Hi, I'm trying to set up a site-to-site VPN with two identical hAP ac2 units on two different sites. I have a working L2TP road-warrior config, with one side being the L2TP server and the other side a laptop.
So I'm thinking it should be as simple as adding an L2TP client on the remote MikroTik.
However, the remote MikroTik L2TP client failed the phase 1 negotiation, and the server log says "no suitable proposal found". Here are the logs, cleaned up and with IP addresses removed: sss.sss.ss.ss for the server IP, rrr.rrr.rr.rr for the remote IP:
ipsec,info respond new phase 1 (Identity Protection): sss.sss.ss.ss[500]<=>rrr.rrr.rrr.rr[500]
ipsec received Vendor ID: RFC 3947
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
ipsec received Vendor ID: CISCO-UNITY
ipsec received Vendor ID: DPD
ipsec rrr.rrr.rrr.rr Selected NAT-T version: RFC 3947
ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 2048-bit MODP group:1024-bit MODP group
ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = AES-CBC:3DES-CBC
ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 2048-bit MODP group:1024-bit MODP group
ipsec,error no suitable proposal found.
ipsec,error rrr.rrr.rrr.rr failed to get valid proposal.
ipsec,error rrr.rrr.rrr.rr failed to pre-process ph1 packet (side: 1, status 1).
ipsec,error rrr.rrr.rrr.rr phase1 negotiation failed.
Some notes:
Server has a dynamic ip
Site has static ip
Server and remote client proposal as follows:
name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-gcm lifetime=1h30m pfs-group=none
So my questions are:
- The received vendor ID is CISCO-UNITY? Is this the ISP router?
- ipsec rejected the phase 1 DH group. Where is this phase 1 DH group configured? Is it the same as PFS Group in IPsec > Proposal? Because I have set the PFS group as none.
- ipsec rejected the phase 1 enctype. The remote peer shows 3DES-CBC. I did not select this on the remote client (see notes above). Where did the 3DES-CBC come from?
Any pointers would be appreciated.
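The "rejected dh_group" and "rejected enctype" lines above are the responder comparing its own IKE phase 1 transform (DB) against each transform the initiator offered (Peer); in RouterOS those phase 1 values (DH group, encryption and hash algorithm) live on the peer's IPsec profile, not on the phase 2 proposal where pfs-group is set. The following script is an added example, not code from the post or from MikroTik: it parses log lines of exactly this shape, reports which local value was compared against which offered value, and flags offered values that are on a legacy list (the LEGACY_VALUES table and the sample log are constructed for the example, the sample reusing the placeholder addresses from the post).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample input: phase 1 "rejected ..." lines in the shape RouterOS
# prints them, with the same placeholder addresses as the post.
SAMPLE_LOG = """\
ipsec,info respond new phase 1 (Identity Protection): sss.sss.ss.ss[500]<=>rrr.rrr.rrr.rr[500]
ipsec received Vendor ID: RFC 3947
ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 2048-bit MODP group:1024-bit MODP group
ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = AES-CBC:3DES-CBC
ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 2048-bit MODP group:1024-bit MODP group
ipsec,error no suitable proposal found.
ipsec,error rrr.rrr.rrr.rr phase1 negotiation failed.
"""

# Phase 1 values a current deployment should not accept. This table is an
# assumption made for the example, not a RouterOS setting.
LEGACY_VALUES = {
    "dh_group": {"768-bit MODP group", "1024-bit MODP group"},
    "enctype": {"DES-CBC", "3DES-CBC"},
    "hashtype": {"MD5"},
}

# "rejected <attr>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <local>:<peer>"
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<db_prop>\d+):trns#(?P<db_trns>\d+)\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<local>[^:]+):(?P<peer>.+)$"
)


@dataclass(frozen=True)
class Rejection:
    attr: str        # phase 1 attribute: dh_group, enctype, hashtype, authmethod
    local_trns: int  # transform number in the responder's own (DB) proposal
    peer_trns: int   # transform number in the initiator's proposal
    local: str       # value the responder is configured for
    peer: str        # value the initiator offered


def parse_rejections(log: str) -> List[Rejection]:
    """Turn every 'rejected <attr>' line into a Rejection record; other lines are ignored."""
    out: List[Rejection] = []
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        out.append(Rejection(
            attr=m["attr"],
            local_trns=int(m["db_trns"]),
            peer_trns=int(m["peer_trns"]),
            local=m["local"].strip(),
            peer=m["peer"].strip(),
        ))
    return out


def summarize(rejections: List[Rejection]) -> Dict[str, Dict[str, Set[str]]]:
    """Per attribute, the set of local values versus the set of values the peer offered."""
    summary: Dict[str, Dict[str, Set[str]]] = {}
    for r in rejections:
        slot = summary.setdefault(r.attr, {"local": set(), "peer": set()})
        slot["local"].add(r.local)
        slot["peer"].add(r.peer)
    return summary


def legacy_offers(rejections: List[Rejection]) -> List[Tuple[str, str]]:
    """Sorted (attribute, value) pairs the peer offered that are on the legacy list."""
    found = {(r.attr, r.peer) for r in rejections
             if r.peer in LEGACY_VALUES.get(r.attr, set())}
    return sorted(found)


def negotiation_failed(log: str) -> bool:
    """True when the responder logged a phase 1 failure for this exchange."""
    return "no suitable proposal found" in log or "phase1 negotiation failed" in log


if __name__ == "__main__":
    rej = parse_rejections(SAMPLE_LOG)
    for attr, sides in summarize(rej).items():
        print(f"{attr}: local={sorted(sides['local'])} peer={sorted(sides['peer'])}")
    print("legacy values offered by peer:", legacy_offers(rej))
    print("phase 1 failed:", negotiation_failed(SAMPLE_LOG))
```

Run against the post's own lines, the summary shows the responder comparing 2048-bit MODP against an offered 1024-bit MODP and AES-CBC against an offered 3DES-CBC, which is exactly the mismatch a reviewer wants to see side by side before touching the peer profile on either router.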