Hello,
one of my older 6.x routers died, so I replaced it with a new hAP ax3 (Arm64), latest stable ROS 7.15.2, and I have issues with L2TP/IPsec VPN with a shared secret (it had been working for years until now). I know Mikrotik has done some of their beloved functionality-breaking “upgrades” around 6.44, moving a lot of IPsec settings to different locations, but apart from that I was able to make it work; however, it acts really weird. I know the IPsec usage/shared secret has to be enabled either in the L2TP server settings or set in ip/ipsec, not both. The first one does not work, the second one does, but it seems Mikrotik is tampering with my settings, deleting or hiding them (I suspect the template policy generation?), changing the peer to unknown; it freezes during just “ip/ipsec/peer print” and, most of all, stops working until disabled/enabled.
1, First of all - sometimes Mikrotik kicks out users and when it does, users are not able to reconnect until the L2TP interface is disabled/enabled on ROS.
07-15 14:30:54 ipsec,error no auth method defined for peer
07-15 14:30:54 ipsec,error 37.x.x.x failed to get valid proposal.
07-15 14:30:54 ipsec,error 37.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
07-15 14:30:54 ipsec,error 37.x.x.x phase1 negotiation failed.
07-15 14:30:58 ipsec,info respond new phase 1 (Identity Protection): 84.y.y.y[500]<=>37.x.x.x[30554]
07-15 14:30:58 ipsec,error no auth method defined for peer
07-15 14:30:58 ipsec,error 37.x.x.x failed to get valid proposal.
07-15 14:30:58 ipsec,error 37.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
07-15 14:30:58 ipsec,error 37.x.x.x phase1 negotiation failed.
07-15 14:30:59 ipsec,info respond new phase 1 (Identity Protection): 84.y.y.y[500]<=>37.x.x.x[30554]
07-15 14:30:59 ipsec,error no auth method defined for peer
07-15 14:30:59 ipsec,error 37.x.x.x failed to get valid proposal.
07-15 14:30:59 ipsec,error 37.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
07-15 14:30:59 ipsec,error 37.x.x.x phase1 negotiation failed.
07-15 14:31:02 system,info L2TP Server settings changed by tcp-msg(winbox): (/interface l2tp-server server set accept-proto-version=l2tpv2 allow-fast-path=no authentication=mschap2 caller-id-type=ip-address default-profile=vpn enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=yes)
07-15 14:31:07 system,info L2TP Server settings changed by tcp-msg(winbox): (/interface l2tp-server server set accept-proto-version=l2tpv2 allow-fast-path=no authentication=mschap2 caller-id-type=ip-address default-profile=vpn enabled=yes keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=yes)
07-15 14:31:11 ipsec,info respond new phase 1 (Identity Protection): 84.y.y.y[500]<=>37.x.x.x[30554]
07-15 14:31:11 ipsec,info ISAKMP-SA established 84.y.y.y[4500]-37.x.x.x[30555] spi:xxxxx
07-15 14:31:13 l2tp,info first L2TP UDP packet received from 37.x.x.x
07-15 14:31:13 l2tp,ppp,info,account xxxvpnxxx logged in, 192.z.z.z from 37.x.x.x
07-15 14:31:13 l2tp,ppp,info <l2tp-xxxxx>: authenticated
07-15 14:31:13 l2tp,ppp,info <l2tp-xxxxx>: connected
As you can see, users cannot connect, with “no auth method defined for peer”, “failed to get valid proposal” etc. When I disable the L2TP server at 14:31:02 and instantly enable it back at 14:31:07, users magically connect. Changing keepalive-timeout from 30 to 300 helps a lot, I changed it to 3000 now, but wtf is happening here? Does it create some policies/rules when being enabled, or what? I suspected the “template” setting in ip/ipsec/policy, but it seems it does not work without it. The setup seems correct since users can connect/disconnect/reconnect, but if Mikrotik kicks them out, no one connects until the L2TP server is disabled/enabled again.
2, weird behavior - see pics. If I create a peer, Mikrotik hides it but it still exists; I tried to create peer1 - peer3, none was shown in ip/ipsec/peer, but Mikrotik refused to create a peer with this name, complaining “Name can’t repeat”.

Similar to this - while having a peer l2tp-peer, as you can see, Mikrotik complains “l2tp-peer - object doesn’t exist” or “peer does not exist” - see attached images from winbox.


3, this is super weird - I can’t even print peers using ip/ipsec/peer print; it freezes for ~10 mins and then throws this error

4, it shows some strange script error timeout - probably some system script related to ipsec, since there are no user scripts running on this router. There are things happening in the background (or not happening that should happen).

config - L2TP & ipsec related parts:
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,blowfish,twofish,des name=proposal1 pfs-group=none
/ppp profile
add dns-server=local_ip local-address=local_ip name=vpn-l2tp only-one=no remote-address=l2tp-pool use-encryption=required use-ipv6=no
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-l2tp enabled=yes ipsec-secret=ipsec_secret keepalive-timeout=3000 use-ipsec=yes
/ip ipsec policy
set 0 dst-address=local_subnet src-address=0.0.0.0/0
add disabled=yes peer=*4
add template=yes
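The pattern in the log excerpt above (a run of IKE phase 1 failures from one remote address that clears only a few seconds after the L2TP server is re-enabled) can be picked out of a RouterOS log automatically, which is useful for seeing how often it recurs and whether it ever recovers on its own. The script below is an added example written for this thread, not code from the post or from MikroTik. It parses lines in the "MM-DD HH:MM:SS topics message" form the router emits, groups consecutive "phase1 negotiation failed" lines per remote address into streaks, and marks a streak as "recovered only after restart" when its first "ISAKMP-SA established" arrives within a configurable window after an "L2TP Server settings changed ... enabled=yes" event. The sample lines are the anonymized ones quoted in the post; the function names, the dictionary fields and the 60-second window are assumptions of this example.

```python
"""Find IPsec peers that only recover after the L2TP server is toggled.

Added example for this thread (not RouterOS or MikroTik code).  Parses
RouterOS log lines of the form 'MM-DD HH:MM:SS topics message'.
"""
import re
from collections import defaultdict
from datetime import datetime

# Log lines as quoted in the post (addresses already anonymized there).
SAMPLE_LOG = """\
07-15 14:30:54 ipsec,error no auth method defined for peer
07-15 14:30:54 ipsec,error 37.x.x.x failed to get valid proposal.
07-15 14:30:54 ipsec,error 37.x.x.x failed to pre-process ph1 packet (side: 1, status 1).
07-15 14:30:54 ipsec,error 37.x.x.x phase1 negotiation failed.
07-15 14:30:58 ipsec,info respond new phase 1 (Identity Protection): 84.y.y.y[500]<=>37.x.x.x[30554]
07-15 14:30:58 ipsec,error no auth method defined for peer
07-15 14:30:58 ipsec,error 37.x.x.x phase1 negotiation failed.
07-15 14:30:59 ipsec,info respond new phase 1 (Identity Protection): 84.y.y.y[500]<=>37.x.x.x[30554]
07-15 14:30:59 ipsec,error 37.x.x.x phase1 negotiation failed.
07-15 14:31:02 system,info L2TP Server settings changed by tcp-msg(winbox): (/interface l2tp-server server set enabled=no use-ipsec=yes)
07-15 14:31:07 system,info L2TP Server settings changed by tcp-msg(winbox): (/interface l2tp-server server set enabled=yes use-ipsec=yes)
07-15 14:31:11 ipsec,info respond new phase 1 (Identity Protection): 84.y.y.y[500]<=>37.x.x.x[30554]
07-15 14:31:11 ipsec,info ISAKMP-SA established 84.y.y.y[4500]-37.x.x.x[30555] spi:xxxxx
07-15 14:31:13 l2tp,ppp,info,account xxxvpnxxx logged in, 192.z.z.z from 37.x.x.x
""".splitlines()

LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# Matches real IPv4 addresses and anonymized ones such as 37.x.x.x.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.[0-9a-z]{1,3}){3})\b")


def parse_line(line):
    """Return (timestamp, kind, remote_ip) for events we care about, else None.

    kind is 'fail' (phase 1 failed), 'ok' (ISAKMP-SA established) or
    'enable' (L2TP server switched to enabled=yes; remote_ip is None).
    In RouterOS ipsec messages the local address is listed first, so the
    remote peer is the last address in the message.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m-%d %H:%M:%S")  # year is irrelevant
    topics, msg = m.group(2).split(","), m.group(3)
    if "system" in topics and "L2TP Server settings changed" in msg and "enabled=yes" in msg:
        return ts, "enable", None
    if "ipsec" in topics:
        ips = IP_RE.findall(msg)
        if ips and msg.endswith("phase1 negotiation failed."):
            return ts, "fail", ips[-1]
        if ips and "ISAKMP-SA established" in msg:
            return ts, "ok", ips[-1]
    return None


def analyze(lines, window_s=60):
    """Group phase 1 failures per remote peer into streaks.

    Returns {remote_ip: [streak, ...]} where each streak is a dict with
    'start', 'end', 'failures', 'recovered' (timestamp of the first
    successful ISAKMP-SA, or None) and 'after_restart' (True when that
    recovery came within window_s seconds of an enabled=yes event).
    """
    events = [e for e in map(parse_line, lines) if e]
    enables = [ts for ts, kind, _ in events if kind == "enable"]
    streaks = defaultdict(list)
    open_streak = {}  # remote_ip -> streak still waiting for a success
    for ts, kind, ip in events:
        if kind == "fail":
            s = open_streak.get(ip)
            if s is None:
                s = {"start": ts, "end": ts, "failures": 0,
                     "recovered": None, "after_restart": False}
                open_streak[ip] = s
                streaks[ip].append(s)
            s["failures"] += 1
            s["end"] = ts
        elif kind == "ok" and ip in open_streak:
            s = open_streak.pop(ip)
            s["recovered"] = ts
            s["after_restart"] = any(
                0 <= (ts - e).total_seconds() <= window_s for e in enables)
    return dict(streaks)


def report(streaks):
    """Human-readable summary, one line per streak."""
    out = []
    for ip, runs in streaks.items():
        for s in runs:
            rec = s["recovered"].strftime("%H:%M:%S") if s["recovered"] else "never"
            tag = " (only after L2TP server restart)" if s["after_restart"] else ""
            out.append(f"{ip}: {s['failures']} phase1 failures "
                       f"{s['start']:%H:%M:%S}-{s['end']:%H:%M:%S}, recovered {rec}{tag}")
    return out


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

On the quoted excerpt this reports a single streak of three failures from 37.x.x.x between 14:30:54 and 14:30:59, recovered at 14:31:11 and flagged as recovering only after the restart at 14:31:07. Feeding it a longer export from /log print lets you see whether the flagged streaks line up with the keepalive timeout and whether any streak ever recovers without the disable/enable.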