akarpas
Frequent Visitor
Topic Author
Posts: 53
Joined: Tue Mar 20, 2018 4:46 pm

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 4:53 pm

Check if any of the configured specific IPsec peer addresses does not match the office address you are connecting from.
Looks to me like you have a peer with that IP and specified aes + modp1024.
Yes, I have on the MikroTik router from where I'm connecting several IPsec tunnels (site to site), but they have their own proposals, and I have a PPTP server for rare use.
 
sindy
Forum Guru
Posts: 2411
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 4:58 pm

The settings on the router in the office don't matter. The settings on the home router do. If one of the home router's peers has the remote attribute set to the public IP address of the office, any IPsec ISAKMP request coming from that address matches on that peer rather than the one with remote=0.0.0.0/0 (or ::/0).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
akarpas
Frequent Visitor
Topic Author
Posts: 53
Joined: Tue Mar 20, 2018 4:46 pm

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 5:20 pm

The settings on the router in the office don't matter. The settings on the home router do. If one of the home router's peers has the remote attribute set to the public IP address of the office, any IPsec ISAKMP request coming from that address matches on that peer rather than the one with remote=0.0.0.0/0 (or ::/0).
The L2TP server is site A, let's say HQ; B is my home, C is my office, D is a neighbor, G is another location :) so I'm able to connect to site A from B, D and G, but not from C!
 
mrz
MikroTik Support
Posts: 5674
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 5:28 pm

Do you have location C's IP address added as an IPsec peer on the server or not?
 
akarpas
Frequent Visitor
Topic Author
Posts: 53
Joined: Tue Mar 20, 2018 4:46 pm

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 5:44 pm

Do you have location C's IP address added as an IPsec peer on the server or not?
I have an IPsec tunnel between the server and site C, so yes, there is an IP on the site-to-site peer. I have disabled the tunnel on both sites (I mean the peers, IPsec policies and proposals on both sides); it didn't help.
 
akarpas
Frequent Visitor
Topic Author
Posts: 53
Joined: Tue Mar 20, 2018 4:46 pm

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 5:49 pm

Do you have location C's IP address added as an IPsec peer on the server or not?
OK, I have disabled the peer with site C's IP address on the L2TP server and it worked, but this means my IPsec tunnel (site to site) is down, and that's not good.
 
sindy
Forum Guru
Posts: 2411
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPSec (no suit proposal found)

Wed Jun 13, 2018 6:07 pm

Maybe not good, but that's how the universe works. The peer is chosen based on its IP address. You may try to work around it using a dirty trick, but it's only theoretical; I've never tried it in practice yet:
  • on the server (A):
    • create a bridge interface with no member ports
    • attach to it a private IP address not used in any local subnet, a.a.a.a/32
    • create a dst-nat rule:
      /ip firewall nat
      add chain=dstnat action=dst-nat protocol=udp dst-port=5500 to-ports=500 to-addresses=a.a.a.a
    • set local-address=a.a.a.a on the peer with remote=C
  • on the client (C):
    • set the port of the peer representing A to 5500
NAT-T must be enabled at both A peer at C and C peer at A (unless you use IKEv2 where NAT-T is intrinsic).
 
sindy
Forum Guru
Posts: 2411
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP IPSec (no suit proposal found)

Fri Jun 15, 2018 12:28 am

I've tried the suggestion above and it unfortunately does not work. However, there is another trick you can use. The initial packet which comes from the remote peer contains, among other things, the IKE version, and at least in 6.43rc12 where I currently test it, the IKE version (which can be derived from the exchange mode) is one of the criteria used to choose a peer. So if you configure the site2site VPN between A and C to use IKEv2, the peer with address=C and exchange-mode=ike2 on A will be ignored when handling initial packets from the l2tp-ipsec clients indicating IKEv1, so for these connection attempts, the peer with address=0.0.0.0/0 and exchange-mode=main-l2tp will be chosen.
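To make the peer-selection behaviour discussed in the two posts above concrete (most specific address wins, and an IKEv2 peer is not a candidate for an IKEv1 initiator), here is an added Python model; it is not RouterOS code and not from any poster, the selection order is a simplification inferred from this thread, and the addresses and proposal sets are constructed:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (documentation ranges), not from the thread.
OFFICE_C = "198.51.100.20"
HOME_B = "203.0.113.5"

@dataclass(frozen=True)
class Peer:
    name: str
    address: str          # remote address/prefix this peer matches
    exchange_mode: str    # RouterOS exchange-mode: main, main-l2tp, ike2, ...
    proposals: frozenset  # accepted (encryption, dh-group) pairs

def ike_version(exchange_mode):
    """ike2 is IKEv2; every other RouterOS exchange mode is IKEv1."""
    return 2 if exchange_mode == "ike2" else 1

def select_peer(peers, src_ip, initiator_ike_version):
    """Simplified model (assumption based on the thread, not RouterOS code):
    peers whose IKE version differs from the initiator's are skipped, and
    among the rest the most specific address prefix wins, so a /32 peer
    beats remote=0.0.0.0/0."""
    src = ip_address(src_ip)
    candidates = [p for p in peers
                  if ike_version(p.exchange_mode) == initiator_ike_version
                  and src in ip_network(p.address, strict=False)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda p: ip_network(p.address, strict=False).prefixlen)

def phase1_outcome(peer, client_offer):
    """Phase 1 succeeds only if the chosen peer accepts something the client offers."""
    if peer is None:
        return "no matching peer"
    return "ok" if peer.proposals & client_offer else "no suitable proposal found"

def l2tp_from(src_ip, site_to_site_mode):
    """Outcome for an L2TP/IPsec (IKEv1) client at src_ip connecting to server A,
    with the A<->C site-to-site peer configured in the given exchange mode."""
    peers = [
        Peer("site-to-site C", OFFICE_C + "/32", site_to_site_mode,
             frozenset({("aes-256-cbc", "modp2048")})),
        Peer("l2tp clients", "0.0.0.0/0", "main-l2tp",
             frozenset({("aes-128-cbc", "modp1024"), ("3des", "modp1024")})),
    ]
    # Typical road-warrior client offer: constructed, not taken from the thread.
    client_offer = frozenset({("aes-128-cbc", "modp1024"), ("3des", "modp1024")})
    return phase1_outcome(select_peer(peers, src_ip, 1), client_offer)
```

With the site-to-site peer in main mode, a client behind C lands on that /32 peer and fails on proposals; switching that peer to ike2 leaves only the 0.0.0.0/0 main-l2tp peer as a candidate.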
