Hello.
I have two problems with L2TP/IPsec for RoadWarrior configuration:
- I am unable to change keepalive-timeout on the L2TP server. I can set it to 30 or 36000 or even disable it, but MT starts to send L2TP HELLO packets exactly 60 seconds after the connection is established.
- That is weird. When some traffic is present through the L2TP tunnel (pings or shared files access), HELLO packets are sent and received normally. But when the tunnel is idle, keepalive packets seem to be ignored by one of the sides.
The L2TP client is a Win10 machine.
RouterOS 6.37.3
Export and L2TP log below:
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip pool
add name=VPN_pool ranges=192.168.4.50-192.168.4.100
/ppp profile
add change-tcp-mss=yes local-address=192.168.3.252 name=VPN_profile remote-address=VPN_pool
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN_profile enabled=yes
/ip address
add address=192.168.3.252/24 comment=Inside interface=ether2 network=192.168.3.0
add address=10.1.1.1/24 comment=Outside interface=ether6 network=10.1.1.0
/ip dns
set servers=192.168.3.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret=test
/ip route
add distance=1 gateway=10.1.1.254
/ppp secret
add name=vpn_user password=test profile=VPN_profile service=l2tp
20:28:30 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
20:28:30 l2tp,debug,packet (M) Message-Type=SCCRQ
20:28:30 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:28:30 l2tp,debug,packet (M) Framing-Capabilities=0x1
20:28:30 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:28:30 l2tp,debug,packet Firmware-Revision=0xa00
20:28:30 l2tp,debug,packet (M) Host-Name="laptop.testdomain.local"
20:28:30 l2tp,debug,packet Vendor-Name="Microsoft"
20:28:30 l2tp,debug,packet (M) Assigned-Tunnel-ID=36
20:28:30 l2tp,debug,packet (M) Receive-Window-Size=8
20:28:30 l2tp,info first L2TP UDP packet received from 10.1.1.2
20:28:30 l2tp,debug tunnel 9 entering state: wait-ctl-conn
20:28:30 l2tp,debug,packet sent control message to 10.1.1.2:1701 from 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=36, session-id=0, ns=0, nr=1
20:28:30 l2tp,debug,packet (M) Message-Type=SCCRP
20:28:30 l2tp,debug,packet (M) Protocol-Version=0x01:00
20:28:30 l2tp,debug,packet (M) Framing-Capabilities=0x1
20:28:30 l2tp,debug,packet (M) Bearer-Capabilities=0x0
20:28:30 l2tp,debug,packet Firmware-Revision=0x1
20:28:30 l2tp,debug,packet (M) Host-Name="MikroTik"
20:28:30 l2tp,debug,packet Vendor-Name="MikroTik"
20:28:30 l2tp,debug,packet (M) Assigned-Tunnel-ID=9
20:28:30 l2tp,debug,packet (M) Receive-Window-Size=4
20:28:30 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=9, session-id=0, ns=1, nr=1
20:28:30 l2tp,debug,packet (M) Message-Type=SCCCN
20:28:30 l2tp,debug tunnel 9 entering state: estabilished
20:28:30 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1701 from 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=36, session-id=0, ns=1, nr=2
20:28:30 l2tp,debug,packet rcvd control message (ack) from 10.1.1.2:1701 to 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=9, session-id=0, ns=3, nr=1
20:28:30 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=9, session-id=0, ns=2, nr=1
20:28:30 l2tp,debug,packet (M) Message-Type=ICRQ
20:28:30 l2tp,debug,packet (M) Assigned-Session-ID=1
20:28:30 l2tp,debug,packet (M) Call-Serial-Number=0
20:28:30 l2tp,debug,packet (M) Bearer-Type=0x2
20:28:30 l2tp,debug,packet 1(vendor-id=311)=0x26:b5:ab:86:57:06:e5:47:9b:6d:a9:bf:90:9b:12:06
20:28:30 l2tp,debug session 1 entering state: wait-connect
20:28:30 l2tp,debug,packet sent control message to 10.1.1.2:1701 from 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=36, session-id=1, ns=1, nr=3
20:28:30 l2tp,debug,packet (M) Message-Type=ICRP
20:28:30 l2tp,debug,packet (M) Assigned-Session-ID=1
20:28:30 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=9, session-id=1, ns=3, nr=2
20:28:30 l2tp,debug,packet (M) Message-Type=ICCN
20:28:30 l2tp,debug,packet (M) Tx-Connect-Speed-BPS=54000000
20:28:30 l2tp,debug,packet (M) Framing-Type=0x1
20:28:30 l2tp,debug,packet Proxy-Authen-Type=4
20:28:30 l2tp,debug session 1 entering state: established
20:28:30 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1701 from 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=4
20:28:30 l2tp,debug,packet rcvd control message (ack) from 10.1.1.2:1701 to 10.1.1.1:1701
20:28:30 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:28:30 l2tp,ppp,debug <10.1.1.2>: LCP lowerup
20:28:30 l2tp,ppp,debug <10.1.1.2>: LCP open
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP ConfReq id=0x0
20:28:30 l2tp,ppp,debug,packet <mru 1400>
20:28:30 l2tp,ppp,debug,packet <magic 0x129c5825>
20:28:30 l2tp,ppp,debug,packet <pcomp>
20:28:30 l2tp,ppp,debug,packet <accomp>
20:28:30 l2tp,ppp,debug,packet <callback 0x06>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent LCP ConfReq id=0x1
20:28:30 l2tp,ppp,debug,packet <mru 1450>
20:28:30 l2tp,ppp,debug,packet <magic 0x49f46e4c>
20:28:30 l2tp,ppp,debug,packet <auth mschap2>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent LCP ConfRej id=0x0
20:28:30 l2tp,ppp,debug,packet <pcomp>
20:28:30 l2tp,ppp,debug,packet <accomp>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP ConfAck id=0x1
20:28:30 l2tp,ppp,debug,packet <mru 1450>
20:28:30 l2tp,ppp,debug,packet <magic 0x49f46e4c>
20:28:30 l2tp,ppp,debug,packet <auth mschap2>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP ConfReq id=0x1
20:28:30 l2tp,ppp,debug,packet <mru 1400>
20:28:30 l2tp,ppp,debug,packet <magic 0x129c5825>
20:28:30 l2tp,ppp,debug,packet <callback 0x06>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent LCP ConfAck id=0x1
20:28:30 l2tp,ppp,debug,packet <mru 1400>
20:28:30 l2tp,ppp,debug,packet <magic 0x129c5825>
20:28:30 l2tp,ppp,debug,packet <callback 0x06>
20:28:30 l2tp,ppp,debug <10.1.1.2>: LCP opened
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent CHAP Challenge id=0x1
20:28:30 l2tp,ppp,debug,packet <challenge len=16>
20:28:30 l2tp,ppp,debug,packet <name MikroTik>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP Ident id=0x2
20:28:30 l2tp,ppp,debug,packet <magic 0x129c5825>
20:28:30 l2tp,ppp,debug,packet MSRASV5.20
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP Ident id=0x3
20:28:30 l2tp,ppp,debug,packet <magic 0x129c5825>
20:28:30 l2tp,ppp,debug,packet MSRAS-0-R9-F20M0
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP Ident id=0x4
20:28:30 l2tp,ppp,debug,packet <magic 0x129c5825>
20:28:30 l2tp,ppp,debug,packet &\B5\AB\86W\06\E5G\9Bm\A9\BF\90\9B\12\06
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd CHAP Response id=0x1
20:28:30 l2tp,ppp,debug,packet <response len=49>
20:28:30 l2tp,ppp,debug,packet <name vpn_user>
20:28:30 l2tp,ppp,info,account vpn_user logged in, 192.168.4.98
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent CHAP Success id=0x1
20:28:30 l2tp,ppp,debug,packet S=447E540B0BA08BE331DE8024E7B30DCE790A80D7
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent CBCP CallbackReq id=0x0
20:28:30 l2tp,ppp,debug,packet 01 02
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd CBCP CallbackResp id=0x0
20:28:30 l2tp,ppp,debug,packet 01 02
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent CBCP CallbackAck id=0x1
20:28:30 l2tp,ppp,debug,packet 01 02
20:28:30 l2tp,ppp,info <l2tp-vpn_user>: authenticated
20:28:30 l2tp,ppp,debug <10.1.1.2>: IPCP lowerup
20:28:30 l2tp,ppp,debug <10.1.1.2>: IPCP open
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent IPCP ConfReq id=0x1
20:28:30 l2tp,ppp,debug,packet <addr 192.168.3.252>
20:28:30 l2tp,ppp,debug <10.1.1.2>: IPV6CP open
20:28:30 l2tp,ppp,debug <10.1.1.2>: MPLSCP lowerup
20:28:30 l2tp,ppp,debug <10.1.1.2>: MPLSCP open
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent MPLSCP ConfReq id=0x1
20:28:30 l2tp,ppp,debug <10.1.1.2>: BCP open
20:28:30 l2tp,ppp,debug <10.1.1.2>: CCP lowerup
20:28:30 l2tp,ppp,debug <10.1.1.2>: CCP open
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd CCP ConfReq id=0x5
20:28:30 l2tp,ppp,debug,packet <mppe 1000000>
20:28:30 l2tp,ppp,debug <10.1.1.2>: received unsupported protocol 0x80fd
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent LCP ProtRej id=0x2
20:28:30 l2tp,ppp,debug,packet 80 fd 01 05 00 0a 12 06 01 00 00 00
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd IPCP ConfReq id=0x6
20:28:30 l2tp,ppp,debug,packet <addr 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-dns 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-dns 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-wins 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-wins 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent IPCP ConfRej id=0x6
20:28:30 l2tp,ppp,debug,packet <ms-dns 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-wins 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-wins 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd LCP ProtRej id=0x7
20:28:30 l2tp,ppp,debug,packet 82 81 01 01 00 04
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd IPCP ConfAck id=0x1
20:28:30 l2tp,ppp,debug,packet <addr 192.168.3.252>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd IPCP ConfReq id=0x8
20:28:30 l2tp,ppp,debug,packet <addr 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <ms-dns 0.0.0.0>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent IPCP ConfNak id=0x8
20:28:30 l2tp,ppp,debug,packet <addr 192.168.4.98>
20:28:30 l2tp,ppp,debug,packet <ms-dns 192.168.3.1>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: rcvd IPCP ConfReq id=0x9
20:28:30 l2tp,ppp,debug,packet <addr 192.168.4.98>
20:28:30 l2tp,ppp,debug,packet <ms-dns 192.168.3.1>
20:28:30 l2tp,ppp,debug,packet <10.1.1.2>: sent IPCP ConfAck id=0x9
20:28:30 l2tp,ppp,debug,packet <addr 192.168.4.98>
20:28:30 l2tp,ppp,debug,packet <ms-dns 192.168.3.1>
20:28:30 l2tp,ppp,debug <10.1.1.2>: IPCP opened
20:28:30 l2tp,ppp,info <l2tp-vpn_user>: connected
20:29:20 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:29:20 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:29:20 l2tp,debug,packet (M) Message-Type=HELLO
20:29:20 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1701 from 10.1.1.1:1701
20:29:20 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:30 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:29:30 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:29:30 l2tp,debug,packet (M) Message-Type=HELLO
20:29:30 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1701 from 10.1.1.1:1701
20:29:30 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:30 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:30 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:30 l2tp,debug,packet (M) Message-Type=HELLO
20:29:31 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:31 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:31 l2tp,debug,packet (M) Message-Type=HELLO
20:29:32 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:32 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:32 l2tp,debug,packet (M) Message-Type=HELLO
20:29:34 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:34 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:34 l2tp,debug,packet (M) Message-Type=HELLO
20:29:38 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:38 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:38 l2tp,debug,packet (M) Message-Type=HELLO
20:29:40 l2tp,debug,packet rcvd control message from 10.1.1.2:1701
20:29:40 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:29:40 l2tp,debug,packet (M) Message-Type=HELLO
20:29:40 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1
20:29:40 l2tp,debug,packet tunnel-id=36, session-id=0, ns=3, nr=5
20:29:46 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:46 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:46 l2tp,debug,packet (M) Message-Type=HELLO
20:29:50 l2tp,debug,packet rcvd control message from 10.1.1.2:1701
20:29:50 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:29:50 l2tp,debug,packet (M) Message-Type=HELLO
20:29:50 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1
20:29:50 l2tp,debug,packet tunnel-id=36, session-id=0, ns=3, nr=5
20:29:50 l2tp,debug tunnel 9 received no replies, disconnecting
20:29:50 l2tp,debug tunnel 9 entering state: dead
20:29:50 l2tp,debug session 1 entering state: dead
20:29:50 l2tp,ppp,debug <10.1.1.2>: LCP lowerdown
20:29:50 l2tp,ppp,debug <10.1.1.2>: LCP closed
20:29:50 l2tp,ppp,debug <10.1.1.2>: CCP lowerdown
20:29:50 l2tp,ppp,debug <10.1.1.2>: BCP lowerdown
20:29:50 l2tp,ppp,debug <10.1.1.2>: BCP down event in starting stat
20:29:50 l2tp,ppp,debug <10.1.1.2>: IPCP lowerdown
20:29:50 l2tp,ppp,debug <10.1.1.2>: IPCP closed
20:29:50 l2tp,ppp,debug <10.1.1.2>: IPV6CP lowerdown
20:29:50 l2tp,ppp,debug <10.1.1.2>: IPV6CP down event in starting s
20:29:50 l2tp,ppp,debug <10.1.1.2>: MPLSCP lowerdown
20:29:50 l2tp,ppp,info <l2tp-vpn_user>: terminating... - hungup
20:29:50 l2tp,ppp,debug <10.1.1.2>: LCP lowerdown
20:29:50 l2tp,ppp,debug <10.1.1.2>: LCP down event in starting stat
20:29:50 l2tp,ppp,info,account vpn_user logged out, 80 11326 68 146 5
20:29:50 l2tp,ppp,info <l2tp-vpn_user>: disconnected
20:30:00 l2tp,debug,packet rcvd control message from 10.1.1.2:1701
20:30:00 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:30:00 l2tp,debug,packet (M) Message-Type=HELLO
20:30:10 l2tp,debug,packet rcvd control message from 10.1.1.2:1701
20:30:10 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:30:10 l2tp,debug,packet (M) Message-Type=HELLO
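An added example, not part of the original post: a Python script that reads RouterOS `l2tp,debug,packet` output in the format of the log above and uses the Ns/Nr fields to report retransmitted control messages and router messages the peer never acknowledged. The function names are hypothetical, the sample lines are constructed from the idle-tunnel part of the log, and sequence-number wraparound is ignored.

```python
import re
from collections import Counter

# Constructed sample: lines in the format of the idle-tunnel part of the log above.
SAMPLE = """\
20:29:20 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:29:20 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:29:20 l2tp,debug,packet (M) Message-Type=HELLO
20:29:20 l2tp,debug,packet sent control message (ack) to 10.1.1.2:1701 from 10.1.1.1:1701
20:29:20 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:30 l2tp,debug,packet rcvd control message from 10.1.1.2:1701 to 10.1.1.1:1701
20:29:30 l2tp,debug,packet tunnel-id=9, session-id=0, ns=4, nr=2
20:29:30 l2tp,debug,packet (M) Message-Type=HELLO
20:29:30 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:30 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:30 l2tp,debug,packet (M) Message-Type=HELLO
20:29:31 l2tp,debug,packet sent control message to 10.1.1.2:1701 fr
20:29:31 l2tp,debug,packet tunnel-id=36, session-id=0, ns=2, nr=5
20:29:31 l2tp,debug,packet (M) Message-Type=HELLO
"""

HDR = re.compile(r"^(\S+) l2tp,debug,packet (rcvd|sent) control message( \(ack\))?")
SEQ = re.compile(r"ns=(\d+), nr=(\d+)")
TYP = re.compile(r"Message-Type=(\w+)")

def parse(log):  # one dict per control message: time, dir, ack, type, ns, nr
    msgs = []
    for line in log.splitlines():
        if m := HDR.match(line):
            msgs.append({"time": m[1], "dir": m[2], "ack": bool(m[3]), "type": "ZLB" if m[3] else None})
        elif msgs and (m := SEQ.search(line)):
            msgs[-1].update(ns=int(m[1]), nr=int(m[2]))
        elif msgs and (m := TYP.search(line)):
            msgs[-1]["type"] = m[1]
    return msgs

def analyse(msgs):
    """Return (retransmission counts, router Ns values the peer never acknowledged)."""
    data = [m for m in msgs if not m["ack"] and "ns" in m]
    copies = Counter((m["dir"], m["type"], m["ns"]) for m in data)
    retrans = {k: n - 1 for k, n in copies.items() if n > 1}
    # RFC 2661: Nr is the next Ns the sender expects to receive, so the peer
    # has seen our message Ns=x only once it reports Nr > x.
    peer_nr = max((m["nr"] for m in msgs if m["dir"] == "rcvd" and "nr" in m), default=0)
    unacked = sorted({m["ns"] for m in data if m["dir"] == "sent" and m["ns"] >= peer_nr})
    return retrans, unacked

if __name__ == "__main__":
    print(analyse(parse(SAMPLE)))
```

On the sample, both sides retransmit a HELLO with an unchanged Ns and the client's Nr stays at 2, so neither the router's HELLO (ns=2) nor its acks (nr=5) are reflected in what the client sends back.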