own3r1138
L2TP VPN phase1 negotiation failed due to time up  [SOLVED]

Sat Jun 26, 2021 11:49 am

Hello Guys
I have used this config a few times now, but I can't find why it works sometimes and gives this error at other times. Maybe this is my problem, but I can't find it. Ports are allowed, but I'm not sure about the NAT. Can you guys check my config, please? Any advice on the settings is very much appreciated!
Tested with Windows 10 and iPhone.
From wiki.mikrotik.com:
"phase1 negotiation failed due to time up" - what does it mean?
There are communication problems between peers. Possible causes include: misconfigured Phase 1 IP addresses; firewall blocking UDP ports 500 and 4500; NAT between peers not properly translating IPsec negotiation packets.
This error message can also appear when the local-address parameter is not used properly.

Screenshot (log): phase1 negotiation failed due to time up chr-IP[500]<=>client-IP[26778] 2751bda2487d576b:4cf7459adaab08e3
Screenshot (log): NAT-D payload #1 doesn't match
Config Export
[admin@MikroTik] > export
# jun/26/2021 22:49:48 by RouterOS 6.47.10

/interface bridge
add name=VPN
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dpd-maximum-failures=1 enc-algorithm=\
    aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    pfs-group=none
/ip pool
add name=VPN ranges=10.10.10.5-10.10.10.240
/ppp profile
add bridge=VPN change-tcp-mss=yes dns-server=10.10.10.1 local-address=\
    10.10.10.1 name=VPN remote-address=VPN use-encryption=yes use-ipv6=no
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=VPN enabled=yes \
    ipsec-secret=*** one-session-per-host=yes use-ipsec=required
/interface list member
add interface=ether1 list=Wan
add interface=VPN list=Lan
/interface pptp-server server
set authentication=mschap2 default-profile=VPN enabled=yes
/ip address
add address=10.10.10.1/24 interface=VPN network=10.10.10.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=10.10.10.1 name=dns-local.lan
/ip firewall filter
add action=accept chain=input dst-port=1701,443,500,4500 in-interface-list=Wan \
    protocol=udp
add action=accept chain=input dst-port=1723,443 in-interface-list=Wan \
    protocol=tcp
add action=accept chain=input in-interface-list=Wan protocol=gre
add action=accept chain=input in-interface-list=Wan protocol=ipsec-esp
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=accept chain=forward comment="Accept In IPsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="Accept Out IPsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "Allow packets established related to existing connections" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid traffic." connection-state=\
    invalid disabled=yes
add action=accept chain=forward comment=\
    "Allow packets established related to existing connections" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid traffic." \
    connection-state=invalid disabled=yes
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop all other traffic" disabled=yes \
    in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    Wan src-address=10.10.10.5-10.10.10.240
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set interim-update=30m use-circuit-id-in-nas-port-id=no
/ppp secret
add name=*** password=*** profile=VPN
/system logging
add topics=ipsec
/system package update
set channel=long-term
[admin@MikroTik] > 
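As an added check (this is not code from the post or from MikroTik), the script below parses the posted export's firewall section, joining RouterOS backslash-continued lines, and verifies that every port the wiki text names for Phase 1 and L2TP (UDP 500, 4500, 1701 and ESP) is accepted on the Wan input chain; it also reads the quoted log line and flags that the client's IKE port is not 500, which means a NAT in the path rewrote it and NAT-T on UDP 4500 is what the session will use. The export excerpt and log line are constructed from the post; the function names are my own.

```python
import re

# Constructed sample data: the firewall section and the ipsec log line quoted in the post above.
EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=1701,443,500,4500 in-interface-list=Wan \\
    protocol=udp
add action=accept chain=input dst-port=1723,443 in-interface-list=Wan \\
    protocol=tcp
add action=accept chain=input in-interface-list=Wan protocol=ipsec-esp
add action=drop chain=input comment="Drop all other traffic" disabled=yes \\
    in-interface-list=Wan
"""
LOG = "phase1 negotiation failed due to time up chr-IP[500]<=>client-IP[26778] 2751bda2487d576b:4cf7459adaab08e3"

# What Phase 1 and L2TP need on the WAN input chain: UDP 500 (IKE), 4500 (NAT-T), 1701 (L2TP) and ESP.
REQUIRED = [("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("ipsec-esp", None)]

def parse_rules(export, section="/ip firewall filter"):
    """Return the 'add' rules of one export section as dicts, joining backslash-continued lines."""
    text = re.sub(r"\\\n\s*", "", export)          # RouterOS wraps long lines with a trailing backslash
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()                  # section header such as /ip firewall filter
        elif current == section and line.startswith("add "):
            rules.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])))
    return rules

def missing_input_accepts(rules):
    """List the (protocol, port) pairs that no enabled Wan input accept rule covers."""
    missing = []
    for proto, port in REQUIRED:
        ok = any(r.get("chain") == "input" and r.get("action") == "accept"
                 and r.get("in-interface-list") == "Wan" and r.get("protocol") == proto
                 and r.get("disabled") != "yes"
                 and (port is None or port in r.get("dst-port", "").split(","))
                 for r in rules)
        if not ok:
            missing.append((proto, port))
    return missing

def peer_behind_nat(logline):
    """True when the remote IKE port is not 500: a NAT rewrote it, so NAT-T (UDP 4500) is in play."""
    m = re.search(r"(\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]", logline)
    return m is not None and m.group(4) != "500"

if __name__ == "__main__":
    print("missing input accepts:", missing_input_accepts(parse_rules(EXPORT)))  # [] for the posted rules
    print("peer behind NAT:", peer_behind_nat(LOG))                                # True
```

An empty "missing" list means the filter rules are not the cause, which points the investigation at the NAT and the local-address settings the wiki text lists instead.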
