jemp
just joined
Topic Author
Posts: 13
Joined: Fri Aug 16, 2013 1:50 pm

L2TP Phase Error after update to 6.38.1

Sun Feb 12, 2017 10:47 pm

Hello
A perfectly working L2TP connection to a Windows Server 2012 R2 fails Phase 2 after update from 6.37 to 6.38 or 6.38.1!
Any ideas what's changed specifically for this?
Log says "failed to pre-process ph2 packet"
I have searched for hours now..
downgrade to 6.37 worked again.. nothing else changed..
Tnx 4 hlp
Jempi
 
montefusco
just joined
Posts: 2
Joined: Mon Mar 27, 2017 11:10 am

Re: L2TP Phase Error after update to 6.38.1

Mon Apr 03, 2017 12:24 pm

Hello,
I'm exactly in the same position as Jempi: after updating to 6.38.5 (from 6.37.X) the IPSEC tunnel used for L2TP to a Windows Server doesn't come up.
Mikrotik in my case is the client.
In IPSec log, just before the "failed to pre-process ph2 packet", I get "mismatched IDcr was returned".

I cannot find any clue on how to fix this, I guess it's just a bug, probably due to a specific Windows implementation. Can anyone confirm?

Enrico.
 
vainkop
just joined
Posts: 6
Joined: Thu Apr 13, 2017 6:16 pm

Re: L2TP Phase Error after update to 6.38.1

Sun Apr 16, 2017 7:37 pm

6.37.4 -> 6.38.5 on RB201 same problem.

Windows & Android clients cannot connect with "failed to pre-process ph2 packet" in Mikrotik logs.

Downgraded :(

6.39rc72 same problem btw.
 
vainkop
just joined
Posts: 6
Joined: Thu Apr 13, 2017 6:16 pm

Re: L2TP Phase Error after update to 6.38.1

Mon Apr 17, 2017 11:58 am

Solution google translate from here: http://bozza.ru/art-247.html

The default policy glitch on the mikrotik

With absolutely correct settings for the L2TP / IPSec connection on the client (for example, Windows 7) and on the server (Mikrotik), you can not establish a VPN connection. In this case, the message "failed to pre-process ph2 packet" goes to the Mikrotik log, and the error on the Windows 7 client is 789: the L2TP connection attempt failed because of an error that occurred at the security level ... This problem can occur on Firmware up to the last stable at the current time (6.30).

Solution: delete the default group in the IP - IPSec - Groups menu, create a new one and specify it in IP - IPSec - Peers in the Policy Template Group field.

According to Hopy, another solution to the problem with groups may be the execution of this command after re-creating the group:
ip ipsec peer set 0 policy-template-group=*FFFFFFFF
Perhaps this is a legacy from the old configurations, there is no exact answer, but nevertheless, this is an option. By the way, it is possible for this reason (and similar) that you should still perform a complete reset of the device before the initial setup. But this is not a requirement, that's for sure.
 
montefusco
just joined
Posts: 2
Joined: Mon Mar 27, 2017 11:10 am

Re: L2TP Phase Error after update to 6.38.1

Mon Apr 17, 2017 5:50 pm

Hello, I have tried both the proposed solutions but I still get the same error.
In my case Windows is the server and Mikrotik is the client.

As soon as I have a chance I will try with a new device so that there will be no traces of old configurations.
 
bkus
just joined
Posts: 7
Joined: Sun Sep 23, 2012 10:05 pm

Re: L2TP Phase Error after update to 6.38.1

Sat May 06, 2017 9:13 am

It looks like the problem started when upgrading from 6.38rc19 -> 6.38rc24 (wherein it seems large parts of ipsec were re-written in ROS). I have some details about it though from the ipsec debug log on 6.40rc4:
may/05 22:58:59 ipsec,debug proposal #1: 1 transform
may/05 22:58:59 ipsec,debug got the local address from ID payload 44.24.246.0[0] prefixlen=31 ul_proto=255
may/05 22:58:59 ipsec,debug got the peer address from ID payload 44.24.246.8[0] prefixlen=31 ul_proto=255
may/05 22:58:59 ipsec searching for policy
may/05 22:58:59 ipsec template lookup for selector: 44.24.246.0/31 <=> 44.24.246.8/31
may/05 22:58:59 ipsec no template matches
may/05 22:58:59 ipsec failed to get proposal for responder.
may/05 22:58:59 ipsec,error 64.119.4.114 failed to pre-process ph2 packet.
Meanwhile, the policy template is right there:
11 T group=OPP-KD7KAB src-address=44.24.246.8/31 dst-address=44.24.246.0/31 protocol=all proposal=vpn-ah template=yes
So whatever was done with the matcher / selector code is probably the problem.
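
A triage aid for the log excerpt in the post above, added here as an example and not taken from the thread or from RouterOS: it collects each selector whose lookup ended in "no template matches" and checks it against printed policy templates in both orientations. That the left side of the logged selector corresponds to src-address is an assumption, as are all function names; the sample data is copied from the post.

```python
import ipaddress
import re

# Sample input copied from the post above (log excerpt and policy print line).
SAMPLE_LOG = """\
may/05 22:58:59 ipsec searching for policy
may/05 22:58:59 ipsec template lookup for selector: 44.24.246.0/31 <=> 44.24.246.8/31
may/05 22:58:59 ipsec no template matches
may/05 22:58:59 ipsec,error 64.119.4.114 failed to pre-process ph2 packet.
"""
SAMPLE_TEMPLATES = """\
11 T group=OPP-KD7KAB src-address=44.24.246.8/31 dst-address=44.24.246.0/31 protocol=all proposal=vpn-ah template=yes
"""
SELECTOR_RE = re.compile(r"template lookup for selector: (\S+) <=> (\S+)")

def failed_selectors(log_text):
    """Return (left, right) networks for lookups followed by 'no template matches'."""
    failed, pending = [], None
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if m:
            pending = tuple(ipaddress.ip_network(x, strict=False) for x in m.groups())
        elif "no template matches" in line and pending:
            failed.append(pending)
            pending = None
    return failed

def parse_templates(text):
    """Parse key=value pairs from printed policy lines; keep template=yes entries."""
    parsed = (dict(re.findall(r"([\w-]+)=(\S+)", line)) for line in text.splitlines())
    return [kv for kv in parsed if kv.get("template") == "yes"]

def covers(template, src, dst):
    """True if src/dst both fall inside the template's src-address/dst-address."""
    t_src = ipaddress.ip_network(template["src-address"], strict=False)
    t_dst = ipaddress.ip_network(template["dst-address"], strict=False)
    return src.subnet_of(t_src) and dst.subnet_of(t_dst)

def triage(log_text, template_text):
    """Verdict per failed selector and template: 'as-logged', 'swapped' or 'none'."""
    results = []
    for left, right in failed_selectors(log_text):
        for t in parse_templates(template_text):
            # Assumption: left side of the logged selector maps to src-address.
            verdict = ("as-logged" if covers(t, left, right)
                       else "swapped" if covers(t, right, left) else "none")
            results.append((f"{left} <=> {right}", t.get("group"), verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_TEMPLATES):
        print(*row)
```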
