l2tp-out2 not running

Posted: Wed Mar 25, 2020 3:30 pm
by nagylzs
Below in the logs, my problematic MikroTik router has address 1.2.3.4 and name my.client.machine.com. I also have two other MikroTik routers at some_domain_1.com and some_domain_2.com (which is 9.8.7.6 in the example below). My goal is to connect my.client.machine.com (as an L2TP client) to both some_domain_1.com and some_domain_2.com.

The client config is identical for some_domain_1.com and some_domain_2.com, except for the domain names and the passwords:
/interface l2tp-client> print 
Flags: X - disabled, R - running 
 0  R name="l2tp-out1" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=some_domain_1.com user="user1" password="**************" profile=default-encryption keepalive-timeout=60 
      use-ipsec=yes ipsec-secret="*******" allow-fast-path=no add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2 

 1    name="l2tp-out2" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=some_domain_2.com user="user2" password="**************" profile=default-encryption keepalive-timeout=60 
      use-ipsec=yes ipsec-secret="*******" allow-fast-path=no add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2 
As you can see, one of them is not running and the other one is. If I turn on logging for ipsec and l2tp, then I see this for some_domain_2.com:
14:08:41 l2tp,debug tunnel 704 entering state: wait-ctl-reply 
14:08:41 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701 
14:08:41 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
14:08:41 l2tp,debug,packet     (M) Message-Type=SCCRQ 
14:08:41 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
14:08:41 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
14:08:41 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
14:08:41 l2tp,debug,packet     Firmware-Revision=0x1 
14:08:41 l2tp,debug,packet     (M) Host-Name="my.client.machine.com" 
14:08:41 l2tp,debug,packet     Vendor-Name="MikroTik" 
14:08:41 l2tp,debug,packet     (M) Assigned-Tunnel-ID=704 
14:08:41 l2tp,debug,packet     (M) Receive-Window-Size=4 
14:08:42 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701 
14:08:42 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
14:08:42 l2tp,debug,packet     (M) Message-Type=SCCRQ 
14:08:42 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
14:08:42 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
14:08:42 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
14:08:42 l2tp,debug,packet     Firmware-Revision=0x1 
14:08:42 l2tp,debug,packet     (M) Host-Name="my.client.machine.com" 
14:08:42 l2tp,debug,packet     Vendor-Name="MikroTik" 
14:08:42 l2tp,debug,packet     (M) Assigned-Tunnel-ID=704 
14:08:42 l2tp,debug,packet     (M) Receive-Window-Size=4 
14:08:43 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701 
14:08:43 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
14:08:43 l2tp,debug,packet     (M) Message-Type=SCCRQ 
14:08:43 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
14:08:43 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
14:08:43 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
14:08:43 l2tp,debug,packet     Firmware-Revision=0x1 
14:08:43 l2tp,debug,packet     (M) Host-Name="my.client.machine.com" 
14:08:43 l2tp,debug,packet     Vendor-Name="MikroTik" 
14:08:43 l2tp,debug,packet     (M) Assigned-Tunnel-ID=704 
14:08:43 l2tp,debug,packet     (M) Receive-Window-Size=4 
14:08:45 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701 
14:08:45 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
14:08:45 l2tp,debug,packet     (M) Message-Type=SCCRQ 
14:08:45 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
14:08:45 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
14:08:45 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
14:08:45 l2tp,debug,packet     Firmware-Revision=0x1 
14:08:45 l2tp,debug,packet     (M) Host-Name="my.client.machine.com" 
14:08:45 l2tp,debug,packet     Vendor-Name="MikroTik" 
14:08:45 l2tp,debug,packet     (M) Assigned-Tunnel-ID=704 
14:08:45 l2tp,debug,packet     (M) Receive-Window-Size=4 
14:08:49 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701 
14:08:49 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
14:08:49 l2tp,debug,packet     (M) Message-Type=SCCRQ 
14:08:49 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
14:08:49 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
14:08:49 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
14:08:49 l2tp,debug,packet     Firmware-Revision=0x1 
14:08:49 l2tp,debug,packet     (M) Host-Name="my.client.machine.com" 
14:08:49 l2tp,debug,packet     Vendor-Name="MikroTik" 
14:08:49 l2tp,debug,packet     (M) Assigned-Tunnel-ID=704 
14:08:49 l2tp,debug,packet     (M) Receive-Window-Size=4 
14:08:57 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701 
14:08:57 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0 
14:08:57 l2tp,debug,packet     (M) Message-Type=SCCRQ 
14:08:57 l2tp,debug,packet     (M) Protocol-Version=0x01:00 
14:08:57 l2tp,debug,packet     (M) Framing-Capabilities=0x1 
14:08:57 l2tp,debug,packet     (M) Bearer-Capabilities=0x0 
14:08:57 l2tp,debug,packet     Firmware-Revision=0x1 
14:08:57 l2tp,debug,packet     (M) Host-Name="my.client.machine.com" 
14:08:57 l2tp,debug,packet     Vendor-Name="MikroTik" 
14:08:57 l2tp,debug,packet     (M) Assigned-Tunnel-ID=704 
14:08:57 l2tp,debug,packet     (M) Receive-Window-Size=4 
On some_domain_2.com (L2TP server side) I see this before it goes silent:
14:24:47 ipsec,debug === 
14:24:47 ipsec,debug dh(modp2048) 
14:24:47 ipsec,debug,packet compute DH's shared. 
14:24:47 ipsec,debug,packet 
14:24:47 ipsec,debug,packet KEYMAT compute with 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug encryption(aes-cbc) 
14:24:47 ipsec,debug hmac(hmac_sha2_512) 
14:24:47 ipsec,debug encklen=256 authklen=512 
14:24:47 ipsec,debug generating 960 bits of key (dupkeymat=6) 
14:24:47 ipsec,debug generating K1...K6 for KEYMAT. 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet KEYMAT compute with 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug encryption(aes-cbc) 
14:24:47 ipsec,debug hmac(hmac_sha2_512) 
14:24:47 ipsec,debug encklen=256 authklen=512 
14:24:47 ipsec,debug generating 960 bits of key (dupkeymat=6) 
14:24:47 ipsec,debug generating K1...K6 for KEYMAT. 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug,packet hmac(hmac_sha1) 
14:24:47 ipsec,debug KEYMAT computed. 
14:24:47 ipsec,debug call pk_sendupdate 
14:24:47 ipsec,debug encryption(aes-cbc) 
14:24:47 ipsec,debug hmac(hmac_sha2_512) 
14:24:47 ipsec,debug call pfkey_send_update_nat 
14:24:47 ipsec IPsec-SA established: ESP/Transport 1.2.3.4[500]->9.8.7.6[500] spi=0x91eb00a 
14:24:47 ipsec,debug pfkey update sent. 
14:24:47 ipsec,debug encryption(aes-cbc) 
14:24:47 ipsec,debug hmac(hmac_sha2_512) 
14:24:47 ipsec,debug call pfkey_send_add_nat 
14:24:47 ipsec IPsec-SA established: ESP/Transport 9.8.7.6[500]->1.2.3.4[500] spi=0xe83f403 
14:24:47 ipsec,debug pfkey add sent. 

On the L2TP server side, some_domain_1.com and some_domain_2.com are also almost identical. The only difference is that some_domain_2.com is behind a NAT router. However, some_domain_2.com is in the DMZ and I have applied the back-and-forth NAT described here: viewtopic.php?f=2&t=149863#p738065

The strangest thing is that I can connect to some_domain_1.com and also some_domain_2.com from any Windows 10 or Linux L2TP client. Even with Android. I can also connect from my.client.machine.com to some_domain_1.com. The only thing that does not work is connecting from my.client.machine.com to some_domain_2.com. It might have something to do with the server being behind NAT, but I cannot figure out what it is. (Especially since Windows 10 and Linux L2TP clients have no problem connecting...)
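A small diagnostic that reads the two kinds of log quoted above and reports the pattern they show: ESP transport SAs up on the server, SCCRQ retransmitted by the client with a doubling gap and never answered by an SCCRP, and no NAT-T port (4500) in the SA lines. This is an added example, not code from the post or from MikroTik; the sample log lines are constructed from the ones quoted above, and the wording assumed for a received control message ("rcvd control message") is an assumption.

```python
import re

# Constructed sample lines modelled on the post's client-side (l2tp) and server-side (ipsec) logs
CLIENT_LOG = """\
14:08:41 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701
14:08:41 l2tp,debug,packet     (M) Message-Type=SCCRQ
14:08:42 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701
14:08:42 l2tp,debug,packet     (M) Message-Type=SCCRQ
14:08:43 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701
14:08:43 l2tp,debug,packet     (M) Message-Type=SCCRQ
14:08:45 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701
14:08:45 l2tp,debug,packet     (M) Message-Type=SCCRQ
14:08:49 l2tp,debug,packet sent control message to 1.2.3.4:1701 from 0.0.0.0:1701
14:08:49 l2tp,debug,packet     (M) Message-Type=SCCRQ
"""
SERVER_LOG = """\
14:24:47 ipsec IPsec-SA established: ESP/Transport 1.2.3.4[500]->9.8.7.6[500] spi=0x91eb00a
14:24:47 ipsec IPsec-SA established: ESP/Transport 9.8.7.6[500]->1.2.3.4[500] spi=0xe83f403
"""

# protocol/mode and the two UDP ports from an "IPsec-SA established" line
SA = re.compile(r"IPsec-SA established: (\S+) [^\[]+\[(\d+)\]->[^\[]+\[(\d+)\]")

def diagnose(client_log, server_log):
    """Summarise what client l2tp and server ipsec logs show about the tunnel setup."""
    sent, rcvd, direction, ts = [], [], None, 0
    for line in client_log.splitlines():
        if "control message" in line:  # header line of one logged L2TP control packet
            direction = "sent" if " sent control message" in line else "rcvd"  # assumed wording
            ts = sum(int(x) * f for x, f in zip(line[:8].split(":"), (3600, 60, 1)))
        elif "Message-Type=" in line:  # AVP line belonging to that packet
            kind = line.split("Message-Type=")[1].strip()
            (sent if direction == "sent" else rcvd).append((ts, kind))
    sccrq = [t for t, k in sent if k == "SCCRQ"]
    sas = SA.findall(server_log)
    report = {
        "sccrq_sent": len(sccrq),
        # unanswered control messages are retransmitted with a doubling gap
        "retransmit_gaps": [b - a for a, b in zip(sccrq, sccrq[1:])],
        "sccrp_received": any(k == "SCCRP" for _, k in rcvd),
        "esp_sas": len(sas),
        # [4500] in the SA line means NAT-T (UDP encapsulation) was negotiated;
        # [500] means plain ESP, which a NAT in the path may not forward
        "nat_traversal": any("4500" in (a, b) for _, a, b in sas),
    }
    # IPsec is up on the server but SCCRQ never gets an SCCRP: UDP/1701 (or its reply) is not getting through
    report["l2tp_blocked_after_ipsec"] = (
        report["esp_sas"] >= 2 and bool(sccrq) and not report["sccrp_received"])
    return report
```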