Mon Mar 26, 2018 6:38 pm
So I've been doing some research and concluded that the 'use IPSEC' option in the L2TP client will try and automatically generate the IPSEC config, so I don't need this option if I'm configuring the policy manually (and the auto-option doesn't seem to work).
OK, so onto the policy (obvious info obscured) - any suggestions welcomed:
[dickie@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=104.237.61.99/32 auth-method=pre-shared-key secret="mysecret" generate-policy=no policy-template-group=default exchange-mode=main mode-config=request-only
send-initial-contact=yes nat-traversal=no proposal-check=obey compatibility-options=skip-peer-id-validation hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128
dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
[dickie@MikroTik] /ip> ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=70.95.93.199/32 src-port=any dst-address=104.237.61.99/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=HideIPvpn
ph2-count=0
[dickie@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1 name="HideIPvpn" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
I see some dynamic states appear in the installed SA tab, but they all appear to be larval ESP but never anything that is actually encrypted.
Also I can see under the peer info for Phase2 that msg1 is sent, but it never progresses beyond that.
I'm more than open to the suggestion that this is a remote config issue (that I don't control), but I wanted to eliminate the obvious noob config errors at this end first.
Thanks in advance!!
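As an added example (not the poster's configuration and not MikroTik code), the following Python script parses RouterOS `print` output in the wrapped form pasted above and cross-checks the peer, policy and proposal entries against each other. The sample strings are the three outputs from the post; the checks are limited to what can be read off that output: the policy's proposal must exist, its dst-address must correspond to a configured peer, an L2TP/IPsec policy is expected to be transport mode (tunnel=no), and ph2-count=0 is reported because it means no Phase 2 SA has been negotiated for that policy, which is what the larval-only installed SAs indicate.

```python
import re
import shlex

# Constructed samples: the three `print` outputs pasted in the post above
# (addresses and names as posted; the secret is the poster's placeholder).
PEER_PRINT = """Flags: X - disabled, D - dynamic, R - responder
0 address=104.237.61.99/32 auth-method=pre-shared-key secret="mysecret" generate-policy=no policy-template-group=default exchange-mode=main mode-config=request-only
send-initial-contact=yes nat-traversal=no proposal-check=obey compatibility-options=skip-peer-id-validation hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128
dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
"""

POLICY_PRINT = """Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=70.95.93.199/32 src-port=any dst-address=104.237.61.99/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=HideIPvpn
ph2-count=0
"""

PROPOSAL_PRINT = """Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1 name="HideIPvpn" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
"""


def parse_print(text):
    """Turn RouterOS `print` output into a list of dicts, one per entry.

    Each entry starts with its index number; lines that do not start with a
    number are wrapped continuations of the previous entry. Bare tokens
    (no '=') are flag letters such as T, X, D, A or *.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue  # header line that only explains the flag letters
        m = re.match(r"^(\d+)\s+(.*)$", line)
        if m:
            current = {"id": int(m.group(1)), "flags": []}
            entries.append(current)
            rest = m.group(2)
        elif current is not None:
            rest = line  # continuation of the previous (wrapped) entry
        else:
            continue
        for tok in shlex.split(rest):  # shlex removes the quotes around name="..."
            if "=" in tok:
                key, value = tok.split("=", 1)
                current[key] = value
            else:
                current["flags"].append(tok)
    return entries


def audit(peer_text, policy_text, proposal_text):
    """Cross-check pasted peer/policy/proposal output and return a list of findings."""
    peers = parse_print(peer_text)
    policies = parse_print(policy_text)
    proposal_names = {p["name"] for p in parse_print(proposal_text)}
    peer_hosts = {p["address"].split("/")[0] for p in peers}
    findings = []
    for pol in policies:
        if pol.get("template") == "yes":
            continue  # templates only shape dynamically generated policies
        pid = pol["id"]
        if pol.get("proposal") not in proposal_names:
            findings.append(f"policy {pid}: proposal '{pol.get('proposal')}' does not exist")
        if pol.get("dst-address", "").split("/")[0] not in peer_hosts:
            findings.append(f"policy {pid}: dst-address {pol.get('dst-address')} matches no configured peer")
        if pol.get("tunnel") != "no":
            findings.append(f"policy {pid}: tunnel={pol.get('tunnel')}, but L2TP/IPsec uses transport mode (tunnel=no)")
        if pol.get("ph2-count") == "0":
            findings.append(f"policy {pid}: ph2-count=0, no Phase 2 SA has been negotiated yet")
    return findings


if __name__ == "__main__":
    for finding in audit(PEER_PRINT, POLICY_PRINT, PROPOSAL_PRINT):
        print(finding)
```

Run against the pasted output it reports only the ph2-count finding, i.e. the local objects reference each other consistently and the failure is in the Phase 2 negotiation itself, which is why the peer's Phase 2 counter stops at msg1. Renaming the policy's proposal to something that does not exist adds a second finding, which is the kind of local mistake worth ruling out before looking at the remote side.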