PeterEs
just joined
Topic Author
Posts: 8
Joined: Mon May 12, 2014 12:33 pm

IPSec phase1 negotiation error

Mon Jan 12, 2015 12:17 pm

We have a MikroTik CCR1009 at the office as the internet router. This router is configured as an L2TP/IPsec VPN server. It is possible to connect Windows clients and iPhones.

I bought a few RB750s to use as L2TP/IPsec VPN clients. My intention is to use these devices at some home users' sites, behind their current routers, to connect a few devices (such as VoIP phones) to the corporate LAN. Because of the users' home routers, the RB750 will be placed behind NAT.

The connection is UP and I can send data in both directions. However, every minute I see an error in the RB750 log: "phase1 negotiation failed due to time up {user LAN ip}[500]<=>{office public IP}[500]". Is this a configuration issue, or is it caused by the user's internet router?

Office
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=topsecret use-ipsec=yes
Client
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address={office public IP}/32 enc-algorithm=3des lifetime=30m nat-traversal=no secret=topsecret
/interface l2tp-client
add add-default-route=no allow=mschap2 connect-to={office public IP} dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=1600 name=VPNuser password=password profile=default-encryption user=VPNuser
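An added example, not code from the original post or from MikroTik, showing what a practitioner would change and check on the configuration above. It assumes RouterOS 6.2x command syntax (the peer form the post uses), the documentation address 203.0.113.10 in place of {office public IP}, and that the RB750 really is behind NAT as stated. The thread itself does not confirm which setting causes the error, so the diagnostic commands at the end are the part that tells you.

```routeros
# Added example, not from the original post and not MikroTik's own configuration.
# Assumptions: RouterOS 6.2x syntax (pre-6.43 /ip ipsec peer form), office public IP
# 203.0.113.10 (RFC 5737 placeholder, substitute your own), client behind a NAT router.

# --- Client side (RB750 behind NAT) ---
# The posted peer entry has nat-traversal=no although the client sits behind NAT.
# NAT-T (RFC 3947/3948) is what lets the peers detect the NAT and move IKE and
# UDP-encapsulated ESP to UDP/4500; without it both ends stay on UDP/500, which is what
# the [500]<=>[500] in the logged error shows. Add DPD so a dead tunnel is torn down
# instead of being retried every lifetime.
/ip ipsec peer
set [ find address="203.0.113.10/32" ] nat-traversal=yes dpd-interval=30s dpd-maximum-failures=3

# 3DES is the weakest cipher on offer here. Both ends must list a common algorithm, so
# change the office proposal and peer to match if you move to AES.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des auth-algorithms=sha1
/ip ipsec peer
set [ find address="203.0.113.10/32" ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha1

# --- Office side (CCR1009) ---
# With use-ipsec=yes the L2TP server creates its IPsec peer dynamically (D flag in the
# listing), so there is normally nothing to add by hand; this just shows it.
/ip ipsec peer print

# The input chain must accept IKE (UDP/500), NAT-T (UDP/4500) and plain ESP for clients
# that are not behind NAT. Keep these above any drop rule in the input chain.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP from non-NAT peers"

# --- Checking phase 1 on either end ---
# Log IKE/IPsec events to memory, then inspect the negotiation and the resulting SAs.
# With NAT-T working, the negotiation log lines show [4500]<=>[4500] after NAT detection
# rather than [500]<=>[500].
/system logging add topics=ipsec action=memory
/log print where topics~"ipsec"
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

The home router in front of the RB750 still has to let UDP/500 and UDP/4500 out and the replies back in; most consumer routers do this by default for outbound connections, but a router that blocks or rewrites UDP/4500 will reproduce the same symptom with nat-traversal=yes.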
 
spippan
Member Candidate
Posts: 100
Joined: Wed Nov 12, 2014 1:00 pm

Re: IPSec phase1 negotiation error

Tue Jan 13, 2015 2:18 pm

...

I get the same error when I try to connect to my RB951 (RouterOS v6.24) L2TP/IPsec server from my iPhone 6 (3G and WiFi),
though I can connect via PPTP (just tested it with the same user) and I get a connection with "MPPE128 stateless".

From my Mac mini the L2TP/IPsec connection works without any problems (same WiFi/LAN).

Any ideas on how to properly get L2TP/IPsec running? Please....?
---
raiffeisen data center infrastructure and security
...stay curious
 
PeterEs

Re: IPSec phase1 negotiation error

Wed Jan 14, 2015 12:56 pm

...
I think your problem is a little different. You get the errors server side, I get them on the client.
 
spippan

Re: IPSec phase1 negotiation error

Wed Jan 14, 2015 1:30 pm

...
I think your problem is a little different. You get the errors server side, i get them on the client.

Erm ... yes, of course server side, because the TIK (RB951) IS the VPN server.
I have no clue what to change in the IPsec settings to get it working for my iPhone to connect via 3G/cellular .... (WiFi > no problem; other L2TP/IPsec > no problem)

Even if I use the iPhone's mobile hotspot function and try to connect via that hotspot connection with e.g. my Mac mini.... no luck ....
but via PPTP > success
Also a different L2TP/IPsec connection to a completely different server via 3G/cellular/iPhone hotspot > success
 
spippan

Re: IPSec phase1 negotiation error

Mon Feb 02, 2015 1:37 pm

still no clue ... anyone??

still no change with the newest rOS 6.25
