L2TP VPN suddenly stop working

Hi,

I have an L2TP road-warrior setup that has been working for months and suddenly stopped working.
It's a pretty basic setup created in the PPP menu, in L2TP Server with a pre-shared key.

We haven't done any OS update nor any modifications to the configuration on the router side when this happened.
We are using macOS clients on the other side, so there might have been some software updates done there.

However, I have the exact same setup (which I redid several times) that works on a different router (the one I use at home).
Also, this router has a site-to-site tunnel using L2TP which still works well; that one hasn't suffered any interruption.
The other end of the tunnel has another MikroTik router to which I can connect using the same L2TP road-warrior setup.
That's my only way so far to access the network: connect to the other end, which routes me to my main network.

In the logs, the only error messages that I can see are the following:
08:42:54 ipsec,error no suitable proposal found.
08:42:54 ipsec,error 171.6.238.18 failed to get valid proposal.
08:42:54 ipsec,error 171.6.238.18 failed to pre-process ph1 packet (side: 1, status 1).
08:42:54 ipsec,error 171.6.238.18 phase1 negotiation failed.

I am wondering why I would have to change the proposals setup since this is working on the other router with the exact same basic setup.

I am thinking there is something wrong with the config or the router itself, and I already did a backup, reset the config, then restored the backup, but no cigar.

A ticket was created, but support replies once every 2 days and so far hasn't been able to find a solution, to the point that they even stopped answering me…

  1. activate detailed logging of IPsec: /system logging add topics=ipsec,!packet
  2. run /log print follow-only file=l2tp-ipsec-start where topics~"ipsec"
  3. try to connect from one of the clients, wait until it reports failure
  4. break the /log print …, download the file l2tp-ipsec-start.txt to your PC

In the log file, you should see the reason. Either the incoming request matches on a wrong peer, or none of the encryption/hash/dh algorithms proposed by the client (initiator) is available in the /ip ipsec profile row used by the responder peer.

If you have MikroTik support in mind, this is a typical case which should first be handled by a consultant or the forum, not by the (very limited) MikroTik staff.
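The log file produced by the steps above is a flat text export, so the phase 1 failure reason is easy to miss among the other ipsec lines. As an added example (not MikroTik's code, and not part of any post in this thread), the script below parses lines in the shape RouterOS writes them, keeps only the ipsec topic, and groups the known failure messages per remote peer so the cause for each client shows at a glance. The sample lines are constructed after the ones quoted in the first post; 203.0.113.x addresses are documentation-range placeholders.

```python
"""Group IPsec phase 1 failures per peer from a RouterOS log export.

Added example for this thread, not RouterOS code. Expects lines in the
"HH:MM:SS topics message" form that /log print writes to a file.
"""
import re
from collections import defaultdict

# Log export line: time, comma-separated topics (possibly with !), message.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<topics>[\w,!]+)\s+(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Message fragments seen in this thread, mapped to the first thing to check
# on the responder (the router) side.
REASONS = [
    ("no suitable proposal found", "no common enc/hash/DH set between client offer and responder profile"),
    ("failed to get valid proposal", "client offer rejected, compare profile algorithms and DH groups"),
    ("peer is not responding", "dead-peer detection timeout, client stopped answering"),
    ("phase1 negotiation failed", "IKE phase 1 aborted"),
]


def parse_line(line):
    """Return (time, topics, message) or None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("time"), m.group("topics").split(","), m.group("msg")


def classify(message):
    """Map a message to a short cause, or None when it is not a known failure."""
    low = message.lower()
    for fragment, cause in REASONS:
        if fragment in low:
            return cause
    return None


def summarize(lines):
    """Return {peer_ip_or_'-': [(time, cause), ...]} for ipsec failures, in log order."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        time, topics, msg = parsed
        if "ipsec" not in topics:
            continue
        cause = classify(msg)
        if cause is None:
            continue
        ip = IPV4_RE.search(msg)
        # The "no suitable proposal found" line carries no address, so it lands under "-".
        failures[ip.group(0) if ip else "-"].append((time, cause))
    return dict(failures)


def summarize_file(path):
    """Convenience wrapper for the downloaded l2tp-ipsec-start.txt file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh)


# Constructed sample modelled on the first post; the peers are placeholders.
SAMPLE_LOG = """\
08:42:54 ipsec,error no suitable proposal found.
08:42:54 ipsec,error 203.0.113.10 failed to get valid proposal.
08:42:54 ipsec,error 203.0.113.10 failed to pre-process ph1 packet (side: 1, status 1).
08:42:54 ipsec,error 203.0.113.10 phase1 negotiation failed.
08:45:02 ipsec,info 203.0.113.11 terminating - peer is not responding
08:45:02 system,info constructed non-ipsec line, ignored
""".splitlines()

if __name__ == "__main__":
    for peer, events in summarize(SAMPLE_LOG).items():
        print(peer)
        for time, cause in events:
            print(f"  {time}  {cause}")
```

Run it against the downloaded file with `summarize_file("l2tp-ipsec-start.txt")`; a peer whose only entries are proposal errors is the algorithm-mismatch case, while "peer is not responding" entries point at the client side or the path rather than the profile.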

Hi sindy, I have this problem too. My log logged "terminating - peer is not responding" and disconnected all of my clients. Is it solved by checking all algorithms and … in profile and proposal in the IPsec tab?

Thank you. I use version 7.1.1 and newer.

Do I get you right that everything works for a while, and then all the clients disconnect at about the same time?

My guess is that system updates for any OS disable old / weak ciphers for IPsec.
I would suggest you find out all the types of hardware acceleration for IPsec from the table:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Then you should enable all these types:

  1. IP-IPSEC - Proposals - default proposal
  2. IP-IPSEC - Profiles - default profile. Here also enable MODP size 1024 and 2048, or just enable all up to 2048.

If you enable some extra types that are not hardware accelerated, there will be slow speeds and high CPU usage.

My example: RB760iGS (hEX S)
So hardware accelerated:
- DES and 3DES (MD5 SHA1 SHA256) - but these are too old and weak
- AES-CBC (MD5 SHA1 SHA256)
So my settings:
(screenshot: ipsec.png)
If I enable MODP 2048 instead of 1024, it works fine, but with higher CPU usage.

Even hardware accelerated, my speeds: approx 60% CPU usage at 90 Mbit.
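The "no suitable proposal found" error in the first post and the profile/proposal advice in the reply above come down to one check: the responder accepts a client offer only when the encryption algorithm, the hash and the DH group are each enabled in the profile of the peer the request matched. As an added example (not RouterOS code, and not from any poster here), the model below walks a constructed client offer against a profile before and after enabling the extra groups, reports which field has no overlap (the detail the log line omits), and tags the negotiated transform with the CPU and weak-algorithm caveats raised in this thread. The client offer and the profile contents are assumptions for illustration; the accelerated set mirrors the hEX S list above.

```python
"""Model of the IKE phase 1 proposal check behind "no suitable proposal found".

Added example for this thread. Profiles are modelled as sets per field,
as in the RouterOS /ip ipsec profile rows discussed above.
"""

# Responder profile as it might have stood while the clients still worked (assumed).
PROFILE_BEFORE = {
    "enc": {"aes-256-cbc", "aes-128-cbc"},
    "hash": {"sha256"},
    "dh": {"modp2048"},
}

# The same profile after enabling the groups suggested in the reply above.
PROFILE_AFTER = {
    "enc": {"aes-256-cbc", "aes-128-cbc", "3des"},
    "hash": {"sha256", "sha1"},
    "dh": {"modp2048", "modp1024"},
}

# Constructed offer from a client, in its preference order (enc, hash, dh).
CLIENT_OFFER = [
    ("aes-256-cbc", "sha256", "modp1024"),
    ("aes-128-cbc", "sha1", "modp1024"),
    ("3des", "sha1", "modp1024"),
]

# Hardware-accelerated encryption on the poster's RB760iGS per the thread.
ACCELERATED_ENC = {"des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}
# Algorithms the thread itself calls old and weak.
WEAK = {"des", "3des", "md5", "sha1", "modp1024"}


def negotiate(offer, profile):
    """Return the first transform the responder would accept, else None."""
    for enc, hsh, dh in offer:
        if enc in profile["enc"] and hsh in profile["hash"] and dh in profile["dh"]:
            return (enc, hsh, dh)
    return None


def explain_mismatch(offer, profile):
    """Name the profile fields that share nothing with the offer (sorted)."""
    offered = {
        "enc": {o[0] for o in offer},
        "hash": {o[1] for o in offer},
        "dh": {o[2] for o in offer},
    }
    return sorted(field for field in offered if not offered[field] & profile[field])


def review(chosen):
    """List the operational caveats for a negotiated transform."""
    if chosen is None:
        return []
    notes = []
    if chosen[0] not in ACCELERATED_ENC:
        notes.append("encryption not hardware accelerated: expect high CPU")
    notes.extend(f"weak algorithm in use: {alg}" for alg in chosen if alg in WEAK)
    return notes


if __name__ == "__main__":
    for name, profile in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        chosen = negotiate(CLIENT_OFFER, profile)
        print(name, "->", chosen or "no suitable proposal found",
              "missing:", explain_mismatch(CLIENT_OFFER, profile),
              "notes:", review(chosen))
```

With the assumed offer, the "before" profile fails on the DH field only, so enabling just modp1024 would restore the connection; the review output then makes explicit that the working transform rests on a group the thread already flags as weak, which is the trade-off the reply above describes.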