L2TP insanity

Hello all,
I’m not able to create a connection from Windows 7. I think there is some problem with the Windows configuration? I assigned a 3DES policy and set the prohibitipsec registry value to 1.

22:04:37 ipsec IPSEC: respond new phase 1 negotiation: x.x.x.61[500]<=>x.x.x.51[500] 
22:04:37 ipsec IPSEC: begin Identity Protection mode. 
22:04:37 ipsec IPSEC: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY 
22:04:37 ipsec IPSEC: received Vendor ID: RFC 3947 
22:04:37 ipsec IPSEC: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
22:04:37 ipsec IPSEC:  
22:04:37 ipsec IPSEC: received Vendor ID: FRAGMENTATION 
22:04:37 ipsec IPSEC: ISAKMP-SA established x.x.x.61[500]-x.x.x.51[500] spi:182b6a1bc29cc7d0:87fa2f2566f1d1d2 
22:04:37 ipsec IPSEC: respond new phase 2 negotiation: x.x.x.61[500]<=>x.x.x.51[500] 
22:04:37 ipsec IPSEC: no policy found, try to generate the policy : 192.168.1.33/32[0] x.x.x.61/32[0] proto=any dir=in 
22:04:37 ipsec IPSEC: IPsec-SA established: ESP/Transport x.x.x.51[0]->x.x.x.61[0] spi=235934119(0xe1011a7) 
22:04:37 ipsec IPSEC: IPsec-SA established: ESP/Transport x.x.x.61[0]->x.x.x.51[0] spi=1582202742(0x5e4e7f76)

After these log messages it waits for the timeout and error 809 appears.
While waiting, I see in the log some packets from the client's NATed public address x.x.x.51
to the router address x.x.x.61, length 316 bytes, repeatedly; then the connection is deleted:

22:06:47 ipsec IPSEC: ISAKMP-SA expired x.x.x.61[500]-x.x.x.51[500] spi:182b6a1bc29cc7d0:87fa2f2566f1d1d2 
22:06:48 ipsec IPSEC: ISAKMP-SA deleted x.x.x.61[500]-x.x.x.51[500] spi:182b6a1bc29cc7d0:87fa2f2566f1d1d2



/ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0xE1011A7 src-address=x.x.x.51 dst-address=x.x.x.61 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature 
      auth-key="18dcbf1497695f349922c18a69bd176f035d1b10" enc-key="676d05b8c06a5a9409afa673ef76aea16af11885f293f56e" 
      addtime=sep/08/2010 20:04:37 add-lifetime=6h24m/8h usetime=sep/08/2010 20:04:38 use-lifetime=0s/0s current-bytes=550 
      lifebytes=0/0 
 1 E  spi=0x5E4E7F76 src-address=x.x.x.61 dst-address=x.x.x.51 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature 
      auth-key="899fab08e631b5bfb2bbdbeaef0ff0b6597a79de" enc-key="8f0c7045ee072d090a302bd462484c85db6d92fae9a83b73" 
      add-lifetime=6h24m/8h use-lifetime=0s/0s lifebytes=0/0



ppp secrets
 #   NAME        SERVICE CALLER-ID       PASSWORD        PROFILE        REMOTE-ADDRESS
 0   username      l2tp               userpwd       default-encryption     192.168.2.170



 ip ipsec peer
   address=x.x.x.51/32:500 auth-method=pre-shared-key secret="passphrase" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5



/interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME          USER         MTU        CLIENT-ADDRESS                       UPTIME   ENCODING
 0     FromLaptop      username
/interface l2tp-server> server print
          enabled: yes
          max-mtu: 1460
          max-mru: 1460
          mrru: disabled
   authentication: mschap2
  default-profile: default-encryption

Any ideas? Thank you for your help…

Nobody has any idea? Any direction for the next experiments? I checked Vista today and it is the same situation.

I found this on the Microsoft site:

If one of the following symptoms occurs, IPSec is not causing the problem:
The Audit log shows successful main mode SA establish and successful quick mode SA establish.
The network capture trace shows ESP traffic originating from the client or server.
Ipsecmon.exe shows an IPSec SA.
Note that there are always two IPSec SAs established: one for each direction, each with its own security parameter Index (SPI); however, Ipsecmon.exe shows only the outbound SA.

Mikrotik shows successful SA establishment, so IPSec is probably not the problem.
What could the next problem be? Any routing setting? IP addresses? Any ideas?
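
Added example, not part of the original thread: a Python check that applies the Microsoft criteria quoted above to the router log (phase 1 established, one ESP SA per direction) and then compares the byte counters on the installed SAs to see which direction actually carried traffic. The function names and the condensed one-line installed-sa rows (keys left out) are assumptions made for this example.

```python
import re

# Log lines copied from the first post (addresses masked as in the original).
LOG = """\
22:04:37 ipsec IPSEC: ISAKMP-SA established x.x.x.61[500]-x.x.x.51[500] spi:182b6a1bc29cc7d0:87fa2f2566f1d1d2
22:04:37 ipsec IPSEC: IPsec-SA established: ESP/Transport x.x.x.51[0]->x.x.x.61[0] spi=235934119(0xe1011a7)
22:04:37 ipsec IPSEC: IPsec-SA established: ESP/Transport x.x.x.61[0]->x.x.x.51[0] spi=1582202742(0x5e4e7f76)
22:06:47 ipsec IPSEC: ISAKMP-SA expired x.x.x.61[500]-x.x.x.51[500] spi:182b6a1bc29cc7d0:87fa2f2566f1d1d2
"""
# installed-sa rows from the same post, condensed to one line each, keys omitted.
SA_PRINT = """\
 0 E  spi=0xE1011A7 src-address=x.x.x.51 dst-address=x.x.x.61 state=mature current-bytes=550
 1 E  spi=0x5E4E7F76 src-address=x.x.x.61 dst-address=x.x.x.51 state=mature
"""

PHASE1 = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")
PHASE2 = re.compile(r"IPsec-SA established: ESP/\w+ (\S+)\[\d+\]->(\S+)\[\d+\] spi=\d+\((0x[0-9a-f]+)\)")
SA_ROW = re.compile(r"spi=(0x[0-9A-Fa-f]+) src-address=(\S+) dst-address=(\S+)")
BYTES = re.compile(r"current-bytes=(\d+)")

def negotiated(log):
    """Return (phase1_ok, {(src, dst): spi}) parsed from the IPsec log."""
    phase1 = PHASE1.search(log) is not None
    sas = {(m.group(1), m.group(2)): int(m.group(3), 16) for m in PHASE2.finditer(log)}
    return phase1, sas

def traffic(sa_print):
    """Map SPI -> bytes counted on that SA (0 when no counter is printed)."""
    out = {}
    for line in sa_print.splitlines():
        row = SA_ROW.search(line)
        if row:
            used = BYTES.search(line)
            out[int(row.group(1), 16)] = int(used.group(1)) if used else 0
    return out

def diagnose(log, sa_print, router):
    """Classify the session from negotiation state and per-direction byte counters."""
    phase1, sas = negotiated(log)
    both = any((d, s) in sas for (s, d) in sas)  # one SA for each direction
    if not (phase1 and both):
        return "ipsec negotiation incomplete"
    used = traffic(sa_print)
    rx = sum(used.get(spi, 0) for (s, d), spi in sas.items() if d == router)
    tx = sum(used.get(spi, 0) for (s, d), spi in sas.items() if s == router)
    if rx and not tx:
        return "ipsec up, inbound SA counted bytes, outbound SA counted none"
    return "ipsec up, traffic in both directions" if rx and tx else "ipsec up, no traffic"
```

Calling `diagnose(LOG, SA_PRINT, "x.x.x.61")` on the posted data reports that negotiation completed and that only the client-to-router SA counted any bytes, which moves the investigation past IPsec negotiation to whatever should be answering inside the tunnel.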

I solved this, I used OpenVPN… :wink:

Can you send me a link where I can see how to set up Mikrotik as OpenVPN and connect a Windows client to it?

Did you get your OpenVPN up and running? If you found a guide that actually worked, would you share? I’m struggling with this myself.