L2TP IPSec (no suit proposal found)

akarpas · June 7, 2018, 10:52am

Hi guys.

I have setting up L2TP IPSec tunel (client-server type).
connecting form windows 10 PC. L2TP server , prifile, secret, settings I believe are ok.
Then i try to connect im getting error no good proposal found phase1 failing.
I did debug see attached picture.
Can someone explain what is wrong by the debug log, as as much i have tried various settings on the peer and proposal all the time getting the same on debug log.

your help is much appreciated

evince · June 7, 2018, 12:50pm

Hello,

Can you export your settings regardins l2tp configuration please?

sindy · June 7, 2018, 12:51pm

Use the “terminal” window of Winbox or WebFig, or a command line connection (ssh), and place the following command:

/log print where topics~“ipsec” file=some-file-name

Then download the file and use “find&replace” in text editor to systematically replace the public IP addresses by a distinctive pattern like my.public.ip.1

Also place here the output of
/ip ipsec export hide-sensitive
/ip ipsec peer print
/interface l2tp-server export hide-sensitive
(hide-sensitive removes passwords from the output but you have to replace the IP addresses the same way like above, and you also have to remove manually the secret=xxxx from the output of the print command).

I’ve tested Win10 native L2TP/IPsec client a few weeks ago and it was fine, so there is likely some issue in the peer proposal.

akarpas · June 7, 2018, 2:08pm

Use the “terminal” window of Winbox or WebFig, or a command line connection (ssh), and place the following command:

/log print where topics~“ipsec” file=some-file-name

Then download the file and use “find&replace” in text editor to systematically replace the public IP addresses by a distinctive pattern like my.public.ip.1

Also place here the output of
/ip ipsec export hide-sensitive
/ip ipsec peer print
/interface l2tp-server export hide-sensitive
(hide-sensitive removes passwords from the output but you have to replace the IP addresses the same way like above, and you also have to remove manually the secret=xxxx from the output of the print command).

I’ve tested Win10 native L2TP/IPsec client a few weeks ago and it was fine, so there is likely some issue in the peer proposal.

Could it be ISP issue as i have on other mikrotik with different isp L2TP working with no problems

akarpas · June 7, 2018, 2:45pm

Use the “terminal” window of Winbox or WebFig, or a command line connection (ssh), and place the following command:

/log print where topics~“ipsec” file=some-file-name

Then download the file and use “find&replace” in text editor to systematically replace the public IP addresses by a distinctive pattern like my.public.ip.1

Also place here the output of
/ip ipsec export hide-sensitive
/ip ipsec peer print
/interface l2tp-server export hide-sensitive
(hide-sensitive removes passwords from the output but you have to replace the IP addresses the same way like above, and you also have to remove manually the secret=xxxx from the output of the print command).

I’ve tested Win10 native L2TP/IPsec client a few weeks ago and it was fine, so there is likely some issue in the peer proposal.

Could it be ISP issue as i have on other mikrotik with different isp L2TP working with no problems

here is all you have asked, all mess

/ip ipsec mode-config
add address-pool=admin_dhcp name=IKE2 static-dns=x.x.x.x system-dns=no
/ip ipsec policy group
add name=LT2TP
add name=IKE2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc name=LFG pfs-group=none
add enc-algorithms=aes-128-cbc name=proposal1
add enc-algorithms=aes-256-cbc lifetime=0s name=L2TPVPN pfs-group=none
add enc-algorithms=aes-256-cbc lifetime=0s name=IKEA pfs-group=none
/ip ipsec peer
add address=x.x.x.x comment=LFH dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add address= x.x.x.x comment=“LFH Over VF Backup” dh-group=modp1024 disabled=yes enc-algorithm=aes-128 nat-traversal=no
add address=x.x.x.x comment=LFH dh-group=modp1024 disabled=yes nat-traversal=no
add address=x.x.x.x comment=LFH dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add address=x.x.x.x comment=AOC dh-group=modp1024 enc-algorithm=aes-128 nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override
policy-template-group=LT2TP
add address=0.0.0.0/0 auth-method=rsa-signature comment=IKE2 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 mode-config
IKE2 passive=yes policy-template-group=IKE2
/ip ipsec policy
set 0 disabled=yes
add comment=“VPN HQ - LFH” dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x
src-address=x.x.x.x tunnel=yes
add comment=“VPN HQ - LFH Over LFH VF Backup” disabled=yes dst-address= x.x.x.x proposal=LFG sa-dst-address=x.x.x.x
sa-src-address=x.x.x.x src-address=x.x.x.x tunnel=yes
add comment=“VPN HQ - LFH IT” dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x
src-address=x.x.x.x tunnel=yes
add comment=“VPN HQ - 69” dst-address=x.x.x.x proposal=LFG sa-dst-address=x.x.x.x sa-src-address=x.x.x.x
src-address=x.x.x.x tunnel=yes
add comment=“VPN HQ - AOC” dst-address=x.x.x.x proposal=proposal1 sa-dst-address=x.x.x.x sa-src-address=
x.x.x.x src-address=x.x.x.x tunnel=yes

/ip ipsec peer print

\

/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 ;;; LFH
address=x.x.x.x auth-method=pre-shared-key secret=“” generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

1 X ;;; LFH Over VF Backup
address=x.x.x.x auth-method=pre-shared-key secret=“” generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

2 X ;;; LFH
address=x.x.x.x auth-method=pre-shared-key secret=“” generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

3 ;;; LFH
address=x.x.x.x auth-method=pre-shared-key secret=“” generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

4 ;;; AOC
address=x.x.x.x auth-method=pre-shared-key secret=“” generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

5 R ;;; L2TP
address=0.0.0.0/0 auth-method=pre-shared-key secret=“” generate-policy=port-override policy-template-group=LT2TP
exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

6 R ;;; IKE2
address=0.0.0.0/0 passive=yes auth-method=rsa-signature certificate=*3 remote-certificate=*3 generate-policy=no
policy-template-group=IKE2 exchange-mode=ike2 mode-config=IKE2 send-initial-contact=yes hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m

/interface l2tp-server export hide-sensitive

/
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TPVPN enabled=yes keepalive-timeout=disabled

sindy · June 8, 2018, 1:58pm

Well, you haven’t pasted the log, but let’s try without if first.

The first issue is that you have two peers with (remote) address=0.0.0.0/0, the one for L2TP and another one for IKEv2. I’m not sure whether the fact that the L2TP one is declared first is sufficient to let incoming connections be matched to this peer. So as the first thing to try, disable the IKE2 one to be sure that it does not shadow the L2TP one. If it doesn’t, then the L2TP one shadows the IKE2 one. It’s simply not possible to have two IPsec peers open for 0.0.0.0/0 unless you bind them to different local addresses (which may not be possible if you only have a single public address) - the peer to use is only chosen up to the combination of local and remote address of the initial packet, not by any information carried inside the packet.

Next, you don’t use the automatically (dynamically) created IPsec peer for L2TP/IPsec; instead, you have created one manually. I can see that the peer (phase1) proposal only permits 3des encryption-algorithm; I’m not sure whether the Win10 client supports it too. So first try to permit all encryption-algorithms in the peer proposal; if that way the Phase 1 establishes, you can proceed by tuning the policy (Phase 2) proposal. Some more points are that

in the automatically generated peer, passive is set to yes, which is not the case on your manually created peer (this affects Phase 1)
proposal-check is set to strict while yours is obey (I’m not sure whether this affects Phase 1)
generate-policy is set to port-strict while yours is port-override

akarpas · June 8, 2018, 2:46pm

Well, you haven’t pasted the log, but let’s try without if first.

The first issue is that you have two peers with (remote) address=0.0.0.0/0, the one for L2TP and another one for IKEv2. I’m not sure whether the fact that the L2TP one is declared first is sufficient to let incoming connections be matched to this peer. So as the first thing to try, disable the IKE2 one to be sure that it does not shadow the L2TP one. If it doesn’t, then the L2TP one shadows the IKE2 one. It’s simply not possible to have two IPsec peers open for 0.0.0.0/0 unless you bind them to different local addresses (which may not be possible if you only have a single public address) - the peer to use is only chosen up to the combination of local and remote address of the initial packet, not by any information carried inside the packet.

Next, you don’t use the automatically (dynamically) created IPsec peer for L2TP/IPsec; instead, you have created one manually. I can see that the peer (phase1) proposal only permits 3des encryption-algorithm; I’m not sure whether the Win10 client supports it too. So first try to permit all encryption-algorithms in the peer proposal; if that way the Phase 1 establishes, you can proceed by tuning the policy (Phase 2) proposal. Some more points are that

in the automatically generated peer, passive is set to yes, which is not the case on your manually created peer (this affects Phase 1)

proposal-check is set to strict while yours is obey (I’m not sure whether this affects Phase 1)

generate-policy is set to port-strict while yours is port-override

Ike2 was set up after L2TP didnt work just to experiment, even if im taking IKE2 away the same troubles with L2TP ill work on you second part of advise about phase 1 and phase 2

akarpas · June 8, 2018, 2:52pm

Well, you haven’t pasted the log, but let’s try without if first.

The first issue is that you have two peers with (remote) address=0.0.0.0/0, the one for L2TP and another one for IKEv2. I’m not sure whether the fact that the L2TP one is declared first is sufficient to let incoming connections be matched to this peer. So as the first thing to try, disable the IKE2 one to be sure that it does not shadow the L2TP one. If it doesn’t, then the L2TP one shadows the IKE2 one. It’s simply not possible to have two IPsec peers open for 0.0.0.0/0 unless you bind them to different local addresses (which may not be possible if you only have a single public address) - the peer to use is only chosen up to the combination of local and remote address of the initial packet, not by any information carried inside the packet.

Next, you don’t use the automatically (dynamically) created IPsec peer for L2TP/IPsec; instead, you have created one manually. I can see that the peer (phase1) proposal only permits 3des encryption-algorithm; I’m not sure whether the Win10 client supports it too. So first try to permit all encryption-algorithms in the peer proposal; if that way the Phase 1 establishes, you can proceed by tuning the policy (Phase 2) proposal. Some more points are that

in the automatically generated peer, passive is set to yes, which is not the case on your manually created peer (this affects Phase 1)

proposal-check is set to strict while yours is obey (I’m not sure whether this affects Phase 1)

generate-policy is set to port-strict while yours is port-override

Ike2 was set up after L2TP didnt work just to experiment, even if im taking IKE2 away the same troubles with L2TP ill work on you second part of advise about phase 1 and phase 2

next question how to create peer for L2TP IPsec automaticly?

sindy · June 8, 2018, 2:59pm

Disable the manually created one and set use-ipsec to yes or require and configure the ipsec-secret in the L2TP configuration. Bear in mind that the automatically created peer always uses the policy template group called “default” and the proposal of the policy template belonging to that group.

akarpas · June 9, 2018, 10:43am

thanks for advise, have disabled manually created one, and modified LT2P server settings to get dynamically peer policy created, so seems to be i got passed phase 1 now stuck on phase 2.

sindy · June 9, 2018, 11:35am

/log print where topics~“ipsec” is much more useful than screenshots.

The log says

searching for policy for selector x.x.x.x:1701 ip proto:17 <=> y.y.y.y:1701 ip proto:17
no template matches

So it points back to what I’ve written before:

Your configuration export shows that you have disabled the default policy template:

/ip ipsec policy
set 0 disabled=yes

So you have to re-enable this default /ip ipsec policy template and make sure that its group property is set to default. Next, you can either let it this template point to the proposal named “default”, or you can create another proposal and let the default policy template point to it, e.g. /ip ipsec policy set 0 proposal=L2TPVPN

akarpas · June 9, 2018, 2:20pm

/log print where topics~“ipsec” is much more useful than screenshots.

The log says
searching for policy for selector x.x.x.x:1701 ip proto:17 <=> y.y.y.y:1701 ip proto:17
no template matches
So it points back to what I’ve written before:

Bear in mind that the automatically created peer always uses the policy template group called “default” and the proposal of the policy template belonging to that group.

Your configuration export shows that you have disabled the default policy template:
/ip ipsec policy
set 0 disabled=yes
So you have to re-enable this default /ip ipsec policy template and make sure that its group property is set to default. Next, you can either let it this template point to the proposal named “default”, or you can create another proposal and let the default policy template point to it, e.g. /ip ipsec policy set 0 proposal=L2TPVPN

very strange as default proposal in not disabled its enabled next the command to change default proposal as default L2TPVPN didnt works , default is still default and i have full rights on mikrotik

akarpas · June 9, 2018, 2:25pm

/log print where topics~“ipsec” is much more useful than screenshots.

The log says
searching for policy for selector x.x.x.x:1701 ip proto:17 <=> y.y.y.y:1701 ip proto:17
no template matches
So it points back to what I’ve written before:

Bear in mind that the automatically created peer always uses the policy template group called “default” and the proposal of the policy template belonging to that group.

Your configuration export shows that you have disabled the default policy template:
/ip ipsec policy
set 0 disabled=yes
So you have to re-enable this default /ip ipsec policy template and make sure that its group property is set to default. Next, you can either let it this template point to the proposal named “default”, or you can create another proposal and let the default policy template point to it, e.g. /ip ipsec policy set 0 proposal=L2TPVPN
very strange as default proposal in not disabled its enabled next the command to change default proposal as default L2TPVPN didnt works , default is still default and i have full rights on mikrotik

ok my mistake didnt get you right have enabled default policy pointed to L2TPVPN proposal , ok now im not getting any errors but connection is not established, no errors on mikrotik but windows keeps connecting until fails.

sindy · June 9, 2018, 2:30pm

Yes, there is a lot of “default” items and a complex structure of references/dependencies in the IPsec configuration. It needs some experience to realize all the relationships.

If the Mikrotik reports no error but the Windows client gives up, it suggests that IPsec is already fine and the issue is on l2tp layer. What does /ip firewall filter export show?

akarpas · June 9, 2018, 2:50pm

/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether2 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether2 protocol=tcp
add action=drop chain=forward comment=“allow access only to phone system” dst-address=!x.x.x.x src-address=x.x.x.x
add action=drop chain=forward comment=“Drop Non Mail Srv SMTP Out on UPC (WF)” dst-port=25 out-interface=ether2 protocol=tcp
src-address=!x.x.x.x
add action=drop chain=forward comment=“Drop Non Mail Srv SMTP Out on UPC (WF)” dst-port=25 out-interface=ether2 protocol=udp
src-address=!x.x.x.x
add action=accept chain=forward comment=“Allow Mail Srv outbound SMTP Out” dst-port=25 in-interface=admin_lan protocol=tcp
src-address=x.x.x.x
add action=accept chain=forward dst-address=x.x.x.x/24 src-address=x.x.x.x/24
add action=accept chain=forward
add action=drop chain=input src-address-list=BlackList

akarpas · June 9, 2018, 2:57pm

looking to mikrotik log mit hangs at “first L2TP UDP packet received from x.x.x.x” and nothing more

sindy · June 9, 2018, 3:10pm

OK. Let’s ignore for a while that your firewall is not safe because there is no “drop the rest” rule in input chain (i.e. you let in anything except known threats which is not a good idea), but the firewall is not the reason why the L2TP does not come up.

By default, only events with severity info and above are logged. So do the following:
/system logging add topics=l2tp
This will make the system log everything related to l2tp, including severity debug.
Then, start
/log print follow-only file=l2tp-log where topics~“l2tp”

let it run, let the Windows client connection attempt to start and fail, and then stop the /log print by pressing Ctrl-C.

Then download the file, look what it says, and if it doesn’t clarify the issue, use find&replace to substitute real IP addresses with meaningful strings like mtik.public.ip, client’s.public.ip and post the result as text here.

akarpas · June 9, 2018, 3:40pm

OK. Let’s ignore for a while that your firewall is not safe because there is no “drop the rest” rule in input chain (i.e. you let in anything except known threats which is not a good idea), but the firewall is not the reason why the L2TP does not come up.

By default, only events with severity info and above are logged. So do the following:
/system logging add topics=l2tp
This will make the system log everything related to l2tp, including severity debug.
Then, start
/log print follow-only file=l2tp-log where topics~“l2tp”

let it run, let the Windows client connection attempt to start and fail, and then stop the /log print by pressing Ctrl-C.

Then download the file, look what it says, and if it doesn’t clarify the issue, use find&replace to substitute real IP addresses with meaningful strings like mtik.public.ip, client’s.public.ip and post the result as text here.

jun/ 9/2018 16:14:11 by RouterOS 6.42.1

software id = WY7A-F6QQ

16:14:37 l2tp,debug,packet rcvd control message from x.x.x.x:1701 to x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:14:37 l2tp,debug,packet (M) Message-Type=SCCRQ
16:14:37 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:14:37 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:14:37 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:14:37 l2tp,debug,packet Firmware-Revision=0xa00
16:14:37 l2tp,debug,packet (M) Host-Name=“???”
16:14:37 l2tp,debug,packet Vendor-Name=“Microsoft”
16:14:37 l2tp,debug,packet (M) Assigned-Tunnel-ID=11
16:14:37 l2tp,debug,packet (M) Receive-Window-Size=8
16:14:37 l2tp,info first L2TP UDP packet received from x.x.x.x
16:14:37 l2tp,debug tunnel 11 entering state: wait-ctl-conn
16:14:37 l2tp,debug,packet sent control message to x.x.x.x:1701 from x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=0, nr=1
16:14:37 l2tp,debug,packet (M) Message-Type=SCCRP
16:14:37 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:14:37 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:14:37 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:14:37 l2tp,debug,packet Firmware-Revision=0x1
16:14:37 l2tp,debug,packet (M) Host-Name=“???”
16:14:37 l2tp,debug,packet Vendor-Name=“MikroTik”
16:14:37 l2tp,debug,packet (M) Assigned-Tunnel-ID=11
16:14:37 l2tp,debug,packet (M) Receive-Window-Size=4
16:14:37 l2tp,debug,packet rcvd control message from x.x.x.x:1701 to x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=1, nr=1
16:14:37 l2tp,debug,packet (M) Message-Type=SCCCN
16:14:37 l2tp,debug tunnel 11 entering state: estabilished
16:14:37 l2tp,debug,packet sent control message (ack) to x.x.x.x:1701 from x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=1, nr=2
16:14:37 l2tp,debug,packet rcvd control message from x.x.x.x:1701 to x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=2, nr=1
16:14:37 l2tp,debug,packet (M) Message-Type=ICRQ
16:14:37 l2tp,debug,packet (M) Assigned-Session-ID=1
16:14:37 l2tp,debug,packet (M) Call-Serial-Number=0
16:14:37 l2tp,debug,packet (M) Bearer-Type=0x2
16:14:37 l2tp,debug,packet 1(vendor-id=311)=0xe1:48:fc:8b:7b:dd:cc:4e:81:8e:e9:af:e9:b0:81:e9
16:14:37 l2tp,debug session 1 entering state: wait-connect
16:14:37 l2tp,debug,packet sent control message to x.x.x.x:1701 from x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=1, ns=1, nr=3
16:14:37 l2tp,debug,packet (M) Message-Type=ICRP
16:14:37 l2tp,debug,packet (M) Assigned-Session-ID=1
16:14:37 l2tp,debug,packet rcvd control message from x.x.x.x:1701 to x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=1, ns=3, nr=2
16:14:37 l2tp,debug,packet (M) Message-Type=ICCN
16:14:37 l2tp,debug,packet (M) Tx-Connect-Speed-BPS=433300000
16:14:37 l2tp,debug,packet (M) Framing-Type=0x1
16:14:37 l2tp,debug,packet Proxy-Authen-Type=4
16:14:37 l2tp,debug session 1 entering state: established
16:14:37 l2tp,debug,packet sent control message (ack) to x.x.x.x:1701 from x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=2, nr=4
16:14:37 l2tp,debug,packet rcvd control message (ack) from x.x.x.x:1701 to x.x.x.x:1701
16:14:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=4, nr=2
16:14:37 l2tp,ppp,debug <x.x.x.x>: LCP lowerup
16:14:37 l2tp,ppp,debug <x.x.x.x>: LCP open
16:14:38 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:38 l2tp,ppp,debug,packet 1.187.10.5>: sent <x.x.x.x>: sent <x.x.x.x>: sent <x.x.x.x>: sent <x.x.x.x>: sent LCP ConfReq id=0x1
16:14:38 l2tp,ppp,debug,packet <mru 1450>
16:14:38 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:38 l2tp,ppp,debug,packet
16:14:39 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:39 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x2
16:14:39 l2tp,ppp,debug,packet <mru 1450>
16:14:39 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:39 l2tp,ppp,debug,packet
16:14:41 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:41 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x3
16:14:41 l2tp,ppp,debug,packet <mru 1450>
16:14:41 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:41 l2tp,ppp,debug,packet
16:14:43 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:43 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x4
16:14:43 l2tp,ppp,debug,packet <mru 1450>
16:14:43 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:43 l2tp,ppp,debug,packet
16:14:46 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:46 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x5
16:14:46 l2tp,ppp,debug,packet <mru 1450>
16:14:46 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:46 l2tp,ppp,debug,packet
16:14:51 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:51 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x6
16:14:51 l2tp,ppp,debug,packet <mru 1450>
16:14:51 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:51 l2tp,ppp,debug,packet
16:14:59 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:14:59 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x7
16:14:59 l2tp,ppp,debug,packet <mru 1450>
16:14:59 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:14:59 l2tp,ppp,debug,packet
16:15:12 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:15:12 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x8
16:15:12 l2tp,ppp,debug,packet <mru 1450>
16:15:12 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:15:12 l2tp,ppp,debug,packet
16:15:28 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:15:28 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0x9
16:15:28 l2tp,ppp,debug,packet <mru 1450>
16:15:28 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:15:28 l2tp,ppp,debug,packet
16:15:37 l2tp,debug,packet sent control message to x.x.x.x:1701 from x.x.x.x:1701
16:15:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=2, nr=4
16:15:37 l2tp,debug,packet (M) Message-Type=HELLO
16:15:37 l2tp,debug,packet rcvd control message (ack) from x.x.x.x:1701 to x.x.x.x:1701
16:15:37 l2tp,debug,packet tunnel-id=11, session-id=0, ns=4, nr=3
16:15:52 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:15:52 l2tp,ppp,debug,packet <x.x.x.x>: sent LCP ConfReq id=0xa
16:15:52 l2tp,ppp,debug,packet <mru 1450>
16:15:52 l2tp,ppp,debug,packet <magic 0x7015dc2c>
16:15:52 l2tp,ppp,debug,packet
16:16:32 l2tp,ppp,debug <x.x.x.x>: LCP timer
16:16:32 l2tp,ppp,debug <x.x.x.x>: LCP timeout sending ConfReq
16:16:32 l2tp,ppp,debug <x.x.x.x>: LCP lowerdown
16:16:32 l2tp,ppp,debug <x.x.x.x>: CCP close
16:16:32 l2tp,ppp,debug <x.x.x.x>: BCP close
16:16:32 l2tp,ppp,debug <x.x.x.x>: IPCP close
16:16:32 l2tp,ppp,debug <x.x.x.x>: IPV6CP close
16:16:32 l2tp,ppp,debug <x.x.x.x>: MPLSCP close
16:16:32 l2tp,ppp,debug <x.x.x.x>: LCP lowerdown
16:16:32 l2tp,ppp,debug <x.x.x.x>: LCP down event in starting state
16:16:32 l2tp,debug,packet sent control message to x.x.x.x:1701 from x.x.x.x:1701
16:16:32 l2tp,debug,packet tunnel-id=11, session-id=1, ns=3, nr=4
16:16:32 l2tp,debug,packet (M) Message-Type=CDN
16:16:32 l2tp,debug,packet (M) Result-Code=1
16:16:32 l2tp,debug,packet (M) Assigned-Session-ID=1
16:16:32 l2tp,debug session 1 entering state: stopping
16:16:32 l2tp,debug,packet rcvd control message from x.x.x.x:1701 to x.x.x.x:1701
16:16:32 l2tp,debug,packet tunnel-id=11, session-id=0, ns=4, nr=4
16:16:32 l2tp,debug,packet (M) Message-Type=StopCCN
16:16:32 l2tp,debug,packet (M) Assigned-Tunnel-ID=11
16:16:32 l2tp,debug,packet (M) Result-Code=6
16:16:32 l2tp,debug,packet Error-Code=0
16:16:32 l2tp,debug,packet sent control message (ack) to x.x.x.x:1701 from x.x.x.x:1701
16:16:32 l2tp,debug,packet tunnel-id=11, session-id=0, ns=4, nr=5
16:16:32 l2tp,debug tunnel 11 entering state: dead
16:16:32 l2tp,debug session 1 entering state: dead

sindy · June 9, 2018, 4:01pm

The log shows that the Windows client doesn’t respond to some of our requests after the session got established; I’m not an L2TP specialist so I don’t know whether ignoring what you don’t understand is a legal behaviour or not.

So please post the output of the following:

/interface l2tp-server server export verbose hide-sensitive
/ppp secret export verbose hide-sensitive
/ppp profile export verbose

akarpas · June 9, 2018, 4:17pm

The log shows that the Windows client doesn’t respond to some of our requests after the session got established; I’m not an L2TP specialist so I don’t know whether ignoring what you don’t understand is a legal behaviour or not.

So please post the output of the following:
/interface l2tp-server server export verbose hide-sensitive
/ppp secret export verbose hide-sensitive
/ppp profile export verbose

[???] > /interface l2tp-server server export verbose hide-sensitive

jun/09/2018 17:08:46 by RouterOS 6.42.3

software id = WY7A-F6QQ

model = 1100AHx2

serial number = xxxxxxx

/interface l2tp-server server
set allow-fast-path=no authentication=mschap1,mschap2 caller-id-type=ip-address default-profile=L2TPVPN enabled=yes
keepalive-timeout=disabled max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no
use-ipsec=required

[???] > /ppp secret export verbose hide-sensitive

jun/09/2018 17:10:25 by RouterOS 6.42.3

software id = WY7A-F6QQ

model = 1100AHx2

serial number = XXXXXXX

/ppp secret
add caller-id=“” disabled=no limit-bytes-in=0 limit-bytes-out=0 !local-address name=xxxxxx profile=L2TPVPN !remote-address
routes=“” service=l2tp

???] > /ppp profile export verbose

jun/09/2018 17:12:32 by RouterOS 6.42.3

software id = WY7A-F6QQ

model = 1100AHx2

serial number = xxxxxxxx

/ppp profile
set *0 address-list=“” !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server
!idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down=“” on-up=“”
only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout
use-compression=default use-encryption=default use-mpls=default use-upnp=default !wins-server
add address-list=“” !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=default dns-server=
x.x.x.x !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=x.x.x.x name=L2TPVPN
on-down=“” on-up=“” only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=admin_dhcp
!session-timeout use-compression=default use-encryption=required use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list=“” !bridge !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server
!idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down=“”
on-up=“” only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout
use-compression=default use-encryption=yes use-mpls=default use-upnp=default !wins-server