andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Authentication mismatch issue with L2TP/Ipsec

Thu Apr 14, 2016 6:28 pm

I have a problem when setting up a dial-in L2TP/Ipsec server. I set it up by entering ipsec secret in L2TP Server so that it automatically generates policies.
The problem is that it works when connecting from certain networks (ISP networks), but when connecting from mobile ISPs I can't connect and I get different mismatch errors: either key mismatch: key length mismatched, mine:256 peer:128 or authtype mismatched: my:hmac-sha256 peer:hmac-sha1

This is strange since it works from certain ISPs. Any ideas?

PS: RouterOS v 6.34.4
 
mrz
MikroTik Support
Posts: 6045
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Authentication mismatch issue with L2TP/Ipsec

Thu Apr 14, 2016 7:11 pm

As the error says, the client requires auth and enc algorithms that you have disabled on the server.
 
andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Re: Authentication mismatch issue with L2TP/Ipsec

Thu Apr 14, 2016 7:21 pm

No, it's obviously not that. It works with the exact same settings from a different ISP. I have noticed this happens with mobile operators (don't exactly know why).
I did something else and it seems to work now. I manually declared 0.0.0.0/0 peers and disabled ipsec secret in L2TP server.
 
mrz
MikroTik Support
Posts: 6045
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Authentication mismatch issue with L2TP/Ipsec

Thu Apr 14, 2016 7:41 pm

The ISP cannot change the enc and auth protocols that the client would like to use. Either you had multiple peer configs with similar settings or some other misconfiguration. It is hard to tell without ipsec debug logs and a supout file.
 
andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Re: Authentication mismatch issue with L2TP/Ipsec

Thu Apr 14, 2016 7:53 pm

Assuming I had a misconfiguration, this should happen with every ISP.
When I connect using one ISP it works and with another one it doesn't (actually with another two, both mobile).
Now that I look through the logs I see the same errors and it still connects. It seems it tries different authentication protocols until it works (which is normal). So the fact that it doesn't connect with different ISPs may not be related to these errors.

I forgot to mention I am using a Windows client to connect.

To provide logs I should redo the old config and I'm not doing that now since this works. But I remember I had this issue before.
 
regi
just joined
Posts: 6
Joined: Wed Jul 08, 2015 9:27 pm

Re: Authentication mismatch issue with L2TP/Ipsec

Thu Sep 01, 2016 8:34 pm

andrei wrote:
> I have a problem when setting up a dial-in L2TP/Ipsec server. I set it up by entering ipsec secret in L2TP Server so that it automatically generates policies.
> The problem is that it works when connecting from certain networks (ISP networks), but when connecting from mobile ISPs I can't connect and I get different mismatch errors: either key mismatch: key length mismatched, mine:256 peer:128 or authtype mismatched: my:hmac-sha256 peer:hmac-sha1
>
> This is strange since it works from certain ISPs. Any ideas?
>
> PS: RouterOS v 6.34.4

Downgrade to 6.27 and all will work fine. Newer RouterOS versions have problems with determining hash/key_length (up to 6.36.2 - latest one).
Even if everything matches, MikroTik will log an error - authtype or keysize mismatch.
 
ilia2s
just joined
Posts: 3
Joined: Mon Sep 12, 2016 3:02 pm

Re: Authentication mismatch issue with L2TP/Ipsec

Mon Sep 12, 2016 9:15 pm

same error on ROS 6.36.3 and win7
debug attached
 
mrz
MikroTik Support
Posts: 6045
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Authentication mismatch issue with L2TP/Ipsec

Tue Sep 13, 2016 11:27 am

The remote peer supports 3DES and AES-CBC-128.
IPsec will go through all configured algorithms on your router until one is matched.
If you do not want to see these errors, set only either aes-cbc-128 or 3des in the ipsec proposal.
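
The behaviour described in the last reply, as a simplified model added here (not RouterOS code and not posted by anyone in the thread). The router's transform lists and the "enc mismatched" wording are assumptions; the other two messages use the wording quoted in the first post.

```python
from itertools import product
from typing import NamedTuple, Optional

class Transform(NamedTuple):
    enc: str      # cipher, e.g. "aes-cbc" or "3des"
    keylen: int   # key length in bits
    auth: str     # integrity algorithm, e.g. "hmac-sha1"

def compare(mine: Transform, peer: Transform) -> Optional[str]:
    """None on a match, otherwise the reason the pair was rejected."""
    if mine.enc != peer.enc:
        # Wording constructed for this example; the thread does not quote it.
        return f"enc mismatched: my:{mine.enc} peer:{peer.enc}"
    if mine.keylen != peer.keylen:
        return f"key length mismatched, mine:{mine.keylen} peer:{peer.keylen}"
    if mine.auth != peer.auth:
        return f"authtype mismatched: my:{mine.auth} peer:{peer.auth}"
    return None

def negotiate(local, offered):
    """Walk the local list in order; return (chosen transform or None, rejection log)."""
    log = []
    for mine, peer in product(local, offered):
        reason = compare(mine, peer)
        if reason is None:
            return mine, log
        log.append(reason)
    return None, log

# Constructed sample: the peer offers what the last reply lists (AES-CBC-128, 3DES),
# with hmac-sha1 taken from the error text in the first post.
PEER = [Transform("aes-cbc", 128, "hmac-sha1"), Transform("3des", 192, "hmac-sha1")]
# Assumed router proposal: AES-256 and AES-128, each with SHA-256 and SHA-1.
BROAD = [Transform("aes-cbc", k, a) for k in (256, 128)
         for a in ("hmac-sha256", "hmac-sha1")]
NARROW = [Transform("aes-cbc", 128, "hmac-sha1")]    # only what the peer offers
STRICT = [Transform("aes-cbc", 256, "hmac-sha256")]  # nothing the peer offers

if __name__ == "__main__":
    for name, cfg in (("broad", BROAD), ("narrow", NARROW), ("strict", STRICT)):
        chosen, log = negotiate(cfg, PEER)
        print(f"{name}: chosen={chosen} rejected={len(log)}")
        for line in log:
            print("   ", line)
```

A rejection log that ends in a chosen transform is noise from the walk through the list; a log that ends with no match is the negotiation failure worth investigating.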