I am having an issue getting a MikroTik v7 L2TP (with IPsec) client to connect to a v6 server; I am hoping you can help.
The v6 server is an RB1100x2ah running v6.49.18, L2TP server with IPsec. If I connect to it with a Win11 laptop it works as expected, and if I connect to it using a hEX PoE running v6.49.18 it works as expected, but if I connect to it with a hAP ax3 it won't connect. In all three I use the same secret etc. I have tried a few different versions of v6 on the server.
However, if I enable the PPTP server on the RB1100x2ah and connect the v7 hAP ax3, it connects straight away (again using the same secret etc.).
I don’t want to use PPTP as it’s not very secure.
The server gives this message when the v7 L2TP client tries to connect: “no suitable proposal found. (client ip address) failed to pre-process ph2 packet.”
Any help would be great. I have compared all configs; the only real difference is v7 and being an ax3, which won’t downgrade to v6.
I am assuming you intend to use the automated IPsec tunnel creation with the L2TP client and that you have it enabled and the correct PSK.
Since L2TP/IPsec uses the default IPsec profiles and IPsec proposals to generate peers, verify that the default templates for IPsec profiles and proposals are compatible between both peers (at least one combination that matches on both routers).
Sorry, I don’t quite understand. As I say, it works on v6, but on v7 using the same configuration it does not work. The only difference I can find is that the v7 configuration options have one extra drop-down menu in WinBox which allows L2TP v2 or v3; other than that I can’t find anything else related to the change. It works fine on PPTP, but I get the message that PPTP is not secure on v7 using WinBox, so I want to use something more secure like L2TP with IPsec.
If I can't find a way of doing it then I will have to use an older piece of MikroTik hardware running v6 to do the VPN side of things, but add on ax wireless as a separate piece of hardware in a simple bridge configuration.
When you say same configuration, is that just the L2TP client or the other IPsec settings as well?
Ticking Use IPsec and adding an IPsec secret to an L2TP client (also applies to other tunnel/VPN interfaces) will use the default IPsec profile & proposal, which can be found under IP > IPsec on the Profiles and Proposals tabs respectively. The newer defaults likely do not overlap sufficiently with the older defaults, some of which are deprecated as they are now deemed insecure.
tdw, you’re a star. Yes, IP > IPsec > Proposals > Encr. algorithms had most of the tick boxes unticked. I have enabled them all and it works great, top man.
So you did not understand how you solved your issue… That is not the right way….
“Sorry, I don’t quite understand. As I say, it works on v6, but on v7 using the same configuration it does not work”
What does it matter if it worked on v6 and not on v7? Did you check the IPsec settings, as tdw told you? So which are the settings that made the connection work?
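
An added example, not part of the thread and not MikroTik's own code: a short Python script that compares the default IPsec proposals exported from two routers, shows which phase 2 field has no common value (the condition behind "no suitable proposal found"), and builds a command that adds only one matching value instead of every algorithm. The two export lines and the preference order are constructed assumptions, not real v6 or v7 defaults.

```python
import re

FIELDS = ("auth-algorithms", "enc-algorithms", "pfs-group")
# Assumed preference order, strongest first (an editorial choice, not MikroTik's);
# values outside these lists (des, 3des, md5, null, ...) are never suggested.
PREFER = {
    "auth-algorithms": ["sha512", "sha256", "sha1"],
    "enc-algorithms": ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-cbc"],
    "pfs-group": ["modp4096", "modp2048", "modp1536", "modp1024"],
}

# Constructed sample lines in '/ip ipsec proposal export' style; they are not
# the real v6 or v7 defaults and not the thread author's configuration.
SERVER_V6 = ("/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 "
             "enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=modp1024")
CLIENT_V7 = ("/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1,sha256 "
             "enc-algorithms=aes-256-gcm pfs-group=modp1024")

def parse_proposal(line):
    """Return {field: set of offered values} for one exported proposal line."""
    found = dict(re.findall(r"([a-z-]+)=([\w,-]+)", line))
    return {f: set(filter(None, found.get(f, "").split(","))) for f in FIELDS}

def overlap(a, b):
    """Per-field intersection; any empty set means phase 2 cannot agree."""
    return {f: a[f] & b[f] for f in FIELDS}

def minimal_fix(edit, peer):
    """For each field with no overlap, pick the one strongest value the peer
    already offers that should be added on the router being edited."""
    return {f: next((v for v in PREFER[f] if v in peer[f]), None)
            for f, common in overlap(edit, peer).items() if not common}

def set_command(edit, fix):
    """RouterOS command that adds only the suggested values to the default proposal."""
    parts = [f + "=" + ",".join(sorted(edit[f] | {v})) for f, v in fix.items() if v]
    return "/ip ipsec proposal set [find default=yes] " + " ".join(parts) if parts else ""

if __name__ == "__main__":
    server, client = parse_proposal(SERVER_V6), parse_proposal(CLIENT_V7)
    for field, common in overlap(server, client).items():
        print(f"{field:16} common: {sorted(common) or 'NONE -> no suitable proposal'}")
    print(set_command(client, minimal_fix(client, server)))
```

This is a simplified model that checks only the three proposal fields; the phase 1 profile (IP > IPsec > Profiles) has to overlap in the same way.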