Hopefully someone can give me some advice. I’m trying to establish an L2TP/IPsec VPN tunnel between an Ubuntu server VPS machine (VPN server) and a Mikrotik router (VPN client). I have the L2TP side of things up and running but for the life of me cannot get the IPsec encryption to work. I am using Openswan on the Ubuntu side of things and RouterOS v6.2 on my Mikrotik. Config files are as follows:
Ubuntu (/etc/ipsec.conf):
config setup
oe=off
protostack=netkey
conn %defualt
type=tunnel
keyingtries=3
disablearrivalcheck=off
authby=secret
left=
leftsubnet=192.168.9.0/24 (this is the LAN behind the Ubuntu machine)
leftsourceip=192.168.9.1 (lan IP address of Ubuntu machine)
leftprotoport=17/1701
right=
rightsubnet=192.168.1.0/24 (this is the LAN behind the mikrotik)
rightsourceip=192.168.1.4 ( LAN IP address on the mikrotik)
rightprotoport=17/%any
auth=esp
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
pfs=yes
auto=add
Mikrotik config:
/ip ipsec policy
src-address=192.168.0.0/24 src-port=any dst-address=192.168.9.0/24 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address= sa-dst-address= proposal=default priority=0
/ip ipsec peer
address= passive=no port=500 auth-method=pre-shared-key secret= generate-policy=port-override
exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal
name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
I can see the following in my log file on the ubuntu machine:
Aug 7 20:11:59 Gateway pluto[2221]: packet from :500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Aug 7 20:11:59 Gateway pluto[2221]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 7 20:11:59 Gateway pluto[2221]: packet from :500: received Vendor ID payload [Cisco-Unity]
Aug 7 20:11:59 Gateway pluto[2221]: packet from :500: received Vendor ID payload [Dead Peer Detection]
Aug 7 20:11:59 Gateway pluto[2221]: "%defualt" #1: responding to Main Mode
Aug 7 20:11:59 Gateway pluto[2221]: "%defualt" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 7 20:11:59 Gateway pluto[2221]: "%defualt" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 7 20:12:00 Gateway pluto[2221]: "%defualt" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 7 20:12:00 Gateway pluto[2221]: "%defualt" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 7 20:12:00 Gateway pluto[2221]: "%defualt" #1: Main mode peer ID is ID_IPV4_ADDR: '24.69.105.120'
Aug 7 20:12:00 Gateway pluto[2221]: "%defualt" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 7 20:12:00 Gateway pluto[2221]: "%defualt" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 7 20:12:18 Gateway pluto[2221]: "%defualt" #1: the peer proposed: 192.168.9.0/24:17/1701 -> 192.168.1.0/24:17/0
Aug 7 20:12:18 Gateway pluto[2221]: "%defualt" #1: cannot respond to IPsec SA request because no connection is known for 192.168.9.0/24===<x.x.x.x>[+S=C]...<x.x.x.x>[+S=C]:0/%any===192.168.1.0/24
I’d greatly appreciate any advice anyone has in order to get this setup up and running.
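A small triage helper, added here as an example and not part of the post above: it parses the pluto "the peer proposed" line and the conn's subnet/protoport selectors from ipsec.conf and lists which selector fields differ, which is the first thing to check when pluto logs "cannot respond to IPsec SA request because no connection is known". The embedded config and log line are constructed from the post's values; the matching rule (the conn's %any accepts any peer port, anything else must match exactly) is this script's simplification, not pluto's full connection-selection logic.

```python
import re
from ipaddress import ip_network

# Constructed sample input modelled on the post's ipsec.conf conn (annotations dropped).
IPSEC_CONF = """
conn %defualt
    leftsubnet=192.168.9.0/24
    leftprotoport=17/1701
    rightsubnet=192.168.1.0/24
    rightprotoport=17/%any
"""
# Constructed sample log line modelled on the post's pluto output.
LOG_LINE = ('Aug 7 20:12:18 Gateway pluto[2221]: "%defualt" #1: the peer proposed: '
            '192.168.9.0/24:17/1701 -> 192.168.1.0/24:17/0')

# One selector as pluto prints it: <subnet>:<proto>/<port>; "->" may be shown as an arrow.
SELECTOR = r"(\S+?):(\d+)/(\d+)"
PROPOSED = re.compile(rf"the peer proposed: {SELECTOR} (?:->|\u2192) {SELECTOR}")

def parse_conn(text):
    """Collect left/right subnet and protoport values from a conn block."""
    conf = {}
    for m in re.finditer(r"^\s*(left|right)(subnet|protoport)=(\S+)", text, re.M):
        conf[m.group(1) + m.group(2)] = m.group(3)
    return conf

def parse_proposed(line):
    """Return the peer's proposed selectors keyed like the conn options (local = left)."""
    m = PROPOSED.search(line)
    if not m:
        return None
    ls, lp, lport, rs, rp, rport = m.groups()
    return {"leftsubnet": ls, "leftprotoport": f"{lp}/{lport}",
            "rightsubnet": rs, "rightprotoport": f"{rp}/{rport}"}

def protoport(value):
    """'17/%any' -> (17, None) where None is a wildcard; '17/1701' -> (17, 1701)."""
    proto, port = value.split("/")
    return int(proto), (None if port == "%any" else int(port))

def selector_mismatches(conf, proposed):
    """List the selector fields where the peer's proposal differs from the conn."""
    bad = []
    for side in ("left", "right"):
        if ip_network(conf[side + "subnet"]) != ip_network(proposed[side + "subnet"]):
            bad.append(side + "subnet")
        cproto, cport = protoport(conf[side + "protoport"])
        pproto, pport = protoport(proposed[side + "protoport"])
        # Simplified rule: the conn's %any matches any peer port; otherwise exact match.
        if cproto != pproto or (cport is not None and cport != pport):
            bad.append(side + "protoport")
    return bad
```

For the values in the post, `selector_mismatches(parse_conn(IPSEC_CONF), parse_proposed(LOG_LINE))` returns an empty list, so the subnets and protoports the peer proposed agree with the conn and the remaining conn parameters are where to look next.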