l2tp + ipsec

imaoskol · April 4, 2025, 7:20am

Hello!!!
I need help. I do not now what happens with my l2tp + ipsec tunnel. it works good for long time, but now it not running.
Problem:
I have l2tp ipsec client on my mikrotik for connecting to vpn server

From log I conclude that my Mikrotik does not receive responses from the remote side after several attempts. The tunnel breaks and the process repeats in a circle
Firewall is disabled.

9:39:38 l2tp,ppp,info hideMy: initializing…
09:39:38 l2tp,ppp,debug hideMy: IPCP demandUp
09:39:38 l2tp,ppp,debug hideMy: MPLSCP demandUp
09:39:38 l2tp,ppp,info hideMy: waiting for packets…
09:39:42 l2tp,ppp,info hideMy: connecting…
09:39:42 l2tp,debug tunnel 63 entering state: wait-ctl-reply
09:39:42 l2tp,debug,packet sent control message to 1.1.1.1:1701 from 2.2.2.2:1701
09:39:42 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
09:39:42 l2tp,debug,packet (M) Message-Type=SCCRQ
09:39:42 l2tp,debug,packet (M) Protocol-Version=0x01:00
09:39:42 l2tp,debug,packet (M) Framing-Capabilities=0x1
09:39:42 l2tp,debug,packet (M) Bearer-Capabilities=0x0
09:39:42 l2tp,debug,packet Firmware-Revision=0x1
09:39:42 l2tp,debug,packet (M) Host-Name=“RouterOS”
09:39:42 l2tp,debug,packet Vendor-Name=“MikroTik”
09:39:42 l2tp,debug,packet (M) Assigned-Tunnel-ID=63
09:39:42 l2tp,debug,packet (M) Receive-Window-Size=4
09:39:43 ipsec,debug ===
09:39:43 ipsec,info initiate new phase 1 (Identity Protection): 2.2.2.2[500]<=>1.1.1.1[500]
09:39:43 ipsec,debug new cookie:
09:39:43 ipsec,debug 21940c4c4ffbb224
09:39:43 ipsec,debug add payload of len 168, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 13
09:39:43 ipsec,debug add payload of len 16, next type 0
09:39:43 ipsec,debug 460 bytes from 2.2.2.2[500] to 1.1.1.1[500]
09:39:43 ipsec,debug 1 times of 460 bytes message will be sent to 1.1.1.1[500]
09:39:43 ipsec,debug,packet 21940c4c 4ffbb224 00000000 00000000 01100200 00000000 000001cc 0d0000ac
09:39:43 ipsec,debug,packet 00000001 00000001 000000a0 01010004 03000028 01010000 800b0001 000c0004
09:39:43 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 8004000e 03000028 02010000
09:39:43 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020002 80040002
09:39:43 ipsec,debug,packet 03000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020002
09:39:43 ipsec,debug,packet 8004000e 00000024 04010000 800b0001 000c0004 00015180 80010005 80030001
09:39:43 ipsec,debug,packet 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014
09:39:43 ipsec,debug,packet 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 ba676c4c 7737ae22
09:39:43 ipsec,debug,packet eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d
09:39:43 ipsec,debug,packet ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 73de52ac e952fa6b
09:39:43 ipsec,debug,packet 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 cd604643 35df21f8
09:39:43 ipsec,debug,packet 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014
09:39:43 ipsec,debug,packet 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846
09:39:43 ipsec,debug,packet 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 00000014 afcad713
09:39:43 ipsec,debug,packet 68a1f1c9 6b8696fc 77570100
09:39:43 ipsec sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 21940c4c4ffbb224:0000000000000000
09:39:43 l2tp,debug,packet sent control message to 1.1.1.1:1701 from 2.2.2.2:1701
09:39:43 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
09:39:43 l2tp,debug,packet (M) Message-Type=SCCRQ
09:39:43 l2tp,debug,packet (M) Protocol-Version=0x01:00
09:39:43 l2tp,debug,packet (M) Framing-Capabilities=0x1
09:39:43 l2tp,debug,packet (M) Bearer-Capabilities=0x0
09:39:43 l2tp,debug,packet Firmware-Revision=0x1
09:39:43 l2tp,debug,packet (M) Host-Name=“RouterOS”
09:39:43 l2tp,debug,packet Vendor-Name=“MikroTik”
09:39:43 l2tp,debug,packet (M) Assigned-Tunnel-ID=63
09:39:43 l2tp,debug,packet (M) Receive-Window-Size=4
09:39:44 l2tp,debug,packet sent control message to 1.1.1.1:1701 from 2.2.2.2:1701
09:39:44 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
09:39:44 l2tp,debug,packet (M) Message-Type=SCCRQ
09:39:44 l2tp,debug,packet (M) Protocol-Version=0x01:00
09:39:44 l2tp,debug,packet (M) Framing-Capabilities=0x1
09:39:44 l2tp,debug,packet (M) Bearer-Capabilities=0x0
09:39:44 l2tp,debug,packet Firmware-Revision=0x1
09:39:44 l2tp,debug,packet (M) Host-Name=“RouterOS”
09:39:44 l2tp,debug,packet Vendor-Name=“MikroTik”
09:39:44 l2tp,debug,packet (M) Assigned-Tunnel-ID=63
09:39:44 l2tp,debug,packet (M) Receive-Window-Size=4
09:39:46 l2tp,debug,packet sent control message to 1.1.1.1:1701 from 2.2.2.2:1701
09:39:46 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
09:39:46 l2tp,debug,packet (M) Message-Type=SCCRQ
09:39:46 l2tp,debug,packet (M) Protocol-Version=0x01:00
09:39:46 l2tp,debug,packet (M) Framing-Capabilities=0x1
09:39:46 l2tp,debug,packet (M) Bearer-Capabilities=0x0
09:39:46 l2tp,debug,packet Firmware-Revision=0x1
09:39:46 l2tp,debug,packet (M) Host-Name=“RouterOS”
09:39:46 l2tp,debug,packet Vendor-Name=“MikroTik”
09:39:46 l2tp,debug,packet (M) Assigned-Tunnel-ID=63
09:39:46 l2tp,debug,packet (M) Receive-Window-Size=4
09:39:50 l2tp,debug,packet sent control message to 1.1.1.1:1701 from 2.2.2.2:1701
09:39:50 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
09:39:50 l2tp,debug,packet (M) Message-Type=SCCRQ
09:39:50 l2tp,debug,packet (M) Protocol-Version=0x01:00
09:39:50 l2tp,debug,packet (M) Framing-Capabilities=0x1
09:39:50 l2tp,debug,packet (M) Bearer-Capabilities=0x0
09:39:50 l2tp,debug,packet Firmware-Revision=0x1
09:39:50 l2tp,debug,packet (M) Host-Name=“RouterOS”
09:39:50 l2tp,debug,packet Vendor-Name=“MikroTik”
09:39:50 l2tp,debug,packet (M) Assigned-Tunnel-ID=63
09:39:50 l2tp,debug,packet (M) Receive-Window-Size=4
09:39:50 ipsec acquire for policy: 2.2.2.2:1701 <=> 1.1.1.1:1701 ip-proto:17
09:39:50 ipsec,debug (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
09:39:50 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
09:39:50 ipsec,debug (trns_id=AES-CBC encklen=192 authtype=hmac-sha1)
09:39:50 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
09:39:50 ipsec 1.1.1.1 request for establishing IPsec-SA was queued due to no phase1 found.
09:39:53 ipsec,debug 460 bytes from 2.2.2.2[500] to 1.1.1.1[500]
09:39:53 ipsec,debug 1 times of 460 bytes message will be sent to 1.1.1.1[500]
09:39:53 ipsec,debug,packet 21940c4c 4ffbb224 00000000 00000000 01100200 00000000 000001cc 0d0000ac
09:39:53 ipsec,debug,packet 00000001 00000001 000000a0 01010004 03000028 01010000 800b0001 000c0004
09:39:53 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 8004000e 03000028 02010000
09:39:53 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020002 80040002
09:39:53 ipsec,debug,packet 03000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020002
09:39:53 ipsec,debug,packet 8004000e 00000024 04010000 800b0001 000c0004 00015180 80010005 80030001
09:39:53 ipsec,debug,packet 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014
09:39:53 ipsec,debug,packet 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 ba676c4c 7737ae22
09:39:53 ipsec,debug,packet eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d
09:39:53 ipsec,debug,packet ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 73de52ac e952fa6b
09:39:53 ipsec,debug,packet 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 cd604643 35df21f8
09:39:53 ipsec,debug,packet 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014
09:39:53 ipsec,debug,packet 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846
09:39:53 ipsec,debug,packet 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 00000014 afcad713
09:39:53 ipsec,debug,packet 68a1f1c9 6b8696fc 77570100
09:39:53 ipsec resent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 21940c4c4ffbb224:0000000000000000
09:39:58 l2tp,debug,packet sent control message to 1.1.1.1:1701 from 2.2.2.2:1701
09:39:58 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
09:39:58 l2tp,debug,packet (M) Message-Type=SCCRQ
09:39:58 l2tp,debug,packet (M) Protocol-Version=0x01:00
09:39:58 l2tp,debug,packet (M) Framing-Capabilities=0x1
09:39:58 l2tp,debug,packet (M) Bearer-Capabilities=0x0
09:39:58 l2tp,debug,packet Firmware-Revision=0x1
09:39:58 l2tp,debug,packet (M) Host-Name=“RouterOS”
09:39:58 l2tp,debug,packet Vendor-Name=“MikroTik”
09:39:58 l2tp,debug,packet (M) Assigned-Tunnel-ID=63
09:39:58 l2tp,debug,packet (M) Receive-Window-Size=4
09:40:03 ipsec,debug 460 bytes from 2.2.2.2[500] to 1.1.1.1[500]
09:40:03 ipsec,debug 1 times of 460 bytes message will be sent to 1.1.1.1[500]
09:40:03 ipsec,debug,packet 21940c4c 4ffbb224 00000000 00000000 01100200 00000000 000001cc 0d0000ac
09:40:03 ipsec,debug,packet 00000001 00000001 000000a0 01010004 03000028 01010000 800b0001 000c0004
09:40:03 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 8004000e 03000028 02010000
09:40:03 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020002 80040002
09:40:03 ipsec,debug,packet 03000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020002
09:40:03 ipsec,debug,packet 8004000e 00000024 04010000 800b0001 000c0004 00015180 80010005 80030001
09:40:03 ipsec,debug,packet 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014
09:40:03 ipsec,debug,packet 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 ba676c4c 7737ae22
09:40:03 ipsec,debug,packet eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 0d000014 80d0bb3d
09:40:03 ipsec,debug,packet ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 73de52ac e952fa6b
09:40:03 ipsec,debug,packet 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 cd604643 35df21f8
09:40:03 ipsec,debug,packet 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014
09:40:03 ipsec,debug,packet 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d 18b6bbcd 0be8a846
09:40:03 ipsec,debug,packet 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 00000014 afcad713
09:40:03 ipsec,debug,packet 68a1f1c9 6b8696fc 77570100
09:40:03 ipsec resent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 21940c4c4ffbb224:0000000000000000
09:40:06 l2tp,debug tunnel 63 received no replies, disconnecting
09:40:06 l2tp,debug tunnel 63 entering state: dead
09:40:06 l2tp,debug session 1 entering state: dead
09:40:06 l2tp,ppp,debug hideMy: CCP close
09:40:06 l2tp,ppp,debug hideMy: BCP close
09:40:06 l2tp,ppp,debug hideMy: IPCP close
09:40:06 l2tp,ppp,debug hideMy: IPV6CP close
09:40:06 l2tp,ppp,debug hideMy: MPLSCP close
09:40:06 l2tp,ppp,info hideMy: terminating… - session closed
09:40:06 l2tp,ppp,debug hideMy: LCP lowerdown
09:40:06 l2tp,ppp,debug hideMy: LCP down event in initial state
09:40:06 l2tp,ppp,info hideMy: disconnected
09:40:07 ipsec,debug Deleting a Ph2…
09:40:07 ipsec,debug Removing PH1…
09:40:07 ipsec,info ISAKMP-SA deleted 2.2.2.2[500]-1.1.1.1[500] spi:21940c4c4ffbb224:0000000000000000 rekey
:1

TheCat12 · April 4, 2025, 4:09pm

Based on the following log entry:

09:39:50 ipsec 1.1.1.1 request for establishing IPsec-SA was queued due to no phase1 found.

I’m prone to conclude that the problem is with Phase 1, i.e. the Profile settings

johnson73 · April 5, 2025, 9:36am

It would be good if you had posted your configuration, but okay… The first thing I would recommend is to turn on the firewall on both sides, open ports for L2tp, as can be seen in my config example. If the firewall is turned off on Mikrotik, it means that there is no security, everything is open and it is not correct. You can safely use my example because it works correctly and is safe. If the firewall is turned off on one of the sides, the traffic will not work correctly, it will not be safe because it has to specify where and how the traffic packets arrive, where they go and who they connect to, who has access, etc.
You can also read this link and compare your config. You may be missing or have incorrect phase1 or Phase2 entries. https://lapshinvr.com/articles/soedinyaemsya-s-plk-cherez-vpn-tunnel.html

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add address=192.168.88.0/24 list=Admin

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN