SOLVED - L2TP IPSEC stoped working after Upgrade to 6.18

bgonev · August 12, 2014, 9:03pm

Hi,
Yesterday I did upgrade from V5.20 to v6.18. HW is RouterBoard RB450G. Previously (on ver5.20) I have succesfully established L2TP/IPSEC with my WIndows 7/Android. After upgrade L2TP/IPSEC is not working anymore.

Here is the log from RB:

22:56:26 ipsec,error failed to pre-process ph2 packet.
22:56:29 ipsec,error failed to begin ipsec sa negotiation.
22:56:29 ipsec,error failed to pre-process ph2 packet.
22:56:32 ipsec,error failed to pre-process ph2 packet.
22:56:35 ipsec,error failed to pre-process ph2 packet.
22:56:38 ipsec,error failed to pre-process ph2 packet.
22:56:41 ipsec,error failed to pre-process ph2 packet.
22:56:45 ipsec,error failed to pre-process ph2 packet.
22:56:47 ipsec,error failed to pre-process ph2 packet.
22:56:50 ipsec,error failed to pre-process ph2 packet.
22:56:53 ipsec,error failed to pre-process ph2 packet.
22:56:56 l2tp,info first L2TP UDP packet received from 7x.1x5.35.1x4
22:57:24 system,info ipsec policy changed by admin
22:57:29 ipsec,error failed to begin ipsec sa negotiation.
22:58:29 ipsec,error failed to begin ipsec sa negotiation.
22:59:24 system,info ipsec policy changed by admin
22:59:29 ipsec,error failed to begin ipsec sa negotiation.
23:00:29 ipsec,error failed to begin ipsec sa negotiation.
23:01:24 system,info ipsec policy changed by admin
23:01:29 ipsec,error failed to begin ipsec sa negotiation.
23:02:29 ipsec,error failed to begin ipsec sa negotiation.

Any help ?

BR
Boris

bgonev · August 13, 2014, 7:54am

Anyone ?

bgonev · August 13, 2014, 9:36am

SOLVED

Problem was that inside IPSEC Peer definition there was Policy Group: default. I’m not sure if this value was present in v5.20 setup, or maybe it was set up by default after upgrade to v6.18. However removing the value for Policy Group (no value at all - NULL), solved the problem.
I hope this will help to anyone who have simmilar problem..

BR
Boris

allansud · August 19, 2014, 1:21am

Hi There!

Can you post your config please??!

bgonev · August 19, 2014, 4:07pm

Here it is:

/ip ipsec peer > print

/ip ipsec peer > print
 address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500
 auth-method=pre-shared-key secret="Password"
 generate-policy=port-override exchange-mode=main-l2tp
 send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
 enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m
 dpd-maximum-failures=5

/ip ipsec proposal> print

 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=5m
      pfs-group=modp1024

This is working configuration.

lambert · August 22, 2014, 8:13pm

I had the same problem after upgrading from 6.11 to 6.18.

I’ve tried at various times on 6.x to get any policy using a policy group to work. It never has. It may be a failure on my part to understand how to use policy groups.

jaytcsd · August 24, 2014, 12:06am

this works from win 8 but not from 8.1, I think I have a firewall issue on 8.1.

/ip ipsec peer> pr
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret=“monkee”
generate-policy=port-override exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec proposal> pr
Flags: X - disabled, * - default
0 * name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

chemp86 · November 22, 2014, 6:36am

Confirmed words of comrade Boris. If config is:

address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="password" generate-policy=port-override policy-template-group=*FFFFFFFF exchange-mode=main
 send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

It is works. I deleted it manually form “Groups” section.
RouterOS 6.22

garther · January 20, 2015, 2:22pm

Hi
I’ve got a smilar problem with s2s VPN

Here is the config:

/ip ipsec proposal
add enc-algorithms=3des,aes-128-cbc name=proposal1 pfs-group=modp1536
add enc-algorithms=3des,aes-128-cbc name=proposal2 pfs-group=modp1536
add enc-algorithms=3des,aes-128-cbc name=proposal3 pfs-group=modp1536

/ip ipsec peer
add address=213.165.0.0/32 dh-group=modp1536 lifetime=8h nat-traversal=no proposal-check=strict secret=0
add address=92.222.0.0/32  dh-group=modp1536 lifetime=8h nat-traversal=no proposal-check=strict secret=0
add address=37.114.0.0/32 dh-group=modp1536 lifetime=8h nat-traversal=no proposal-check=strict secret=0

The log is being flooded with errors regarding ph2 pre-process just after I’ve added the 3rd node (37…) which is an Cisco ASA.
The VPN is working correctly [all 3 of them].

Anyone has got similar problems?

Michel · February 4, 2015, 1:10pm

I setup a new router and IPSEC was not working, giving me all the time

ipsec,error failed to pre-process ph2 packet

I had compared all the settings from the working one and noticed that it is impossible to create a peer from the GUI with having policy-template-group=*FFFFFFFF . Also if you just change anything inside the Peer than you lost the ***** and it only stands there policy-template-group=FFFFFFFF with the result that IPSEC is not working.

If you take a look to an export config than policy-template-group=*FFFFFFFF is missing in the peer

At all, you must add a new Peer with this

/ip ipsec peer

add address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=port-override policy-template-group=*FFFFFFFF exchange-mode=main-l2tp\ send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

If you changed later the password over the GUI or anyhting else than you lost the *FFFFFFFF and IPSEC no longer works.

Puhhh…this problem cost me 3 days of my nervs.

sergejs · February 4, 2015, 2:20pm

Michel,
policy-template should be default not *FFFFF, perhaps you upgraded from the version, where was issuse with it.
Add new peer, it should has correct settings.

cmurrayis · May 11, 2015, 1:21am

I’ve just had the axact same issue with setting up 6.27 to AWS.

Changed this policy value to *FFFFFFFF and the tunnel came up instantly.

jgraue · June 3, 2015, 12:54am

Today I also went through the same problem. I am using Shrew client for a Client-to-Site VPN. Just IPSec, no L2tp.
In fact I am using PSK and XAUTH and I started using a Policy template Roadwarrior as the configuration example stated and after I removed it and add the *FFFFFFFF it inmediately came up.

This is the entire config:

First define the pool for the remote users (roadwarriors)
/ip pool
add name=ipsec-RW ranges=192.168.50.2-192.168.50.254

/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=192.168.88.0/24

Although I have it here I then override this group
/ip ipsec policy group
add name=RoadWarrior

/ip ipsec policy
add dst-address=192.168.50.0/24 group=RoadWarrior src-address=192.168.88.0/24 template=yes
add dst-address=192.168.88.0/24 group=RoadWarrior src-address=192.168.50.0/24 template=yes

/ip ipsec user
add name=johndow password=gladiator

Im adding to peers (one without NAT-T and the other with the NAT-T so I can cover both situations)
/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict hash-algorithm=md5 mode-config=RW-cfg nat-traversal=no passive=yes secret=mysecret policy-template-group=*FFFFFFFF
add auth-method=pre-shared-key-xauth generate-policy=port-strict hash-algorithm=md5 mode-config=RW-cfg passive=yes secret=mysecret policy-template-group=*FFFFFFFF

Then you need to add the Firewall filters so you allow IPSec traffic (UDP=500) and NAT-T (UDP=4500).
Be sure to insert them in the corresponding position.

/ip firewall filter
add chain=input comment=IPsec dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp

/ip firewall mangle
add action=mark-packet chain=input dst-port=4500 new-packet-mark=vpn protocol=udp
add action=mark-packet chain=input new-packet-mark=vpn protocol=ipsec-esp

Hope this help other ones, I spent more than 3 entire days…

wcrisman · November 7, 2015, 4:57am

Thank you all so much for these posts.. Saved my bacon today.

Couldn’t use webfig to change the remote one since the console doesn’t work right for the editor.

cross · November 17, 2015, 2:29pm

I can add that I’ve been using the same example for setting

ip ipsec peer set 0 policy-template-group=*FFFFFFFF 
failure: can not change dynamic peer

But Like you all see I got failure with message above. Reason for this was obvious. In new MikroTik (mine is RB750Gr2 / hEX) when adding L2TP you can choose to select “Use IPsec” and the secret password and you have section ip ipsec configured too. But, it’s dynamic and you can add those *FFFF in the policy template in ip ipsec peer so I remove it and added my static peer in ipsec. But I made one thing. I didn’t set the *FFFF.. thing. Why? Because it’s a link to Policies section. And there I found a default template which has to be enabled.

/ip ipsec policy> pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

So I enabled it. And then in peer configuration like this

ip ipsec peer> pr                                                                             
Flags: X - disabled, D - dynamic 
 0    address=0.0.0.0/0 local-address=:: passive=yes port=500 auth-method=pre-shared-key secret="********" 
      generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes 
      hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

everything works fine. When I disabled the Policies and set the *FFFFFF… it works too. But the reason for my was that I had Policies disabled.

And remember set the generate-policy=port-override

port-override – generate policies and force policy to use any port (old behavior)

StefanM · April 2, 2016, 11:52pm

Thanks for solution.

jaytcsd · April 7, 2016, 7:47am

I ran into this problem after a hardware reset when I lost the ability to get some websites to load.
L2TP was working under 6.33 and up to 6.34.2 via quickset upgrades.

After the reset I added L2TP but got the pre-process error.

While using the terminal to fix this I found a bug in winbox 2.2.18, it won’t show DPD interval settings or port override, my screen stops after the DH group list.

lambert · April 7, 2016, 3:53pm

jaytcsd, you should create a new topic for your similar symptom but completely unrelated question. This topic is about upgrades from anything before 6.18 to 6.18 or later. 6.33 to 6.34.2 did not change the behavior of the IPsec stack in the way that 6.17 to 6.18 did. Therefore, you have a new and interesting issue which needs it’s own thread.

Winbox 2 is not likely to work with the current release of RouterOS. I believe that is mentioned in the release notes of RouterOS but have not gone back to re-read them to verify for you. Get Winbox 3.4 or above. If you still have issue, please create a new topic.

I would not mind seeing another new topic on the “I lost the ability to get some websites to load” issue you mention.

lfduarte91 · October 20, 2016, 7:12pm

i change the proposal check to “obey”, it´s workinh ok.

manelfl · February 26, 2019, 1:45pm

Same for me.

I have done the same.

Woks for me too.

I have generate-policy=port-strict and it works.