svallverdu
just joined
Topic Author
Posts: 2
Joined: Tue Nov 21, 2017 7:09 am

L2TP IPsec ends connection immediately after Phase 2 is established

Tue May 25, 2021 11:27 pm

Hello there. I have configured an L2TP server with a public IP, and then tried to connect from a Windows 10 client and it doesn't work. I have tried firewall tips, and the standard recommendations, but nothing seems to work. I am desperate. I would appreciate any help. Here is a fragment of both the log and the configuration file.

Log:

jan/01 21:05:54 ipsec,info respond new phase 1 (Identity Protection): 201.217.154.76[500]<=>201.217.154.75[500]
jan/01 21:05:54 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
jan/01 21:05:54 ipsec received Vendor ID: RFC 3947
jan/01 21:05:54 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
jan/01 21:05:54 ipsec received Vendor ID: FRAGMENTATION
jan/01 21:05:54 ipsec Fragmentation enabled
jan/01 21:05:54 ipsec 201.217.154.75 Selected NAT-T version: RFC 3947
jan/01 21:05:54 ipsec Adding xauth VID payload.
jan/01 21:05:54 ipsec sent phase1 packet 201.217.154.76[500]<=>201.217.154.75[500] e4b584d222d3af1a:25567284871fca04
jan/01 21:05:54 ipsec NAT not detected
jan/01 21:05:54 ipsec Adding remote and local NAT-D payloads.
jan/01 21:05:54 ipsec sent phase1 packet 201.217.154.76[500]<=>201.217.154.75[500] e4b584d222d3af1a:25567284871fca04
jan/01 21:05:54 firewall,info L2TP input: in:WAN1 out:(unknown 0), src-mac 54:e1:ad:84:6c:64, proto UDP, 201.217.154.75:500->201.217.154.76:500, len 436
jan/01 21:05:54 ipsec,info ISAKMP-SA established 201.217.154.76[500]-201.217.154.75[500] spi:e4b584d222d3af1a:25567284871fca04
jan/01 21:05:54 ipsec respond new phase 2 negotiation: 201.217.154.76[500]<=>201.217.154.75[500]
jan/01 21:05:54 ipsec searching for policy for selector: 201.217.154.76:1701 ip-proto:17 <=> 201.217.154.75:1701 ip-proto:17
jan/01 21:05:54 ipsec generating policy
jan/01 21:05:54 ipsec sent phase2 packet 201.217.154.76[500]<=>201.217.154.75[500] e4b584d222d3af1a:25567284871fca04:00000000
jan/01 21:05:54 ipsec IPsec-SA established: ESP/Transport 201.217.154.75[500]->201.217.154.76[500] spi=0x2072dde
jan/01 21:05:54 ipsec IPsec-SA established: ESP/Transport 201.217.154.76[500]->201.217.154.75[500] spi=0x7d621e1a
jan/01 21:05:54 l2tp,info first L2TP UDP packet received from 201.217.154.75
jan/01 21:05:54 firewall,info L2TP input: in:WAN1 out:(unknown 0), src-mac 54:e1:ad:84:6c:64, proto 50, 201.217.154.75->201.217.154.76, len 184
jan/01 21:05:54 firewall,info L2TP input: in:WAN1 out:(unknown 0), proto UDP, 201.217.154.75:1701->201.217.154.76:1701, len 136
jan/01 21:06:27 ipsec purged IPsec-SA proto_id=ESP spi=0x7d621e1a
jan/01 21:06:27 ipsec purged IPsec-SA proto_id=ESP spi=0x2072dde
jan/01 21:06:27 ipsec removing generated policy
jan/01 21:06:27 ipsec,info purging ISAKMP-SA 201.217.154.76[500]<=>201.217.154.75[500] spi=e4b584d222d3af1a:25567284871fca04.
jan/01 21:06:27 ipsec purged ISAKMP-SA 201.217.154.76[500]<=>201.217.154.75[500] spi=e4b584d222d3af1a:25567284871fca04.
jan/01 21:06:27 ipsec,info ISAKMP-SA deleted 201.217.154.76[500]-201.217.154.75[500] spi:e4b584d222d3af1a:25567284871fca04 rekey:1

/interface bridge
add comment="Red administrativa" name=bridge1
add comment="Para red interna con NAS" name=bridge2
add comment=L2TP name=bridge3
/interface wireless
set [ find default-name=wlan1 ] country=uruguay ssid=MikroTik \
    wireless-protocol=nv2-nstreme-802.11
set [ find default-name=wlan2 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether2 ] comment=Administrativa name=LAN1
set [ find default-name=ether3 ] comment=Administrativa name=LAN2
set [ find default-name=ether6 ] comment="Red interna Ventus" name=NAS1
set [ find default-name=ether7 ] comment="Red interna Ventus" name=NAS2
set [ find default-name=ether5 ] comment="Acceso WAN a internet" name=WAN1
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WIFI
add name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-win
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=UYRO002
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.2.128-192.168.2.254
add name=L2TP ranges=10.99.98.2-10.99.98.210
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/ppp profile
add local-address=10.99.98.1 name=L2TP remote-address=L2TP use-encryption=\
    required
/snmp community
set [ find default=yes ] read-access=no
add addresses=0.0.0.0/0 name=snmp_group
/user group
set read policy="local,telnet,ssh,read,winbox,sniff,sensitive,api,romon,tikapp\
    ,!ftp,!reboot,!write,!policy,!test,!password,!web,!dude"
/interface bridge port
add bridge=bridge1 interface=LAN1
add bridge=bridge1 interface=LAN2
add bridge=bridge2 interface=NAS2
add bridge=bridge2 interface=NAS1
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP enabled=yes use-ipsec=\
    required
/interface list member
add interface=wlan1 list=WIFI
add interface=LAN1 list=mac-win
add interface=LAN2 list=mac-win
add interface=bridge1 list=mac-win
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=Server.Public.IP/29 interface=WAN1 network=Network.Public.IP
add address=10.99.98.1 interface=bridge3 network=10.99.98.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4,ISP.DNS.ServerIP gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,ISP.DNS.ServerIP
/ip firewall address-list
add address=192.168.2.0/24 list=redes_locales
add address=124.224.177.182 list=ssh_blacklist
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=accept chain=input in-interface=WAN1 log=yes log-prefix=L2TP \
    protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500 in-interface=WAN1 log=yes \
    log-prefix=L2TP protocol=udp
add action=accept chain=input dst-port=1701 in-interface=WAN1 log=yes \
    log-prefix=L2TP protocol=udp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=accept chain=input comment="Acceso para Winbox" dst-port=8291 \
    in-interface=WAN1 protocol=tcp
add action=accept chain=input dst-port=61893 in-interface=WAN1 protocol=tcp
add action=accept chain=input comment="abro puerto tcp 1723 para la vpn pptp" \
    dst-port=1723 in-interface=WAN1 protocol=tcp
add action=accept chain=input comment=\
    "habilito protocolo GRE para la vpn pptp" in-interface=WAN1 protocol=gre
add action=accept chain=input dst-port=1723 in-interface=WAN1 protocol=udp
add action=drop chain=input comment=test in-interface=all-wireless
add action=drop chain=input disabled=yes in-interface=WAN1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
/ip route
add distance=1 gateway=DefaultG.Public.IP
/ppp secret
add name=svallverdu profile=L2TP service=l2tp
/snmp
set enabled=yes location=Ventus trap-community=snmp_group trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=America/Montevideo
/system identity
set name=UYRO002
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add topics=ipsec,!debug
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPsec ends connection immediately after Phase 2 is established

Wed May 26, 2021 6:04 pm

Activate L2TP logging as well (/system logging add topics=l2tp) and try again. Since Phase 2 has established successfully, the issue is most likely in the L2TP settings, and the L2TP log should show that.
 
MrHae
Frequent Visitor
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: L2TP IPsec ends connection immediately after Phase 2 is established

Wed May 26, 2021 10:43 pm

Hey, I got frustrated with maybe the same problem last week. Windows 10 isn't able to connect from NATed networks to L2TP/IPsec gateways. There is a registry key to solve the problem.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

AssumeUDPEncapsulationContextOnSendRule

You can set it to 0 = neither side is behind NAT, 1 = the server is behind NAT, 2 = both are behind NAT.

https://docs.microsoft.com/de-de/troubl ... t-t-device
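For reference, an added PowerShell snippet (not from the reply above) that reads the current value of this key on the Windows client, explains what it means using the three values listed in the reply, and can set it. It assumes an elevated session and that the PolicyAgent service needs a reboot to pick up the change.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
# Key and value name exactly as given in the reply above.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each value, as listed in the reply above
$meaning = @{
    0 = 'neither side is behind NAT (also the behaviour when the value is absent)'
    1 = 'the server is behind NAT'
    2 = 'both client and server are behind NAT'
}

function Get-NatTRule {
    # Returns $null when the value has never been created
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$name
}

function Set-NatTRule {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # The value must be a 32-bit REG_DWORD; -Force overwrites an existing entry
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Output "Set $name = $Value ($($meaning[$Value])). Reboot to apply."
}

$current = Get-NatTRule
if ($null -eq $current) {
    Write-Output "Value not present: Windows assumes $($meaning[0])"
} else {
    Write-Output "Current value $current : $($meaning[$current])"
}

# Uncomment to apply the setting for a client behind NAT, as the reply suggests:
# Set-NatTRule -Value 2
```

Check the value first; changing it only matters when a NAT sits between the client and the server, which the poster's own log ("NAT not detected") is the place to confirm.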
