Hi there,
I have a router (RB1100AHx4) that is configured with multiple IPsec tunnels. Each tunnel has its own proposal like this:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,a\
es-128-cbc,aes-128-ctr,aes-128-gcm,3des" lifetime=1h
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=PEER1 \
pfs-group=modp2048
add enc-algorithms=aes-128-cbc lifetime=1h name=PEER2 pfs-group=modp2048
add enc-algorithms=3des lifetime=1h name=L2TP
It was working in 6.48. Sometimes it works in 6.48.2, but sometimes not. I tried to repair it for three hours; after that I tried to disable the L2TP server in /PPP and enable it again, and voila, it started working instantaneously. But now it is not working at all. Here is the log:
08:55:15 ipsec,info respond new phase 1 (Identity Protection): peer.one.ip[500]<=>peer.two.ip[500]
08:55:15 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
08:55:15 ipsec received Vendor ID: RFC 3947
08:55:15 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
08:55:15 ipsec received Vendor ID: FRAGMENTATION
08:55:15 ipsec Fragmentation enabled
08:55:15 ipsec peer.two.ip Selected NAT-T version: RFC 3947
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 2048-bit MODP group:384-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 2048-bit MODP group:256-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 2048-bit MODP group:1024-bit MODP group
08:55:15 ipsec,error no suitable proposal found.
08:55:15 ipsec,error peer.two.ip failed to get valid proposal.
08:55:15 ipsec,error peer.two.ip failed to pre-process ph1 packet (side: 1, status 1).
08:55:15 ipsec,error peer.two.ip phase1 negotiation failed.
So it looks like the L2TP server is not getting the right proposal, because from the log it is obvious that it is using the PEER1 proposal instead of the L2TP one.
I think I'm doing something wrong there, because on other installations it is working; this installation varies in the number of tunnels and the type of the PEER1 tunnel. It is the only SHA256 tunnel I'm running.
Can you point me to where I should look to resolve it?
Best Regards,
Jan
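An added example, not part of Jan's post and not RouterOS code: a small Python parser for the `rejected hashtype` / `rejected dh_group` / `rejected enctype` lines in the log above. On each such line the `DB(...)` side is what the responder's own phase-1 transform required and the `Peer(...)` side is what one of the client's transforms offered; only mismatching attributes produce a line, so grouping them per peer transform shows how far each offer was from being accepted. These three attributes belong to IKE phase 1 (the `respond new phase 1 (Identity Protection)` exchange), which RouterOS configures under `/ip ipsec profile` (`hash-algorithm`, `enc-algorithm`, `dh-group`), whereas `/ip ipsec proposal` governs phase 2. The numeric local value on the `hashtype` lines is decoded with the IANA ISAKMP hash-algorithm registry (4 = SHA2-256); the log lines are copied from the post, with its placeholder peer addresses.

```python
import re
from collections import defaultdict

# Phase-1 log lines copied from the forum post above (timestamps and the
# "peer.one.ip"/"peer.two.ip" placeholders are as posted, not real endpoints).
LOG = """\
08:55:15 ipsec,info respond new phase 1 (Identity Protection): peer.one.ip[500]<=>peer.two.ip[500]
08:55:15 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 2048-bit MODP group:384-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 2048-bit MODP group:256-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 2048-bit MODP group:1024-bit MODP group
08:55:15 ipsec,error no suitable proposal found.
"""

# IANA ISAKMP hash-algorithm attribute values (IKEv1 phase 1). The local DB
# side of a "rejected hashtype" line is printed numerically, the peer side
# symbolically ("SHA" is racoon's short name for SHA-1).
HASH_NAMES = {"1": "MD5", "2": "SHA1", "3": "TIGER",
              "4": "SHA2-256", "5": "SHA2-384", "6": "SHA2-512"}

REJECT_RE = re.compile(
    r"ipsec rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = (?P<vals>.+)$"
)


def parse_rejections(log):
    """One dict per 'rejected <attr>' line: the attribute, the value the local
    (DB) transform required, the value the peer offered, and which peer
    proposal/transform the offer came from. Attributes without a line matched."""
    rejections = []
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        db_val, peer_val = m.group("vals").split(":", 1)
        attr = m.group("attr")
        if attr == "hashtype":
            db_val = HASH_NAMES.get(db_val, db_val)  # "4" -> "SHA2-256"
            if peer_val == "SHA":
                peer_val = "SHA1"
        rejections.append({
            "attr": attr,
            "db": db_val,
            "peer": peer_val,
            "peer_transform": (int(m.group("peer_prop")), int(m.group("peer_trns"))),
        })
    return rejections


def summarize(rejections):
    """Return (local, per_transform): the attributes the responder's phase-1
    transform insisted on, and the mismatching attributes of each peer transform."""
    local = {}
    per_transform = defaultdict(dict)
    for r in rejections:
        local[r["attr"]] = r["db"]
        per_transform[r["peer_transform"]][r["attr"]] = r["peer"]
    return local, dict(per_transform)


def closest_peer_transform(per_transform):
    """The peer transform with the fewest mismatches, i.e. the smallest change
    on either side that would have let phase 1 succeed."""
    key = min(per_transform, key=lambda k: (len(per_transform[k]), k))
    return key, per_transform[key]


def report(log):
    """Human-readable summary of who required what and how close each offer was."""
    local, per_transform = summarize(parse_rejections(log))
    lines = ["responder (DB) phase-1 transform requires: "
             + ", ".join(f"{a}={v}" for a, v in sorted(local.items()))]
    for transform, misses in sorted(per_transform.items()):
        lines.append(f"peer prop#{transform[0]} trns#{transform[1]} mismatches: "
                     + ", ".join(f"{a}={v}" for a, v in sorted(misses.items())))
    transform, misses = closest_peer_transform(per_transform)
    lines.append(f"closest peer offer: prop#{transform[0]} trns#{transform[1]} "
                 f"({len(misses)} mismatch): "
                 + ", ".join(f"{a}={v}" for a, v in misses.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG))
```

Run on the posted log, the report shows the responder requiring `enctype=AES-CBC, dh_group=2048-bit MODP group, hashtype=SHA2-256`, while the client's closest offer (prop#1 trns#3) already matched AES-CBC and modp2048 and differed only in the hash (SHA1). That narrows the question to which phase-1 profile the responder selected for this peer and whether its `hash-algorithm` is what the L2TP clients can offer; the same parser works on any RouterOS `ipsec` log that carries these `rejected` lines.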