rbuserdl
Frequent Visitor
Topic Author
Posts: 87
Joined: Thu Mar 22, 2018 1:53 pm

L2TP + IPSec -> policy not found

Tue May 07, 2019 12:09 am

Hello,

Some time ago I configured an L2TP + IPSec tunnel so I could connect to it from different OSs, and it is working fine.
Now I have configured the same VPN on another MikroTik (in a totally different place).
I got the following error:
17:41:00 ipsec LOG-IPSEC: searching for policy for selector: PUBLIC_IP:1701 ip-proto:17 <=> EXTERNAL_IP:1701 ip-proto:17 
17:41:00 ipsec LOG-IPSEC: policy not found 
17:41:00 ipsec LOG-IPSEC: failed to get proposal for responder. 
17:41:00 ipsec,error EXTERNAL_IP failed to pre-process ph2 packet. 
17:41:00 ipsec,error LOG-IPSEC: EXTERNAL_IP failed to pre-process ph2 packet. 
I have replaced the IP addresses with "EXTERNAL_IP" and "PUBLIC_IP" (the local IP).
I can't see where the problem is.
I noticed that the router where the VPN is working has RouterOS 6.42.6, and the problem is appearing on RouterOS 6.43.4.
I have 2 WAN interfaces on this affected router. I don't know if this is an issue, but the secondary WAN IP does not appear in the logs or settings.

I attach here the settings:
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TP
/ip pool
add name=dhcp_l2tp ranges=172.16.0.100-172.16.0.150
/ip ipsec mode-config
add address-pool=dhcp_l2tp name=l2tp_config system-dns=no
/ppp profile
add change-tcp-mss=yes dns-server=172.16.0.1,8.8.8.8 local-address=172.16.0.1 name=L2TP remote-address=dhcp_l2tp
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=172.16.0.1 remote-address=dhcp_l2tp
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes ipsec-secret=Secret2019 max-mru=1460 max-mtu=1460 use-ipsec=required
/ip firewall filter
add action=accept chain=input comment="For L2TP + IPSEC" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="For L2TP + IPSEC" protocol=ipsec-esp
add action=accept chain=input comment="For L2TP + IPSEC" protocol=ipsec-ah
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp passive=yes secret=Secret2019
/ip ipsec policy
set 0 dst-address=0.0.0.0/1 proposal=L2TP src-address=0.0.0.0/0
add dst-address=128.0.0.0/1 proposal=L2TP src-address=0.0.0.0/0 template=yes
# Before there was just 1 policy: 0.0.0.0/0, the same issue
/ppp secret
add name=soporte password=Password01 profile=L2TP
I hope I didn't forget anything.
Any idea?
Thanks in advance.
Regards
Damián
 
Exiver
Member Candidate
Posts: 113
Joined: Sat Jan 10, 2015 6:45 pm

Re: L2TP + IPSec -> policy not found

Tue May 07, 2019 12:23 am

How is your router connected to the internet? Is it behind NAT? Is your IP a public or a private one?

This is wrong:
/ip ipsec policy
set 0 dst-address=0.0.0.0/1 proposal=L2TP src-address=0.0.0.0/0
add dst-address=128.0.0.0/1 proposal=L2TP src-address=0.0.0.0/0 template=yes
0.0.0.0/1 or 128.0.0.0/1 is not working. To be honest, I have never seen anyone using a netmask of 1. Why did you do that?
dst-address should be 0.0.0.0/0 ....
 
sindy
Forum Guru
Posts: 3893
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP + IPSec -> policy not found  [SOLVED]

Tue May 07, 2019 7:05 am

I hope I didnt forget anything.
Any Idea?
You forgot to set generate-policy in /ip ipsec peer to port-strict. The default value is no, so your policy template cannot be used to dynamically create a local policy from the information received from the peer.

And there is no need to split the policy template into two, so you can delete the added one and change the dst-address in the default one back to 0.0.0.0/0.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
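The fix from this answer applied to the configuration posted above, as an added example that is not part of the original thread. It assumes the RouterOS 6.43 syntax the poster is using (generate-policy is still a /ip ipsec peer setting there, not yet moved to /ip ipsec identity) and that the template left in place is the default one in the default policy group. The weak setting is shown next to the corrected one; the ipsec-secret the poster exported in plaintext is reused unchanged here, so anyone copying this should set their own.

```routeros
# Added example (not the poster's or MikroTik's code). RouterOS 6.43 syntax.
# Proposal name "L2TP" and the peer parameters are taken from the thread;
# the policy-template-group name "default" is RouterOS's default and is assumed.

# --- As posted: generate-policy defaults to "no", so when the L2TP client
#     proposes the selector  PUBLIC_IP:1701/udp <=> EXTERNAL_IP:1701/udp
#     no dynamic policy can be created from the template -> "policy not found".
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp passive=yes secret=Secret2019
/ip ipsec policy
set 0 dst-address=0.0.0.0/1 proposal=L2TP src-address=0.0.0.0/0
add dst-address=128.0.0.0/1 proposal=L2TP src-address=0.0.0.0/0 template=yes

# --- Corrected: allow the peer to instantiate a policy from the template,
#     taking the ports (1701) from the peer's proposal (port-strict), and keep
#     a single 0.0.0.0/0 <-> 0.0.0.0/0 template instead of the two /1 halves.
/ip ipsec peer
set [ find exchange-mode=main-l2tp ] generate-policy=port-strict
/ip ipsec policy
remove [ find dst-address=128.0.0.0/1 template=yes ]
set [ find template=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=L2TP

# Verify: once a client is connected, a dynamic policy (flag D) with
# UDP/1701 selectors should be listed and the ph2 errors should stop.
/ip ipsec policy print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

Under port-strict the dynamically created policy carries exactly the ports the client proposed, so only the L2TP control channel (UDP 1701) is protected by the SA; port-override would instead create a policy for any port, which is looser than this use case needs.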
 
sindy
Forum Guru
Posts: 3893
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP + IPSec -> policy not found

Tue May 07, 2019 7:13 am

0.0.0.0/1 or 128.0.0.0/1 is not working. To be honest i have never seen anyone using a netmask of 1. Why did you do that?
dst-address should be 0.0.0.0/0 ....
This is not the root cause of the issue. 0.0.0.0/1 covers "the lower half of the IPv4 internet", i.e. IP addresses from 0.0.0.0 to 127.255.255.255, and 128.0.0.0/1 covers "the upper half", i.e. addresses from 128.0.0.0 to 255.255.255.255. The fact that it is an unnecessary overcomplication in this particular scenario does not mean that it doesn't work or that it doesn't make sense in other scenarios.
 
rbuserdl
Frequent Visitor
Topic Author
Posts: 87
Joined: Thu Mar 22, 2018 1:53 pm

Re: L2TP + IPSec -> policy not found

Tue May 07, 2019 4:22 pm

Thanks to all for your help.
Sindy, you always save me, thanks a lot!!!
It is working now. I don't know why it is not working on my W10, but I don't need it here; this problem on my machine only makes me waste time.

Regards!
 
Exiver
Member Candidate
Posts: 113
Joined: Sat Jan 10, 2015 6:45 pm

Re: L2TP + IPSec -> policy not found

Tue May 07, 2019 8:50 pm

0.0.0.0/1 or 128.0.0.0/1 is not working. To be honest i have never seen anyone using a netmask of 1. Why did you do that?
dst-address should be 0.0.0.0/0 ....
This is not the root cause of the issue. 0.0.0.0/1 covers "the lower half of the IPv4 internet", i.e. IP addresses from 0.0.0.0 to 127.255.255.255, and 128.0.0.0/1 covers "the upper half", i.e. addresses from 128.0.0.0 to 255.255.255.255. The fact that it is an unnecessary overcomplication in this particular scenario does not mean that it doesn't work or that it doesn't make sense in other scenarios.
Thanks for the clarification. I could infer that /1 would mean half of /0, but that it would work was not in my mind (because I have never seen that before) ;-) But you never stop learning, I guess.
