permanent "phase 1 negotiation failed"

Hi,
I have a Mikrotik RB2011 iL-iN and I seldom look at the log. Today I was surprised to see that it is full of red lines with:
… memory ipsec, error phase 1 negotiation failed due to time up 127.0.0.1[500]<=>0.0.0.0[500] …
Nobody is complaining about the network so it seems that it is not affecting its work.
What does this mean? Is someone trying to get access to it? Or is there any wrong configuration that is causing it?

Thank you

I forgot to mention that I am running version 6.34.3 (stable)
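Added example, not part of the thread: a small Python classifier for log lines of the shape quoted above ("phase 1 negotiation failed due to time up LOCAL[port]<=>REMOTE[port]"). It separates the case seen here, where the router negotiates with itself (127.0.0.1 against 0.0.0.0, a local configuration issue), from timeouts against a real remote peer, which is the case worth correlating with the router's own firewall logging for UDP 500/4500. The sample log lines and the addresses in them are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the RouterOS log shape quoted in the thread.
# The non-loopback addresses are documentation-range values, not real hosts.
SAMPLE_LOG = """\
jan/12/2018 13:58:01 ipsec,error phase 1 negotiation failed due to time up 127.0.0.1[500]<=>0.0.0.0[500]
jan/12/2018 13:58:31 ipsec,error phase 1 negotiation failed due to time up 127.0.0.1[500]<=>0.0.0.0[500]
jan/12/2018 14:02:10 ipsec,error phase 1 negotiation failed due to time up 198.51.100.18[500]<=>203.0.113.77[500]
jan/12/2018 14:05:00 system,info router rebooted
"""

LINE_RE = re.compile(
    r"phase 1 negotiation failed due to time up "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<remote>[\d.]+)\[(?P<rport>\d+)\]"
)

# RFC 1918 ranges, checked explicitly so documentation addresses count as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(local, remote):
    """Label what a phase-1 timeout between these two endpoints means."""
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if l.is_loopback or r.is_unspecified:
        # The router is negotiating with itself or with "any" address: a local
        # peer / L2TP-with-IPsec misconfiguration, not a remote party.
        return "local-misconfig"
    if any(r in net for net in RFC1918):
        return "internal-peer"
    return "external-peer"

def summarize(log_text):
    """Count phase-1 timeouts per (remote address, label) over a block of log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log topic
        counts[(m["remote"], classify(m["local"], m["remote"]))] += 1
    return dict(counts)

if __name__ == "__main__":
    for (remote, label), n in summarize(SAMPLE_LOG).items():
        print(f"{remote:>16}  {label:<16} {n}")
```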

It seems as if you have something weird in ipsec configuration, like a peer configured with localhost as a remote peer’s address. Can you post here the output of

/ip ipsec export

after replacing sensitive information by xxxxxx?

Hi Sindy,
I have no access to a console but I managed to use Winbox to look at the IP IPsec configuration. Will it be the same?
This is the information that I collected. I have not replaced any address because it only has generic addresses:

• Policies

  • *T
    Src.Address ::/0
    Src.Port
    Dst. Address ::/0
    Protocol 0 (all)
    Action encrypt
    Level require
    Tunnel no
• Groups

Default
• Peers

Address 0.0.0.0
Port 500
Hash algorithm sha512
Encryption algorithm 3des aes-256
• Remote peers

Local address 127.0.0.1
Remote address 0.0.0.0
• Mode configs

Name request-only
Address pool
Address prefix
Split-include
Send DNS yes
• Proposals

Name default
Auth algorithms sha1
Encr algorithms aes-128 cbc aes-192 cbc aes-256 cbc
Lifetime 00:30:00
PFS Group modp 1024

Name proposal1
Auth algorithms sha1 sha512
Encr algorithms 3des cbc aes-256 ctr
Lifetime 00:30:00
PFS Group none
• Installed SAs

• Keys

• Users

Thank you.

I have no access to a console but I managed to use Winbox

If you can connect using Winbox, you should be able to press the “console” button and get the command line window.

Now as you have just a single peer defined in the

/ip ipsec

part of configuration, there must be something else in your configuration that causes packets to be sent to port 500 locally. Maybe the best next step would be to use

/export file=my_file_name hide-sensitive

command, download the resulting file and eventually remove public IP addresses from it, and copy-paste the sanitized contents of the file here. My candidate for the source of these packets is an L2TP interface with IPsec enabled and pointing to yourself, but it is just a wild guess.

What I got is:

jan/12/2018 13:58:12 by RouterOS 6.34.3

software id = 6X1L-00W2

/interface ethernet
set [ find default-name=ether1 ] name="[1]WAN_Fibra"
set [ find default-name=ether2 ] disabled=yes name="[2]WAN_Livre"
set [ find default-name=ether3 ] name="[3]LAN_Quartos"
set [ find default-name=ether4 ] name="[4]LAN_WiFi"
set [ find default-name=ether5 ] name="[5]LAN_Admin"
set [ find default-name=ether6 ] disabled=yes name="[6]LAN_Livre"
set [ find default-name=ether7 ] disabled=yes name="[7]WAN_SpeedyDSL"
set [ find default-name=ether8 ] disabled=yes name="[8]LAN_Livre"
set [ find default-name=ether9 ] disabled=yes name="[9]LAN_Livre"
set [ find default-name=ether10 ] name="[10]LAN_Manuten\E7\E3o"
/interface vlan
add interface="[5]LAN_Admin" name=vlanAdm vlan-id=500
add interface="[3]LAN_Quartos" name=vlanQuart vlan-id=300
add interface="[4]LAN_WiFi" name=vlanWifi vlan-id=400
/ip ipsec proposal
add auth-algorithms=sha512,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=proposal1 pfs-group=none
/ip pool
add name=pool_WiFi ranges=xxx.xxx.xxx.129-xxx.xxx.xxx.254
add name=pool_adm_fix ranges=xxx.xxx.xxx.241-xxx.xxx.xxx.253
add name=pool_adm_var ranges=xxx.xxx.xxx.225-xxx.xxx.xxx.239
add name=pool_quartos ranges=xxx.xxx.xxx.2-xxx.xxx.xxx.254
/ip dhcp-server
add address-pool=pool_adm_var disabled=no interface="[5]LAN_Admin" name=dhcp_adm
add address-pool=pool_WiFi disabled=no interface="[4]LAN_WiFi" name=dhcp_wifi
add address-pool=pool_quartos disabled=no interface="[3]LAN_Quartos" name=dhcp_quartos
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 idle-timeout=4h local-address=xxx.xxx.xxx.18 name=VPNT rate-limit="" remote-address=pool_adm_var use-encryption=required
/interface l2tp-server server
set authentication=mschap2 default-profile=VPNT enabled=yes
/ip address
add address=xxx.xxx.xxx.254/27 interface="[5]LAN_Admin" network=xxx.xxx.xxx.224
add address=xxx.xxx.xxx.18/30 interface="[1]WAN_Fibra" network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.1/29 interface="[7]WAN_SpeedyDSL" network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.1/24 interface="[4]LAN_WiFi" network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.1/24 interface="[3]LAN_Quartos" network=xxx.xxx.xxx.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface="[7]WAN_SpeedyDSL"
/ip dhcp-server network
add address=xxx.xxx.xxx.0/24 gateway=xxx.xxx.xxx.1
add address=xxx.xxx.xxx.0/24 gateway=xxx.xxx.xxx.1
add address=xxx.xxx.xxx.0/24 gateway=xxx.xxx.xxx.1
add address=xxx.xxx.xxx.224/27 gateway=xxx.xxx.xxx.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,200.153.xxx.68
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface="[1]WAN_Fibra" protocol=udp
add action=drop chain=input dst-port=53 in-interface="[7]WAN_SpeedyDSL" protocol=udp
add action=drop chain=input dst-port=21 protocol=tcp
add action=drop chain=input dst-port=23 protocol=tcp
add action=drop chain=forward dst-address=xxx.xxx.xxx.0/24 src-address=xxx.xxx.xxx.0/24
add chain=forward dst-address=0.xxx.xxx.0/0 src-address=xxx.xxx.xxx.0/24
add action=drop chain=forward dst-address=xxx.xxx.xxx.0/24 src-address=xxx.xxx.xxx.0/24
add chain=forward dst-address=0.xxx.xxx.0/0 src-address=xxx.xxx.xxx.0/24
add action=drop chain=forward dst-address=xxx.xxx.xxx.0/24 src-address=xxx.xxx.xxx.0/24
add chain=forward dst-address=0.xxx.xxx.0/0 src-address=xxx.xxx.xxx.0/24
add action=drop chain=forward dst-address=xxx.xxx.xxx.0/24 src-address=xxx.xxx.xxx.0/24
add chain=forward dst-address=0.xxx.xxx.0/0 src-address=xxx.xxx.xxx.0/24
add chain=input connection-state=new dst-port=500 in-interface="[1]WAN_Fibra" log=yes protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface="[1]WAN_Fibra" log=yes protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface="[1]WAN_Fibra" log=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=ADM src-address=xxx.xxx.xxx.0/24
add action=masquerade chain=srcnat src-address=xxx.xxx.xxx.224/27
add action=masquerade chain=srcnat comment=Hospedes fragment=no src-address=xxx.xxx.xxx.0/24
add action=masquerade chain=srcnat limit=1,5:packet nth=2,1 src-address=xxx.xxx.xxx.0/24
/ip ipsec peer
add address=0.xxx.xxx.0/32 enc-algorithm=aes-256,3des exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha512
/ip route
add distance=1 gateway=xxx.xxx.xxx.17
add distance=1 gateway="[7]WAN_SpeedyDSL"
add distance=1 dst-address=xxx.xxx.xxx.0/24 gateway="[4]LAN_WiFi" pref-src=xxx.xxx.xxx.1 scope=10
add distance=1 dst-address=xxx.xxx.xxx.0/24 gateway="[3]LAN_Quartos" pref-src=xxx.xxx.xxx.1 scope=10
add disabled=yes distance=1 dst-address=xxx.xxx.xxx.224/27 gateway="[1]WAN_Fibra" pref-src=xxx.xxx.xxx.254 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpnht profile=VPNT service=l2tp
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name="Top Centrum Hotel"
/system routerboard settings
set protected-routerboot=disabled

Nothing in your configuration explains the behaviour to me. As you do not use IPsec at all, I suggest you disable the default IPsec peer if RouterOS allows you to do so, and if it does not (I’ve got nowhere to test at the moment), consider a software upgrade.

Thank you

Hi man, what resolved your problem? I have the same problem here and nothing works.

Hi celoownz,
I tried the firmware upgrade and I reviewed the settings but the messages continue appearing.
As it is not affecting the functionality and I did not have the time to go after it, I just left it as it is.

Well, problem solved by not solving it at all – perfect…