I have two locations, one with FTTH and the other with VSAT.
I want to set up an L2TP VPN with IPsec between them.
The dial-out side is the VSAT location with an RB2011; it already has 3 other L2TP client connections working perfectly.
At the FTTH location there is a 751, and its IPsec and L2TP configuration is a copy of another router's (the one the 2011 already connects to), so it should work... but it is not working.
I allowed IP protocol 50 (ipsec-esp) and UDP ports 500, 1701 and 4500.
Maybe it is a problem with the ISP... but here are the last logs on the "server" side:
15:29:04 ipsec,debug,packet decrypted payload by IV:
15:29:04 ipsec,debug,packet fd25909e 9f050da3
15:29:04 ipsec,debug,packet decrypted payload, but not trimed.
15:29:04 ipsec,debug,packet 0b000018 b42e6681 3c673285 0e02039c 95d8a37a 9deca917 00000020 00000001
15:29:04 ipsec,debug,packet 01108d29 b28b6372 625d7596 7a877329 56afd6fc 00000576 5f564ccd 62c9c607
15:29:04 ipsec,debug,packet padding len=8
15:29:04 ipsec,debug,packet skip to trim padding.
15:29:04 ipsec,debug,packet decrypted.
15:29:04 ipsec,debug,packet b28b6372 625d7596 7a877329 56afd6fc 08100501 b577d7f2 0000005c 0b000018
15:29:04 ipsec,debug,packet b42e6681 3c673285 0e02039c 95d8a37a 9deca917 00000020 00000001 01108d29
15:29:04 ipsec,debug,packet b28b6372 625d7596 7a877329 56afd6fc 00000576 5f564ccd 62c9c607
15:29:04 ipsec,debug,packet HASH with:
15:29:04 ipsec,debug,packet b577d7f2 00000020 00000001 01108d29 b28b6372 625d7596 7a877329 56afd6fc
15:29:04 ipsec,debug,packet 00000576
15:29:04 ipsec,debug,packet hmac(hmac_sha1)
15:29:04 ipsec,debug,packet HASH computed:
15:29:04 ipsec,debug,packet b42e6681 3c673285 0e02039c 95d8a37a 9deca917
15:29:04 ipsec,debug,packet hash validated.
15:29:04 ipsec,debug,packet begin.
15:29:04 ipsec,debug,packet seen nptype=8(hash)
15:29:04 ipsec,debug,packet seen nptype=11(notify)
15:29:04 ipsec,debug,packet succeed.
15:29:04 ipsec,debug,packet DPD R-U-There-Ack received
15:29:04 ipsec,debug,packet received an R-U-THERE-ACK
15:29:19 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:19 ipsec,debug,packet sockname x.x.x.x[4500]
15:29:19 ipsec,debug,packet send packet from x.x.x.x[4500]
15:29:19 ipsec,debug,packet send packet to 130.255.19.136[2994]
15:29:19 ipsec,debug,packet src4 x.x.x.x[4500]
15:29:19 ipsec,debug,packet dst4 130.255.19.136[2994]
15:29:19 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:19 ipsec,debug,packet ff
15:29:39 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:39 ipsec,debug,packet sockname x.x.x.x[4500]
15:29:39 ipsec,debug,packet send packet from x.x.x.x[4500]
15:29:39 ipsec,debug,packet send packet to 130.255.19.136[2994]
15:29:39 ipsec,debug,packet src4 x.x.x.x[4500]
15:29:39 ipsec,debug,packet dst4 130.255.19.136[2994]
15:29:39 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:39 ipsec,debug,packet ff
15:29:59 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:59 ipsec,debug,packet sockname x.x.x.x[4500]
15:29:59 ipsec,debug,packet send packet from x.x.x.x[4500]
15:29:59 ipsec,debug,packet send packet to 130.255.19.136[2994]
15:29:59 ipsec,debug,packet src4 x.x.x.x[4500]
15:29:59 ipsec,debug,packet dst4 130.255.19.136[2994]
15:29:59 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:59 ipsec,debug,packet ff
Here are some configs:
[admin@Alberto Mikrotik] /ip ipsec> export verbose
# jun/29/2016 15:37:40 by RouterOS 6.33.2
# software id = FPK2-WSEZ
#
/ip ipsec mode-config
set (unknown) name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
# Phase 2 proposal: AES-CBC (128/192/256) with SHA1 integrity, PFS modp1024, 30 min lifetime.
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
# Catch-all responder peer (address=0.0.0.0/0) authenticated by pre-shared key, with
# nat-traversal enabled. exchange-mode=main-l2tp and generate-policy=port-override appear
# to be the usual pairing for an L2TP/IPsec responder - confirm against the working router.
# NOTE(review): 3des, sha1 and modp1024 are the weakest choices in this list; once the
# tunnel works, consider dropping 3des and moving to a larger DH group if both ends allow it.
# The server log pasted above shows "DPD R-U-There-Ack received" and 1-byte NAT-T keepalives
# on port 4500 to the remote peer, which suggests phase 1 with this peer is established and
# the failure is later (phase 2 policy or the L2TP layer) - TODO confirm with l2tp/ppp logs.
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des,aes-128,aes-192,aes-256 exchange-mode=main-l2tp generate-policy=\
port-override hash-algorithm=sha1 lifetime=1d local-address=:: nat-traversal=yes passive=no policy-template-group=default port=500 secret=xxxxxxxxxxx send-initial-contact=yes
/ip ipsec policy
# Template policy (template=yes) in group "default"; concrete policies are generated from it per peer.
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
[admin@Alberto Mikrotik] /ppp> export verbose
# jun/29/2016 15:39:07 by RouterOS 6.33.2
# software id = FPK2-WSEZ
#
/ppp profile
# Built-in "default" profile: no local-address and no remote-address are set here
# (!local-address / !remote-address), so a tunnel using it gets its addresses elsewhere.
set *0 address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !local-address name=default on-down="" on-up="" \
only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-mpls=default use-upnp=default !wins-server
# Profile "casa-in": tunnel gateway 192.168.70.1, client addresses taken from pool-vpn.
add address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before local-address=192.168.70.1 name=casa-in on-down="" \
on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=pool-vpn !session-timeout use-compression=default use-encryption=default use-mpls=default use-upnp=\
default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !local-address name=default-encryption \
on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=no use-encryption=no use-mpls=default use-upnp=default \
!wins-server
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/ppp secret
# NOTE(review): this secret uses profile=default, not casa-in, and overrides only the
# remote-address (192.168.80.10, a different /24 than casa-in's 192.168.70.1). Neither the
# secret (!local-address) nor the default profile supplies a local address; whether the
# /interface l2tp-server server default-profile fills that in is not shown - TODO confirm.
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 !local-address name=xxxxxx password=xxxxxxx profile=default remote-address=192.168.80.10 routes="" service=l2tp
[admin@Alberto Mikrotik] /ip firewall filter> export
# jun/29/2016 15:40:57 by RouterOS 6.33.2
# software id = FPK2-WSEZ
#
/ip firewall filter
# Input chain, evaluated top-down: accept rules first, then a single drop that applies
# only to traffic arriving on ether1-gateway.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# NOTE(review): these two accepts (HTTP 80, WinBox 8291) carry no in-interface or
# src-address restriction, so they match before the ether1-gateway drop below and leave
# router management reachable from the WAN side; restrict them by in-interface or a
# src-address-list of trusted sources.
add chain=input dst-port=80 protocol=tcp
add chain=input dst-port=8291 protocol=tcp
# VPN: IKE (500/udp), L2TP (1701/udp), NAT-T (4500/udp) and ESP (IP protocol 50).
# The server log shows the peer talking on 4500, so the NAT-T rule is the one in use.
# NOTE(review): 1701/udp is accepted unconditionally here; L2TP is normally expected only
# inside IPsec, so adding ipsec-policy=in,ipsec to that rule would refuse plaintext L2TP.
# Leave it open while troubleshooting if you want to rule out the IPsec layer first.
add chain=input comment="Aceptar VPN" dst-port=500 protocol=udp
add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
Thank you if somebody could help me....
Thank youuuuuuuu