Solved! When L2TP-IPsec is activated it drops all site-to-site IPsec VPNs

Hi guys,
I have a problem with my site-to-site IPsec VPN and L2TP-IPsec config.
When I have just the site-to-site IPsec VPNs enabled I am able to get my sites to connect without any issues.
When I then enable the L2TP-IPsec client, one of two things happens…

  1. All my sites maintain their connections and the L2TP-IPsec client connects too. After a while my site-to-site connections drop and are not able to reconnect.
  2. If there are no site-to-site connections, then L2TP-IPsec will connect but no site-to-site VPNs will be able to connect.

With both of these scenarios I get "password incorrect" in the IPsec logs (the secrets for site-to-site and L2TP-IPsec are different). It looks like when I enable L2TP-IPsec the site-to-site VPNs try to use the L2TP-IPsec profile (I think).

One important thing: all the site-to-site VPNs come from LTE modems that are behind NAT, so I am using the default template (if this makes sense..).

Just to clarify… with just site-to-site or just L2TP-IPsec it works fine. When I use both, the site-to-sites drop and are not able to reconnect, and I get "This entry is unreachable" for the peer.
Below is my config:

# jun/03/2019 10:24:55 by RouterOS 6.44.3
# software id = BH42-E3DL
# model = RB1100x4
# serial number = 91D70A344D65

/interface bridge
add name=brg_Lan
/interface list
add name=WAN
add name=LAN
/ip ipsec profile
add dh-group=modp1024 lifetime=8h name=Lyon
/ip ipsec peer
# This entry is unreachable
add name=Lyon passive=yes profile=Lyon send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=8h
/ip pool
add name=dhcp_pool0 ranges=10.254.254.2-10.254.254.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=brg_Lan lease-time=10h10m name=dhcp1
/interface bridge port
add bridge=brg_Lan interface=ether2
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=brg_Lan list=LAN
/ip address
add address=10.254.254.1/24 interface=brg_Lan network=10.254.254.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.254.254.0/24 dns-server=1.1.1.1 gateway=10.254.254.1
/ip firewall filter
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log-prefix="DROP3 "
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LAN log-prefix="DROP2 "
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix="DROP "
add action=drop chain=forward comment=" drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=10.254.254.0/24
add action=accept chain=srcnat dst-address=10.254.254.0/24 src-address=192.168.101.0/24
add action=accept chain=srcnat dst-address=192.168.101.0/24 src-address=10.254.254.0/24
add action=accept chain=srcnat dst-address=10.254.254.0/24 src-address=192.168.100.0/24
add action=passthrough chain=srcnat comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add generate-policy=port-strict peer=Lyon
/ppp secret
add local-address=10.254.254.1 name=XXXXXXX profile=default-encryption remote-address=10.254.254.111 service=l2tp
/system logging
add topics=ipsec
add topics=l2tp

Solved!
Just needed to delete the profile "Lyon" and use the dynamic profile that was created for the L2TP-IPsec configuration for all the dynamic VPNs.
Same password etc..
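The resulting configuration, as an added example and not the poster's own export: it assumes the peer and identity that reference profile "Lyon" are removed along with the profile, so the only remaining IPsec peer is the dynamic one the L2TP server creates, and every remote site and L2TP client authenticates with the single pre-shared key set on the L2TP server (<SHARED-PSK> is a placeholder).

```routeros
# Added example, not the original export. Remove the static site-to-site
# objects in dependency order: identity -> peer -> profile. (Assumption:
# the peer and identity were removed together with the profile.)
/ip ipsec identity
remove [ find peer=Lyon ]
/ip ipsec peer
remove [ find name=Lyon ]
/ip ipsec profile
remove [ find name=Lyon ]

# The L2TP server's dynamic IPsec peer now handles every inbound IKE
# negotiation. The remote LTE sites must be configured with this same
# secret, since there is no longer a separate site-to-site identity.
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=<SHARED-PSK>

# Checks after the change: only the dynamic peer should be listed, each
# remote site should appear as an active peer, and the ipsec log topic
# should no longer show "password incorrect" for any of them.
/ip ipsec peer print
/ip ipsec active-peers print
/log print where topics~"ipsec"
```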