pixel97 (Topic Author)

IPSec/L2TP

Mon Feb 23, 2015 12:52 pm

Hi Guys

I need your help because I do not know where the problem is with the VPN I'm trying to configure.
I can see the client under IP / IPsec / Remote Peers, but when I check the logs they show an error in phase 2 and I cannot establish the VPN connection.
Below is the current configuration topology
192.168.100.0/24 Lan <-- Mikrotik --> NAT 192.168.200.0/24 <-- Router 1--> NAT Dynamic Public IP
The ports below are forwarded on both NATs:
UDP 500 -> 500
ESP
AH
UDP Any -> 1701
UDP Any -> 4500

Does anyone know what the proper configuration for Windows 8 clients would be?
sergejs (MikroTik Support, Riga, Latvia)

Re: IPSec/L2TP

Mon Feb 23, 2015 5:24 pm

Check the logs on the MikroTik and on the Windows computer; I assume the logs (debug logs on the MikroTik) will give you more information.
On MikroTik RouterOS, /ip ipsec policy and proposal are responsible for the Phase 2 settings.
Also make sure that NAT is not disturbing your IPsec connection.
pixel97 (Topic Author)

Re: IPSec/L2TP

Tue Feb 24, 2015 2:48 pm

On Windows:
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

When I check the log on the MikroTik, this is what I see:

13:36:53 ipsec,debug,packet pair 2:
13:36:53 ipsec,debug,packet 0x47e2c0: next=(nil) tnext=(nil)
13:36:53 ipsec,debug,packet proposal #2: 1 transform
13:36:53 ipsec,debug,packet pair 3:
13:36:53 ipsec,debug,packet 0x47ef08: next=(nil) tnext=(nil)
13:36:53 ipsec,debug,packet proposal #3: 1 transform
13:36:53 ipsec,debug,packet get a source address of SP index from phase1 address because peer is behind NAT and we have to generate policy.
13:36:53 ipsec,debug no policy template matching!
13:36:53 ipsec,error failed to pre-process ph2 packet.
13:36:53 ipsec,debug,packet compute IV for phase2
13:36:53 ipsec,debug,packet phase1 last IV:
13:36:53 ipsec,debug,packet 749b01b0 5069caa1 cc655bb0

Does anyone know how to fix this?
gig

Re: IPSec/L2TP

Tue Feb 24, 2015 9:19 pm

Hi,

Try enabling outgoing traffic on the following UDP ports: 500, 1701, 4500.

I had the same issue; after adding those ports to the firewall list, everything is working now (RouterOS 6.27).
pixel97 (Topic Author)

Re: IPSec/L2TP

Thu Feb 26, 2015 12:38 am

Outgoing traffic for these ports is enabled.
I managed to fix this problem by changing the IPsec proposal's PFS group to 1024.
But now I have another problem: on the Windows 8 client I receive error 809.
Any idea?
sergejs (MikroTik Support, Riga, Latvia)

Re: IPSec/L2TP

Thu Feb 26, 2015 2:10 pm

13:36:53 ipsec,debug,packet get a source address of SP index from phase1 address because peer is behind NAT and we have to generate policy.
13:36:53 ipsec,debug no policy template matching!

1) Check your NAT and make sure it does not disturb IPsec communications.
2) Confirm that the correct policy exists on your MikroTik router, as the error shows that the policy the client requires does not exist.
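To make the two checks above repeatable, here is a small parser for the RouterOS ipsec debug log format quoted in this thread (this is an added example, not code from the thread or from MikroTik). It re-joins messages that the forum wrapped onto a second line, separates the topic list from the message, and maps the Phase 2 failure lines to the NAT and policy-template checks sergejs lists. The sample log, the hint texts and the phase labels are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the RouterOS ipsec log lines quoted in this thread. The
# forum wrapped one message mid-word ("generate p" / "olicy."); the parser
# re-joins such continuation lines because they carry no timestamp.
SAMPLE_LOG = """13:36:53 ipsec,debug,packet proposal #3: 1 transform
13:36:53 ipsec,debug,packet get a source address of SP index from phase1 address because peer is behind NAT and we have to generate p
olicy.
13:36:53 ipsec,debug no policy template matching!
13:36:53 ipsec,error failed to pre-process ph2 packet.
13:36:53 ipsec,debug,packet compute IV for phase2
"""

# RouterOS log line: "HH:MM:SS topic[,topic...] message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Message pattern -> (phase, what to check). Hints paraphrase the advice
# given in this thread; they are assumptions, not RouterOS documentation.
HINTS = [
    (re.compile(r"peer is behind NAT"), "phase1",
     "client is behind NAT: UDP 500/4500/1701 and ESP must pass every NAT hop (NAT-T)"),
    (re.compile(r"no policy template matching"), "phase2",
     "no /ip ipsec policy template matches the client's selectors; check template src/dst/protocol, group and proposal"),
    (re.compile(r"failed to pre-process ph2 packet"), "phase2",
     "Phase 2 rejected before SA setup; fix the policy/proposal problem logged just before this line"),
]

def parse_log(text: str) -> List[Dict[str, object]]:
    """Split RouterOS log text into records, joining wrapped continuation lines."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            time, topics, msg = m.groups()
            records.append({"time": time, "topics": topics.split(","), "msg": msg})
        elif records and raw.strip():
            # No timestamp at line start: continuation of the previous message
            records[-1]["msg"] = records[-1]["msg"] + raw.strip()
    return records

def diagnose(records: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per record whose message matches a known failure pattern."""
    findings = []
    for r in records:
        severity = "error" if "error" in r["topics"] else "debug"
        for pattern, phase, hint in HINTS:
            if pattern.search(r["msg"]):
                findings.append({"time": r["time"], "severity": severity,
                                 "phase": phase, "msg": r["msg"], "hint": hint})
    return findings
```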
