VPN between lte-kit and unifi gateway

I'm trying to set up a VPN between a dynamic IP address MikroTik client (LTE-kit) and a UniFi Cloud Gateway Max with a static public IP address.
I manage the MikroTik side while another person manages the UniFi device.
We are stuck on IPsec phase 2 problems using the l2tp-ipsec method.
Does anyone know, or can anyone share, an easy working method and configuration for this goal?
Thank you.

Did you change default IPsec proposal parameters (and/or default IPsec profile parameters) on either side?

Can you check how they are set now and see if they correspond?

Unfortunately there is the trap of “let’s set this to more modern algorithms” and/or “manufacturer thinks more modern algorithms are better and disables older ones” and the two sides won’t interwork.

At least with equipment like this you can configure it and you won’t have to deal with companies like Microsoft or Google deciding what you will use.

Try adding a logging rule for ipsec,debug and see what it tells you.

Can you please expand on the "We are stuck"?
Did you agree on common settings?
Could you show the tested/tried configuration?

I have set up l2tp/ipsec many times, both server and client side, using RouterOS.
The same server configuration works fine with an MT client as well as a Windows client.
Now I'm using the l2tp-client against this unifi thing, which gives me back a "NO PROPOSAL CHOSEN" error.
That's where we are stuck.
The Windows client doesn't work with the unifi server either, so the issue couldn't be my problem, but we are trying to make the whole thing work.

The l2tp-client related config I always used is:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ppp profile
add change-tcp-mss=yes name=encryption-required use-encryption=required

/interface l2tp-client
add allow=mschap2 connect-to=A.B.C.D disabled=no ipsec-secret=myipsecsecret \
    name=l2tp-client password=mypassword profile=encryption-required \
    use-ipsec=yes user=myuser

So it seems to be a Unifi problem that it does not negotiate parameters well.

client log:

https://pastebin.com/A3fjYpp4

There you go, the Unifi guys probably think they are the heralds of security and deprecated 3des…

So you go check the Unifi config and see what auth and enc algorithm they want you to use.

Probably some newfangled thing like sha256 and aes256.
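
The steps suggested in the thread (add an ipsec,debug logging rule, compare the default profile and proposal, then match them to the other side), written out as an added RouterOS example that is not from any poster. The aes-256, sha256 and modp2048 values are assumptions standing in for whatever the UniFi configuration actually shows; the interface name l2tp-client is taken from the config posted above.

```routeros
# Added example, not from the thread. Algorithm values below are ASSUMED
# placeholders: replace them with the ones read from the UniFi side.

# 1. Log the IPsec negotiation in detail (the ipsec,debug rule suggested above)
/system logging add topics=ipsec,debug action=memory

# 2. Show what the MikroTik side offers now. With use-ipsec=yes the L2TP
#    client builds its dynamic peer from the default profile (phase 1)
#    and the default proposal (phase 2).
/ip ipsec profile print detail
/ip ipsec proposal print detail

# 3. Phase 1: match the encryption, hash and DH group the server accepts
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048

# 4. Phase 2: replace the 3des-only proposal from the posted config.
#    If the server expects a specific PFS group, pfs-group must match too.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc

# 5. Restart the tunnel so a fresh negotiation uses the new settings
/interface l2tp-client
set [ find name=l2tp-client ] disabled=yes
set [ find name=l2tp-client ] disabled=no

# 6. Verify: an established peer and installed SAs mean both phases agreed;
#    otherwise the debug log shows which proposal was rejected.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

Once the tunnel is up, remove the debug logging rule again, since ipsec,debug output is very verbose.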