Problem with L2PT VPN

Hi i’m trying to configure a VPN L2PT for connect my outside device to my Mikrotik

I receive this message when i’m trying to connect

“failed to pre-process ph2 packet”
“peer sent packet for dead phase 2”


This is /export

set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 priority=0 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward connection-state=established,related dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.98.0/24 src-address=192.168.54.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=192.168.98.0/24
add action=accept chain=forward dst-address=192.168.98.0/24 src-address=192.168.5.0/24
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 dst-address-list=212.210.227.1 src-address=192.168.98.0/24 src-address-list=79.58.99.100
/ip ipsec peer
add address=xx/32 comment=VPN_Tivoli dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=xx/32 comment=VPN_Velletri dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=xx sa-src-address=xx0 src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=xx sa-src-address=xx src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=fabio service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel

You must first have ‘Input’ ‘rules, then’ Output ‘and’ Forward '.

This is not correct. The order of rules is important but only within a chain. Whether a particular incoming packet will be processed by input chain or forward chain depends on its destination address, not on order of rules.

@ibrahimovich, I cannot see any “/interface l2tp-server” in your Mikrotik configuration export, so it cannot work as you expect. Please follow the relevant manual page - after removing your manually created “/ip ipsec peer” with “address=0.0.0.0/0” as it would prevent the “/interface l2tp-server add” from creating a dynamic peer configuration. There is a note in the manual that care must be taken if other IPsec configuration is used, which is your case, but as your existing configuration identifies the peers with individual addresses, the automatically generated peer won’t shadow them.

Create the “plain” configuration first and then modify it to the “road warrior” one. The road warrior example alone does not contain all settings.

“not correct” means that it creates an impression that the particular order in which two rules in different chains are configured affects which of these two rules will be applied to a packet. This is not true, so rearranging the rules will not help the topic author deal with his issue.

It definitely is a good practice to keep rules of the same chain together in the configuration, and also to keep the chains in some systematic order (input-output-forward) in all configurations, because it makes the configuration better readable for humans. Following such practice makes it easier for you to review someone else’s configuration, and for someone else to review your configuration (where that someone else is often actually yourself several months older). However, RouterOS itself only cares about the order of rules in the same chain, as I wrote. Stating something else may cause doubts and misunderstandings about the concept for less experienced users.

… Finally, “drop All” ‘forward’ is specified. Agree?

I’m a bit afraid that we hijack the topic from the OP, maybe we should move somewhere else with this discussion? I agree with part of your points, and I disagree with other ones.

Imagine the following set of five filter rules. In a chaotic configuration, they could be arranged the following way:

forward rule 1
input rule 1
forward rule 2
input rule 2
forward rule 3

In an orderly configuration, they would be arranged like this:

input rule 1
input rule 2
forward rule 1
forward rule 2
forward rule 3

Now there are two theoretical possibilities:

• either the RouterOS evaluates all the rules top to bottom, which means that “forward rule 3” is evaluated as the 5th one in both cases, so where exactly the two input rules were located among the previous four rules has no effect to the throughput,
• or the RouterOS actually converts the configuration into internal lists of rules which are built separately for each chain, and in such case the forward rule 3 is always evaluated as the 3rd one because, for a packet coming from outside the RB and routed outside the RB again, the rule evaluation starts from forward rule 1 and the input rules are not evaluated at all for that packet, so again the position of the two input rules in the configuration script has no effect on the throughput.

I totally agree with you that order of rules within a given chain is important - just think of putting the “drop” or “accept” rule which matches to any packet (no matching conditions specified) as the first one to a given chain, if you do so, all the other rules in that chain become irrelevant because none of them will ever be evaluated.

Now, to use your own example, try to do the following:

• make sure that ssh service is enabled on a test RouterBoard and that you can connect to it from your PC.
• next, disconnect that RouterBoard from internet to stay secure and configure its firewall with only the two following rules (just disable the rest for a moment):

/ip firewall filter
add chain=input dst-address=LAN-IP-of-the-RB dst-port=80 action=accept
add chain=forward action=drop

Now try to establish a new SSH connection to LAN-IP-of-the-RB again. You will get connected to the RB

• despite the “drop everything” rule in the forward chain - because packets to RB’s own addresses are not handled by “forward” chain, only by “input”, and
• despite the fact that ssh listens at port 22 while you have only accepted packets to port 80 in the “input” chain - because packets not matching to any rule in their chain are accepted by default.

So to answer your question - yes, I do keep my configurations readable by putting rules belonging to the same chain all together, but when I review someone else’s ones, I do not rely on the author to follow this habit so I do not stop searching for “input” rules as soon as I get to the first rule belonging to another chain. And (maybe I should be shy to do that?), I follow the input - forward - output order in my configurations, because this is the order in which iptables on linux list the rules.

So again - I’m all for keeping the firewall configurations clean and orderly, but I disagree that putting a forward rule before an input rule can change anything about the system behaviour. And I disagree with confusing newbies by suggesting changes to configuration which are irrelevant to their problem.

Hi guys,

this is my L2TP server configuration (sorry but i can’t do the export)

Can’t do because you don’t know how to do that from Winbox or can’t do because it is administratively prohibited?

Whatever, the configuration export you’ve provided earlier contains a static peer configuration with “address=0.0.0.0/0”. The L2TP server with IPsec set to “yes” or “required” (the latter should be used to prevent L2TP connections without IPsec from being set up unless you really want to support them too) creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with “address=0.0.0.0/0” setting.

Now as the statically configured peer is the first one in the list, it is used to handle the incoming requests from unknown-in-advance IP addresses rather than the dynamically configured one, because among all peers whose “address” parameter matches the source IP of the request, the one with longest mask is chosen; if the mask length is the same for several peers, their order decides.

So please disable the statically configured peer with “address=0.0.0.0/0” (unless that would cut your management connection) and try to connect the client again.

Can’t because how do it,

“creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with “address=0.0.0.0/0” setting.”

So how doing it? (i’m sorry but i’m very new with all this configuration) i’ve disabled the statically peer and this is the settings (i’m setting L2PT Server in Use Ipsec=required)

/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps country=italy distance=indoors frequency=2422 \
    mode=ap-bridge name=Miko rate-set=configured ssid=Miko wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=@alicebiz.routed
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des lifetime=0s
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TP \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.98.150-192.168.98.190
add name=VPN_Pool ranges=192.168.98.70-192.168.98.85
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.98.4 name=\
    L2TP-IN-Profile remote-address=VPN_Pool
add name=profile1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=Miko
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=mactel
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-IN-Profile enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=Miko list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=\
    192.168.98.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
    192.168.98.4 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 \
    priority=0 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.98.0/24 src-address=192.168.54.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=forward dst-address=192.168.98.0/24 src-address=\
    192.168.5.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 \
    src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 \
    dst-address-list=2XX src-address=192.168.98.0/24 \
    src-address-list=XX
/ip ipsec peer
add address=XX/32 comment=VPN_Tivoli dh-group=modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=XX2/32 comment=VPN_Velletri dh-group=modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=\
    aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=\
    port-override local-address=192.168.98.4
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=XX \
    sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=XX \
    sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=fabio profile=L2TP-IN-Profile service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel

Well, in your today’s export I can see, at the peer in question, “disabled=yes” which was not there in your first export, so I guess you’ve found how to disable it.

Now, “/ip ipsec peer print” should show the static peers and also the dynamic one created by the L2TP server. If the dynamic peer is not there, the L2TP server has not created it, so try to disable and then re-enable the L2TP server. If it is there, please replace all passwords with xxxxxx and paste here the output for all peers, not just the dynamic one.

Yes it’s created

[admin@MikroTik] >> /ip ipsec  peer print    
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; VPN_Tivoli
       address=xxx/32 auth-method=pre-shared-key secret="xx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

 1     ;;; VPN_Velletri
       address=xxx/32 auth-method=pre-shared-key secret="xx*" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

 2  DR address=::/0 passive=yes auth-method=pre-shared-key secret="xx" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

OK. And if you try to connect your client now, you still get the same log messages like you did before or something else?

“Failed to pre-process ph2 packet”
“peer sent packet for dead phase2”

What kind of remote device do you try to connect?

Iphone 5s and i’m trying with Windows 10 too…same error

this is the report

1.png945×919 82.6 KB

OK, we’re getting somewhere The lines right before the red one saying “Failed to pre-process ph2 packet” are important:
no template matches
failed to get proposal for responder

A look at your exported config shows the following:

/ip ipsec policy
set 0 disabled=yes

So the default policy template referring to default IPsec proposal is disabled. Try

/ip ipsec policy set 0 disabled=no

(or use mouse to re-enable the template) and try to connect the phone again.

Ok connected but now i have other problem, if i’m trying to connect via RDP to a remote Server i canno’t connect it

The 192.168.98.4 IP it’s my Mikrotik router Ip, it’s correct that i receive this ip?

That IP in the log says that out of all the Mikrotik’s own IPs, this one receives the IPsec packets from the client, so it is fine. You should see somewhere in the ppp server window that client Fabio is connected and which IP address it has been assigned (or use “/interface l2tp-server print”). Also deep in the iPhone’s menu you might be able to see the IP you’ve received.

Now can you use something else than RDP to test whether the iPhone can connect at least somewhere? E.g., the web interface of Mikrotik itself but when the iPhone is connected to such a network that it would be sure that it cannot get there any other way than via the tunnel?

the ip it’s 192.168.98.70 see this stranger things…

First…connect L2PT VPN…when i’m connected…i’m try to connect via RDP to my server and i can connect it too…if i close RDP connection (but not VPN) and i’m retry to connect to my server VIA rdp…not possibile to connect it

192.168.98.4 is Mikrotik
192.168.98.70 is the client via L2TP
what is the IP of the server and how is it connected to the Mikrotik?

192.168.98.222

So everything in the same subnet except that the server is on the LAN and the client is connected via L2TP.

Normally, I would expect that the end of this manual chapter is relevant, you have to permit proxy-arp functionality at the LAN interface to which the server is connected, but your configuration export says:

/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes name=bridge

What is unusual, though, is that the IP address of the Mikrotik itself, 192.168.98.4, is assigned to “ether2” which itself is a member interface of a bridge named “bridge”. So please activate safe mode and change the interface for that IP address from “ether2-master” to “bridge”. That change should not break anything but better safe than sorry.