l2tp server with ipsec [2011UiAS-2HnD 6.19]

chaf84 · October 2, 2014, 7:45am

Hi
I cant get my l2tp server to work I get the following log when i try to connect, it doesnt matter what password or login i use.

ipsec,debug couldn't find configuration.

My configuration

/interface l2tp-server server

            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: L2TP-In
          use-ipsec: yes
       ipsec-secret: ******

/ppp secret

 0   username       l2tp                  ****   L2TP-In

/ppp profile

 1   name="L2TP-In" local-address=192.168.0.1 remote-address=vpn-pool
     use-mpls=default use-compression=default use-vj-compression=default
     use-encryption=required only-one=default change-tcp-mss=default
     address-list="" dns-server=192.168.0.33

/ip ipsec proposal

 0  * name="default" auth-algorithms=sha1
      enc-algorithms=3des,aes-128-cbc,aes-256-cbc lifetime=30m pfs-group=none

/ip ipsec peer

 1  D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500
      auth-method=pre-shared-key secret="****"
      generate-policy=port-strict policy-group=default
      exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
      hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256
      dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

*Missed firewall config
/ip firewall filter

 chain=input action=accept protocol=udp in-interface=ether1-gateway
      dst-port=1701 log=no log-prefix=""

 2    chain=input action=accept protocol=udp in-interface=ether1-gateway
      dst-port=4500 log=no log-prefix=""

 3    chain=input action=accept protocol=ipsec-esp in-interface=ether1-gateway
      log=no log-prefix=""

 4    chain=input action=accept protocol=udp in-interface=ether1-gateway
      dst-port=500 log=no log-prefix=""

Anyone have the same issue or a solution to this?
I have a site2site vpn with ipsec up, maybe this is the problem.
I think I have posted all the config you need. I log the following ppp, l2tp and ipsec,!packet

chaf84 · October 7, 2014, 7:42am

I been troubleshooting for a while know but I cant get it to work. I have tried to disable the l2tpserver and still get the same error in the my log.

Is it possible to have a vpn-tunnel with ipsec and l2tp-server with ipsec?

Anyone have some ideas what to do?

scottniven · October 7, 2014, 7:37pm

Hi chaf84,

This is an export from my working L2TP with IPSec setup I’m testing with. It may be of some help to you. The X.X.X.X values were my WAN IP/Gateway/Network. The *'s were where the same password I had was (Both client and shared password were the same in my setup). The username for the L2TP connection was ‘mikrotik’.

[admin@MikroTik] > export
# oct/07/2014 20:29:57 by RouterOS 6.20rc7
#
/interface pptp-server
add disabled=yes name=pptp-in1 user=mikrotik
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] disabled=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc
/ip pool
add name=dhcp ranges=10.10.10.10-10.10.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set 1 dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.2 remote-address=dhcp use-ipv6=no
/system logging action
set 2 remember=yes
/interface l2tp-server server
set enabled=yes ipsec-secret=******** use-ipsec=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=X.X.X.X/23 comment="default configuration" interface=ether1 network=X.X.X.0
add address=10.10.10.1/23 interface=ether1 network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/23 gateway=10.10.10.1 netmask=23
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add chain=forward
add chain=input
add chain=output
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=l2tp-in1 new-routing-mark=vpnIn
add chain=prerouting
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes
/ip ipsec peer
add enc-algorithm=3des,aes-128,aes-192,aes-256 exchange-mode=main-l2tp generate-policy=port-override secret=********
/ip route
add distance=1 gateway=ether1 routing-mark=vpnIn
add distance=1 gateway=X.X.X.1
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=mikrotik password=******** profile=default-encryption service=l2tp
/snmp
set trap-community=public

Hope it helps.
Scott.