Just started experiencing something interesting, wanted to see if anyone knew what’s going on. I had a working VPN on L2TP/IPsec with PSK with the out-of-the-box config from Mikrotik and Windows. However, while trying to mount an SMB share, I experienced an error and I allowed Windows to repair the connections. Once done, I rebooted the PC and now the VPN I was experimenting with will no longer connect, even when I’m on the inside LAN with the router providing the VPN. Windows logging and error reporting is too generic to diagnose what is happening. Mikrotik logging is too verbose to find the root cause of the issue. Even after deleting the VPN in Windows and rebuilding the VPN connection from scratch, the connection will still not join. My first instinct is to debug the cipher suites offered by Windows to see if they were set to something back from the Windows 7 or Windows Vista era because the Windows troubleshooters have not yet been ported over to the new settings app, but this is just my guess. Does anyone have a good guide on being able to see the cipher suites offered from a client? Following that, what else should I try to troubleshoot?
I was able to fix the issue. It was a combination of running “netsh int ip reset” and then I did this…
- Open Windows Device Manager
- Navigate to Network adapters
- Uninstall all of the WAN Miniport (XXXX) devices
- Right-click on any item and choose to Scan for hardware changes
- The WAN Miniport adapters should have re-created themselves.
- Reboot
- Try connecting to your VPN again.
I was able to investigate the cipher suites offered by my computer before and after with Wireshark. I checked both the before and after, and unfortunately, they were the same. For reference, they are posted here for people to use. This is from a Windows 10 OS machine version 21H1 (19043.1566).
IKE Attribute (t=1,l=2): Encryption-Algorithm: AES-CBC
IKE Attribute (t=14,l=2): Key-Length: 256
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 384-bit random ECP group
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
IKE Attribute (t=11,l=2): Life-Type: Seconds
IKE Attribute (t=12,l=4): Life-Duration: 28800

IKE Attribute (t=1,l=2): Encryption-Algorithm: AES-CBC
IKE Attribute (t=14,l=2): Key-Length: 128
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 256-bit random ECP group
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
IKE Attribute (t=11,l=2): Life-Type: Seconds
IKE Attribute (t=12,l=4): Life-Duration: 28800

IKE Attribute (t=1,l=2): Encryption-Algorithm: AES-CBC
IKE Attribute (t=14,l=2): Key-Length: 256
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 2048 bit MODP group
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
IKE Attribute (t=11,l=2): Life-Type: Seconds
IKE Attribute (t=12,l=4): Life-Duration: 28800

IKE Attribute (t=1,l=2): Encryption-Algorithm: 3DES-CBC
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 2048 bit MODP group
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
IKE Attribute (t=11,l=2): Life-Type: Seconds
IKE Attribute (t=12,l=4): Life-Duration: 28800

IKE Attribute (t=1,l=2): Encryption-Algorithm: 3DES-CBC
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: Alternate 1024-bit MODP group
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
IKE Attribute (t=11,l=2): Life-Type: Seconds
IKE Attribute (t=12,l=4): Life-Duration: 28800
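
An added example, not part of the original post: a short Python script that groups Wireshark's decoded IKE attribute lines into transforms, marks the 3DES and 1024-bit MODP offers, and checks the offers against a responder policy. The sample input is constructed from three of the transforms listed above, and `ROUTER_POLICY` is a hypothetical stand-in for the router's settings, not a value from the post.

```python
import re

# Constructed sample: three of the transforms above, trimmed to four attribute types.
CAPTURE = """\
IKE Attribute (t=1,l=2): Encryption-Algorithm: AES-CBC
IKE Attribute (t=14,l=2): Key-Length: 256
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 384-bit random ECP group
IKE Attribute (t=1,l=2): Encryption-Algorithm: AES-CBC
IKE Attribute (t=14,l=2): Key-Length: 256
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: 2048 bit MODP group
IKE Attribute (t=1,l=2): Encryption-Algorithm: 3DES-CBC
IKE Attribute (t=2,l=2): Hash-Algorithm: SHA
IKE Attribute (t=4,l=2): Group-Description: Alternate 1024-bit MODP group
"""
ATTR = re.compile(r"IKE Attribute \(t=(\d+),l=\d+\): ([\w-]+): (.+)")
# This example's own choice of which offered values to mark as legacy.
LEGACY = {"3DES-CBC": "3DES", "Alternate 1024-bit MODP group": "1024-bit DH group"}
# Hypothetical responder policy; replace with the settings configured on the router.
ROUTER_POLICY = {"Encryption-Algorithm": "AES-CBC", "Key-Length": "256",
                 "Group-Description": "2048 bit MODP group"}

def parse_transforms(text):
    """Group attribute lines into transforms; type 1 (encryption) opens each one."""
    transforms = []
    for m in ATTR.finditer(text):
        attr_type, name, value = int(m.group(1)), m.group(2), m.group(3).strip()
        if attr_type == 1:
            transforms.append({})
        if transforms:  # ignore attributes seen before the first encryption line
            transforms[-1][name] = value
    return transforms

def legacy_flags(transform):
    """Labels for the values in one transform that appear in LEGACY."""
    return [LEGACY[v] for v in transform.values() if v in LEGACY]

def first_match(transforms, accepted):
    """Index of the first offer whose fields all equal `accepted`, else None."""
    for i, t in enumerate(transforms):
        if all(t.get(k) == v for k, v in accepted.items()):
            return i
    return None

if __name__ == "__main__":
    offers = parse_transforms(CAPTURE)
    for i, t in enumerate(offers):
        print(i, t, legacy_flags(t))
    print("first offer the policy accepts:", first_match(offers, ROUTER_POLICY))
```

A result of `None` from `first_match` means the client offered nothing the policy accepts, which would point at a proposal mismatch rather than a broken adapter.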