nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

How can I use a custom ipsec profile for L2TP server?

Sun Jun 27, 2021 2:21 pm

I would like to use a custom (phase 1) ipsec profile for my l2tp server. The most secure settings that are compatible with Windows 10 and RouterOS are probably:
  • phase 1 (profile): SHA256 AES-256-CBC modp1024
  • phase 2 (proposal): SHA1 AES-256-CBC none
This info was taken from: https://wiki.mikrotik.com/wiki/Manual:I ... figuration

I cannot find a way to change the phase 1 ipsec profile that is assigned to l2tp-server. There is a "/interface l2tp-server server default-profile" setting, but that is for the ppp profile and not the ipsec profile.

The only option I see is to change the default ipsec profile and hope that it will be used by the l2tp-server. (???)

Here is an example config (addresses and passwords hidden):
# Change the default phase1 ipsec profile and hope that it will be used by l2tp-server.
/ip ipsec profile 
set [ find default=yes] \
	name="profile_l2tp" \
	hash-algorithm=sha256 \
	enc-algorithm=aes-256 \
	dh-group=modp1024
	
# phase 2 ipsec proposal
/ip ipsec proposal
add name=proposal-l2tp auth-algorithms=sha1 \
	enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none

# This is just a manual policy, I want to limit this strictly to two fixed addresses on the two sides.
/ip ipsec policy group
add name=group-l2tp

/ip ipsec policy
add comment=l2tp dst-address=1.2.3.100 group=group-l2tp proposal=proposal-l2tp \
	src-address=1.2.3.4 template=yes

# The "default-encryption" profile cannot be removed or disabled, but it won't be used.
/ppp profile
add dns-server=1.2.3.4 local-address=1.2.3.4 name=l2tp_vpn

/ppp secret
add name=test-client password="********" profile=l2tp_vpn remote-address=1.2.3.100 service=l2tp

# Here I can give the default ppp profile, but I can't give the ipsec profile????
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes \
    ipsec-secret=***** use-ipsec=required
I see this in the logs if I try to connect from Windows 10:
2:55:52 ipsec,info respond new phase 1 (Identity Protection): 5.6.7.8[500]<=>9.10.11.12[7412]
12:55:52 ipsec,error no suitable proposal found.
12:55:52 ipsec,error 9.10.11.12 failed to get valid proposal.
12:55:52 ipsec,error 9.10.11.12 failed to pre-process ph1 packet (side: 1, status 1).
12:55:52 ipsec,error 9.10.11.12 phase1 negotiation failed.
I guess the "phase1 proposal" actually means "/ip ipsec profile".

Either the l2tp-server is not using the default ipsec profile, or the Windows 10 client cannot use the given phase 1 settings.

After adding l2tp and ipsec to logging:
13:08:56 ipsec,info respond new phase 1 (Identity Protection): 5.6.7.8[500]<=>9.10.11.12[7412]
13:08:56 ipsec,debug begin.
13:08:56 ipsec,debug seen nptype=1(sa) len=212
13:08:56 ipsec,debug seen nptype=13(vid) len=24
13:08:56 ipsec,debug seen nptype=13(vid) len=24
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug succeed.
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug 01528bbb c0069612 1849ab9a 1c5b2a51 00000001
13:08:56 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
13:08:56 ipsec received Vendor ID: RFC 3947
13:08:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
13:08:56 ipsec received Vendor ID: FRAGMENTATION
13:08:56 ipsec Fragmentation enabled
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug fb1de3cd f341b7ea 16b7e5be 0855f120
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug 26244d38 eddb61b3 172a36e3 d0cfb819
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug e3a5966a 76379fe7 07228231 e5ce8652
13:08:56 ipsec 9.10.11.12 Selected NAT-T version: RFC 3947
13:08:56 ipsec,debug total SA len=208
13:08:56 ipsec,debug 00000001 00000001 000000c8 01010005 03000028 01010000 80010007 800e0100
13:08:56 ipsec,debug 80020002 80040014 80030001 800b0001 000c0004 00007080 03000028 02010000
13:08:56 ipsec,debug 80010007 800e0080 80020002 80040013 80030001 800b0001 000c0004 00007080
13:08:56 ipsec,debug 03000028 03010000 80010007 800e0100 80020002 8004000e 80030001 800b0001
13:08:56 ipsec,debug 000c0004 00007080 03000024 04010000 80010005 80020002 8004000e 80030001
13:08:56 ipsec,debug 800b0001 000c0004 00007080 00000024 05010000 80010005 80020002 80040002
13:08:56 ipsec,debug 80030001 800b0001 000c0004 00007080
13:08:56 ipsec,debug begin.
13:08:56 ipsec,debug seen nptype=2(prop) len=200
13:08:56 ipsec,debug succeed.
13:08:56 ipsec,debug proposal #1 len=200
13:08:56 ipsec,debug begin.
13:08:56 ipsec,debug seen nptype=3(trns) len=40
13:08:56 ipsec,debug seen nptype=3(trns) len=40
13:08:56 ipsec,debug seen nptype=3(trns) len=40
13:08:56 ipsec,debug seen nptype=3(trns) len=36
13:08:56 ipsec,debug seen nptype=3(trns) len=36
13:08:56 ipsec,debug succeed.
13:08:56 ipsec,debug transform #1 len=40
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug,packet encryption(aes)
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug dh(ecp384)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #2 len=40
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug,packet encryption(aes)
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug dh(ecp256)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #3 len=40
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug,packet encryption(aes)
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug dh(modp2048)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #4 len=36
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug,packet encryption(3des)
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug dh(modp2048)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #5 len=36
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug,packet encryption(3des)
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug dh(modp1024)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug pair 1:
13:08:56 ipsec,debug  0xa2128: next=(nil) tnext=0xa3f60
13:08:56 ipsec,debug   0xa3f60: next=(nil) tnext=0x99c78
13:08:56 ipsec,debug    0x99c78: next=(nil) tnext=0x998a0
13:08:56 ipsec,debug     0x998a0: next=(nil) tnext=0x9c030
13:08:56 ipsec,debug      0x9c030: next=(nil) tnext=(nil)
13:08:56 ipsec,debug proposal #1: 5 transform
13:08:56 ipsec,debug -checking with pre-shared key auth-
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=1, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:AES-CBC
13:08:56 ipsec,debug (encklen = 256:256)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:384-bit random ECP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=2, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:AES-CBC
13:08:56 ipsec,debug (encklen = 256:128)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:256-bit random ECP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=3, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:AES-CBC
13:08:56 ipsec,debug (encklen = 256:256)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=4, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:3DES-CBC
13:08:56 ipsec,debug (encklen = 256:0)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=5, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:3DES-CBC
13:08:56 ipsec,debug (encklen = 256:0)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 4:SHA
13:08:56 ipsec,error no suitable proposal found.
13:08:56 ipsec,error 9.10.11.12 failed to get valid proposal.
13:08:56 ipsec,error 9.10.11.12 failed to pre-process ph1 packet (side: 1, status 1).
13:08:56 ipsec,error 9.10.11.12 phase1 negotiation failed.
On the Windows client side, I have selected "Require encryption (disconnect if server declines)."

Any idea what might be causing this problem?
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: How can I use a custom ipsec profile for L2TP server?

Sun Jun 27, 2021 4:13 pm

After going through the logs, I could finish phase1 with this:
 /ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 name=profile_l2tp
Maybe Windows can do modp2048 in phase1 after all? But it can't use sha256? If that is the case, then the MikroTik documentation needs to be changed.

Now I'm getting "failed to pre-process ph2 packet" errors, so I guess that information about phase 2 algorithms is also wrong?
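
Added example, not part of the original posts: a small Python parser that reads the "trns#=N" blocks of a RouterOS ipsec debug log like the one in the first post and lists, for each transform the peer offered, which settings of a single-valued phase 1 profile differ. The sample lines are constructed from that log and trimmed; the function names and the dictionary layout are assumptions of this example.

```python
import re

# Constructed sample: the "trns#=N" blocks of the debug log above, trimmed to
# the attributes that decide the match (auth method and lifetime left out).
SAMPLE_LOG = """\
13:08:56 ipsec,debug trns#=1, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug trns#=2, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug trns#=3, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug trns#=4, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug trns#=5, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
"""

HEAD = re.compile(r"trns#=(\d+), trns-id=IKE")
ATTR = re.compile(r"type=([^,]+), flag=0x[0-9a-f]+, lorv=(.+)$")

def parse_offers(log):
    """Map transform number -> RouterOS-style names for what the peer offered."""
    raw, cur = {}, None
    for line in log.splitlines():
        if m := HEAD.search(line):
            cur = raw.setdefault(int(m.group(1)), {})
        elif cur is not None and (m := ATTR.search(line)):
            cur[m.group(1)] = m.group(2).strip()
        else:
            cur = None  # any other line ends the block; later attribute dumps are ignored
    return {n: normalise(a) for n, a in raw.items()}

def normalise(a):
    """Translate log wording (AES-CBC/256, SHA, 2048-bit MODP group) to profile values."""
    enc = "3des" if a["Encryption Algorithm"].startswith("3DES") else "aes-" + a["Key Length"]
    hsh = "sha1" if a["Hash Algorithm"] == "SHA" else a["Hash Algorithm"].lower()
    bits, kind = re.match(r"(\d+)-bit (MODP|random ECP)", a["Group Description"]).groups()
    return {"enc-algorithm": enc, "hash-algorithm": hsh,
            "dh-group": ("modp" if kind == "MODP" else "ecp") + bits}

def mismatches(log, profile):
    """Per offered transform, the profile settings that differ (empty list = acceptable)."""
    return {n: [k for k in profile if profile[k] != o[k]]
            for n, o in sorted(parse_offers(log).items())}
```

Called with the first post's profile (aes-256, sha256, modp1024) every transform reports at least one difference; with the second post's profile (aes-256, sha1, modp2048) transform 3 reports none.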
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: How can I use a custom ipsec profile for L2TP server?

Sun Jun 27, 2021 4:45 pm

I could also eliminate the "failed to pre-process ph2 packet" error by removing the manual policy and the group-l2tp group, re-enabling the default ::0/0 policy template, and rebooting the router.

It seems that the default ipsec profile is always used for l2tp server. But I don't see this documented anywhere. I'm not sure if the original question is still valid or not. I can change ipsec profile settings as long as I do this on the default ipsec profile.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How can I use a custom ipsec profile for L2TP server?

Sun Jun 27, 2021 7:28 pm

It's "all or nothing". Either you ask RouterOS to create the IPsec configuration for the L2TP server "dynamically" by setting use-ipsec=yes or required and non-empty ipsec-secret, and it uses the default rows of /ip ipsec profile and /ip ipsec policy group when creating the peer and identity items, or you set use-ipsec=no and create the complete IPsec configuration for the L2TP server manually.

I've described multiple times here how to create a manual IPsec configuration by cloning and then modifying the dynamic one, the second part of this post should give you the idea.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: How can I use a custom ipsec profile for L2TP server?

Sun Jun 27, 2021 11:36 pm

I have been here on this forum for a while, and got lots of help from people like you. I'm really grateful.

I had to learn a lot in the past few months, and now I think I fully understand your answer. :-)
