Good morning
I have a problem with VPNs.
In my LAN there are several VLANs. I need VLAN 40 for a VPN tunnel with a remote office, and I use VLAN 70 as the PC LAN.
When the tunnel is active, it is not possible to establish a VPN connection from VLAN 70.
The error is: "The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."
How to solve this problem?
This is my config:
# mar/14/2023 13:55:57 by RouterOS 7.8
# software id = KY0P-YIRJ
#
# model = RB5009UG+S+
# serial number = EC190F3992F3
/interface bridge
# Single bridge for all LAN VLANs, with VLAN filtering on. protocol-mode=none
# disables (R)STP, so a loop between this bridge and the RT326 trunk would not
# be detected by the router. IGMP snooping and the querier are on (multicast
# toward the LAN; the TV port on VLAN 60 is presumably the consumer — verify).
add comment=Bridge igmp-snooping=yes multicast-querier=yes name=LAN-Bridge \
protocol-mode=none vlan-filtering=yes
/interface ethernet
# Physical ports renamed by role; every port runs jumbo frames (l2mtu/mtu
# 9796). Port 4 (LA-NAS3-1) and the old copper trunk on port 2 are disabled.
set [ find default-name=ether4 ] advertise=1000M-full comment="Porta 4" \
disabled=yes l2mtu=9796 mtu=9796 name=LA-NAS3-1
set [ find default-name=ether5 ] advertise=1000M-full comment="Porta 5" \
l2mtu=9796 mtu=9796 name=LA-NAS3-2
set [ find default-name=ether6 ] advertise=1000M-full comment="Porta 6" \
l2mtu=9796 mtu=9796 name=LA-NAS3-3
set [ find default-name=ether3 ] advertise=1000M-full comment="Porta 3" \
l2mtu=9796 mtu=9796 name=LINK-ASUS-RT-WIFI
set [ find default-name=ether8 ] advertise=1000M-full comment="Porta 8" \
l2mtu=9796 mtu=9796 name=MGMT_PORT
# 10G SFP+ trunk to the RT326 switch. VLAN 70 (PCs) has no local access port,
# so PC traffic reaches the router only through this trunk
# (see /interface bridge vlan).
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full comment=SFP+ \
l2mtu=9796 mtu=9796 name=TRUNK_RT5009-RT326 sfp-shutdown-temperature=70C
set [ find default-name=ether7 ] advertise=100M-full comment="Porta 7" l2mtu=\
9796 mtu=9796 name=TV
# ether1 is the physical WAN port; the ISP VLAN (VLAN-TIM) and the PPPoE
# session (WAN-TIM) sit on top of it.
set [ find default-name=ether1 ] advertise=1000M-full comment="Porta 1" \
l2mtu=9796 mtu=9796 name=WAN-OUT
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f\
ull,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" comment=\
"Porta 2 - Link con RT326 - Trunk" disabled=yes l2mtu=9796 mtu=9796 name=\
old_TRUNK_RT5009-RT326
/interface wireguard
# WireGuard road-warrior endpoint. The interface listens on UDP 13231 only;
# the firewall input rule also opens 13232, which nothing in this export
# listens on (13232 appears only as a peer's endpoint-port).
# NOTE(review): mtu=9796 is far above the 1420 default for a tunnel that
# crosses the PPPoE WAN; presumably this relies on fragmentation/PMTU — verify.
add comment="WireGuard Interface VPN" listen-port=13231 mtu=9796 name=\
WIREGUARD1
/interface vlan
# Layer-3 VLAN interfaces on LAN-Bridge. mtu 9792 = port MTU 9796 minus the
# 4-byte 802.1Q tag. (Italian comments: "Gestione" = management,
# "Nas e Tv" = NAS and TV.)
add comment="Vlan99 Gestione" interface=LAN-Bridge mtu=9792 name=MGMT_VLAN \
vlan-id=99
add comment="Vlan60 Nas e Tv" interface=LAN-Bridge mtu=9792 name=NAS-TV_VLAN \
vlan-id=60
add comment="Vlan70 Pc" interface=LAN-Bridge mtu=9792 name=PC_VLAN vlan-id=70
# VLAN 40 is the subnet carried over the IPsec tunnel to the remote office
# (192.168.40.0/24 <-> 192.168.25.0/24, see /ip ipsec policy).
add comment="Vlan40 Bck from SS" interface=LAN-Bridge mtu=9792 name=SS_VLAN \
vlan-id=40
# ISP VLAN on the physical WAN port; the PPPoE client runs on top of it.
# The vlan-id is redacted in the post.
add interface=WAN-OUT mtu=9792 name=VLAN-TIM vlan-id=xxx
add comment="Vlan90 Voip" interface=LAN-Bridge mtu=9792 name=VOIP_VLAN \
vlan-id=90
add comment="Vlan80 WiFi" interface=LAN-Bridge mtu=9792 name=WIFI_VLAN \
vlan-id=80
/interface pppoe-client
# WAN-TIM is the routed Internet interface (it installs the default route).
# Username redacted in the post.
add add-default-route=yes disabled=no interface=VLAN-TIM name=WAN-TIM user=\
xxxxxx
/interface list
# WAN / BASE / VLAN are the lists the firewall actually matches on.
add name=WAN
add name=BASE
add name=VLAN
# InternalInterfaces / ExternalInterfaces: every member is disabled
# (see /interface list member) and no rule in this export references them.
add comment="Trusted network interfaces (internal, clients vpn, etc)." name=\
InternalInterfaces
add comment="Untrusted network interfaces (internet, external etc)." name=\
ExternalInterfaces
/interface wireless security-profiles
# Exported default value; no wireless interface appears in this config.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Default phase-1 profile: used by any peer that does not name a profile,
# including the dynamic peer RouterOS creates for L2TP/IPsec clients.
# 3des is a legacy cipher kept at the end of the list; hash-algorithm and
# dh-group are not set here, so the RouterOS defaults apply.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
# Site-to-site profile: AES-256 / SHA-256 / DH group 14 only.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
"Profile SS"
/ip ipsec peer
# Remote-office peer, IKEv2, pinned to a fixed local address (both addresses
# redacted in the post). Authentication is configured in /ip ipsec identity.
add address=xxxxxx/32 exchange-mode=ike2 local-address=yyyyyyy \
name=Peer-SS profile="Profile SS"
/ip ipsec proposal
# Default phase-2 proposal (used by dynamic policies); still offers sha1 and
# 3des next to the AES variants.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,aes-128-ctr,3des \
pfs-group=modp2048
# Phase-2 proposal for the site-to-site policy. lifetime=0s — presumably no
# time-based SA rekey on this side, leaving it to the remote end; verify.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=\
Proposal-SS pfs-group=modp2048
/ip pool
# DHCP pools, one per LAN VLAN (.2-.254 of each /24), plus two VPN pools.
add name=PC_POOL ranges=192.168.70.2-192.168.70.254
add name=NAS-TV_POOL ranges=192.168.60.2-192.168.60.254
add name=MGMT_POOL ranges=192.168.0.10-192.168.0.20
add name=WIFI_POOL ranges=192.168.80.2-192.168.80.254
add name=OVPN ranges=172.16.100.2-172.16.100.254
# Range ends at .255, the broadcast address of 172.16.101.0/24; .254 is the
# usual upper bound. Only the unused L2TP_VPN profile consumes this pool.
add name=VPN-IPSEC ranges=172.16.101.2-172.16.101.255
add name=VOIP_POOL ranges=192.168.90.2-192.168.90.254
add name=SS_POOL ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
# One DHCP server per LAN VLAN interface; gateway/DNS per subnet are defined
# in /ip dhcp-server network.
add address-pool=PC_POOL interface=PC_VLAN lease-time=1d name=PC_DHCP
add address-pool=NAS-TV_POOL interface=NAS-TV_VLAN lease-time=1d name=\
NAS-TV_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN lease-time=1d name=MGMT_DHCP
add address-pool=WIFI_POOL interface=WIFI_VLAN lease-time=1d name=WIFI_DHCP
add address-pool=VOIP_POOL interface=VOIP_VLAN lease-time=1d name=VOIP_DHCP
add address-pool=SS_POOL interface=SS_VLAN lease-time=1d name=SS_DHCP
/ppp profile
# OpenVPN profile: encryption required, clients get 172.16.100.x and use the
# router-side tunnel address as DNS.
add dns-server=172.16.100.1 local-address=OVPN name=OPEN_VPN remote-address=\
OVPN use-compression=no use-encryption=required
# Not referenced by the L2TP server (default-profile=ipsec_vpn) nor by any
# secret in this export.
add change-tcp-mss=yes local-address=VPN-IPSEC name=L2TP_VPN remote-address=\
VPN-IPSEC use-ipv6=no
# Profile the L2TP server actually uses. local-address is the PC_VLAN gateway
# and the only L2TP secret (Laptop) pins remote-address=192.168.70.100, i.e.
# L2TP clients land inside VLAN 70. No remote-address pool is set, so every
# further secret needs its own remote-address. DNS is 8.8.8.8 here, whereas
# the DHCP networks hand out the router (192.168.0.1).
# NOTE(review): for a client on 192.168.70.100 to be reachable from other
# VLAN 70 hosts, PC_VLAN normally needs arp=proxy-arp, which this export does
# not show — verify.
add dns-server=8.8.8.8 local-address=192.168.70.1 name=ipsec_vpn use-ipv6=no
/queue tree
# HTB trees keyed on the packet marks set in /ip firewall mangle
# (RTP_PACKET, SIP_PACKET). Download side hangs off the LAN bridge:
# priority 1 RTP, priority 2 SIP, everything else (no-mark) capped at 1200M.
add max-limit=1500M name=Download parent=LAN-Bridge priority=1 queue=default
add limit-at=10M max-limit=10M name=Download_pri_1 packet-mark=RTP_PACKET \
parent=Download priority=1 queue=default
add limit-at=4M max-limit=4M name=Download_pri_2 packet-mark=SIP_PACKET \
parent=Download priority=2 queue=default
add max-limit=1200M name=Download_pri_8 packet-mark=no-mark parent=Download \
queue=default
# Upload side: parent is the physical WAN port (the PPPoE session leaves
# through WAN-OUT), 120M total.
add max-limit=120M name=Upload parent=WAN-OUT queue=default
add limit-at=5M max-limit=5M name=Upload_pri_1 packet-mark=RTP_PACKET parent=\
Upload priority=1 queue=default
add limit-at=5M max-limit=5M name=Upload_pri_2 packet-mark=SIP_PACKET parent=\
Upload priority=2 queue=default
add max-limit=110M name=Upload_pri_8 packet-mark=no-mark parent=Upload queue=\
default
/interface bridge port
# Trunk ports admit tagged frames only; access ports admit untagged (and
# priority-tagged) frames and get a PVID. Port naming in the comments is the
# original etherN name.
add bridge=LAN-Bridge comment=eth2 disabled=yes fast-leave=yes frame-types=\
admit-only-vlan-tagged interface=old_TRUNK_RT5009-RT326
add bridge=LAN-Bridge comment=eth3 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LINK-ASUS-RT-WIFI pvid=\
80
add bridge=LAN-Bridge comment=eth6 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LA-NAS3-3 pvid=40
add bridge=LAN-Bridge comment=eth4 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LA-NAS3-1 pvid=99
add bridge=LAN-Bridge comment=eth5 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=LA-NAS3-2 pvid=40
add bridge=LAN-Bridge comment=eth7 fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=TV pvid=60
# Management port: no frame-types set (default admits all), so a device on
# port 8 could also send tagged frames for other VLANs; the access ports above
# restrict this with admit-only-untagged-and-priority-tagged.
add bridge=LAN-Bridge comment=eth8 fast-leave=yes interface=MGMT_PORT pvid=99
# Active trunk to the RT326 switch.
add bridge=LAN-Bridge comment=sfp+ fast-leave=yes frame-types=\
admit-only-vlan-tagged interface=TRUNK_RT5009-RT326
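/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) announces the router's identity, model
# and addresses on the chosen interfaces. Limited to the VLAN list: the
# previous value 'all' also ran discovery on the untrusted WAN side
# (WAN-OUT / WAN-TIM, members of the WAN list). Devices on the untagged access
# ports are still discovered through their VLAN interface.
set discover-interface-list=VLAN
/ip settings
# SYN cookies protect the router's own listening services against SYN floods.
set tcp-syncookies=yes
/ipv6 settings
# IPv6 is fully disabled on the router.
set disable-ipv6=yes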
/interface bridge vlan
# Static VLAN table. Every VLAN is tagged on the bridge itself (for the L3
# /interface vlan entries) and on the RT326 trunk. VLAN 70 (PCs) and 90 (VoIP)
# have no local untagged port — those hosts sit behind the RT326 switch.
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=TV \
vlan-ids=60
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=70
# MGMT_PORT (pvid 99 in /interface bridge port) is not listed as untagged
# here; RouterOS adds pvid membership dynamically, so this should still work —
# confirm with the dynamic entries in "/interface bridge vlan print".
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=LA-NAS3-1 \
vlan-ids=99
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=\
LINK-ASUS-RT-WIFI vlan-ids=80
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 vlan-ids=90
add bridge=LAN-Bridge tagged=LAN-Bridge,TRUNK_RT5009-RT326 untagged=\
LA-NAS3-2,LA-NAS3-3 vlan-ids=40
/interface l2tp-server server
# L2TP with mandatory IPsec; clients get the ipsec_vpn profile.
# allow-fast-path lets L2TP payload traffic take the fast path (it then skips
# firewall/mangle processing).
# NOTE(review): enabled=yes is a non-default value and does not appear in
# this export, so as exported the L2TP server looks disabled — check
# "/interface l2tp-server server print" before debugging the client error.
set allow-fast-path=yes default-profile=ipsec_vpn use-ipsec=required
/interface list member
add interface=WAN-TIM list=WAN
add interface=MGMT_VLAN list=BASE
# VLAN = all LAN VLAN interfaces plus the WireGuard tunnel. This is the list
# the firewall trusts (input "Allow VLAN", forward "VLAN Internet Access
# only"), so WireGuard peers get the same router access as a LAN VLAN.
add interface=MGMT_VLAN list=VLAN
add interface=PC_VLAN list=VLAN
add interface=NAS-TV_VLAN list=VLAN
add interface=WIFI_VLAN list=VLAN
add interface=VOIP_VLAN list=VLAN
add interface=WIREGUARD1 list=VLAN
add interface=SS_VLAN list=VLAN
# All Internal/ExternalInterfaces members are disabled and unused by any rule.
# '*14' is an unresolved interface id (the interface no longer exists); the
# entry is dead and can be removed.
add disabled=yes interface=MGMT_VLAN list=InternalInterfaces
add disabled=yes interface=PC_VLAN list=InternalInterfaces
add disabled=yes interface=NAS-TV_VLAN list=InternalInterfaces
add disabled=yes interface=*14 list=InternalInterfaces
add disabled=yes interface=VOIP_VLAN list=InternalInterfaces
add disabled=yes interface=WIFI_VLAN list=InternalInterfaces
add disabled=yes interface=WIREGUARD1 list=InternalInterfaces
add disabled=yes interface=WAN-TIM list=ExternalInterfaces
/interface ovpn-server server
# certificate=*3 is an internal id rather than a name, which usually means the
# referenced certificate could not be resolved — check "/certificate print".
# enabled=yes is not in the export, so the OpenVPN server appears to be off.
set auth=sha1 certificate=*3 cipher=aes256-cbc
/interface wireguard peers
# Two road-warrior peers with one /32 each; no endpoint-address, so this side
# only responds to the peers. Public keys redacted in the post.
add allowed-address=10.10.10.2/32 endpoint-port=13231 interface=WIREGUARD1 \
public-key="xxxxxxxxxxxxxxxx"
add allowed-address=10.10.10.3/32 endpoint-port=13232 interface=WIREGUARD1 \
public-key="xxxxxxxxxxxxxxxxxxxx"
/ip address
# Router gateway address (.1) in each LAN VLAN, plus the WireGuard tunnel
# address 10.10.10.1/24. The PPPoE interface gets its address dynamically.
add address=192.168.0.1/24 interface=MGMT_VLAN network=192.168.0.0
add address=192.168.70.1/24 interface=PC_VLAN network=192.168.70.0
add address=192.168.80.1/24 interface=WIFI_VLAN network=192.168.80.0
add address=192.168.60.1/24 interface=NAS-TV_VLAN network=192.168.60.0
add address=192.168.90.1/24 interface=VOIP_VLAN network=192.168.90.0
add address=10.10.10.1/24 interface=WIREGUARD1 network=10.10.10.0
add address=192.168.40.1/24 interface=SS_VLAN network=192.168.40.0
/ip cloud
# MikroTik DDNS name for the public address (presumably what remote VPN
# clients connect to).
set ddns-enabled=yes
/ip dhcp-server lease
# Static leases, keyed by MAC (and client-id where the client sends one).
add address=192.168.80.254 client-id=1:3c:7c:3f:db:77:b0 mac-address=\
3C:7C:3F:DB:77:B0 server=WIFI_DHCP
add address=192.168.70.253 client-id=1:0:1b:21:c2:8:ea mac-address=\
00:1B:21:C2:08:EA server=PC_DHCP
add address=192.168.70.252 client-id=1:0:1b:21:c2:4:66 mac-address=\
00:1B:21:C2:04:66 server=PC_DHCP
add address=192.168.80.241 client-id=1:38:b4:d3:d3:15:90 mac-address=\
38:B4:D3:D3:15:90 server=WIFI_DHCP
add address=192.168.80.239 mac-address=DC:4F:22:DF:D1:5B server=WIFI_DHCP
add address=192.168.80.231 mac-address=DC:4F:22:2A:1C:DC server=WIFI_DHCP
add address=192.168.80.234 mac-address=80:91:33:9A:B2:E6 server=WIFI_DHCP
add address=192.168.80.228 client-id=1:b8:27:eb:8:2e:3d mac-address=\
B8:27:EB:08:2E:3D server=WIFI_DHCP
/ip dhcp-server network
# 172.16.100.0/24 is the OpenVPN pool; no DHCP server is bound to it, so this
# entry is never handed out by DHCP.
add address=172.16.100.0/24 comment=vpn dns-server=8.8.8.8 gateway=\
172.16.100.1 netmask=24
# LAN VLANs: DNS is the router itself (192.168.0.1, its MGMT_VLAN address),
# gateway is the per-VLAN .1 address.
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.40.0/24 dns-server=192.168.0.1 gateway=192.168.40.1
add address=192.168.60.0/24 dns-server=192.168.0.1 gateway=192.168.60.1
add address=192.168.70.0/24 dns-server=192.168.0.1 gateway=192.168.70.1
add address=192.168.80.0/24 dns-server=192.168.0.1 gateway=192.168.80.1
add address=192.168.90.0/24 dns-server=192.168.0.1 gateway=192.168.90.1
/ip dns
# The router is the LAN's DNS forwarder (allow-remote-requests=yes). Port 53
# is not opened for WAN in the input chain, whose final drop rule keeps it
# closed to the Internet.
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# not_in_internet: bogon / non-routable ranges, used by the forward-chain
# anti-spoof and "not public addresses" drop rules.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# allowed_to_router: sources accepted by the input chain without further
# checks — the management VLAN and (below) the WireGuard subnet.
add address=192.168.0.1-192.168.0.254 list=allowed_to_router
# Sottoreti_Ammesse ("allowed subnets"): LAN sources the forward rule
# "Drop packets from LAN that do not have LAN IP" lets through.
# 192.168.40.0/24 (SS_VLAN) and 192.168.90.0/24 (VOIP_VLAN) are missing, and
# the L2TP pool entry is disabled, so once that rule matches it would also
# drop those subnets.
add address=192.168.0.0/24 list=Sottoreti_Ammesse
add address=192.168.60.0/24 list=Sottoreti_Ammesse
add address=192.168.70.0/24 list=Sottoreti_Ammesse
add address=192.168.80.0/24 list=Sottoreti_Ammesse
add address=172.16.101.0/24 disabled=yes list=Sottoreti_Ammesse
add address=10.10.10.0/24 list=allowed_to_router
# AL-VLANxx and Vlan80_Negate are defined but not referenced by any rule in
# this export (presumably left over from earlier inter-VLAN rules).
add address=192.168.60.0/24 list=AL-VLAN60
add address=192.168.70.0/24 list=AL-VLAN70
add address=192.168.90.0/24 list=AL-VLAN90
add address=192.168.0.0/24 list=AL-VLAN99
add address=192.168.0.0/24 list=Vlan80_Negate
add address=192.168.60.0/24 list=Vlan80_Negate
add address=192.168.70.0/24 list=Vlan80_Negate
add address=192.168.90.0/24 list=Vlan80_Negate
add address=192.168.80.0/24 list=AL-VLAN80
add address=192.168.40.0/24 list=AL-VLAN40
# whitelisted-admin, used by the input "Allow whitelisted-admin" rule, has no
# entries here; an empty list never matches.
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="Default Configuration" \
connection-state=established,related
# Forward-chain rule placed among the input rules; its comment ("da portare
# in posizione 3" = "to be moved to position 3") says it belongs higher up in
# the forward chain. Accepts traffic that leaves through an IPsec policy.
add action=accept chain=forward comment=\
"IpSec policy out,ipsec (da portare in posizione 3)" ipsec-policy=\
out,ipsec
add action=drop chain=input comment="Chain: Input. Rule #1 \"Drop Invalid Pack\
et\": drop packets connection state: invalid." connection-state=invalid \
log-prefix=DROP_
# No in-interface restriction: a packet from any interface whose source is in
# allowed_to_router (192.168.0.0/24, 10.10.10.0/24) is accepted. The
# anti-spoof drops further down are forward-chain only, so adding
# in-interface-list=!WAN here would close the spoofed-source path.
add action=accept chain=input log-prefix=ALLOW_ src-address-list=\
allowed_to_router
# whitelisted-admin is not defined in /ip firewall address-list in this
# export; an empty list never matches, so this rule is inert unless the list
# is filled elsewhere (e.g. by a script).
add action=accept chain=input comment="Allow whitelisted-admin" \
in-interface-list=WAN log-prefix=ALLOW_WL_ src-address-list=\
whitelisted-admin
# IKE/ESP for both the site-to-site peer and L2TP/IPsec, open on every
# interface. UDP 500/4500 are logged per packet (log=yes), which is noisy
# during IKE rekeys.
add action=accept chain=input log-prefix=IPSEC_ protocol=ipsec-esp
add action=accept chain=input dst-port=4500 log=yes log-prefix=L2tp_ \
protocol=udp
add action=accept chain=input dst-port=500 log=yes log-prefix=L2tp_ protocol=\
udp
# Plain L2TP. The server already requires IPsec (use-ipsec=required); the
# usual hardening is to also match ipsec-policy=in,ipsec on this rule so
# unencrypted 1701 never reaches the daemon.
add action=accept chain=input dst-port=1701 log=yes log-prefix=L2tp_ \
protocol=udp
# GRE accepted from WAN, but no PPTP server appears in this export —
# presumably left over; confirm it (and the forward GRE rule) is still needed.
add action=accept chain=input in-interface-list=WAN log=yes log-prefix=GRE_ \
protocol=gre
# 13231 is the WireGuard listen-port; nothing in this export listens on 13232.
add action=accept chain=input comment=WireGuard dst-port=13231,13232 \
log-prefix=WireGuard_ protocol=udp
# Full router access from every member of the VLAN list, which includes
# WIREGUARD1 (see /interface list member): WireGuard peers reach every
# router service, the same as the management VLAN.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" disabled=\
yes in-interface=MGMT_VLAN
# Final input drop ("Pacchetti scartati" = dropped packets).
add action=drop chain=input comment="Pacchetti scartati" log-prefix=\
drop_input
# ---- forward chain: routed traffic ----
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
# 'untracked' is included so the notrack'd 192.168.40.0/24 <-> 192.168.25.0/24
# traffic (/ip firewall raw) still passes.
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward protocol=gre
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=invalid
# NOTE(review): the four drop rules below match in-interface=LAN-Bridge or
# in-interface=WAN-OUT. Routed LAN traffic enters on the VLAN interfaces
# (PC_VLAN, ...) and Internet traffic on the PPPoE interface WAN-TIM, not on
# the bridge or ether1 themselves, so as written these rules most likely never
# match — verify with the rule counters. in-interface-list=VLAN / WAN would
# be the matching form; note that 10.10.10.0/24 is not in Sottoreti_Ammesse,
# so the last rule would then also drop WireGuard clients unless that list is
# extended.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=LAN-Bridge log-prefix=!public_from_LAN \
out-interface=!LAN-Bridge
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN-OUT log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
log-prefix=Jump_ protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=WAN-OUT \
log-prefix=!public src-address-list=not_in_internet
# Sottoreti_Ammesse lacks 192.168.40.0/24 and 192.168.90.0/24 (see
# /ip firewall address-list), so once this rule matches it would also drop
# SS_VLAN and VOIP_VLAN sources.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=LAN-Bridge \
log-prefix=LAN_!LAN src-address-list=!Sottoreti_Ammesse
# There is no final drop in the forward chain: whatever is not dropped above
# is forwarded. VLAN-to-VLAN traffic is therefore unrestricted despite the
# "VLAN Internet Access only" accept rule, and the AL-VLANxx / Vlan80_Negate
# address lists are defined but unused.
# ---- icmp chain: reached via the jump above; ends in a drop ----
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
# Type 3 code 4 (fragmentation needed) must pass for path-MTU discovery,
# relevant with the jumbo-frame LAN and the PPPoE WAN.
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
# VoIP QoS marks consumed by /queue tree. SIP: signalling to the PBX at
# 192.168.90.200 (UDP 4569/5060/5160); RTP: UDP 10000-10050 to any address.
# NOTE(review): the FastTrack rule in /ip firewall filter makes packets of an
# already-fasttracked connection skip mangle, so presumably only the first
# packets of each flow receive these marks — verify with the queue counters.
add action=mark-connection chain=forward dst-address=192.168.90.200 dst-port=\
4569,5060,5160 new-connection-mark=SIP_CONNECTION passthrough=yes \
protocol=udp
add action=mark-packet chain=forward connection-mark=SIP_CONNECTION \
new-packet-mark=SIP_PACKET passthrough=yes
add action=mark-connection chain=forward new-connection-mark=RTP_CONNECTION \
passthrough=yes port=10000-10050 protocol=udp
add action=mark-packet chain=forward connection-mark=RTP_CONNECTION \
new-packet-mark=RTP_PACKET passthrough=yes
# DSCP 46 (EF) on RTP. The rule requires dst-address=192.168.90.200 (a VoIP
# VLAN host) AND out-interface=WAN-OUT; traffic to a LAN address does not
# leave via the WAN port, so this rule most likely never matches.
add action=change-dscp chain=postrouting dst-address=192.168.90.200 new-dscp=\
46 out-interface=WAN-OUT packet-mark=RTP_PACKET passthrough=yes
/ip firewall nat
# Site-to-site traffic must not be masqueraded, so it is accepted before the
# masquerade rule. (These packets are also notrack'd in /ip firewall raw,
# which already keeps them out of NAT.)
add action=accept chain=srcnat dst-address=192.168.25.0/24 src-address=\
192.168.40.0/24
add action=accept chain=srcnat dst-address=192.168.40.0/24 src-address=\
192.168.25.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
# Traffic entering the WireGuard tunnel is masqueraded behind 10.10.10.1.
add action=masquerade chain=srcnat out-interface=WIREGUARD1
/ip firewall raw
# Connection-tracking bypass for the IPsec site-to-site subnets; these
# packets reach the forward chain as 'untracked'.
add action=notrack chain=prerouting dst-address=192.168.25.0/24 src-address=\
192.168.40.0/24
add action=notrack chain=prerouting dst-address=192.168.40.0/24 src-address=\
192.168.25.0/24
/ip firewall service-port
# SIP ALG enabled on the listed ports (4569 added to the defaults); RTSP ALG
# enabled.
set sip ports=5060,5061,4569
set rtsp disabled=no
/ip ipsec identity
# Identity for the site-to-site peer; auth-method is not set (RouterOS
# default applies) and no secret appears in this export (hidden/redacted).
add peer=Peer-SS
/ip ipsec policy
# Entry 0 is presumably the default template policy (group default); it is
# disabled here.
# NOTE(review): L2TP/IPsec clients get dynamic policies generated from the
# default template group; with the template disabled, phase 2 for such
# clients cannot be set up. Verify whether this is intended before looking
# elsewhere for the L2TP failure described in the post.
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Site-to-site tunnel policy: VLAN 40 subnet <-> remote 192.168.25.0/24.
add dst-address=192.168.25.0/24 peer=Peer-SS proposal=Proposal-SS \
src-address=192.168.40.0/24 tunnel=yes
/ip service
# telnet and api-ssl off; www (plain HTTP) stays on at 8081, ssh on 22,
# winbox on 8291. No address= restriction is set on any service, so access
# is gated only by the firewall input chain. ftp, api and www-ssl are not
# mentioned and keep their RouterOS defaults; the web UI is therefore
# plaintext unless www-ssl is enabled elsewhere.
set telnet disabled=yes
set www port=8081
set ssh port=22
set winbox port=8291
set api-ssl disabled=yes
/ppp secret
# OpenVPN user (password not in export).
add name=VpnUser profile=OPEN_VPN service=ovpn
# Only L2TP user; pinned to 192.168.70.100 inside VLAN 70 (see the ipsec_vpn
# profile, whose local-address is the VLAN 70 gateway).
add name=Laptop profile=ipsec_vpn remote-address=192.168.70.100 service=l2tp
/snmp
# SNMP agent on; community settings are not in this export, so the default
# community applies unless changed elsewhere.
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system clock manual
# Fixed +01:00 offset (Europe/Rome standard time) next to the named zone.
set time-zone=+01:00
/system identity
set name="MikroTik RT5009"
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes
/system ntp server
# The router also serves NTP to the LAN, with multicast announcements.
set enabled=yes multicast=yes
/system ntp client servers
add address=ntp1.inrim.it
add address=ntp2.inrim.it
add address=time.inrim.it
add address=0.it.pool.ntp.org
/system package update
# Development channel: upgrades pull pre-release builds. For a production
# router terminating VPNs the stable channel is the usual choice.
set channel=development
/tool bandwidth-server
# Bandwidth-test server off (it is otherwise a load/amplification vector).
set authenticate=no enabled=no
/tool romon
# RoMON on. Presumably it answers on every L2 port, including WAN-OUT;
# "/tool romon port" can set forbid=yes on the WAN port if that is unwanted.
set enabled=yes
/user settings
set minimum-password-length=10