IPsec template does not generate dynamic policy

Posted: Fri Aug 30, 2019 9:03 pm
by resetsa
Hello all!
Please help me with my l2tp-client/ipsec config.
RouterOS version 6.45.5 on RBM33G.

My config:
/interface l2tp-client
add allow=mschap2 connect-to=46.243.217.1 disabled=no keepalive-timeout=15 max-mru=1400 max-mtu=1400 name=l2tp_apple_m user=XXXXXXXXXXXXX

/ip ipsec policy group
add name=l2tp
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=8h proposal-check=exact
add dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=8h name=l2tp_profile proposal-check=claim
/ip ipsec peer
add address=46.243.217.1/32 name=46.243.217.1 profile=l2tp_profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h name=l2tp_ivacy pfs-group=none
/ip ipsec identity
add generate-policy=port-strict peer=46.243.217.1 policy-template-group=l2tp
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=l2tp proposal=l2tp_ivacy protocol=udp src-address=0.0.0.0/0 template=yes
My statistics:

ISAKMP SA established.
/ip ipsec active-peers print detail 
Flags: R - responder, N - natt-peer 
 0    local-address=93.81.205.164 remote-address=46.243.217.1 state=established side=initiator uptime=48s last-seen=48s

IPsec SA not installed.
/ip ipsec installed-sa print 
Flags: H - hw-aead, A - AH, E - ESP
Policy is not dynamically created from the template.
/ip ipsec policy print detail 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 
 1 T   group=l2tp src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=udp proposal=l2tp_ivacy template=yes
The l2tp-client keeps trying to connect.
21:13:19 ipsec 46.243.217.1 Selected NAT-T version: RFC 3947 
21:13:19 ipsec 46.243.217.1 Hashing 46.243.217.1[500] with algo #2  
21:13:19 ipsec 93.81.205.164 Hashing 93.81.205.164[500] with algo #2  
21:13:19 ipsec Adding remote and local NAT-D payloads. 
21:13:19 ipsec sent phase1 packet 93.81.205.164[500]<=>46.243.217.1[500] 9277bae67aebdffd:79128b3a33d1dada 
21:13:19 ipsec 93.81.205.164 Hashing 93.81.205.164[500] with algo #2  
21:13:19 ipsec NAT-D payload #0 verified 
21:13:19 ipsec 46.243.217.1 Hashing 46.243.217.1[500] with algo #2  
21:13:19 ipsec NAT-D payload #1 verified 
21:13:19 ipsec NAT not detected  
21:13:19 ipsec sent phase1 packet 93.81.205.164[500]<=>46.243.217.1[500] 9277bae67aebdffd:79128b3a33d1dada 
21:13:19 ipsec,info ISAKMP-SA established 93.81.205.164[500]-46.243.217.1[500] spi:9277bae67aebdffd:79128b3a33d1dada 
21:13:49 l2tp,ppp,info l2tp_apple_m: initializing... 
21:13:49 l2tp,ppp,info l2tp_apple_m: connecting... 
21:13:49 system,info device changed by sas 
21:14:09 ipsec,info initiate new phase 1 (Identity Protection): 93.81.205.164[500]<=>46.243.217.1[500] 
21:14:09 ipsec sent phase1 packet 93.81.205.164[500]<=>46.243.217.1[500] 74f031a795e8d4f3:0000000000000000 
21:14:09 ipsec received long Microsoft ID: MS NT5 ISAKMPOAKLEY 
21:14:09 ipsec received Vendor ID: RFC 3947 
21:14:09 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n 
21:14:09 ipsec received Vendor ID: FRAGMENTATION 
21:14:09 ipsec 46.243.217.1 Selected NAT-T version: RFC 3947 
21:14:09 ipsec 46.243.217.1 Hashing 46.243.217.1[500] with algo #2  
21:14:09 ipsec 93.81.205.164 Hashing 93.81.205.164[500] with algo #2  
21:14:09 ipsec Adding remote and local NAT-D payloads. 
21:14:09 ipsec sent phase1 packet 93.81.205.164[500]<=>46.243.217.1[500] 74f031a795e8d4f3:04d8d77b4ea6e634 
21:14:09 ipsec 93.81.205.164 Hashing 93.81.205.164[500] with algo #2  
21:14:09 ipsec NAT-D payload #0 verified 
21:14:09 ipsec 46.243.217.1 Hashing 46.243.217.1[500] with algo #2  
21:14:09 ipsec NAT-D payload #1 verified 
21:14:09 ipsec NAT not detected  
21:14:09 ipsec sent phase1 packet 93.81.205.164[500]<=>46.243.217.1[500] 74f031a795e8d4f3:04d8d77b4ea6e634 
21:14:09 ipsec,info ISAKMP-SA established 93.81.205.164[500]-46.243.217.1[500] spi:74f031a795e8d4f3:04d8d77b4ea6e634 
21:14:13 l2tp,ppp,info l2tp_apple_m: terminating... - session closed 
21:14:13 l2tp,ppp,info l2tp_apple_m: disconnected 
21:14:13 l2tp,ppp,info l2tp_apple_m: initializing... 
21:14:13 l2tp,ppp,info l2tp_apple_m: connecting... 
21:14:13 l2tp,ppp,info l2tp_apple_m: terminating... - old tunnel is not closed yet 
21:14:13 l2tp,ppp,info l2tp_apple_m: disconnected 
21:14:13 l2tp,ppp,info l2tp_apple_m: initializing... 
21:14:13 l2tp,ppp,info l2tp_apple_m: connecting... 
21:14:37 l2tp,ppp,info l2tp_apple_m: terminating... - session closed 
21:14:37 l2tp,ppp,info l2tp_apple_m: disconnected 
21:14:38 l2tp,ppp,info l2tp_apple_m: initializing... 
21:14:38 l2tp,ppp,info l2tp_apple_m: connecting... 
21:15:02 l2tp,ppp,info l2tp_apple_m: terminating... - session closed 
21:15:02 l2tp,ppp,info l2tp_apple_m: disconnected 
21:15:04 l2tp,ppp,info l2tp_apple_m: initializing... 
21:15:04 l2tp,ppp,info l2tp_apple_m: connecting... 
21:15:28 l2tp,ppp,info l2tp_apple_m: terminating... - session closed 
21:15:28 l2tp,ppp,info l2tp_apple_m: disconnected 
21:15:31 l2tp,ppp,info l2tp_apple_m: initializing... 
21:15:31 l2tp,ppp,info l2tp_apple_m: connecting... 
21:15:55 l2tp,ppp,info l2tp_apple_m: terminating... - session closed 
21:15:55 l2tp,ppp,info l2tp_apple_m: disconnected 
21:16:01 l2tp,ppp,info l2tp_apple_m: initializing... 
21:16:01 l2tp,ppp,info l2tp_apple_m: connecting...
Why is a dynamic policy not created from a template?
If I use ipsec-secret on the l2tp interface, the connection is established and traffic is received, but the ipsec-sa is rebuilt very often with this log:
23:23:39 ipsec,error 46.243.205.2 failed to pre-process ph2 packet.
23:23:46 ipsec respond new phase 2 negotiation: 93.81.205.164[500]<=>46.243.205.2[500]
23:23:46 ipsec searching for policy for selector: 93.81.205.164:1701 ip-proto:17 <=> 46.243.205.2:1701 ip-proto:17
23:23:46 ipsec policy not found
23:23:46 ipsec failed to get proposal for responder.
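A small triage helper, added here as an example and not part of the post or of RouterOS: it pairs each "searching for policy for selector" line with the following "policy not found" in the log above and checks that selector against the templates from the policy print by address and protocol, so the remaining difference can be narrowed down. The TEMPLATES dictionaries, the PROTO_NUMBERS map and the group argument (the policy-template-group the responding identity uses, l2tp in this config) are assumptions modelled on the post's output.

```python
import ipaddress
import re

# Constructed sample: the phase-2 log lines quoted in the post.
SAMPLE_LOG = """\
23:23:46 ipsec respond new phase 2 negotiation: 93.81.205.164[500]<=>46.243.205.2[500]
23:23:46 ipsec searching for policy for selector: 93.81.205.164:1701 ip-proto:17 <=> 46.243.205.2:1701 ip-proto:17
23:23:46 ipsec policy not found
23:23:46 ipsec failed to get proposal for responder.
"""
# Policy templates as listed by "/ip ipsec policy print detail" in the post (assumed layout).
TEMPLATES = [
    {"group": "default", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "all", "disabled": True},
    {"group": "l2tp", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "udp", "disabled": False},
]
PROTO_NUMBERS = {"all": None, "tcp": 6, "udp": 17}
SELECTOR_RE = re.compile(
    r"searching for policy for selector: "
    r"(?P<lsrc>[\d.]+):(?P<lport>\d+) ip-proto:(?P<lproto>\d+) <=> "
    r"(?P<rsrc>[\d.]+):(?P<rport>\d+) ip-proto:(?P<rproto>\d+)"
)

def parse_failed_selectors(log_text):
    """Return the selectors of phase-2 lookups that ended in 'policy not found'."""
    failed, pending = [], None
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if m:
            pending = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        elif "policy not found" in line and pending is not None:
            failed.append(pending)
            pending = None
    return failed

def template_matches(tpl, sel, group):
    """Responder view: template src-address is the local side, dst-address the remote side."""
    if tpl["disabled"] or tpl["group"] != group:
        return False
    local_ok = ipaddress.ip_address(sel["lsrc"]) in ipaddress.ip_network(tpl["src"])
    remote_ok = ipaddress.ip_address(sel["rsrc"]) in ipaddress.ip_network(tpl["dst"])
    proto_ok = PROTO_NUMBERS[tpl["proto"]] in (None, sel["lproto"])
    return local_ok and remote_ok and proto_ok

def triage(log_text, templates, group):
    """For each failed lookup, list template groups that match it by address and protocol."""
    report = []
    for sel in parse_failed_selectors(log_text):
        hits = [t["group"] for t in templates if template_matches(t, sel, group)]
        report.append((f"{sel['lsrc']}:{sel['lport']}<=>{sel['rsrc']}:{sel['rport']}", hits))
    return report
```

When a template matches by address and protocol yet the router still logs "policy not found", the difference lies in something this check does not model, such as which template group the responding identity actually uses or the port handling selected by generate-policy.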