ipsec,debug 00015180 80010005 80030001 80020002 8004000e 00000024 08010000 800b0001 
apr/27 02:55:31 ipsec,debug 000c0004 00015180 80010005 80030001 80020002 80040002 011101f4 7decd17f 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug HASH computed: 
apr/27 02:55:31 ipsec,debug af24eb22 12afe89a 2cf5db61 53720d6b 4bbe4e9b 
apr/27 02:55:31 ipsec,debug add payload of len 8, next type 8 
apr/27 02:55:31 ipsec,debug add payload of len 20, next type 0 
apr/27 02:55:31 ipsec,debug begin encryption. 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug pad length = 12 
apr/27 02:55:31 ipsec,debug 0800000c 011101f4 7decd17f 00000018 af24eb22 12afe89a 2cf5db61 53720d6b 
apr/27 02:55:31 ipsec,debug 4bbe4e9b b40c0ea7 b1128b6e ec80910b 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug with key: 
apr/27 02:55:31 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:31 ipsec,debug encrypted payload by IV: 
apr/27 02:55:31 ipsec,debug 72de06f1 51af6f69 6452c18b 0d0ba815 
apr/27 02:55:31 ipsec,debug save IV for next: 
apr/27 02:55:31 ipsec,debug a70a3080 c1f54f5d ed432a6a 97303efd 
apr/27 02:55:31 ipsec,debug encrypted. 
apr/27 02:55:31 ipsec,debug 76 bytes from 125.236.209.127[500] to 104.156.228.68[500] 
apr/27 02:55:31 ipsec,debug 1 times of 76 bytes message will be sent to 104.156.228.68[500] 
apr/27 02:55:31 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 05100201 00000000 0000004c 3a5e066a 
apr/27 02:55:31 ipsec,debug,packet a1e974fd 3781ecd3 0a92f6b9 e9ddb419 7b18e514 ebdb8462 2015ec25 a70a3080 
apr/27 02:55:31 ipsec,debug,packet c1f54f5d ed432a6a 97303efd 
apr/27 02:55:31 ipsec sent phase1 packet 125.236.209.127[500]<=>104.156.228.68[500] 1aaa1519890d78c0:7571902d5bbe0545 
apr/27 02:55:31 ipsec,debug ===== received 76 bytes from 104.156.228.68[500] to 125.236.209.127[500] 
apr/27 02:55:31 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 05100201 00000000 0000004c 840da28e 
apr/27 02:55:31 ipsec,debug,packet 9757e97b 138a32e9 32c44a70 a9740140 18b9ee62 1c0e4edb 67848104 c3bf95a0 
apr/27 02:55:31 ipsec,debug,packet cd8441af 854cc8d8 9a58f1e5 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug IV was saved for next processing: 
apr/27 02:55:31 ipsec,debug c3bf95a0 cd8441af 854cc8d8 9a58f1e5 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug with key: 
apr/27 02:55:31 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:31 ipsec,debug decrypted payload by IV: 
apr/27 02:55:31 ipsec,debug a70a3080 c1f54f5d ed432a6a 97303efd 
apr/27 02:55:31 ipsec,debug decrypted payload, but not trimed. 
apr/27 02:55:31 ipsec,debug 0800000c 01000000 689ce444 00000018 50f499db 034dd3bd 54563db8 48c92079 
apr/27 02:55:31 ipsec,debug f5d448bc 00000000 00000000 00000000 
apr/27 02:55:31 ipsec,debug padding len=1 
apr/27 02:55:31 ipsec,debug skip to trim padding. 
apr/27 02:55:31 ipsec,debug decrypted. 
apr/27 02:55:31 ipsec,debug 1aaa1519 890d78c0 7571902d 5bbe0545 05100201 00000000 0000004c 0800000c 
apr/27 02:55:31 ipsec,debug 01000000 689ce444 00000018 50f499db 034dd3bd 54563db8 48c92079 f5d448bc 
apr/27 02:55:31 ipsec,debug 00000000 00000000 00000000 
apr/27 02:55:31 ipsec,debug begin. 
apr/27 02:55:31 ipsec,debug seen nptype=5(id) len=12 
apr/27 02:55:31 ipsec,debug seen nptype=8(hash) len=24 
apr/27 02:55:31 ipsec,debug succeed. 
apr/27 02:55:31 ipsec,debug HASH received: 
apr/27 02:55:31 ipsec,debug 50f499db 034dd3bd 54563db8 48c92079 f5d448bc 
apr/27 02:55:31 ipsec,debug HASH with: 
apr/27 02:55:31 ipsec,debug 58e727e6 56223daf 2ea2a45e b3730975 fbbf9bd4 1ce8c9b1 19e69f39 a5946b7c 
apr/27 02:55:31 ipsec,debug d008e27f e8fae69c 20f8cf91 5a8fb4a0 10bbf8f8 0b24c35b ad32ae1e e1e0a002 
apr/27 02:55:31 ipsec,debug 6bd93d31 9ab2bf7f 3f258746 523624da 0be50036 ca2d547b 2db45a9c 671b0eaf 
apr/27 02:55:31 ipsec,debug e1aaa835 d9e424cf 566c62e8 7fc5aad3 782f8527 2f801e33 3082f13e 1c801dff 
apr/27 02:55:31 ipsec,debug 1a2bab1a fb1de164 3ec7e556 dee3d014 063fc45d 87076a75 27d9e8b8 a070c66f 
apr/27 02:55:31 ipsec,debug 5ca4ef36 556b0458 e52cf7a7 d374b3e5 b3826f11 69f3c7d7 627e8cd5 565c5feb 
apr/27 02:55:31 ipsec,debug 04707d2a 9e64508a 4b205699 a78b09f0 04372641 71fbe680 e18e4507 55812816 
apr/27 02:55:31 ipsec,debug 67c9ce73 e8d91a21 7fda559d 67d0dd2d 0e994cd8 57748800 d6323a42 42064e10 
apr/27 02:55:31 ipsec,debug ffca915a 218a7872 2b3c4aa9 71f7f442 ddba4b84 a253872c ed1387ca 8530f872 
apr/27 02:55:31 ipsec,debug 0cb64456 0ac1e9e4 2da0b69e 77cd7f46 7f0a1f92 fbcf0b6e ed086aa0 5f04d5b6 
apr/27 02:55:31 ipsec,debug dc91849b a579d608 f43d427a 76f8e29f 93328cc6 a8d2f70c 25a505b1 08a9eb7f 
apr/27 02:55:31 ipsec,debug eef1dd22 8421758b 4fef43db 67e565a2 89929490 f584e729 75bd72db 6c642043 
apr/27 02:55:31 ipsec,debug 08edabbe e87779a6 3d8e7998 9872401d c21c1ce9 c7c4257f a34bee0e a9e79136 
apr/27 02:55:31 ipsec,debug 06e6dc9a 5bf92e74 37b7feea d76500aa 62317cf2 87db17a0 eec46960 f5efd884 
apr/27 02:55:31 ipsec,debug 9d1e636d 1e55af35 1e05e063 38c042ef 18f78f3b 228bbf95 394ef79b 38c7f0ee 
apr/27 02:55:31 ipsec,debug 27d3597f 702e85f5 7520f96d 5a5a2b48 5a69e601 0c2e7c3f 21bcb2d2 f6e42a1b 
apr/27 02:55:31 ipsec,debug 7571902d 5bbe0545 1aaa1519 890d78c0 00000001 00000001 00000140 01010008 
apr/27 02:55:31 ipsec,debug 03000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 
apr/27 02:55:31 ipsec,debug 80020002 8004000e 03000028 02010000 800b0001 000c0004 00015180 80010007 
apr/27 02:55:31 ipsec,debug 800e0100 80030001 80020002 80040002 03000028 03010000 800b0001 000c0004 
apr/27 02:55:31 ipsec,debug 00015180 80010007 800e00c0 80030001 80020002 8004000e 03000028 04010000 
apr/27 02:55:31 ipsec,debug 800b0001 000c0004 00015180 80010007 800e00c0 80030001 80020002 80040002 
apr/27 02:55:31 ipsec,debug 03000028 05010000 800b0001 000c0004 00015180 80010007 800e0080 80030001 
apr/27 02:55:31 ipsec,debug 80020002 8004000e 03000028 06010000 800b0001 000c0004 00015180 80010007 
apr/27 02:55:31 ipsec,debug 800e0080 80030001 80020002 80040002 03000024 07010000 800b0001 000c0004 
apr/27 02:55:31 ipsec,debug 00015180 80010005 80030001 80020002 8004000e 00000024 08010000 800b0001 
apr/27 02:55:31 ipsec,debug 000c0004 00015180 80010005 80030001 80020002 80040002 01000000 689ce444 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug HASH computed: 
apr/27 02:55:31 ipsec,debug 50f499db 034dd3bd 54563db8 48c92079 f5d448bc 
apr/27 02:55:31 ipsec,debug HASH for PSK validated. 
apr/27 02:55:31 ipsec,debug 104.156.228.68 peer's ID: 
apr/27 02:55:31 ipsec,debug 01000000 689ce444 
apr/27 02:55:31 ipsec,debug === 
apr/27 02:55:31 ipsec,debug compute IV for phase2 
apr/27 02:55:31 ipsec,debug phase1 last IV: 
apr/27 02:55:31 ipsec,debug c3bf95a0 cd8441af 854cc8d8 9a58f1e5 b8846294 
apr/27 02:55:31 ipsec,debug hash(sha1) 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug phase2 IV computed: 
apr/27 02:55:31 ipsec,debug f01fab48 eafe365d 0a9639fb da152584 
apr/27 02:55:31 ipsec,debug HASH with: 
apr/27 02:55:31 ipsec,debug b8846294 0000001c 00000001 01106002 1aaa1519 890d78c0 7571902d 5bbe0545 
apr/27 02:55:31 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:31 ipsec,debug HASH computed: 
apr/27 02:55:31 ipsec,debug d5a75f57 78be2fd8 f9c60aa1 dba9afd3 7d991587 
apr/27 02:55:31 ipsec,debug begin encryption. 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug pad length = 12 
apr/27 02:55:31 ipsec,debug 0b000018 d5a75f57 78be2fd8 f9c60aa1 dba9afd3 7d991587 0000001c 00000001 
apr/27 02:55:31 ipsec,debug 01106002 1aaa1519 890d78c0 7571902d 5bbe0545 3b8a928e b58dac85 d004f60b 
apr/27 02:55:31 ipsec,debug encryption(aes) 
apr/27 02:55:31 ipsec,debug with key: 
apr/27 02:55:31 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:31 ipsec,debug encrypted payload by IV: 
apr/27 02:55:31 ipsec,debug f01fab48 eafe365d 0a9639fb da152584 
apr/27 02:55:31 ipsec,debug save IV for next: 
apr/27 02:55:31 ipsec,debug b0cecd57 2bae1c49 225001f9 a878aafc 
apr/27 02:55:31 ipsec,debug encrypted. 
apr/27 02:55:31 ipsec,debug 92 bytes from 125.236.209.127[500] to 104.156.228.68[500] 
apr/27 02:55:31 ipsec,debug 1 times of 92 bytes message will be sent to 104.156.228.68[500] 
apr/27 02:55:31 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 08100501 b8846294 0000005c 5a592ace 
apr/27 02:55:31 ipsec,debug,packet 63744bac eefe39dd 6f709911 5fbe7b34 a114aa1d 1f4f6776 4f79c3f7 d7487834 
apr/27 02:55:31 ipsec,debug,packet 4e10b7fc beb8bb2a f576362c b0cecd57 2bae1c49 225001f9 a878aafc 
apr/27 02:55:31 ipsec,debug sendto Information notify. 
apr/27 02:55:31 ipsec,info ISAKMP-SA established 125.236.209.127[500]-104.156.228.68[500] spi:1aaa1519890d78c0:7571902d5bbe0545 
apr/27 02:55:31 ipsec,debug === 
apr/27 02:55:32 l2tp,debug,packet sent control message to 104.156.228.68:1701 from 0.0.0.0:1701 
apr/27 02:55:32 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
apr/27 02:55:32 l2tp,debug,packet     (M) Message-Type=SCCRQ 
apr/27 02:55:32 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
apr/27 02:55:32 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
apr/27 02:55:32 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
apr/27 02:55:32 l2tp,debug,packet     Firmware-Revision=0x1 
apr/27 02:55:32 l2tp,debug,packet     (M) Host-Name="fw1" 
apr/27 02:55:32 l2tp,debug,packet     Vendor-Name="MikroTik" 
apr/27 02:55:32 l2tp,debug,packet     (M) Assigned-Tunnel-ID=16 
apr/27 02:55:32 l2tp,debug,packet     (M) Receive-Window-Size=4 
apr/27 02:55:32 ipsec,debug === 
apr/27 02:55:32 ipsec,debug begin QUICK mode. 
apr/27 02:55:32 ipsec initiate new phase 2 negotiation: 125.236.209.127[500]<=>104.156.228.68[500] 
apr/27 02:55:32 ipsec,debug compute IV for phase2 
apr/27 02:55:32 ipsec,debug phase1 last IV: 
apr/27 02:55:32 ipsec,debug c3bf95a0 cd8441af 854cc8d8 9a58f1e5 e19c8eb2 
apr/27 02:55:32 ipsec,debug hash(sha1) 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug phase2 IV computed: 
apr/27 02:55:32 ipsec,debug f75772b5 aef1324b 57cc44fe 3d5f2bec 
apr/27 02:55:32 ipsec,debug call pfkey_send_getspi 599 
apr/27 02:55:32 ipsec,debug pfkey GETSPI sent: ESP/Transport 104.156.228.68[500]->125.236.209.127[500]  
apr/27 02:55:32 ipsec,debug pfkey getspi sent. 
apr/27 02:55:32 ipsec,debug use local ID type IPv4_address 
apr/27 02:55:32 ipsec,debug use remote ID type IPv4_address 
apr/27 02:55:32 ipsec,debug IDci: 
apr/27 02:55:32 ipsec,debug 011106a5 7decd17f 
apr/27 02:55:32 ipsec,debug IDcr: 
apr/27 02:55:32 ipsec,debug 011106a5 689ce444 
apr/27 02:55:32 ipsec,debug add payload of len 48, next type 10 
apr/27 02:55:32 ipsec,debug add payload of len 24, next type 5 
apr/27 02:55:32 ipsec,debug add payload of len 8, next type 5 
apr/27 02:55:32 ipsec,debug add payload of len 8, next type 0 
apr/27 02:55:32 ipsec,debug HASH with: 
apr/27 02:55:32 ipsec,debug e19c8eb2 0a000034 00000001 00000001 00000028 01030401 082d87c2 0000001c 
apr/27 02:55:32 ipsec,debug 010c0000 80010001 80020e10 80040002 80060080 80050002 0500001c c17f977c 
apr/27 02:55:32 ipsec,debug 78613f20 fc6d3766 416ab81b 86554f51 f8c255da 0500000c 011106a5 7decd17f 
apr/27 02:55:32 ipsec,debug 0000000c 011106a5 689ce444 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug HASH computed: 
apr/27 02:55:32 ipsec,debug 6301eb9b 032579a7 fd8f631f 28fb7428 999512d4 
apr/27 02:55:32 ipsec,debug add payload of len 20, next type 1 
apr/27 02:55:32 ipsec,debug begin encryption. 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug pad length = 16 
apr/27 02:55:32 ipsec,debug 01000018 6301eb9b 032579a7 fd8f631f 28fb7428 999512d4 0a000034 00000001 
apr/27 02:55:32 ipsec,debug 00000001 00000028 01030401 082d87c2 0000001c 010c0000 80010001 80020e10 
apr/27 02:55:32 ipsec,debug 80040002 80060080 80050002 0500001c c17f977c 78613f20 fc6d3766 416ab81b 
apr/27 02:55:32 ipsec,debug 86554f51 f8c255da 0500000c 011106a5 7decd17f 0000000c 011106a5 689ce444 
apr/27 02:55:32 ipsec,debug 3fc1acb7 8a0ee406 208c72cd cd2b300f 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug with key: 
apr/27 02:55:32 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:32 ipsec,debug encrypted payload by IV: 
apr/27 02:55:32 ipsec,debug f75772b5 aef1324b 57cc44fe 3d5f2bec 
apr/27 02:55:32 ipsec,debug save IV for next: 
apr/27 02:55:32 ipsec,debug a61f284f eeb2fa53 8da838d4 7a45cb5d 
apr/27 02:55:32 ipsec,debug encrypted. 
apr/27 02:55:32 ipsec,debug 172 bytes from 125.236.209.127[500] to 104.156.228.68[500] 
apr/27 02:55:32 ipsec,debug 1 times of 172 bytes message will be sent to 104.156.228.68[500] 
apr/27 02:55:32 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 08102001 e19c8eb2 000000ac 3eb31f39 
apr/27 02:55:32 ipsec,debug,packet e737ffde bb3911f0 abf5c44c 89977d10 6048880c 22953659 15ac31d2 293069b9 
apr/27 02:55:32 ipsec,debug,packet 2a4667f1 8ef591c0 10ae5ae6 c08bab24 b3169889 40fd3eda e8a2bed8 5f7069b1 
apr/27 02:55:32 ipsec,debug,packet 3054a525 e48e9b6d 6eb21d6f 5e82c2df 74d68ac2 363435a0 3c84392c efa4581c 
apr/27 02:55:32 ipsec,debug,packet 25a33171 431f48bc 55aca277 5b397f84 003c3552 12eb018f 97bbe350 a61f284f 
apr/27 02:55:32 ipsec,debug,packet eeb2fa53 8da838d4 7a45cb5d 
apr/27 02:55:32 ipsec sent phase2 packet 125.236.209.127[500]<=>104.156.228.68[500] 1aaa1519890d78c0:7571902d5bbe0545:e19c8eb2 
apr/27 02:55:32 ipsec,debug ===== received 172 bytes from 104.156.228.68[500] to 125.236.209.127[500] 
apr/27 02:55:32 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 08102001 e19c8eb2 000000ac ed9209ee 
apr/27 02:55:32 ipsec,debug,packet 96215e9d c4650685 48e9d7a6 32459bda 4bcd9d25 b955ec17 553c9a6a 906d894e 
apr/27 02:55:32 ipsec,debug,packet 3be7c6fa 8786568d c3801c78 bce1ed4b 1cd00405 94995e7c f2ff09bd 71975e77 
apr/27 02:55:32 ipsec,debug,packet 3dd74114 bdc3da44 4f555788 d43ceb87 27832121 0540a019 9dd64042 19d04670 
apr/27 02:55:32 ipsec,debug,packet 0953786b 67f8d2bd 2a2461ad 2dab4520 b5ea145e 91b0d6ce b14fb48d fe63d247 
apr/27 02:55:32 ipsec,debug,packet b66c1e33 b83723b0 ab095ca5 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug IV was saved for next processing: 
apr/27 02:55:32 ipsec,debug fe63d247 b66c1e33 b83723b0 ab095ca5 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug with key: 
apr/27 02:55:32 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:32 ipsec,debug decrypted payload by IV: 
apr/27 02:55:32 ipsec,debug a61f284f eeb2fa53 8da838d4 7a45cb5d 
apr/27 02:55:32 ipsec,debug decrypted payload, but not trimed. 
apr/27 02:55:32 ipsec,debug 01000018 9a2f4cd8 2271b4eb f86e6494 485cef10 12194f20 0a000034 00000001 
apr/27 02:55:32 ipsec,debug 00000001 00000028 01030401 cbc0ef1d 0000001c 010c0000 80060080 80050002 
apr/27 02:55:32 ipsec,debug 80040002 80010001 80020e10 05000024 3b6726bf f8523685 fb9d7b11 75e46f16 
apr/27 02:55:32 ipsec,debug c87fe698 b191d136 4d37be00 b23fef02 0500000c 011106a5 7decd17f 0000000c 
apr/27 02:55:32 ipsec,debug 011106a5 689ce444 00000000 00000000 
apr/27 02:55:32 ipsec,debug padding len=1 
apr/27 02:55:32 ipsec,debug skip to trim padding. 
apr/27 02:55:32 ipsec,debug decrypted. 
apr/27 02:55:32 ipsec,debug 1aaa1519 890d78c0 7571902d 5bbe0545 08102001 e19c8eb2 000000ac 01000018 
apr/27 02:55:32 ipsec,debug 9a2f4cd8 2271b4eb f86e6494 485cef10 12194f20 0a000034 00000001 00000001 
apr/27 02:55:32 ipsec,debug 00000028 01030401 cbc0ef1d 0000001c 010c0000 80060080 80050002 80040002 
apr/27 02:55:32 ipsec,debug 80010001 80020e10 05000024 3b6726bf f8523685 fb9d7b11 75e46f16 c87fe698 
apr/27 02:55:32 ipsec,debug b191d136 4d37be00 b23fef02 0500000c 011106a5 7decd17f 0000000c 011106a5 
apr/27 02:55:32 ipsec,debug 689ce444 00000000 00000000 
apr/27 02:55:32 ipsec,debug begin. 
apr/27 02:55:32 ipsec,debug seen nptype=8(hash) len=24 
apr/27 02:55:32 ipsec,debug seen nptype=1(sa) len=52 
apr/27 02:55:32 ipsec,debug seen nptype=10(nonce) len=36 
apr/27 02:55:32 ipsec,debug seen nptype=5(id) len=12 
apr/27 02:55:32 ipsec,debug seen nptype=5(id) len=12 
apr/27 02:55:32 ipsec,debug succeed. 
apr/27 02:55:32 ipsec,debug IDci matches proposal. 
apr/27 02:55:32 ipsec,debug IDcr matches proposal. 
apr/27 02:55:32 ipsec,debug HASH allocated:hbuf->l=168 actual:tlen=136 
apr/27 02:55:32 ipsec,debug HASH(2) received: 
apr/27 02:55:32 ipsec,debug 9a2f4cd8 2271b4eb f86e6494 485cef10 12194f20 
apr/27 02:55:32 ipsec,debug HASH with: 
apr/27 02:55:32 ipsec,debug e19c8eb2 c17f977c 78613f20 fc6d3766 416ab81b 86554f51 f8c255da 0a000034 
apr/27 02:55:32 ipsec,debug 00000001 00000001 00000028 01030401 cbc0ef1d 0000001c 010c0000 80060080 
apr/27 02:55:32 ipsec,debug 80050002 80040002 80010001 80020e10 05000024 3b6726bf f8523685 fb9d7b11 
apr/27 02:55:32 ipsec,debug 75e46f16 c87fe698 b191d136 4d37be00 b23fef02 0500000c 011106a5 7decd17f 
apr/27 02:55:32 ipsec,debug 0000000c 011106a5 689ce444 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug HASH computed: 
apr/27 02:55:32 ipsec,debug 9a2f4cd8 2271b4eb f86e6494 485cef10 12194f20 
apr/27 02:55:32 ipsec,debug total SA len=48 
apr/27 02:55:32 ipsec,debug 00000001 00000001 00000028 01030401 082d87c2 0000001c 010c0000 80010001 
apr/27 02:55:32 ipsec,debug 80020e10 80040002 80060080 80050002 
apr/27 02:55:32 ipsec,debug begin. 
apr/27 02:55:32 ipsec,debug seen nptype=2(prop) len=40 
apr/27 02:55:32 ipsec,debug succeed. 
apr/27 02:55:32 ipsec,debug proposal #1 len=40 
apr/27 02:55:32 ipsec,debug begin. 
apr/27 02:55:32 ipsec,debug seen nptype=3(trns) len=28 
apr/27 02:55:32 ipsec,debug succeed. 
apr/27 02:55:32 ipsec,debug transform #1 len=28 
apr/27 02:55:32 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
apr/27 02:55:32 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
apr/27 02:55:32 ipsec,debug life duration was in TLV. 
apr/27 02:55:32 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
apr/27 02:55:32 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
apr/27 02:55:32 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
apr/27 02:55:32 ipsec,debug pair 1: 
apr/27 02:55:32 ipsec,debug  0x490c68: next=(nil) tnext=(nil) 
apr/27 02:55:32 ipsec,debug proposal #1: 1 transform 
apr/27 02:55:32 ipsec,debug total SA len=48 
apr/27 02:55:32 ipsec,debug 00000001 00000001 00000028 01030401 cbc0ef1d 0000001c 010c0000 80060080 
apr/27 02:55:32 ipsec,debug 80050002 80040002 80010001 80020e10 
apr/27 02:55:32 ipsec,debug begin. 
apr/27 02:55:32 ipsec,debug seen nptype=2(prop) len=40 
apr/27 02:55:32 ipsec,debug succeed. 
apr/27 02:55:32 ipsec,debug proposal #1 len=40 
apr/27 02:55:32 ipsec,debug begin. 
apr/27 02:55:32 ipsec,debug seen nptype=3(trns) len=28 
apr/27 02:55:32 ipsec,debug succeed. 
apr/27 02:55:32 ipsec,debug transform #1 len=28 
apr/27 02:55:32 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
apr/27 02:55:32 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
apr/27 02:55:32 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
apr/27 02:55:32 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
apr/27 02:55:32 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
apr/27 02:55:32 ipsec,debug life duration was in TLV. 
apr/27 02:55:32 ipsec,debug pair 1: 
apr/27 02:55:32 ipsec,debug  0x4902d0: next=(nil) tnext=(nil) 
apr/27 02:55:32 ipsec,debug proposal #1: 1 transform 
apr/27 02:55:32 ipsec attribute has been modified. 
apr/27 02:55:32 ipsec,debug begin compare proposals. 
apr/27 02:55:32 ipsec,debug pair[1]: 0x4902d0 
apr/27 02:55:32 ipsec,debug  0x4902d0: next=(nil) tnext=(nil) 
apr/27 02:55:32 ipsec,debug prop#=1 prot-id=ESP spi-size=4 #trns=1 trns#=1 trns-id=AES-CBC 
apr/27 02:55:32 ipsec,debug type=Key Length, flag=0x8000, lorv=128 
apr/27 02:55:32 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
apr/27 02:55:32 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=Transport 
apr/27 02:55:32 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
apr/27 02:55:32 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=3600 
apr/27 02:55:32 ipsec,debug peer's single bundle: 
apr/27 02:55:32 ipsec,debug  (proto_id=ESP spisize=4 spi=cbc0ef1d spi_p=00000000 encmode=Transport reqid=0:0) 
apr/27 02:55:32 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
apr/27 02:55:32 ipsec,debug my single bundle: 
apr/27 02:55:32 ipsec,debug  (proto_id=ESP spisize=4 spi=082d87c2 spi_p=00000000 encmode=Transport reqid=0:0) 
apr/27 02:55:32 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
apr/27 02:55:32 ipsec,debug matched 
apr/27 02:55:32 ipsec,debug === 
apr/27 02:55:32 ipsec,debug HASH(3) generate 
apr/27 02:55:32 ipsec,debug HASH with:  
apr/27 02:55:32 ipsec,debug 00e19c8e b2c17f97 7c78613f 20fc6d37 66416ab8 1b86554f 51f8c255 da3b6726 
apr/27 02:55:32 ipsec,debug bff85236 85fb9d7b 1175e46f 16c87fe6 98b191d1 364d37be 00b23fef 02 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug HASH computed: 
apr/27 02:55:32 ipsec,debug ed475360 525883f3 afa85d55 d9a86ed5 4dae0fa7 
apr/27 02:55:32 ipsec,debug add payload of len 20, next type 0 
apr/27 02:55:32 ipsec,debug begin encryption. 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug pad length = 8 
apr/27 02:55:32 ipsec,debug 00000018 ed475360 525883f3 afa85d55 d9a86ed5 4dae0fa7 79eab5be 121b1b07 
apr/27 02:55:32 ipsec,debug encryption(aes) 
apr/27 02:55:32 ipsec,debug with key: 
apr/27 02:55:32 ipsec,debug 1c8fda6b 0edc1b61 0eac40f1 59676661 
apr/27 02:55:32 ipsec,debug encrypted payload by IV: 
apr/27 02:55:32 ipsec,debug fe63d247 b66c1e33 b83723b0 ab095ca5 
apr/27 02:55:32 ipsec,debug save IV for next: 
apr/27 02:55:32 ipsec,debug b978e83f 7f4d4621 bc2ad62a c78c5589 
apr/27 02:55:32 ipsec,debug encrypted. 
apr/27 02:55:32 ipsec,debug 60 bytes from 125.236.209.127[500] to 104.156.228.68[500] 
apr/27 02:55:32 ipsec,debug 1 times of 60 bytes message will be sent to 104.156.228.68[500] 
apr/27 02:55:32 ipsec,debug,packet 1aaa1519 890d78c0 7571902d 5bbe0545 08102001 e19c8eb2 0000003c bf67934f 
apr/27 02:55:32 ipsec,debug,packet 4ab578a6 d97c0490 d5e4c6c8 b978e83f 7f4d4621 bc2ad62a c78c5589 
apr/27 02:55:32 ipsec,debug KEYMAT compute with 
apr/27 02:55:32 ipsec,debug 03082d87 c2c17f97 7c78613f 20fc6d37 66416ab8 1b86554f 51f8c255 da3b6726 
apr/27 02:55:32 ipsec,debug bff85236 85fb9d7b 1175e46f 16c87fe6 98b191d1 364d37be 00b23fef 02 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug encryption(aes-cbc) 
apr/27 02:55:32 ipsec,debug hmac(sha1) 
apr/27 02:55:32 ipsec,debug encklen=128 authklen=160 
apr/27 02:55:32 ipsec,debug generating 480 bits of key (dupkeymat=3) 
apr/27 02:55:32 ipsec,debug generating K1...K3 for KEYMAT. 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug eff00a17 064199dd f2e8e01c afbdbe04 5206c510 845e4a4e 54124678 32740b3d 
apr/27 02:55:32 ipsec,debug aad29481 dc9bfc19 aeeb2f76 d8865ca7 82da3862 8a1d6b11 8f250b9d 
apr/27 02:55:32 ipsec,debug KEYMAT compute with 
apr/27 02:55:32 ipsec,debug 03cbc0ef 1dc17f97 7c78613f 20fc6d37 66416ab8 1b86554f 51f8c255 da3b6726 
apr/27 02:55:32 ipsec,debug bff85236 85fb9d7b 1175e46f 16c87fe6 98b191d1 364d37be 00b23fef 02 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug encryption(aes-cbc) 
apr/27 02:55:32 ipsec,debug hmac(sha1) 
apr/27 02:55:32 ipsec,debug encklen=128 authklen=160 
apr/27 02:55:32 ipsec,debug generating 480 bits of key (dupkeymat=3) 
apr/27 02:55:32 ipsec,debug generating K1...K3 for KEYMAT. 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug hmac(hmac_sha1) 
apr/27 02:55:32 ipsec,debug d346f241 027ca055 bf747e8b 7dbecec5 69431954 186d969f 48f3a11a 831f3f5c 
apr/27 02:55:32 ipsec,debug e982d595 5c34914b 29df536a 0f5d4af6 0f06370d 4865558e 34cf284b 
apr/27 02:55:32 ipsec,debug KEYMAT computed. 
apr/27 02:55:32 ipsec,debug call pk_sendupdate 
apr/27 02:55:32 ipsec,debug encryption(aes-cbc) 
apr/27 02:55:32 ipsec,debug hmac(sha1) 
apr/27 02:55:32 ipsec,debug call pfkey_send_update_nat 
apr/27 02:55:32 ipsec IPsec-SA established: ESP/Transport 104.156.228.68[500]->125.236.209.127[500] spi=0x82d87c2 
apr/27 02:55:32 ipsec,debug pfkey update sent. 
apr/27 02:55:32 ipsec,debug encryption(aes-cbc) 
apr/27 02:55:32 ipsec,debug hmac(sha1) 
apr/27 02:55:32 ipsec,debug call pfkey_send_add_nat 
apr/27 02:55:32 ipsec IPsec-SA established: ESP/Transport 125.236.209.127[500]->104.156.228.68[500] spi=0xcbc0ef1d 
apr/27 02:55:32 ipsec,debug pfkey add sent. 
apr/27 02:55:34 l2tp,debug,packet sent control message to 104.156.228.68:1701 from 0.0.0.0:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
apr/27 02:55:34 l2tp,debug,packet     (M) Message-Type=SCCRQ 
apr/27 02:55:34 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
apr/27 02:55:34 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
apr/27 02:55:34 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
apr/27 02:55:34 l2tp,debug,packet     Firmware-Revision=0x1 
apr/27 02:55:34 l2tp,debug,packet     (M) Host-Name="fw1" 
apr/27 02:55:34 l2tp,debug,packet     Vendor-Name="MikroTik" 
apr/27 02:55:34 l2tp,debug,packet     (M) Assigned-Tunnel-ID=16 
apr/27 02:55:34 l2tp,debug,packet     (M) Receive-Window-Size=4 
apr/27 02:55:34 l2tp,debug,packet rcvd control message from 104.156.228.68:1701 to 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=16, session-id=0, ns=0, nr=1 
apr/27 02:55:34 l2tp,debug,packet     (M) Message-Type=SCCRP 
apr/27 02:55:34 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
apr/27 02:55:34 l2tp,debug,packet     (M) Framing-Capabilities=0x3 
apr/27 02:55:34 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
apr/27 02:55:34 l2tp,debug,packet     Firmware-Revision=0x690 
apr/27 02:55:34 l2tp,debug,packet     (M) Host-Name="bjs3.londontrustmedia.com" 
apr/27 02:55:34 l2tp,debug,packet     Vendor-Name="xelerance.com" 
apr/27 02:55:34 l2tp,debug,packet     (M) Assigned-Tunnel-ID=51670 
apr/27 02:55:34 l2tp,debug,packet     (M) Receive-Window-Size=4 
apr/27 02:55:34 l2tp,debug tunnel 16 entering state: established 
apr/27 02:55:34 l2tp,debug,packet sent control message to 104.156.228.68:1701 from 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=51670, session-id=0, ns=1, nr=1 
apr/27 02:55:34 l2tp,debug,packet     (M) Message-Type=SCCCN 
apr/27 02:55:34 l2tp,debug session 1 entering state: wait-reply 
apr/27 02:55:34 l2tp,debug,packet rcvd control message (ack) from 104.156.228.68:1701 to 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=16, session-id=0, ns=1, nr=2 
apr/27 02:55:34 l2tp,debug,packet sent control message to 104.156.228.68:1701 from 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=51670, session-id=0, ns=2, nr=1 
apr/27 02:55:34 l2tp,debug,packet     (M) Message-Type=ICRQ 
apr/27 02:55:34 l2tp,debug,packet     (M) Assigned-Session-ID=1 
apr/27 02:55:34 l2tp,debug,packet     (M) Call-Serial-Number=14 
apr/27 02:55:34 l2tp,debug,packet     (M) Bearer-Type=0x0 
apr/27 02:55:34 l2tp,debug,packet rcvd control message from 104.156.228.68:1701 to 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=16, session-id=1, ns=1, nr=3 
apr/27 02:55:34 l2tp,debug,packet     (M) Message-Type=ICRP 
apr/27 02:55:34 l2tp,debug,packet     (M) Assigned-Session-ID=32488 
apr/27 02:55:34 l2tp,debug session 1 entering state: established 
apr/27 02:55:34 l2tp,debug,packet sent control message to 104.156.228.68:1701 from 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=51670, session-id=32488, ns=3, nr=2 
apr/27 02:55:34 l2tp,debug,packet     (M) Message-Type=ICCN 
apr/27 02:55:34 l2tp,debug,packet     (M) Framing-Type=0x1 
apr/27 02:55:34 l2tp,debug,packet     (M) Tx-Connect-Speed-BPS=100000000 
apr/27 02:55:34 l2tp,debug,packet rcvd control message (ack) from 104.156.228.68:1701 to 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=16, session-id=0, ns=2, nr=3 
apr/27 02:55:34 l2tp,debug,packet rcvd control message (ack) from 104.156.228.68:1701 to 125.236.209.127:1701 
apr/27 02:55:34 l2tp,debug,packet     tunnel-id=16, session-id=1, ns=2, nr=4 
apr/27 02:55:34 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: LCP lowerup 
apr/27 02:55:34 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: LCP open 
apr/27 02:55:34 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent LCP ConfReq id=0x27 
apr/27 02:55:34 l2tp,ppp,debug,packet    <mru 1410> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <magic 0x3761cf38> 
apr/27 02:55:34 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ConfReq id=0x1 
apr/27 02:55:34 l2tp,ppp,debug,packet    <mru 1410> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <asyncmap 0x0> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <magic 0xb7d81999> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <pcomp> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <accomp> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <auth  mschap2> 
apr/27 02:55:34 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent LCP ConfRej id=0x1 
apr/27 02:55:34 l2tp,ppp,debug,packet    <asyncmap 0x0> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <pcomp> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <accomp> 
apr/27 02:55:34 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ConfAck id=0x27 
apr/27 02:55:34 l2tp,ppp,debug,packet    <mru 1410> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <magic 0x3761cf38> 
apr/27 02:55:34 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ConfReq id=0x2 
apr/27 02:55:34 l2tp,ppp,debug,packet    <mru 1410> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <magic 0xb7d81999> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <auth  mschap2> 
apr/27 02:55:34 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent LCP ConfAck id=0x2 
apr/27 02:55:34 l2tp,ppp,debug,packet    <mru 1410> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <magic 0xb7d81999> 
apr/27 02:55:34 l2tp,ppp,debug,packet    <auth  mschap2> 
apr/27 02:55:34 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: LCP opened 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP EchoReq id=0x0 
apr/27 02:55:35 l2tp,ppp,debug,packet     <magic 0xb7d81999> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent LCP EchoRep id=0x0 
apr/27 02:55:35 l2tp,ppp,debug,packet     <magic 0x3761cf38> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd CHAP Challenge id=0xfe 
apr/27 02:55:35 l2tp,ppp,debug,packet     <challenge len=16> 
apr/27 02:55:35 l2tp,ppp,debug,packet     <name l2tpd> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent CHAP Response id=0xfe 
apr/27 02:55:35 l2tp,ppp,debug,packet     <response len=49> 
apr/27 02:55:35 l2tp,ppp,debug,packet     <name x0890276> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd CHAP Success id=0xfe 
apr/27 02:55:35 l2tp,ppp,debug,packet     S=F27C8A9F6AE545BF17A5A76B01E71D53C36390DB 
apr/27 02:55:35 l2tp,ppp,info l2tp-out-pia1_us-siliconvalley: authenticated 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: IPCP lowerup 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: IPCP open 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent IPCP ConfReq id=0x1d 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 0.0.0.0> 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: IPV6CP lowerup 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: IPV6CP open 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent IPV6CP ConfReq id=0xf 
apr/27 02:55:35 l2tp,ppp,debug,packet     <interface-identifier 0:0:0:22> 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: MPLSCP lowerup 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: MPLSCP open 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent MPLSCP ConfReq id=0xf 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: BCP open 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: CCP lowerup 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: CCP open 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd IPCP ConfReq id=0x1 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.1> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent IPCP ConfAck id=0x1 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.1> 
apr/27 02:55:35 ipsec,debug ===== received 84 bytes from 217.182.127.210[500] to 125.236.209.127[500] 
apr/27 02:55:35 ipsec,debug,packet 16720431 02a75040 16bdd3c7 246cee49 08100501 7a93a9a2 00000054 b3f323f3 
apr/27 02:55:35 ipsec,debug,packet aeeeb892 2ff5b9e7 4b33ddc4 d6df84eb 4e8292ab e8875231 6449615e 64f796c4 
apr/27 02:55:35 ipsec,debug,packet fa7790c5 c0693467 d69d15df 1eb9b4c3 950a0e6e 
apr/27 02:55:35 ipsec,debug receive Information. 
apr/27 02:55:35 ipsec,debug compute IV for phase2 
apr/27 02:55:35 ipsec,debug phase1 last IV: 
apr/27 02:55:35 ipsec,debug 93fb8675 8447bb58 7a93a9a2 
apr/27 02:55:35 ipsec,debug hash(md5) 
apr/27 02:55:35 ipsec,debug encryption(blowfish) 
apr/27 02:55:35 ipsec,debug phase2 IV computed: 
apr/27 02:55:35 ipsec,debug 0cc8f1c3 4332f388 
apr/27 02:55:35 ipsec,debug encryption(blowfish) 
apr/27 02:55:35 ipsec,debug IV was saved for next processing: 
apr/27 02:55:35 ipsec,debug 1eb9b4c3 950a0e6e 
apr/27 02:55:35 ipsec,debug encryption(blowfish) 
apr/27 02:55:35 ipsec,debug with key: 
apr/27 02:55:35 ipsec,debug de665346 08a98cff 51bee913 f47d064d 
apr/27 02:55:35 ipsec,debug decrypted payload by IV: 
apr/27 02:55:35 ipsec,debug 0cc8f1c3 4332f388 
apr/27 02:55:35 ipsec,debug decrypted payload, but not trimed. 
apr/27 02:55:35 ipsec,debug 0b000014 b858a48f 82f31691 9f107d48 b9784d57 00000020 00000001 01108d28 
apr/27 02:55:35 ipsec,debug 16720431 02a75040 16bdd3c7 246cee49 00007696 00000000 
apr/27 02:55:35 ipsec,debug padding len=1 
apr/27 02:55:35 ipsec,debug skip to trim padding. 
apr/27 02:55:35 ipsec,debug decrypted. 
apr/27 02:55:35 ipsec,debug 16720431 02a75040 16bdd3c7 246cee49 08100501 7a93a9a2 00000054 0b000014 
apr/27 02:55:35 ipsec,debug b858a48f 82f31691 9f107d48 b9784d57 00000020 00000001 01108d28 16720431 
apr/27 02:55:35 ipsec,debug 02a75040 16bdd3c7 246cee49 00007696 00000000 
apr/27 02:55:35 ipsec,debug HASH with: 
apr/27 02:55:35 ipsec,debug 7a93a9a2 00000020 00000001 01108d28 16720431 02a75040 16bdd3c7 246cee49 
apr/27 02:55:35 ipsec,debug 00007696 
apr/27 02:55:35 ipsec,debug hmac(hmac_md5) 
apr/27 02:55:35 ipsec,debug HASH computed: 
apr/27 02:55:35 ipsec,debug b858a48f 82f31691 9f107d48 b9784d57 
apr/27 02:55:35 ipsec,debug hash validated. 
apr/27 02:55:35 ipsec,debug begin. 
apr/27 02:55:35 ipsec,debug seen nptype=8(hash) len=20 
apr/27 02:55:35 ipsec,debug seen nptype=11(notify) len=32 
apr/27 02:55:35 ipsec,debug succeed. 
apr/27 02:55:35 ipsec,debug 217.182.127.210 notify: R_U_THERE 
apr/27 02:55:35 ipsec,debug 217.182.127.210 DPD R-U-There received 
apr/27 02:55:35 ipsec,debug compute IV for phase2 
apr/27 02:55:35 ipsec,debug phase1 last IV: 
apr/27 02:55:35 ipsec,debug 93fb8675 8447bb58 a58523d0 
apr/27 02:55:35 ipsec,debug hash(md5) 
apr/27 02:55:35 ipsec,debug encryption(blowfish) 
apr/27 02:55:35 ipsec,debug phase2 IV computed: 
apr/27 02:55:35 ipsec,debug 14b13863 8a08d9dd 
apr/27 02:55:35 ipsec,debug HASH with: 
apr/27 02:55:35 ipsec,debug a58523d0 00000020 00000001 01108d29 16720431 02a75040 16bdd3c7 246cee49 
apr/27 02:55:35 ipsec,debug 00007696 
apr/27 02:55:35 ipsec,debug hmac(hmac_md5) 
apr/27 02:55:35 ipsec,debug HASH computed: 
apr/27 02:55:35 ipsec,debug 105619e0 fdd67ccb 76c17e8c 77e77628 
apr/27 02:55:35 ipsec,debug begin encryption. 
apr/27 02:55:35 ipsec,debug encryption(blowfish) 
apr/27 02:55:35 ipsec,debug pad length = 4 
apr/27 02:55:35 ipsec,debug 0b000014 105619e0 fdd67ccb 76c17e8c 77e77628 00000020 00000001 01108d29 
apr/27 02:55:35 ipsec,debug 16720431 02a75040 16bdd3c7 246cee49 00007696 272a2703 
apr/27 02:55:35 ipsec,debug encryption(blowfish) 
apr/27 02:55:35 ipsec,debug with key: 
apr/27 02:55:35 ipsec,debug de665346 08a98cff 51bee913 f47d064d 
apr/27 02:55:35 ipsec,debug encrypted payload by IV: 
apr/27 02:55:35 ipsec,debug 14b13863 8a08d9dd 
apr/27 02:55:35 ipsec,debug save IV for next: 
apr/27 02:55:35 ipsec,debug fa2a2dda 6f385634 
apr/27 02:55:35 ipsec,debug encrypted. 
apr/27 02:55:35 ipsec,debug 84 bytes from 125.236.209.127[500] to 217.182.127.210[500] 
apr/27 02:55:35 ipsec,debug 1 times of 84 bytes message will be sent to 217.182.127.210[500] 
apr/27 02:55:35 ipsec,debug,packet 16720431 02a75040 16bdd3c7 246cee49 08100501 a58523d0 00000054 e4748dcb 
apr/27 02:55:35 ipsec,debug,packet e23cdc0d 829821e2 9d5f56a8 fa5782ae 6ad5affb a6fec4ae 1d56f856 4fa71b4c 
apr/27 02:55:35 ipsec,debug,packet 0e40437e c1aa73ed d9ea9fa2 fa2a2dda 6f385634 
apr/27 02:55:35 ipsec,debug sendto Information notify. 
apr/27 02:55:35 ipsec,debug received a valid R-U-THERE, ACK sent 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ProtRej id=0x3 
apr/27 02:55:35 l2tp,ppp,debug,packet      80 57 01 0f 00 0e 01 0a 00 00 00 00 00 00 00 22 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd IPCP ConfNak id=0x1d 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.3> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent IPCP ConfReq id=0x1e 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.3> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ProtRej id=0x4 
apr/27 02:55:35 l2tp,ppp,debug,packet      82 81 01 0f 00 04 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd IPCP ConfAck id=0x1e 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.3> 
apr/27 02:55:35 l2tp,ppp,debug l2tp-out-pia1_us-siliconvalley: IPCP opened 
apr/27 02:55:35 l2tp,ppp,info l2tp-out-pia1_us-siliconvalley: connected 
apr/27 02:55:49 ipsec,debug KA: 125.236.209.127[4500]->103.21.172.161[4500] 
apr/27 02:55:49 ipsec,debug 1 times of 1 bytes message will be sent to 103.21.172.161[4500] 
apr/27 02:55:49 ipsec,debug,packet ff

sindy · April 26, 2018, 3:35pm

Hm, the remote side behaves weird. If first offers you an IP address 10.10.1.1 and you accept it

apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd IPCP ConfReq id=0x1 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.1> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent IPCP ConfAck id=0x1 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.1>

A moment later, it changes its mind and asks you to change the address just assigned:

apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ProtRej id=0x3 
apr/27 02:55:35 l2tp,ppp,debug,packet      80 57 01 0f 00 0e 01 0a 00 00 00 00 00 00 00 22 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd IPCP ConfNak id=0x1d 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.3> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: sent IPCP ConfReq id=0x1e 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.3> 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd LCP ProtRej id=0x4 
apr/27 02:55:35 l2tp,ppp,debug,packet      82 81 01 0f 00 04 
apr/27 02:55:35 l2tp,ppp,debug,packet  l2tp-out-pia1_us-siliconvalley: rcvd IPCP ConfAck id=0x1e 
apr/27 02:55:35 l2tp,ppp,debug,packet     <addr 10.10.1.3>

So it would be fine to see the output of ****

/ip address print

after that (to see whether the address shown does match the last one assigned by the server). If you have deactivated the connection in the meantime, it is necessary to log again in order to look at the log and the

/ip address print

from the very same attempt.

It would be also fine to look at the same log from the site which works normally, to see whether the same thing happens there.

I assume you use an individual account for each of your sites, correct? Or at least do not log in simultaneously with the same account from different sites.

takumi · April 26, 2018, 7:20pm

Just quickly checked. And noticed in the logs, that YES it does exhibit the same behavior again.

IP address output shows

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE 
10 D 10.10.1.2/32       10.10.1.1       l2tp-out-pia1_us-siliconvalley

Note I omitted internal addressing.

I am using the same account, logged in at separate times. And just to even make doublely sure, I even reset the password as well. I am allowed up to 5 connections, but yeah, didn’t do that to rule that out.

sindy · April 26, 2018, 7:39pm

what does the ****

/ip route print

show (replace the public address by something like

my.public.ip

, don’t remove the line completely)?
2. how does the ipsec&l2tp log look like at the LTE site?
3. ****

/export hide-sensitive

from the ADSL site never hurts (also there, replace all occurrences of each public address by a unique pattern before posting).

takumi · April 26, 2018, 9:41pm

Here’s output from

/ip route print

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          l2tp-out-pia1_u...       80
 1   S  ;;; Static Default Route
         0.0.0.0/0                          pppoe-out1              100

takumi · April 26, 2018, 9:42pm

I’ve manually configured the normal default route, and added the ‘add default route’ on the l2tp-client and configured it with the 80 metric. To by pass other required routes.

sindy · April 27, 2018, 8:24am

Your log in post #4 reveals that there is at least one other IPsec session running while you test the L2TP/IPsec connection.

What does ****

/ip ipsec policy print

say? There is a good chance that the policy of the other IPsec session is stealing the packets which would normally be sent via the default route set by the L2TP.

takumi · April 30, 2018, 4:24am

Hi there,

Yes, that is correct. I do have multiple IPSEC tunnels that are used to connect to a few different locations. I have them setup to look for a /16 IP ranges in the 10.x.0.0/16.

Do you suggest being more specific?

sindy · April 30, 2018, 5:05am

IPsec policies “steal” packets after they have already been routed using the normal routing table, so my suspicion is that when you ping the gateway assigned by the l2tp connection, the packet is routed towards the l2tp tunnel but right before being sent there it is stolen by one of the other ipsec policies. But a ping to 8.8.8.8 (e.g., take any other public address) should not be stolen by any of your policies unless one of them is configured with ****

dst-address=0.0.0.0/0

or with the public subnet to which the address you are pinging belongs.

So check every dst-address in ****

/ip ipsec policy print

output.

takumi · May 1, 2018, 9:06am

Hi there,

Thanks for the advice. Unfortunately this wasn’t the case. I temporarily disabled and removed all other IPSEC tunnels. Then tried again with this configuration. And it seems that it still is not working.

I can confirm that at one of my other properties. Where I have the same setup, same router. Mirkotik behind a Draytek doing PPPoE pass-thru, with a PPPoE connection setup. It also does NOT work. But at another location, where the Mikrotik is NAT’ed behind another router, and configured to simply route out that interface, it DOES work.

I’m guessing a conflict with the PPP connections some how?

sindy · May 1, 2018, 9:40am

Sounds logical but don’t mix up correlation with implication. It could also be that the PPPoE itself is not the problem here but the fact that those of your Mikrotiks which have a PPPoE client on themselves also have a public IP address on themselves (on the PPPoE interface of course), so the remote end may be so “surprised” by a client which does not come from behind a NAT that is doesn’t know how to treat it properly. I.e. if the 'Tik would have a public IP on other than PPPoE interface, the VPN server might have the same issue.

So far I only have encountered a double-reverse problem, where a Windows 10 native client was unable to cope with the server being behind a NAT.

For this case, where the IPsec connection is initiated from the Mikrotik side, it is not exactly trivial to make the IPsec stack bind to some private address and then get NATed to the public one, which is essential to make the server think that the client connects from behind a NAT. Let me think a while, I’ll come back once I conclude whether it is possible to find an easier solution than the brain-frying one described here.

If you have a possibility to check that using a 'Tik which receives a public IP from the ISP in a different way than via PPPoE, let me know ASAP to avoid the process above

takumi · May 1, 2018, 1:30pm

Hi sindy,

One other thing to throw into the mix. So what I’ve done is moved to using creating a centralised OpenVPN server that I have in the data center. So what I done, is use a spare RB1100AHx2 that we had there as a backup. Configured it as an OpenVPN server. And I’m able to connect to it, and pass traffic through it. However, if I attempt to set it as my default route, as in to force all traffic through to it from my client. It exhibits the same problem that I have described here. It will send traffic, but traffic will not be received.

However, if I remove the static route, and pass specific routes over the link, it works.

Weird right?

Just incase you were wondering. My end goal is to achieve anonymity and some internet privacy. And to bypass geo-blocks, I won’t lie about that part. I was also hoping if I wasn’t able to directly build a VPN tunnel from each of my houses, I would build a central one inside the data center, yes an actual data center, and then tunnel all the traffic out from there.

But it seems the latest iterations of ROS is making it more difficult.

Question, would running an increased CPU speed be an issue? All my RB’s are running on a slight overclock. Just because. No particular reason.

sindy · May 1, 2018, 2:31pm

Not really. In RouterOS there is no magic (like e.g. in Microsoft Windows or mobile clients) which would automatically create an exception route to the VPN server when you change the default route to go through the VPN tunnel interface. So try again but this time manually add a dedicated route to the VPN server’s IP address via the normal gateway before activating the VPN connection (it may stay there forever, it doesn’t change anything while the normal default route is not overriden by the one provided by the VPN), it should then start working fine because a more exact route always wins over a wider one.

And in fact it is probably the same issue on the L2TP/IPsec tunnel, I just haven’t realized that as didn’t expect this to be set differently at your PPPoE and non-PPPoE sites, but as your obsession with privacy prevents you from posting even anonymized configurations, it is hard to analyze such things

Whereas the L2TP transport packets are stolen by the IPsec policy regardless where the regular routing has sent them, this is not the case for the IPsec transport packets which follow the standard routing rules. So here again, overriding the normal default route (through the PPPoE) by a new one through the L2TP tunnel once the tunnel establishes has probably broken the tunnel operation as it effectively started sending its transport packets through itself.

So try this (the dedicated route towards the VPN server) and lt me know if it works; if it does, I’ll tell you how to make sure that the IPsec (or openvpn) transport packets will use the original gateway even if there are several remote servers in different subnets and you connect to them using their DNS names so you may get a different server IP address each time.

My end goal is to achieve anonymity and some internet privacy.

That’s kind of an illusion, given that the VPN provider knows quite a lot about you. Yes, you are anonymous to the servers you visit via the VPN, and your ISP doesn’t know where you browse (if you don’t forget to send DNS requests through the VPN too and if your Windows 10 do not send DNS requests in parallel via all gateways they find, ignoring routing rules completely, which is their default behaviour), but the VPN provider knows about every server you visit.

Question, would running an increased CPU speed be an issue? All my RB’s are running on a slight overclock. Just because. No particular reason.

Even if the CPU is not overclocked so much that the CPU would start making errors, increased speed => increased temperature => reduced lifetime of the components => reduced time till the unit as a whole starts to behave strange. This is how the world works. However, the $99 question is how much reduced, whether to 1/2 or to 0.99999 of the original lifetime. It surely doesn’t stand as simple as “double the CPU speed => half the unit lifetime”.

I don’t think a slight overclocking would be related to your issues, though, the above explanation with cycling the transport packets back into the tunnel seems more logical to me.

takumi · May 1, 2018, 2:47pm

Weird right?

Not really. In RouterOS there is no magic (like e.g. in Microsoft Windows or mobile clients) which would automatically create an exception route to the VPN server when you change the default route to go through the VPN tunnel interface. So try again but this time manually add a dedicated route to the VPN server’s IP address via the normal gateway before activating the VPN connection (it may stay there forever, it doesn!'t change anything while the normal default route is not overriden by the one provided by the VPN), it should then start working fine because a more exact route always wins over a wider one.

And in fact it is probably the same issue on the L2TP/IPsec tunnel, I just haven’t realized that as didn’t expect this to be set differently at your PPPoE and non-PPPoE sites, but as your obsession with privacy prevents you from posting even anonymized configurations, it is hard to analyze such things

Whereas the L2TP transport packets are stolen by the IPsec policy regardless where the regular routing has sent them, this is not the case for the IPsec transport packets which follow the standard routing rules. So here again, overriding the normal default route (through the PPPoE) by a new one through the L2TP tunnel once the tunnel establishes has probably broken the tunnel operation as it effectively started sending its transport packets through itself.

So try this (the dedicated route towards the VPN server) and lt me know if it works; if it does, I’ll tell you how to make sure that the IPsec (or openvpn) transport packets will use the original gateway even if there are several remote servers in different subnets and you connect to them using their DNS names so you may get a different server IP address each time.

My end goal is to achieve anonymity and some internet privacy.

That’s kind of an illusion, given that the VPN provider knows quite a lot about you.Yes, you are anonymous to the servers you visit via the VPN, and your ISP doesn’t know where you browse (if you don’t forget to send DNS requests through the VPN too and if your Windows 10 do not send DNS requests in parallel via all gateways they find, ignoring routing rules completely, which is their default behaviour), but the VPN provider knows about every server you visit.

Question, would running an increased CPU speed be an issue? All my RB’s are running on a slight overclock. Just because. No particular reason.

Even if the CPU is not overclocked so much that the CPU would start making errors, increased speed => increased temperature => reduced lifetime of the components => reduced time till the unit as a whole starts to behave strange. This is how the world works. However, the $99 question is how much reduced, whether to 1/2 or to 0.99999 of the original lifetime. It surely doesn’t stand as simple as “double the CPU speed => half the unit lifetime”.

I don’t think a slight overclocking would be related to your issues, though, the above explanation with cycling the transport packets back into the tunnel seems more logical to me.

Yeah I realize that about the privacy thing. It’s not really a goal. It’s more so I can get around some geo-blocked networks. But in saying that, I only haven’t posted anonymous configs because well, for some reason it spat an error at me and I didn’t have too much time to read it and fix it.

Regarding the more specific route. I have actually tried this. I’ve set a static route manually, in an attempt to direct traffic to the VPN tunnel. And when the tunnel is down, things are working ok and I’m able to browse the internet. However, when the tunnel comes up. Same thing happens. Data is being sent, but nothing received.

I have to do a Netinstall on one of my routers, funnily enough the one that’s in the DC that I’m connecting to, to try and resolve an issue. And once I’ve done that, I’ll try post some more useful information for you.