garymikrotik
just joined
Topic Author
Posts: 11
Joined: Fri Jul 02, 2021 6:27 pm

VPN setup for Windows 10

Fri Sep 17, 2021 2:16 am

Hello,

I'm pulling my hair out trying to get this to work. Fortunately, I keep my hair short so I can't do any damage. 8)

This is in a test environment so I am not worried about passwords or IP addresses. My goal is to be able to have Windows, Android, and Apple (Macs, iPads, and iPhones) devices connect.

What am I missing?
Thanks!

Laptop attempting to connect using the Windows 10 built-in VPN connector.
- Edition Windows 10 Pro
- Version 2004
- OS build 19042.1165
- Experience Windows Feature Experience Pack 120.2212.3530.0

The following configuration represents a combination of several articles/notes.
/ip ipsec export
# sep/16/2021 18:38:51 by RouterOS 6.48.4
#
# model = RouterBOARD 750G r3
/ip ipsec profile set [ find default=yes ] \
    dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 \
    dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256

/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm \
    pfs-group=ecp256

/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
 0  DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes

/interface l2tp-server export hide-sensitive
# sep/16/2021 18:36:57 by RouterOS 6.48.4
#
# model = RouterBOARD 750G r3
/interface l2tp-server add name=l2tp-in1 user=vpn

/interface l2tp-server server set enabled=yes ipsec-secret=vpn use-ipsec=required

/log print where topics~"ipsec"
18:27:32 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:32 ipsec,error no suitable proposal found.
18:27:32 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:32 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:32 ipsec,error 10.10.1.141 phase1 negotiation failed.
18:27:33 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:33 ipsec,error no suitable proposal found.
18:27:33 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:33 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:33 ipsec,error 10.10.1.141 phase1 negotiation failed.
18:27:36 ipsec,info respond new phase 1 (Identity Protection): 10.10.1.134[500]<=>10.10.1.141[500]
18:27:36 ipsec,error no suitable proposal found.
18:27:36 ipsec,error 10.10.1.141 failed to get valid proposal.
18:27:36 ipsec,error 10.10.1.141 failed to pre-process ph1 packet (side: 1, status 1).
18:27:36 ipsec,error 10.10.1.141 phase1 negotiation failed.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN setup for Windows 10  [SOLVED]

Sat Sep 18, 2021 7:16 pm

/system logging add topics=ipsec,!packet will make the log much more verbose, and you'll be able to see the contents of the Phase 1 proposal coming from Windows.

If I remember well, Windows doesn't support sha256, at least unless you do some PowerShell magic.
 
garymikrotik
just joined
Topic Author
Posts: 11
Joined: Fri Jul 02, 2021 6:27 pm

Re: VPN setup for Windows 10

Sat Sep 18, 2021 9:31 pm

Thanks for the logging hint, Sindy.

Using the log, I was able to get the 2 sides to sync up. Now I just have to figure out how to be able to access systems on the MikroTik ethernet ports.

My settings.
IP / IPsec / Proposals
- Auth Algo. - sha1, sha256, sha 512
- Encr. algo. - aes-128 cbc, aes-256 cbc
- lifetime - 08:00:00 (this came from the windows side)
- PFS group - ecp388

IP / IPsec / Profiles
- Hash algo. - sha1
- PRF algo. - sha1
- Encryption Algo. - sha1, sha256, sha 512
- DH group - ecp256, ecp384, ecp521
- Proposal Check - Obey
- lifetime - 08:00:00
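
Added example, not part of any post in this thread: a small Python check that takes the profile line from the first post and reports which Phase 1 attribute causes "no suitable proposal found" for a given initiator offer. The offer list is constructed sample data standing in for what the verbose ipsec log would show, and the function names are hypothetical.

```python
import re

# Profile line as posted in the thread (RouterOS 6.48.4 export, joined to one line).
PROFILE_EXPORT = (
    "/ip ipsec profile set [ find default=yes ] "
    "dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 "
    "dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256"
)

# Constructed initiator offer: stands in for what the verbose ipsec log would
# list. These transforms are assumptions, not captured from a real client.
SAMPLE_OFFER = [
    {"enc": "aes-256", "hash": "sha1", "dh": "ecp384"},
    {"enc": "aes-128", "hash": "sha1", "dh": "ecp256"},
    {"enc": "3des", "hash": "sha1", "dh": "modp2048"},
]

# Short attribute name -> RouterOS profile parameter name.
KEYS = {"enc": "enc-algorithm", "hash": "hash-algorithm", "dh": "dh-group"}


def parse_profile(export_line):
    """Return {'enc': set, 'hash': set, 'dh': set} from a profile export line."""
    params = dict(re.findall(r"([a-z-]+)=(\S+)", export_line))
    return {short: set(params.get(long, "").split(",")) - {""}
            for short, long in KEYS.items()}


def check_offer(profile, offer):
    """Pair each offered transform with the attributes the profile rejects."""
    return [(t, sorted(k for k in KEYS if t[k] not in profile[k])) for t in offer]


def blocking_attributes(results):
    """Attributes rejected in every transform: fixing one of these is required."""
    sets = [set(rejected) for _, rejected in results]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    profile = parse_profile(PROFILE_EXPORT)
    results = check_offer(profile, SAMPLE_OFFER)
    for transform, rejected in results:
        print(transform, "->", f"rejected on {rejected}" if rejected else "accepted")
    print("blocks every transform:", blocking_attributes(results))
```

Replace SAMPLE_OFFER with the transforms printed after enabling the `ipsec,!packet` logging topic to run the same comparison against a real client.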
