- phase 1 (profile): SHA256 AES-256-CBC modp1024
- phase 2 (proposal): SHA1 AES-256-CBC none
I cannot find a way to change the phase 1 ipsec profile that is assigned to l2tp-server. There is a "/interface l2tp-server server default-profile" setting, but that is for the ppp profile and not the ipsec profile.
The only option I see is to change the default ipsec profile and hope that it will be used by the l2tp-server. (???)
Here is an example config (addresses and passwords hidden):
Code:
# Change the default phase1 ipsec profile and hope that it will be used by l2tp-server.
/ip ipsec profile
set [ find default=yes] \
name="profile_l2tp" \
hash-algorithm=sha256 \
enc-algorithm=aes-256 \
dh-group=modp1024
# phase 2 ipsec proposal
/ip ipsec proposal
add name=proposal-l2tp auth-algorithms=sha1 \
enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none
# This is just a manual policy, I want to limit this strictly to two fixed addresses on the two sides.
/ip ipsec policy group
add name=group-l2tp
/ip ipsec policy
add comment=l2tp dst-address=1.2.3.100 group=group-l2tp proposal=proposal-l2tp \
src-address=1.2.3.4 template=yes
# The "default-encryption" profile cannot be removed or disabled, but it won't be used.
/ppp profile
add dns-server=1.2.3.4 local-address=1.2.3.4 name=l2tp_vpn
/ppp secret
add name=test-client password="********" profile=l2tp_vpn remote-address=1.2.3.100 service=l2tp
# Here I can give the default ppp profile, but I can't give the ipsec profile????
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes \
ipsec-secret=***** use-ipsec=required
Code:
12:55:52 ipsec,info respond new phase 1 (Identity Protection): 5.6.7.8[500]<=>9.10.11.12[7412]
12:55:52 ipsec,error no suitable proposal found.
12:55:52 ipsec,error 9.10.11.12 failed to get valid proposal.
12:55:52 ipsec,error 9.10.11.12 failed to pre-process ph1 packet (side: 1, status 1).
12:55:52 ipsec,error 9.10.11.12 phase1 negotiation failed.
Either the l2tp-server is not using the default ipsec profile, or the Windows 10 client cannot use the given phase 1 settings.
After adding l2tp and ipsec to logging:
Code:
13:08:56 ipsec,info respond new phase 1 (Identity Protection): 5.6.7.8[500]<=>9.10.11.12[7412]
13:08:56 ipsec,debug begin.
13:08:56 ipsec,debug seen nptype=1(sa) len=212
13:08:56 ipsec,debug seen nptype=13(vid) len=24
13:08:56 ipsec,debug seen nptype=13(vid) len=24
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug seen nptype=13(vid) len=20
13:08:56 ipsec,debug succeed.
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug 01528bbb c0069612 1849ab9a 1c5b2a51 00000001
13:08:56 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
13:08:56 ipsec received Vendor ID: RFC 3947
13:08:56 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
13:08:56 ipsec received Vendor ID: FRAGMENTATION
13:08:56 ipsec Fragmentation enabled
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug fb1de3cd f341b7ea 16b7e5be 0855f120
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug 26244d38 eddb61b3 172a36e3 d0cfb819
13:08:56 ipsec,debug received unknown Vendor ID
13:08:56 ipsec,debug e3a5966a 76379fe7 07228231 e5ce8652
13:08:56 ipsec 9.10.11.12 Selected NAT-T version: RFC 3947
13:08:56 ipsec,debug total SA len=208
13:08:56 ipsec,debug 00000001 00000001 000000c8 01010005 03000028 01010000 80010007 800e0100
13:08:56 ipsec,debug 80020002 80040014 80030001 800b0001 000c0004 00007080 03000028 02010000
13:08:56 ipsec,debug 80010007 800e0080 80020002 80040013 80030001 800b0001 000c0004 00007080
13:08:56 ipsec,debug 03000028 03010000 80010007 800e0100 80020002 8004000e 80030001 800b0001
13:08:56 ipsec,debug 000c0004 00007080 03000024 04010000 80010005 80020002 8004000e 80030001
13:08:56 ipsec,debug 800b0001 000c0004 00007080 00000024 05010000 80010005 80020002 80040002
13:08:56 ipsec,debug 80030001 800b0001 000c0004 00007080
13:08:56 ipsec,debug begin.
13:08:56 ipsec,debug seen nptype=2(prop) len=200
13:08:56 ipsec,debug succeed.
13:08:56 ipsec,debug proposal #1 len=200
13:08:56 ipsec,debug begin.
13:08:56 ipsec,debug seen nptype=3(trns) len=40
13:08:56 ipsec,debug seen nptype=3(trns) len=40
13:08:56 ipsec,debug seen nptype=3(trns) len=40
13:08:56 ipsec,debug seen nptype=3(trns) len=36
13:08:56 ipsec,debug seen nptype=3(trns) len=36
13:08:56 ipsec,debug succeed.
13:08:56 ipsec,debug transform #1 len=40
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug,packet encryption(aes)
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug dh(ecp384)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #2 len=40
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug,packet encryption(aes)
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug dh(ecp256)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #3 len=40
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug,packet encryption(aes)
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug dh(modp2048)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #4 len=36
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug,packet encryption(3des)
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug dh(modp2048)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug transform #5 len=36
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug,packet encryption(3des)
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug hash(sha1)
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug dh(modp1024)
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug pair 1:
13:08:56 ipsec,debug 0xa2128: next=(nil) tnext=0xa3f60
13:08:56 ipsec,debug 0xa3f60: next=(nil) tnext=0x99c78
13:08:56 ipsec,debug 0x99c78: next=(nil) tnext=0x998a0
13:08:56 ipsec,debug 0x998a0: next=(nil) tnext=0x9c030
13:08:56 ipsec,debug 0x9c030: next=(nil) tnext=(nil)
13:08:56 ipsec,debug proposal #1: 5 transform
13:08:56 ipsec,debug -checking with pre-shared key auth-
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=1, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:AES-CBC
13:08:56 ipsec,debug (encklen = 256:256)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:384-bit random ECP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=2, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:AES-CBC
13:08:56 ipsec,debug (encklen = 256:128)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:256-bit random ECP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=3, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:AES-CBC
13:08:56 ipsec,debug (encklen = 256:256)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=4, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:3DES-CBC
13:08:56 ipsec,debug (encklen = 256:0)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=5
13:08:56 ipsec,debug trns#=5, trns-id=IKE
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec,debug -compare proposal #1: Local:Peer
13:08:56 ipsec,debug (lifetime = 86400:28800)
13:08:56 ipsec,debug (lifebyte = 0:0)
13:08:56 ipsec,debug enctype = AES-CBC:3DES-CBC
13:08:56 ipsec,debug (encklen = 256:0)
13:08:56 ipsec,debug hashtype = 4:SHA
13:08:56 ipsec,debug authmethod = pre-shared key:pre-shared key
13:08:56 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=384-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:384-bit random ECP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=128
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=256-bit random ECP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:256-bit random ECP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
13:08:56 ipsec,debug type=Key Length, flag=0x8000, lorv=256
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=2048-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 4:SHA
13:08:56 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
13:08:56 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
13:08:56 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
13:08:56 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
13:08:56 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
13:08:56 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
13:08:56 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
13:08:56 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
13:08:56 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 4:SHA
13:08:56 ipsec,error no suitable proposal found.
13:08:56 ipsec,error 9.10.11.12 failed to get valid proposal.
13:08:56 ipsec,error 9.10.11.12 failed to pre-process ph1 packet (side: 1, status 1).
13:08:56 ipsec,error 9.10.11.12 phase1 negotiation failed.
Any idea what might be causing this problem?