L2tp/ipsec tunnel entering state: dead

Hello!

I’m trying to create an l2tp/ipsec tunnel with both sides on dynamic IP. I’ve started from the “bottom”, first creating pptp, then l2tp and in the end l2tp/ipsec. The first two were working out of the box, but the ipsec thing just refuses to stay alive.
When/while the tunnel is up, the client can communicate with the router until it receives “rcvd CCP TermAck id=0x3”.

Can somebody explain what’s going on?
My setup is the MikroTik default; I tried the same on an RB750 and an RB751U-2HnD (with a 3G stick as WAN).

This is from RB751:

00:47:11 l2tp,ppp,debug <10.79.163.88>: IPCP opened
00:47:11 l2tp,ppp,info <l2tp-0>: connected
00:47:11 l2tp,ppp,info,account user logged in, 192.168.88.107
00:47:11 l2tp,ppp,debug,packet  <10.79.163.88>: rcvd CCP TermAck id=0x3
00:47:11 ipsec,debug 192.168.88.100[500] used as isakmp port (fd=16)
00:47:24 l2tp,ppp,debug,packet  <10.79.163.88>: rcvd LCP TermReq id=0x4
00:47:24 l2tp,ppp,debug,packet     User request
00:47:24 l2tp,ppp,debug <10.79.163.88>: LCP closed
00:47:24 l2tp,ppp,debug <10.79.163.88>: CCP lowerdown
00:47:24 l2tp,ppp,debug <10.79.163.88>: BCP lowerdown
00:47:24 l2tp,ppp,debug <10.79.163.88>: BCP down event in starting state
00:47:24 l2tp,ppp,debug <10.79.163.88>: IPCP lowerdown
00:47:24 l2tp,ppp,debug <10.79.163.88>: IPCP closed
00:47:24 l2tp,ppp,info,account user logged out, 13 119 131 9 10
00:47:24 l2tp,ppp,debug <10.79.163.88>: IPV6CP lowerdown
00:47:24 l2tp,ppp,debug <10.79.163.88>: IPV6CP down event in starting state
00:47:24 l2tp,ppp,debug <10.79.163.88>: MPLSCP lowerdown
00:47:24 l2tp,ppp,debug,packet  <10.79.163.88>: sent LCP TermAck id=0x4
00:47:24 l2tp,ppp,debug <10.79.163.88>: LCP lowerdown
00:47:24 l2tp,ppp,info <l2tp-user>: terminating...
00:47:24 l2tp,debug,packet sent control message to 10.79.163.88:47429
00:47:24 l2tp,debug,packet     tunnel-id=33056, session-id=3738, ns=2, nr=4
00:47:24 l2tp,debug,packet     (M) Message-Type=CDN
00:47:24 l2tp,debug,packet     (M) Result-Code=1
00:47:24 l2tp,debug,packet     (M) Assigned-Session-ID=1
00:47:24 l2tp,debug session 1 entering state: stopping
00:47:24 l2tp,ppp,debug <10.79.163.88>: LCP lowerdown
00:47:24 l2tp,ppp,debug <10.79.163.88>: LCP down event in starting state
00:47:24 l2tp,ppp,info <l2tp-user>: disconnected
00:47:24 l2tp,debug,packet rcvd control message from 10.79.163.88:47429
00:47:24 l2tp,debug,packet     tunnel-id=8, session-id=0, ns=4, nr=2
00:47:24 l2tp,debug,packet     (M) Message-Type=StopCCN
00:47:24 l2tp,debug,packet     (M) Assigned-Tunnel-ID=33056
00:47:24 l2tp,debug,packet     (M) Result-Code=6
00:47:24 l2tp,debug,packet sent control message (ack) to 10.79.163.88:47429
00:47:24 l2tp,debug,packet     tunnel-id=33056, session-id=0, ns=3, nr=5
00:47:24 l2tp,debug tunnel 8 entering state: dead
00:47:24 l2tp,debug session 1 entering state: dead
00:47:24 ipsec,debug unbind ::ffff:192.168.88.100

Configuration:

[admin@MikroTik] > /ip ipsec proposal print
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=30m pfs-group=modp1024

[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled
 0   address=0.0.0.0/32 port=500 auth-method=pre-shared-key secret="testtest" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes
     my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
     dpd-maximum-failures=1


[admin@MikroTik] > /ppp profile print
Flags: * - default
 0 * name="default" use-mpls=default use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes
 1 * name="default-encryption" local-address=pptp_pool remote-address=pptp_remote use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes

pptp_pool=192.168.88.150-192.168.88.200
pptp_remote=192.168.89.150-192.168.89.200

[admin@MikroTik] > /ppp secret print
Flags: X - disabled
 #   NAME     SERVICE CALLER-ID    PASSWORD   PROFILE                   REMOTE-ADDRESS
 0   user           any        user                         default-encryption

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   chain=input action=accept protocol=ipsec-esp
 4   chain=input action=accept connection-state=new protocol=udp dst-port=500
 5   chain=input action=accept connection-state=new protocol=udp dst-port=1701
 6   chain=input action=accept connection-state=new protocol=udp dst-port=4500
 7   ;;; l2tp test
     chain=forward action=accept connection-state=new protocol=udp src-address=192.168.89.0/24 dst-port=4500
 8   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
[admin@MikroTik] >

Edit: Please :smiley:
Edit: Added configuration info.

Just to answer my own question. There were two problems.

  1. It’s mandatory to change the IPsec policies in Win XP as described in the manual. If it is not working after that, reinstall Windows!
  2. Somehow the peer 0.0.0.0/0 changed to 0.0.0.0/32 and I didn’t notice that.
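As an added example (not from the original post and not MikroTik code), here is a small Python linter that parses the `/ip ipsec peer print` output posted above and flags the second problem: a peer written as 0.0.0.0/32 is a single-host prefix that matches only the literal address 0.0.0.0, so no client connecting from a real dynamic IP ever matches it, whereas 0.0.0.0/0 matches any source. It also raises a few points a reviewer would make about the same entry (DPD disabled, 3DES, modp1024, a short PSK, and the fact that IKEv1 main mode with a pre-shared key on a wildcard peer means one secret for every client). The sample input is the poster's entry with its wrapped lines rejoined; the severity labels and the 20-character PSK threshold are my own assumptions.

```python
"""Lint a RouterOS '/ip ipsec peer print' dump for the misconfiguration found in
this thread (a wildcard peer saved as 0.0.0.0/32 instead of 0.0.0.0/0) plus a few
settings a reviewer would flag. Added example, not MikroTik code."""
import ipaddress
import re
import shlex

# Constructed sample input: the poster's peer entry with its wrapped lines rejoined.
PEER_PRINT_BROKEN = """\
Flags: X - disabled
 0   address=0.0.0.0/32 port=500 auth-method=pre-shared-key secret="testtest" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes
     my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
     dpd-maximum-failures=1
"""
# The same entry with the address the poster intended.
PEER_PRINT_FIXED = PEER_PRINT_BROKEN.replace("address=0.0.0.0/32", "address=0.0.0.0/0")

# A numbered entry line: index, optional single-letter flags (e.g. "X"), then key=value pairs.
ENTRY_START = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(.*)$")

WEAK_ENC = {"des", "3des"}           # 64-bit block ciphers, deprecated
WEAK_DH = {"modp768", "modp1024"}    # IKE DH groups 1 and 2
MIN_PSK_LEN = 20                     # assumption: local policy threshold for a PSK


def parse_peer_print(text):
    """Return one dict per numbered entry, mapping setting -> value.

    Indented continuation lines (no leading index) are folded into the
    preceding entry; quoted values are unquoted by shlex."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_START.match(line)
        if m:
            entries.append({"_index": int(m.group(1)),
                            "_flags": m.group(2).split(),
                            "_raw": m.group(3)})
        elif entries:
            entries[-1]["_raw"] += " " + line.strip()
    for entry in entries:
        for token in shlex.split(entry.pop("_raw")):
            key, _, value = token.partition("=")
            entry[key] = value
    return entries


def lint_peer(peer):
    """Return (severity, setting, message) findings for one parsed peer entry."""
    findings = []
    address = peer.get("address", "")
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        net = None
        findings.append(("error", "address", f"unparseable address {address!r}"))
    # A /32 of 0.0.0.0 is a single-host match that no real initiator can satisfy.
    if net is not None and net.num_addresses == 1 and net.network_address.is_unspecified:
        findings.append(("error", "address",
                         "0.0.0.0/32 matches only the literal host 0.0.0.0, so no "
                         "initiator can ever match this peer; a responder for "
                         "dynamic-IP clients needs address=0.0.0.0/0"))
    if peer.get("dpd-interval") == "disable-dpd":
        findings.append(("warn", "dpd-interval",
                         "DPD disabled: a client whose address changes leaves stale "
                         "SAs behind until their lifetime expires"))
    if peer.get("enc-algorithm") in WEAK_ENC:
        findings.append(("warn", "enc-algorithm",
                         f"{peer['enc-algorithm']} is deprecated; prefer AES"))
    if peer.get("dh-group") in WEAK_DH:
        findings.append(("warn", "dh-group",
                         f"{peer['dh-group']} is too small; prefer modp2048 or larger"))
    if peer.get("auth-method") == "pre-shared-key" and len(peer.get("secret", "")) < MIN_PSK_LEN:
        findings.append(("warn", "secret",
                         f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
    # In IKEv1 main mode the ID payload is already encrypted, so the responder
    # must pick the PSK by source address: a wildcard peer means one PSK for all.
    if (net is not None and net.prefixlen == 0 and peer.get("exchange-mode") == "main"
            and peer.get("auth-method") == "pre-shared-key"):
        findings.append(("info", "exchange-mode",
                         "IKEv1 main mode with PSK selects the secret by source IP, so a "
                         "0.0.0.0/0 peer shares one PSK with every client"))
    return findings


if __name__ == "__main__":
    for label, dump in (("as posted", PEER_PRINT_BROKEN), ("intended", PEER_PRINT_FIXED)):
        for peer in parse_peer_print(dump):
            print(f"[{label}] peer {peer['_index']} address={peer['address']}")
            for severity, setting, message in lint_peer(peer):
                print(f"  {severity:5} {setting}: {message}")
```

Run it against a copy of your own `/ip ipsec peer print` output to confirm the wildcard peer really is /0 before looking elsewhere; the remaining findings are hardening suggestions, not the cause of the tunnel dying.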