kelarlee
newbie
Topic Author
Posts: 29
Joined: Thu Dec 27, 2018 5:48 pm

Dynamic policies not removing with disabled L2TP+IPSEC interface

Sun Dec 04, 2022 4:39 pm

Hi, I have a strange issue or bug, I don't know which, but for some reason dynamic IPsec policies, peers and identities are not removed automatically when I disable the L2TP+IPsec interface. In my lab I'm testing dual WAN with recursive failover and two L2TP+IPsec tunnels running simultaneously from different ISPs for failover (no load balancing). Everything seems to work except this strange bug. The problem is that when I manually deleted all the policies, peers and identities that were stuck with the related disabled L2TP interface, I couldn't establish a new connection. When I enabled this L2TP interface, the new dynamic peer, policies etc. were just not created dynamically and the log showed "Tunnel is not encrypted". Only after I rebooted the router did this L2TP interface start creating dynamic IPsec policies, but again it did not remove the dynamic policies. Policies and peers not being created:
[attachment: 2022-12-04 162021.png]
IPsec policies, peers and identities not being removed (sometimes they are stuck with two L2TP interfaces, sometimes with one):
[attachment: 2022-12-04 162402.png]

Just in case my config:
/interface bridge
add name=br-lo
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=SOLVER
set [ find default-name=ether2 ] comment=VAK
/interface l2tp-client
add allow=mschap2 comment=VAK connect-to=VPN_server_IP name=l2tp-out1 \
    src-address=192.168.60.140 use-ipsec=yes user=User1
add allow=mschap2 comment=Solver connect-to=VPN_server_IP name=l2tp-out2 \
    src-address=192.168.10.173 use-ipsec=yes user=User2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
    disabled=no mode=ap-bridge ssid=MikroTik
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip ipsec peer
add address=VPN_server_IP/32 disabled=yes local-address=192.168.60.140 name=VAK
add address=VPN_server_IP/32 disabled=yes local-address=192.168.10.173 name=\
    Solver
/ip pool
add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/interface l2tp-server server
set authentication=mschap2 enabled=yes one-session-per-host=yes use-ipsec=\
    required
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.60.140/24 comment=VAK interface=ether2 network=\
    192.168.60.0
add address=192.168.99.1/24 interface=bridge1 network=192.168.99.0
add address=192.168.10.173/24 comment=Solver interface=ether1 network=\
    192.168.10.0
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=1.1.1.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=192.168.99.253 disabled=yes list=VAK
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=\
    BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment=\
    "Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS
/ip firewall mangle
add action=mark-connection chain=input disabled=yes in-interface=ether1 \
    new-connection-mark=con_solver
add action=mark-connection chain=input disabled=yes in-interface=ether2 \
    new-connection-mark=con_VAK
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=con_solver
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=con_VAK
add action=mark-routing chain=prerouting connection-mark=con_solver \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
    rout_solver
add action=mark-routing chain=prerouting connection-mark=con_VAK \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=rout_VAK \
    tcp-flags=""
add action=mark-routing chain=output connection-mark=con_solver \
    dst-address-type=!local new-routing-mark=rout_solver
add action=mark-routing chain=output connection-mark=con_VAK \
    dst-address-type=!local new-routing-mark=rout_VAK
add action=mark-routing chain=prerouting disabled=yes dst-address-list=\
    !BOGONS new-routing-mark=rout_VAK src-address-list=VAK
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
add action=dst-nat chain=dstnat dst-address=192.168.60.140 dst-port=21 \
    in-interface=ether1 protocol=udp to-addresses=192.168.99.254 to-ports=\
    2221
add action=dst-nat chain=dstnat dst-address=192.168.60.140 dst-port=45698 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.99.253 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.242 \
    dst-port=2356 in-interface=ether2 protocol=tcp to-addresses=\
    192.168.99.254 to-ports=2221
add action=dst-nat chain=dstnat dst-address=192.168.10.242 dst-port=2356 \
    in-interface=ether2 protocol=tcp to-addresses=192.168.99.253 to-ports=80
/ip ipsec identity
add disabled=yes peer=VAK
add disabled=yes peer=Solver
/ip ipsec policy
add disabled=yes dst-port=1701 peer=VAK src-port=1701
add disabled=yes dst-port=1701 peer=Solver src-port=1701
/ip route
add distance=1 gateway=8.8.8.8 routing-mark=rout_solver target-scope=11
add distance=1 gateway=1.1.1.1 routing-mark=rout_VAK target-scope=11
add check-gateway=ping comment="Unmarked via Solver" distance=1 gateway=\
    8.8.8.8 target-scope=11
add check-gateway=ping comment="Unmarked via VAK" distance=2 gateway=1.1.1.1 \
    target-scope=11
add comment="Emergency route" distance=254 gateway=br-lo
add check-gateway=ping comment="For recursion via VAK" distance=1 \
    dst-address=1.1.1.1/32 gateway=192.168.60.25 scope=11
add check-gateway=ping comment="For recursion via Solver" distance=1 \
    dst-address=8.8.8.8/32 gateway=192.168.10.25 scope=11
add check-gateway=ping distance=1 dst-address=192.168.131.0/24 gateway=\
    172.16.1.1%l2tp-out2 pref-src=192.168.99.1
add check-gateway=ping distance=2 dst-address=192.168.131.0/24 gateway=\
    172.16.1.1%l2tp-out1 pref-src=192.168.99.1
add check-gateway=ping distance=3 dst-address=192.168.131.0/24 type=\
    unreachable
/ip route rule
add comment="to LAN" dst-address=192.168.0.0/16 table=main
add comment="to LAN" dst-address=172.16.0.0/16 table=main
add comment=VAK src-address=192.168.60.140/32 table=rout_VAK
add comment=Solver src-address=192.168.10.173/32 table=rout_solver
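As an added example (not the poster's code and not part of RouterOS), here is a small Python parser for the export format shown above, followed by a check that lists, for each L2TP client with use-ipsec=yes, the static /ip ipsec peer entries bound to the same local address, whether each is disabled, and how many identities and policies still reference it; leftover static entries are the first thing to compare against the dynamic ones the client is expected to create. The sample export is a constructed excerpt of the posted config, and `parse_export` and `audit_l2tp_ipsec` are hypothetical names.

```python
import shlex

# Constructed excerpt modelled on the export in the first post (not the full config).
EXPORT = r"""
/interface l2tp-client
add allow=mschap2 comment=VAK connect-to=VPN_server_IP name=l2tp-out1 \
    src-address=192.168.60.140 use-ipsec=yes user=User1
add allow=mschap2 comment=Solver connect-to=VPN_server_IP name=l2tp-out2 \
    src-address=192.168.10.173 use-ipsec=yes user=User2
/ip ipsec peer
add address=VPN_server_IP/32 disabled=yes local-address=192.168.60.140 name=VAK
add address=VPN_server_IP/32 disabled=yes local-address=192.168.10.173 name=\
    Solver
/ip ipsec identity
add disabled=yes peer=VAK
add disabled=yes peer=Solver
/ip ipsec policy
add disabled=yes dst-port=1701 peer=VAK src-port=1701
add disabled=yes dst-port=1701 peer=Solver src-port=1701
"""

def parse_export(text):
    """Map each '/path' section to the attribute dicts of its 'add' lines."""
    sections, path, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):      # the export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):     # section header such as /ip ipsec peer
            path = line
        elif line and path:
            tokens = shlex.split(line)   # copes with "quoted values" and \" escapes
            if tokens[0] == "add":
                sections.setdefault(path, []).append(
                    dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def audit_l2tp_ipsec(sections):
    """Static IPsec peers sharing each use-ipsec L2TP client's local address."""
    peers = sections.get("/ip ipsec peer", [])
    refs = sections.get("/ip ipsec identity", []) + sections.get("/ip ipsec policy", [])
    report = {}
    for c in sections.get("/interface l2tp-client", []):
        if c.get("use-ipsec") == "yes":
            report[c["name"]] = [
                {"peer": p["name"], "disabled": p.get("disabled") == "yes",
                 "references": sum(r.get("peer") == p["name"] for r in refs)}
                for p in peers if p.get("local-address") == c.get("src-address")]
    return report
```

Feed it the output of `/export` from the router to see which static peers overlap a tunnel's local address; each entry's `references` count is identities plus policies pointing at that peer.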
 
pató
just joined
Posts: 5
Joined: Mon Mar 15, 2021 11:55 am

Re: Dynamic policies not removing with disabled L2TP+IPSEC interface

Tue Jun 27, 2023 5:31 pm

Hi,

Can you fix this?

I have the same problem now. :)
 
pató
just joined
Posts: 5
Joined: Mon Mar 15, 2021 11:55 am

Re: Dynamic policies not removing with disabled L2TP+IPSEC interface

Sun Sep 03, 2023 1:52 pm

I think this won't help you because your post is old, but I hope it helps others in the future.
PPP/Interface/L2TP Server: there is a check box here, and if you disable it every dynamic rule will disappear.
 
ZarNi
just joined
Posts: 1
Joined: Tue Sep 05, 2023 7:53 am

Re: Dynamic policies not removing with disabled L2TP+IPSEC interface

Tue Sep 05, 2023 8:10 am

Hi everyone, I created an L2TP VPN server on a MikroTik router. When I connect to the VPN from my Windows 10 laptop, it says "The L2tp connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer". How can I solve that problem? Please help me.
 
Carlanga92
just joined
Posts: 2
Joined: Wed Dec 27, 2023 1:08 am

Re: Dynamic policies not removing with disabled L2TP+IPSEC interface

Wed Dec 27, 2023 1:27 am

I think this won't help you because your post is old, but I hope it helps others in the future.
PPP/Interface/L2TP Server: there is a check box here, and if you disable it every dynamic rule will disappear.
Thanks, it worked for me.