Hello! I’m trying to tune up L2TP server with IPSec on RB915G-2HnD. Config:
[admin@MikroTik] > export
# jan/02/1970 17:52:59 by RouterOS 6.7
# software id = A8W7-7LZ0
#
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n l2mtu=2290
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=41840244ECD3 wpa2-pre-shared-key=41840244ECD3
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=Pool ranges=192.168.0.2-192.168.0.254
add name=l2tp-pool ranges=192.168.253.2-192.168.254.62
/ppp profile
add change-tcp-mss=yes local-address=192.168.253.1 name=l2tp remote-address=l2tp-pool
/system logging action
add memory-lines=100 name=ipsec target=memory
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp enabled=yes keepalive-timeout=15 max-mru=1418 max-mtu=1418
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=10.190.100.111/24 interface=ether1 network=10.190.100.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 domain=home gateway=192.168.0.1
/ip firewall filter
add chain=input dst-address=10.190.100.111 src-address=10.190.100.110
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24 to-addresses=0.0.0.0
/ip ipsec peer
add address=10.190.100.110/32 enc-algorithm=3des secret=topsecret
/ppp secret
add local-address=10.190.100.111 name=client1 password=client1 profile=default-encryption service=l2tp
/system leds
set 0 interface=wlan1
/system logging
add action=ipsec topics=ipsec
Then connected with cable my notebook to MikroTik’s WAN port.
Created L2TP connection with pre-shared key on my notebook.
When trying to connect this l2tp connection, I get error 789 (connection attempt failed because of an error that occurred at the level of security during initial negotiations with the remote computer)
Mikrotik logs:
18:22:04 ipsec,debug,packet f3098d7f 60b68a9c ae85bcce
18:22:04 ipsec,debug,packet hash(sha1)
18:22:04 ipsec,debug,packet encryption(3des)
18:22:04 ipsec,debug,packet phase2 IV computed:
18:22:04 ipsec,debug,packet c32eeee7 cac7801c
18:22:04 ipsec,debug,packet encryption(3des)
18:22:04 ipsec,debug,packet IV was saved for next processing:
18:22:04 ipsec,debug,packet 9f1a7931 cd79d97a
18:22:04 ipsec,debug,packet encryption(3des)
18:22:04 ipsec,debug,packet with key:
18:22:04 ipsec,debug,packet 992529dc 9ca5cf0f 17a7a2c2 e498ca93 0cc9f318 b5595b4a
18:22:04 ipsec,debug,packet decrypted payload by IV:
18:22:04 ipsec,debug,packet c32eeee7 cac7801c
18:22:04 ipsec,debug,packet decrypted payload, but not trimed.
18:22:04 ipsec,debug,packet 0c000018 58d3d6ed b37f96ec 99adbd42 25488b24 806fa05d 0000001c 00000001
18:22:04 ipsec,debug,packet 01100001 b5bbf37c d0a28b26 0c71720f ae11887c 00000000
18:22:04 ipsec,debug,packet padding len=1
18:22:04 ipsec,debug,packet skip to trim padding.
18:22:04 ipsec,debug,packet decrypted.
18:22:04 ipsec,debug,packet b5bbf37c d0a28b26 0c71720f ae11887c 08100501 ae85bcce 00000054 0c000018
18:22:04 ipsec,debug,packet 58d3d6ed b37f96ec 99adbd42 25488b24 806fa05d 0000001c 00000001 01100001
18:22:04 ipsec,debug,packet b5bbf37c d0a28b26 0c71720f ae11887c 00000000
18:22:04 ipsec,debug,packet HASH with:
18:22:04 ipsec,debug,packet ae85bcce 0000001c 00000001 01100001 b5bbf37c d0a28b26 0c71720f ae11887c
18:22:04 ipsec,debug,packet hmac(hmac_sha1)
18:22:04 ipsec,debug,packet HASH computed:
18:22:04 ipsec,debug,packet 58d3d6ed b37f96ec 99adbd42 25488b24 806fa05d
18:22:04 ipsec,debug,packet hash validated.
18:22:04 ipsec,debug,packet begin.
18:22:04 ipsec,debug,packet seen nptype=8(hash)
18:22:04 ipsec,debug,packet seen nptype=12(delete)
18:22:04 ipsec,debug,packet succeed.
18:22:04 ipsec,debug,packet delete payload for protocol ISAKMP
18:22:04 ipsec,debug ISAKMP-SA expired 10.190.100.111[500]-10.190.100.110[500] spi:b5bbf37cd0a28b26:0c71720fae11887c
18:22:04 ipsec,debug,packet purged SAs.
18:22:04 ipsec,debug,packet ==========
18:22:04 ipsec,debug,packet 84 bytes message received from 10.190.100.110[500] to 10.190.100.111[500]
18:22:04 ipsec,debug,packet 0e2dc3af 341da2fb c91223d1 f5669cf9 08100501 3e4cd811 00000054 f82362c3
18:22:04 ipsec,debug,packet de92bb12 0911dbbf 620a76cf d831afdb cb0c307f d4837249 0f5ae682 c63078e7
18:22:04 ipsec,debug,packet 3b251de5 71bd2e98 3a47feb6 4da3ecc8 72de3cb0
18:22:04 ipsec,debug,packet receive Information.
18:22:04 ipsec,debug,packet compute IV for phase2
18:22:04 ipsec,debug,packet phase1 last IV:
18:22:04 ipsec,debug,packet d609afbe 50caa24e 3e4cd811
18:22:04 ipsec,debug,packet hash(sha1)
18:22:04 ipsec,debug,packet encryption(3des)
18:22:04 ipsec,debug,packet phase2 IV computed:
18:22:04 ipsec,debug,packet b38a9e75 e139377e
18:22:04 ipsec,debug,packet encryption(3des)
18:22:04 ipsec,debug,packet IV was saved for next processing:
18:22:04 ipsec,debug,packet 4da3ecc8 72de3cb0
18:22:04 ipsec,debug,packet encryption(3des)
18:22:04 ipsec,debug,packet with key:
18:22:04 ipsec,debug,packet 92ac6029 ed8e3510 694c304f ac0d12ff f8110011 429fb805
18:22:04 ipsec,debug,packet decrypted payload by IV:
18:22:04 ipsec,debug,packet b38a9e75 e139377e
18:22:04 ipsec,debug,packet decrypted payload, but not trimed.
18:22:04 ipsec,debug,packet 0c000018 14aa056c 0c5ae0ca ede003e2 b19b3c0b 50da8211 0000001c 00000001
18:22:04 ipsec,debug,packet 01100001 0e2dc3af 341da2fb c91223d1 f5669cf9 00000000
18:22:04 ipsec,debug,packet padding len=1
18:22:04 ipsec,debug,packet skip to trim padding.
18:22:04 ipsec,debug,packet decrypted.
18:22:04 ipsec,debug,packet 0e2dc3af 341da2fb c91223d1 f5669cf9 08100501 3e4cd811 00000054 0c000018
18:22:04 ipsec,debug,packet 14aa056c 0c5ae0ca ede003e2 b19b3c0b 50da8211 0000001c 00000001 01100001
18:22:04 ipsec,debug,packet 0e2dc3af 341da2fb c91223d1 f5669cf9 00000000
18:22:04 ipsec,debug,packet HASH with:
18:22:04 ipsec,debug,packet 3e4cd811 0000001c 00000001 01100001 0e2dc3af 341da2fb c91223d1 f5669cf9
18:22:04 ipsec,debug,packet hmac(hmac_sha1)
18:22:04 ipsec,debug,packet HASH computed:
18:22:04 ipsec,debug,packet 14aa056c 0c5ae0ca ede003e2 b19b3c0b 50da8211
18:22:04 ipsec,debug,packet hash validated.
18:22:04 ipsec,debug,packet begin.
18:22:04 ipsec,debug,packet seen nptype=8(hash)
18:22:04 ipsec,debug,packet seen nptype=12(delete)
18:22:04 ipsec,debug,packet succeed.
18:22:04 ipsec,debug,packet delete payload for protocol ISAKMP
18:22:04 ipsec,debug ISAKMP-SA expired 10.190.100.111[500]-10.190.100.110[500] spi:0e2dc3af341da2fb:c91223d1f5669cf9
18:22:04 ipsec,debug,packet purged SAs.
18:22:04 ipsec,debug,packet ===
18:22:04 ipsec,debug initiate new phase 1 negotiation: 10.190.100.111[500]<=>10.190.100.110[500]
18:22:04 ipsec,debug begin Identity Protection mode.
18:22:04 ipsec,debug,packet new cookie:
18:22:04 ipsec,debug,packet 2ca2986ca6b86cfb
18:22:04 ipsec,debug,packet add payload of len 52, next type 13
18:22:04 ipsec,debug,packet add payload of len 16, next type 13
18:22:04 ipsec,debug,packet add payload of len 16, next type 0
18:22:04 ipsec,debug,packet 124 bytes from 10.190.100.111[500] to 10.190.100.110[500]
18:22:04 ipsec,debug,packet sockname 10.190.100.111[500]
18:22:04 ipsec,debug,packet send packet from 10.190.100.111[500]
18:22:04 ipsec,debug,packet send packet to 10.190.100.110[500]
18:22:04 ipsec,debug,packet src4 10.190.100.111[500]
18:22:04 ipsec,debug,packet dst4 10.190.100.110[500]
18:22:04 ipsec,debug,packet 1 times of 124 bytes message will be sent to 10.190.100.110[500]
18:22:04 ipsec,debug,packet 2ca2986c a6b86cfb 00000000 00000000 01100200 00000000 0000007c 0d000038
18:22:04 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
18:22:04 ipsec,debug,packet 00015180 80010005 80030001 80020002 80040002 0d000014 12f5f28c 457168a9
18:22:04 ipsec,debug,packet 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
18:22:04 ipsec,debug,packet resend phase1 packet 2ca2986ca6b86cfb:0000000000000000
18:22:05 ipsec,debug ISAKMP-SA deleted 10.190.100.111[500]-10.190.100.110[500] spi:b5bbf37cd0a28b26:0c71720fae11887c
18:22:05 ipsec,debug ISAKMP-SA deleted 10.190.100.111[500]-10.190.100.110[500] spi:0e2dc3af341da2fb:c91223d1f5669cf9
Can anybody help with this problem?
PS sorry about my english 