VPN setup for Windows 10

Hello,

I’m pulling my hair out trying to get this to work. Fortunately, I keep my hair short so I can’t do any damage. :sunglasses:

This is in a test environment so I am not worried about passwords or IP addresses. My goal is to be able to have Windows, Android, and Apple (Macs, iPads, and iPhones) devices connect.

What am I missing?
Thanks!

Laptop attempting to connect using the Windows 10 built-in VPN connector.

  • Edition: Windows 10 Pro
  • Version: 2004
  • OS build: 19042.1165
  • Experience: Windows Feature Experience Pack 120.2212.3530.0

The following configuration represents a combination of several articles/notes.
/ip ipsec export

# sep/16/2021 18:38:51 by RouterOS 6.48.4
#
# model = RouterBOARD 750G r3
/ip ipsec profile set [ find default=yes ] \
    dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 \
    dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256

/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm \
    pfs-group=ecp256

/ip ipsec peer print

Flags: X - disabled, D - dynamic, R - responder
 0  DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes

/interface l2tp-server export hide-sensitive

# sep/16/2021 18:36:57 by RouterOS 6.48.4
#
# model = RouterBOARD 750G r3
/interface l2tp-server add name=l2tp-in1 user=vpn

/interface l2tp-server server set enabled=yes ipsec-secret=vpn use-ipsec=required

/log print where topics~"ipsec"

18:27:32 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:32 ipsec,error no suitable proposal found.
18:27:32 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:32 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:32 ipsec,error 10.10.1.141 phase1 negotiation failed.
18:27:33 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:33 ipsec,error no suitable proposal found.
18:27:33 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:33 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:33 ipsec,error 10.10.1.141 phase1 negotiation failed.
18:27:36 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:36 ipsec,error no suitable proposal found.
18:27:36 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:36 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:36 ipsec,error 10.10.1.141 phase1 negotiation failed.
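As an added example (not part of the post, and not a MikroTik tool), a small Python script that reads RouterOS ipsec log lines like the ones above and tallies phase 1 attempts, failures and error reasons per remote peer, so a proposal mismatch such as "no suitable proposal found" stands out per client rather than being read line by line. The sample log is a constructed subset of the lines in the post; the function names are the author's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the RouterOS 6.48 ipsec log lines shown in the post.
SAMPLE_LOG = """\
18:27:32 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:32 ipsec,error no suitable proposal found.
18:27:32 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:32 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:32 ipsec,error 10.10.1.141 phase1 negotiation failed.
18:27:33 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:33 ipsec,error no suitable proposal found.
18:27:33 ipsec,error 10.10.1.141 phase1 negotiation failed.
"""

# "respond new phase 1 (<mode>): <local>[port]<=><remote>[port]"; "Identity Protection" is
# IKEv1 main mode, matching exchange-mode=main on the peer entry.
PHASE1_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,info respond new phase 1 \((?P<mode>[^)]+)\): "
    r"(?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]$"
)
# Error lines may or may not be prefixed with the peer address.
ERROR_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) ipsec,error (?:(?P<peer>\d[\d.]*) )?(?P<msg>.+)$")

def summarize_phase1(log_text):
    """Return {remote_ip: {"mode", "attempts", "failures", "reasons": {msg: count}}}."""
    peers = defaultdict(lambda: {"mode": None, "attempts": 0, "failures": 0, "reasons": defaultdict(int)})
    current = None  # peer of the attempt in progress; errors without an address belong to it
    for line in log_text.splitlines():
        m = PHASE1_RE.match(line)
        if m:
            current = m.group("remote")
            peers[current]["mode"] = m.group("mode")
            peers[current]["attempts"] += 1
            continue
        m = ERROR_RE.match(line)
        if not m or (m.group("peer") or current) is None:
            continue
        entry = peers[m.group("peer") or current]
        if m.group("msg") == "phase1 negotiation failed.":
            entry["failures"] += 1
        else:
            entry["reasons"][m.group("msg")] += 1
    return {ip: {**v, "reasons": dict(v["reasons"])} for ip, v in peers.items()}

def proposal_mismatch_peers(summary):
    """Peers whose phase 1 failed because no proposal matched (the symptom in the post)."""
    return sorted(ip for ip, v in summary.items() if "no suitable proposal found." in v["reasons"])

if __name__ == "__main__":
    for ip, v in summarize_phase1(SAMPLE_LOG).items():
        print(ip, v["mode"], "attempts", v["attempts"], "failed", v["failures"], v["reasons"])
```

Once the Phase 1 proposal contents are visible in the verbose log, the `reasons` tally shows which side's proposal each peer keeps failing on, and the settings on the router can be adjusted to match that client.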

/system logging add topics=ipsec,!packet will make the log much more verbose, and you'll be able to see what the contents of the Phase 1 proposal coming from Windows are.

If I remember well, Windows doesn't support sha256, at least unless you do some PowerShell magic.

Thanks for the logging hint, Sindy.

Using the log, I was able to get the 2 sides to sync up. Now I just have to figure out how to be able to access systems on the Mikrotik ethernet ports.

My settings.
IP / IPsec / Proposals

  • Auth. algo.: sha1, sha256, sha512
  • Encr. algo.: aes-128-cbc, aes-256-cbc
  • Lifetime: 08:00:00 (this came from the Windows side)
  • PFS group: ecp388

IP / IPsec / Profiles

  • Hash algo.: sha1
  • PRF algo.: sha1
  • Encryption algo.: sha1, sha256, sha512
  • DH group: ecp256, ecp384, ecp521
  • Proposal check: obey
  • Lifetime: 08:00:00