hgonzale
Member Candidate
Topic Author
Posts: 272
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain

L2TP + IpSec problem

Wed Jun 29, 2016 4:41 pm

I have two locations, 1 with FTTH and other with VSAT.

I want to make a L2TP VPN with IpSec between both.

The dialout is the VSAT with a RB2011, it has 3 other L2TP client connection working perfectly.

In the FTTP location there is a 751, and the IPsec and L2TP configuration is a copy of another one (the one the 2011 is connecting to), so it should work..... but it is not working.

I allowed ports 50 (ipsec-esp), 500 udp, 1701 udp and 4500 udp.

Maybe it is a problem with the ISP.... but here are the last logs on the "server" side:

15:29:04 ipsec,debug,packet decrypted payload by IV:
15:29:04 ipsec,debug,packet fd25909e 9f050da3
15:29:04 ipsec,debug,packet decrypted payload, but not trimed.
15:29:04 ipsec,debug,packet 0b000018 b42e6681 3c673285 0e02039c 95d8a37a 9deca917 00000020 00000001
15:29:04 ipsec,debug,packet 01108d29 b28b6372 625d7596 7a877329 56afd6fc 00000576 5f564ccd 62c9c607
15:29:04 ipsec,debug,packet padding len=8
15:29:04 ipsec,debug,packet skip to trim padding.
15:29:04 ipsec,debug,packet decrypted.
15:29:04 ipsec,debug,packet b28b6372 625d7596 7a877329 56afd6fc 08100501 b577d7f2 0000005c 0b000018
15:29:04 ipsec,debug,packet b42e6681 3c673285 0e02039c 95d8a37a 9deca917 00000020 00000001 01108d29
15:29:04 ipsec,debug,packet b28b6372 625d7596 7a877329 56afd6fc 00000576 5f564ccd 62c9c607
15:29:04 ipsec,debug,packet HASH with:
15:29:04 ipsec,debug,packet b577d7f2 00000020 00000001 01108d29 b28b6372 625d7596 7a877329 56afd6fc
15:29:04 ipsec,debug,packet 00000576
15:29:04 ipsec,debug,packet hmac(hmac_sha1)
15:29:04 ipsec,debug,packet HASH computed:
15:29:04 ipsec,debug,packet b42e6681 3c673285 0e02039c 95d8a37a 9deca917
15:29:04 ipsec,debug,packet hash validated.
15:29:04 ipsec,debug,packet begin.
15:29:04 ipsec,debug,packet seen nptype=8(hash)
15:29:04 ipsec,debug,packet seen nptype=11(notify)
15:29:04 ipsec,debug,packet succeed.
15:29:04 ipsec,debug,packet DPD R-U-There-Ack received
15:29:04 ipsec,debug,packet received an R-U-THERE-ACK
15:29:19 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:19 ipsec,debug,packet sockname x.x.x.x[4500]
15:29:19 ipsec,debug,packet send packet from x.x.x.x[4500]
15:29:19 ipsec,debug,packet send packet to 130.255.19.136[2994]
15:29:19 ipsec,debug,packet src4 x.x.x.x[4500]
15:29:19 ipsec,debug,packet dst4 130.255.19.136[2994]
15:29:19 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:19 ipsec,debug,packet ff
15:29:39 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:39 ipsec,debug,packet sockname x.x.x.x[4500]
15:29:39 ipsec,debug,packet send packet from x.x.x.x[4500]
15:29:39 ipsec,debug,packet send packet to 130.255.19.136[2994]
15:29:39 ipsec,debug,packet src4 x.x.x.x[4500]
15:29:39 ipsec,debug,packet dst4 130.255.19.136[2994]
15:29:39 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:39 ipsec,debug,packet ff
15:29:59 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:59 ipsec,debug,packet sockname x.x.x.x[4500]
15:29:59 ipsec,debug,packet send packet from x.x.x.x[4500]
15:29:59 ipsec,debug,packet send packet to 130.255.19.136[2994]
15:29:59 ipsec,debug,packet src4 x.x.x.x[4500]
15:29:59 ipsec,debug,packet dst4 130.255.19.136[2994]
15:29:59 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:59 ipsec,debug,packet ff


Here are some configs:

[admin@Alberto Mikrotik] /ip ipsec> export verbose
# jun/29/2016 15:37:40 by RouterOS 6.33.2
# software id = FPK2-WSEZ
#
/ip ipsec mode-config
set (unknown) name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des,aes-128,aes-192,aes-256 exchange-mode=main-l2tp generate-policy=\
    port-override hash-algorithm=sha1 lifetime=1d local-address=:: nat-traversal=yes passive=no policy-template-group=default port=500 secret=xxxxxxxxxxx send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes

[admin@Alberto Mikrotik] /ppp> export verbose
# jun/29/2016 15:39:07 by RouterOS 6.33.2
# software id = FPK2-WSEZ
#
/ppp profile
set *0 address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !local-address name=default on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-mpls=default use-upnp=default !wins-server
add address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before local-address=192.168.70.1 name=casa-in on-down="" \
    on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=pool-vpn !session-timeout use-compression=default use-encryption=default use-mpls=default use-upnp=\
    default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !local-address name=default-encryption \
    on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=no use-encryption=no use-mpls=default use-upnp=default \
    !wins-server
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 !local-address name=xxxxxx password=xxxxxxx profile=default remote-address=192.168.80.10 routes="" service=l2tp

[admin@Alberto Mikrotik] /ip firewall filter> export
# jun/29/2016 15:40:57 by RouterOS 6.33.2
# software id = FPK2-WSEZ
#
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-port=80 protocol=tcp
add chain=input dst-port=8291 protocol=tcp
add chain=input comment="Aceptar VPN" dst-port=500 protocol=udp
add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway



Thank you if somebody could help me....

Thank youuuuuuuu

Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: L2TP + IpSec problem

Sat Jul 02, 2016 6:07 am

dd address-list="" !bridge !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before local-address=192.168.70.1 name=casa-in on-down="" \
...
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 !local-address name=xxxxxx password=xxxxxxx profile=default remote-address=192.168.80.10 routes="" service=l2tp
May or may not be an issue, I would start by looking at your local address versus remote address. Other than that I didn't see anything else that could be the culprit.
 
loveman
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: L2TP + IpSec problem

Sat Jul 02, 2016 9:00 am

IP pool should be put in NAT on the VPN server.
 
hgonzale
Member Candidate
Topic Author
Posts: 272
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain

Re: L2TP + IpSec problem

Sat Jul 02, 2016 10:06 am

I know the IP pool for VPN must be in VPN, but still, it is not an IP problem, it just is NOT connecting......
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP + IpSec problem

Sat Jul 02, 2016 11:26 am

I have had problems in a situation where double-NAT occurs.  Is that happening in your setup as well?
I had to manually configure the server without port-strict generation of the policy.
 
hgonzale
Member Candidate
Topic Author
Posts: 272
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain

Re: L2TP + IpSec problem

Sat Jul 02, 2016 11:36 am

No, there is no double NAT.
What is the difference between port-strict and without?
 
loveman
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: L2TP + IpSec problem

Sat Jul 02, 2016 12:13 pm

I know the IP pool for VPN must be in VPN, but still, it is not an IP problem, it just is NOT connecting......
Check the auth in the L2TP setup. Select only "mschap1" and "mschap2".
Is your client a PC computer or a RouterBoard?
In case you are using a computer:
From the connection in Windows, when you created it,
right click on the connection, select properties, change some lines and write the password of IPsec.
At the end, don't forget the steps in the IPsec peer:
New IPsec peer
Address 0.0.0.0/0
Port 500
Auth method: pre shared key
Secret: write password
Policy template group: default
True on send initial
True on nat traversal
Important: select on Generate policy: "port override"
Finally apply, ok
And you continue with the proposals.
Regards
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP + IpSec problem

Sat Jul 02, 2016 12:46 pm

No, there is no double NAT.
What is the difference between port-strict and without?
It does not work OK with port-strict.   This is because the remote port does not match the expectation of the system.
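To make the triage concrete, here is an added Python example (mine, not from the thread, MikroTik or RouterOS) that reads the ipsec,debug,packet lines hgonzale posted and reduces them to the facts that matter for pe1chl's point: whether phase 1 is alive (DPD R-U-THERE-ACKs only flow over an established ISAKMP SA), which endpoint and UDP port the NAT-T keepalives go to, and whether any l2tp-topic lines were logged at all. The sample log is taken from the post above; the peer address 130.255.19.136 and the masked x.x.x.x are the thread's own values, and the 500/4500 port check is my assumption about what an unrewritten IKE port looks like.

```python
import re
from collections import Counter

# Excerpt of the "server side" log quoted in the thread (the poster had
# already masked the server address as x.x.x.x).
SAMPLE_LOG = """\
15:29:04 ipsec,debug,packet hmac(hmac_sha1)
15:29:04 ipsec,debug,packet hash validated.
15:29:04 ipsec,debug,packet seen nptype=8(hash)
15:29:04 ipsec,debug,packet seen nptype=11(notify)
15:29:04 ipsec,debug,packet DPD R-U-There-Ack received
15:29:04 ipsec,debug,packet received an R-U-THERE-ACK
15:29:19 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:19 ipsec,debug,packet 1 times of 1 bytes message will be sent to 130.255.19.136[2994]
15:29:19 ipsec,debug,packet ff
15:29:39 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
15:29:59 ipsec,debug,packet KA: x.x.x.x[4500]->130.255.19.136[2994]
"""

# "HH:MM:SS topic,topic,... message" is the shape of a RouterOS log line.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) (?P<topics>[\w,-]+) (?P<msg>.*)$")
# NAT-T keepalive: "KA: src[port]->dst[port]"
KA_RE = re.compile(r"^KA: (?P<src>[^\[]+)\[(?P<sport>\d+)\]->(?P<dst>[^\[]+)\[(?P<dport>\d+)\]$")

# Assumption: an IKE peer not behind NAT talks from UDP 500 or 4500; anything
# else is a source port rewritten somewhere on the path.
IKE_PORTS = {500, 4500}


def _seconds(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def summarize(log_text):
    """Reduce RouterOS ipsec debug lines to the few facts that matter for triage."""
    topics = Counter()
    dpd_acks = 0
    hashes_ok = 0
    keepalives = []  # (seconds since midnight, dst ip, dst port)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for t in m["topics"].split(","):
            topics[t] += 1
        msg = m["msg"]
        if msg == "received an R-U-THERE-ACK":
            dpd_acks += 1  # only possible over an established phase 1 SA
        elif msg == "hash validated.":
            hashes_ok += 1  # HMAC over the decrypted payload matched
        else:
            ka = KA_RE.match(msg)
            if ka:
                keepalives.append((_seconds(m["ts"]), ka["dst"], int(ka["dport"])))

    peer = None
    interval = None
    if keepalives:
        peer = (keepalives[-1][1], keepalives[-1][2])
        if len(keepalives) > 1:
            gaps = [b[0] - a[0] for a, b in zip(keepalives, keepalives[1:])]
            interval = max(set(gaps), key=gaps.count)  # most common spacing

    return {
        "phase1_alive": dpd_acks > 0,
        "hashes_validated": hashes_ok,
        "dpd_acks": dpd_acks,
        "nat_keepalive_peer": peer,
        "peer_port_rewritten": peer is not None and peer[1] not in IKE_PORTS,
        "keepalive_interval_s": interval,
        "l2tp_lines": topics.get("l2tp", 0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the thread's excerpt, the summary says phase 1 is up (a DPD ack was received and the hash validated), keepalives go every 20 s to 130.255.19.136 on UDP 2994 rather than 4500, which is what a NAT device rewriting the client's source port looks like, and there are zero l2tp-topic lines, so whether L2TP ever starts is simply not visible in this log. What the excerpt cannot show is whether quick mode (phase 2) and the generated policy succeeded, which is the step pe1chl's port-strict remark concerns; for that, logging the l2tp topic as well (`/system logging add topics=l2tp,debug`) alongside ipsec gives the missing half of the picture.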
 
hgonzale
Member Candidate
Topic Author
Posts: 272
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain

Re: L2TP + IpSec problem

Sun Jul 03, 2016 9:39 pm

Ok. I tried the three possible options, and it is not working.

The client is a MIKROTIK 2011; it is connecting to three other VPNs using the SAME configuration.
I created another VPN server (for another location) based on my other working Mikrotik; it is a "copy" of the others which are working.

I explain: 3 951s act as VPN servers.
My 2011 is connecting to these 3 places.

I created another (the 4th) server and I need my 2011 to connect to this place.

The 4th is a "copy" of the other 3.... they are exactly equal, only changing the wifi network, the local IP network, gateway, external IP of course..... but the rest.... is the same....
