jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Windows XP via L2TP/Ipsec

Wed Oct 14, 2020 9:37 pm

We have an old computer that I'd like to connect to our modern (latest 6.47 OS) router. I found things about the exchange needing to be set to main-l2tp, which doesn't seem to be an option in the later versions of RouterOS. Is there any hope, or do I have to upgrade this beast to a newer version of Windows?

I've done everything I can find, and I get error 792 when I try to connect.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Windows XP via L2TP/Ipsec

Wed Oct 14, 2020 10:56 pm

The exchange-mode value main-l2tp has been removed because it wasn't actually necessary; plain main is sufficient. The Win XP embedded VPN client is likely to use older=weaker ciphers, so they may not be permitted in the /ip ipsec profile and /ip ipsec proposal items you use. The MikroTik log will show you what ciphers the XP is offering:

/system logging add topics=ipsec,!packet
/system logging add topics=l2tp
/log print follow-only file=l2tp-ipsec-start where topics~"ipsec|l2tp"

Now press Connect on the Win XP; once it gives you the error, break the /log print ..., download the file l2tp-ipsec-start.txt and start reading it.
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Windows XP via L2TP/Ipsec

Wed Oct 14, 2020 11:19 pm

Not easy since the XP machine is on the same remote network as working machines, and I can't connect two machines simultaneously to watch the log.

I'm upgrading it to Win10.
 
Leolo
just joined
Posts: 20
Joined: Wed Aug 21, 2013 7:01 am

Re: Windows XP via L2TP/Ipsec

Fri Sep 24, 2021 8:10 pm

Hi, has anyone configured this? I need to connect an older Windows XP machine to a Mikrotik hAP lite.

I've captured the logs recommended by Sindy, and I see mainly this error:
ipsec Expecting IP address type in main mode when using preshared key for authorization (see RFC 2409 section 5.4),but FQDN. 
ipsec 80.214.39.44 invalid ID payload.

I've also seen this documentation:
https://wiki.mikrotik.com/wiki/MikroTik ... IPSec/L2TP

Which says:
Note: Windows XP does not work according to RFC. You need to set main-l2tp exchange mode, otherwise Win XP client will not be able to establish Phase 1.

Does this mean that I have to downgrade the firmware in the Mikrotik? What was the last version supporting main-l2tp mode??
