Hello everyone!
First post here, so sorry for any inconvenience or mistakes.
Long ago, I set up my MikroTik (RB951G-2HnD with latest current) to act as an L2TP VPN server with IPsec encryption. All this time, I had been using SHA1 for Hash/Authentication and 3DES for Encryption. Since both of them are considered unsafe, I decided to replace them with SHA256 and AES128.
For some reason, since I applied the above changes, I can no longer connect to my VPN from my Windows 10 laptop, my iPhone (OS 10), or my Android (7.0) phone.
Any help is appreciated.
Here are the logs,
and here are the IPsec settings (replace SHA1, which is shown in the pics, with SHA256).
When you are not even familiar with IPsec terms like phase 1 and phase 2, and you don't want to spend time on investigating this yourself, I advise you to not change the default parameters! You will quickly find yourself in a very difficult situation from which it is difficult to recover when you have not made notes along the way. (similar to Tom Thumb)

The normal default parameters are plenty secure enough to use for a VPN for you and your friends. The 256 bit variants are really for the extremely paranoid who believe the CIA is trying to break into their encryption using their supercomputers. It is not at all like default IPsec is wide open for cracking; it is quite secure, especially when compared to other alternatives.

Unfortunately there are interworking issues with those newer encryption options. So you will have to be able to debug problems and find workarounds, something that you will not be able to do without in-depth knowledge of what all those checkmarks and options really do.
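As an added example (not part of any post in this thread) of where the phase 1 and phase 2 settings mentioned above live in RouterOS, and of how to log the negotiation to see at which phase a client is rejected; it assumes RouterOS 6.3x CLI syntax, an existing single L2TP peer entry, and is not the settings from the original poster's screenshots:

```routeros
# Added example; assumes RouterOS 6.3x, where phase 1 algorithms are set on
# /ip ipsec peer and phase 2 algorithms on /ip ipsec proposal.

# Phase 1 (IKE): hash, encryption and DH group protecting the IKE exchange.
# These are the fields the thread talks about changing from sha1/3des.
/ip ipsec peer
set 0 exchange-mode=main-l2tp hash-algorithm=sha256 enc-algorithm=aes-128 \
    dh-group=modp1024 generate-policy=port-override

# Phase 2 (ESP): integrity and encryption for the L2TP traffic itself.
# Listing more than one auth algorithm lets the router accept whichever
# the client actually offers; the log below shows what that is.
/ip ipsec proposal
set default auth-algorithms=sha256,sha1 enc-algorithms=aes-128-cbc

# Check: log IPsec negotiation (without per-packet noise), then attempt a
# client connection. A phase 1 mismatch is logged before any phase 2
# proposal is processed, which tells you which set of fields to revisit.
/system logging
add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```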
Jajaja, I am not paranoid about the CIA.. and even.. personally, I am pro USA jajajaja (sorry for others)
But my paranoia is about the Venezuelan government and for the security of the journalist I am helping!!!
And the Venezuelan government is helped by G2... sorry for talking about politicians jeje
Thank you a lot
Hello pe1chl,
Are these compatibility issues spotted on the server (MT) side or on the client (Windows/Android/iOS) side?
Do you, or an MT representative, know if these issues are going to be addressed?