L2TP/IPsec falls off after connecting

Hi!
I am trying to set up a remote L2TP/IPsec connection to a Mikrotik 2011UiAS-RM:

/ip pool add name=l2tp-pool ranges=10.161.1.104-10.161.1.112
/ppp profile add name=L2TP local-address=10.161.1.101 remote-address=l2tp-pool \
dns-server=10.161.0.1 change-tcp-mss=yes address-list=L2TP_Clients
/ppp secret add name=name password=password profile=L2TP service=l2tp routes="10.161.0.0/16 10.161.1.101"
/interface l2tp-server server set default-profile=L2TP enabled=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=12h
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-strict
secret=secret hash-algorithm=sha1 send-initial-contact=yes nat-traversal=yes

I attach an IPsec log file, where 46.61.18.28 is the external Mikrotik address and 185.3.34.7 is my Android mobile that tries to connect. It also has the address 172.29.30.88, which comes from inside a cellular carrier's NAT. Another IP seen in the log, 77.66.234.235, is the IP of my second site with another Mikrotik; the two sites have a site-to-site IPsec link which works just fine.

It seems that the ISAKMP stage gets established, but then everything just dies out. I even downgraded the OS version to v6.7 from v6.12, which is what it was when I bought the router.

Can anyone help, please? I sent this question to Mikrotik support but have not got any response.
ipsec_v67.log (129 KB)

A few things:
set passive=yes and send-initial-contact=no

If that doesn't work, try to switch
generate-policy=port-strict to generate-policy=port-override

Doesn't help… :(

Went through the logs, here are the problems:

May/02/2014 13:15:33 ipsec,debug trns_id mismatched: my:3DES peer:AES-CBC
May/02/2014 13:15:33 ipsec,debug trns_id mismatched: my:3DES peer:AES-CBC
May/02/2014 13:15:33 ipsec,debug authtype mismatched: my:hmac-md5 peer:hmac-sha1
May/02/2014 13:15:33 ipsec,debug less key length proposed, mine:128 peer:256.  Use initiaotr's one.

This is rather strange. I have found this place in the logs, and it does not change whatever I do in the IPsec peer settings!! How come? I attach a screenshot of winbox. These settings are also confirmed in the command line:

 0   ;;; Mobile clients
     address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="mysecret" generate-policy=port-strict 
     exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d 
     dpd-interval=3m dpd-maximum-failures=5

mikrotik_ipsec_3.png

Peer settings are phase 1.
Proposal settings are phase 2.
Most likely these errors are for phase 2, so check if you have correct settings in /ip ipsec proposal.
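When a negotiation fails like this, the useful information in an ipsec,debug log is the set of "my:… peer:…" comparison lines, which tell you what each end offered. The script below is an added example (not from this thread, not RouterOS code) that extracts those lines and collapses the repeats into a side-by-side table of local versus peer values, so you can check them against your peer and proposal settings. The sample log is constructed from the lines quoted above plus one made-up non-mismatch line; the regular expressions assume the message wording shown in the thread and do not decide which phase a message belongs to.

```python
import re

# Constructed sample log lines in the RouterOS "ipsec,debug" format quoted in the thread;
# the last line is a made-up non-mismatch entry to show that unrelated lines are skipped.
SAMPLE_LOG = """\
May/02/2014 13:15:33 ipsec,debug trns_id mismatched: my:3DES peer:AES-CBC
May/02/2014 13:15:33 ipsec,debug trns_id mismatched: my:3DES peer:AES-CBC
May/02/2014 13:15:33 ipsec,debug authtype mismatched: my:hmac-md5 peer:hmac-sha1
May/02/2014 13:15:33 ipsec,debug less key length proposed, mine:128 peer:256.  Use initiaotr's one.
May/02/2014 13:15:34 ipsec,debug no suitable proposal found.
"""

# "<date> <time> <topics> <message>"; topics is a comma list such as "ipsec,debug".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<topics>[\w,]+) (?P<msg>.*)$")
# Generic "<attribute> mismatched: my:<x> peer:<y>" comparison message.
MISMATCH_RE = re.compile(r"^(?P<attr>\w+) mismatched: my:(?P<mine>\S+) peer:(?P<peer>\S+)$")
# Key-length comparison uses different wording (the "initiaotr's" typo is in the real message).
KEYLEN_RE = re.compile(r"^less key length proposed, mine:(?P<mine>\d+) peer:(?P<peer>\d+)\.")


def parse_line(line):
    """Return (timestamp, attribute, mine, peer) for a proposal-comparison line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or "ipsec" not in m.group("topics").split(","):
        return None
    msg = m.group("msg")
    mm = MISMATCH_RE.match(msg)
    if mm:
        return (m.group("ts"), mm.group("attr"), mm.group("mine"), mm.group("peer"))
    km = KEYLEN_RE.match(msg)
    if km:
        return (m.group("ts"), "key_length", km.group("mine"), km.group("peer"))
    return None


def summarize(log_text):
    """Count each distinct (attribute, mine, peer) disagreement across the whole log.

    The same comparison is often logged more than once (as in the thread's log);
    collapsing repeats into one entry with a count gives a readable picture of
    what this router offered versus what the peer asked for.
    """
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, attr, mine, peer = rec
        key = (attr, mine, peer)
        counts[key] = counts.get(key, 0) + 1
    return counts


def render(log_text):
    """Return a plain-text table: attribute | this router | peer | times seen."""
    counts = summarize(log_text)
    rows = ["%-12s %-12s %-12s %s" % ("attribute", "mine", "peer", "seen")]
    for (attr, mine, peer), n in sorted(counts.items()):
        rows.append("%-12s %-12s %-12s %d" % (attr, mine, peer, n))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(SAMPLE_LOG))
```

Run it against a log exported from the router (/log print or the saved file) by reading the file into render(); each row's "mine" column is what the local configuration produced, so a value there that does not appear in the relevant peer or proposal settings is the place to look.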

This is rather strange. Here are my proposal settings

[vomus@Safianovo] > /ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc lifetime=1h pfs-group=modp1024 
[vomus@Safianovo] >

and this is what I see in the logs

May/25/2014 08:28:56 ipsec,debug trns_id mismatched: my:3DES peer:AES-CBC

Why is there any mismatch if 3DES and AES are both activated?