IPsec/L2TP not working between Cisco and MikroTik hEX lite 6.33.rc14

Hello.
Could you help me with the following problem:

I am trying to establish an L2TP/IPsec connection between a Cisco (3900 series) and a MikroTik hEX lite 6.33.rc14 (I tried 6.32, 6.33 and newer), but the connection ends with the following message:

Mikrotik log:

MikroTik fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.


Cisco log:

Sep 24 15:32:20.362: IPSEC(validate_proposal_request): proposal part #1
Sep 24 15:32:20.362: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.2.3.4:0, remote= 195.9.62.210:0,
local_proxy= 1.2.3.4/255.255.255.255/17/0 (type=1),
remote_proxy= 5.6.7.8/255.255.255.255/17/0 (type=1), ### And why 17/0 instead of 17/1701??

protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 24 15:32:20.362: map_db_find_best did not find matching map
Sep 24 15:32:20.362: IPSEC(ipsec_process_proposal): proxy identities not supported

But if I install an older RouterOS version (6.25, for example), everything works fine.

What's wrong with my config, or with RouterOS version 6.32 (or newer)?


Configs below:

[yyy@Mikrotikxxxxx] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 ;;; XXXXXXIPsec
src-address=5.6.7.8/32 src-port=1701 dst-address=1.2.3.4/32
dst-port=1701 protocol=udp action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=5.6.7.8/
sa-dst-address=1.2.3.4 proposal=ZZZZprop priority=0

proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m
pfs-group=none

1 name="ZZZZprop" auth-algorithms=md5 enc-algorithms=3des lifetime=1h
pfs-group=modp1024

[av@MikrotikPharm] /ip ipsec> peer print
Flags: X - disabled, D - dynamic
0 address=1.2.3.4/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="vvvvvv"
generate-policy=port-override policy-template-group=default
exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=no
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5

At the same time, 500+ identical MikroTik routers with the same configs are already working and all is OK :( But they run version 6.25.
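
An added example, not part of the original post: a small Python check that compares the proxy identities in the Cisco debug output with the selectors of the RouterOS policy quoted above, listing each field that differs. The sample strings are constructed from the lines in the post, and the function names are hypothetical.

```python
import re

# Constructed from the log and policy lines quoted in the post above.
CISCO_DEBUG = """\
local_proxy= 1.2.3.4/255.255.255.255/17/0 (type=1),
remote_proxy= 5.6.7.8/255.255.255.255/17/0 (type=1),
"""
ROS_POLICY = ("src-address=5.6.7.8/32 src-port=1701 dst-address=1.2.3.4/32 "
              "dst-port=1701 protocol=udp action=encrypt level=require")

PROTO_NUM = {"udp": 17, "tcp": 6}  # IANA protocol numbers


def parse_cisco_proxies(debug_text):
    """Return {'local': (addr, proto, port), 'remote': (...)} from the debug text."""
    # Cisco prints each proxy identity as address/mask/protocol/port.
    pat = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/[\d.]+/(\d+)/(\d+)")
    return {side: (addr, int(proto), int(port))
            for side, addr, proto, port in pat.findall(debug_text)}


def parse_ros_policy(line):
    """Return one RouterOS policy's selectors, keyed from the Cisco's point of view."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    proto = PROTO_NUM[kv["protocol"]]
    # The MikroTik src is the Cisco's remote proxy; its dst is the Cisco's local proxy.
    return {
        "remote": (kv["src-address"].split("/")[0], proto, int(kv["src-port"])),
        "local": (kv["dst-address"].split("/")[0], proto, int(kv["dst-port"])),
    }


def selector_mismatches(debug_text, policy_line):
    """List (side, field, configured, received) for each selector field that differs."""
    received = parse_cisco_proxies(debug_text)
    configured = parse_ros_policy(policy_line)
    out = []
    for side in ("local", "remote"):
        for field, want, got in zip(("address", "protocol", "port"),
                                    configured[side], received[side]):
            if want != got:
                out.append((side, field, want, got))
    return out


if __name__ == "__main__":
    for side, field, want, got in selector_mismatches(CISCO_DEBUG, ROS_POLICY):
        print(f"{side}_proxy {field}: policy has {want}, Cisco debug shows {got}")
```

On the quoted lines this reports only the port fields: the policy is configured with 1701 on both sides, while the Cisco debug shows 0.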