 
phuketmymac
Frequent Visitor
Topic Author
Posts: 66
Joined: Thu Jun 05, 2014 7:56 pm

L2TP VPN suddenly stop working

Sun Oct 10, 2021 4:45 am

Hi,

I have an L2TP road warrior setup that has been working for months and suddenly stopped working.
It's a pretty basic setup created in the PPP menu, in L2TP Server with a preshared key.

We haven't done any OS update nor any modifications to the configuration on the router side when this happened.
We are using macOS clients on the other side so there might have been some software updates done.

However, I have the exact same setup (that I redid several times) which works on a different router (the one I use at home).
Also, this router has a site-to-site tunnel using L2TP which still works well, and this one hasn't suffered any interruption.
The other end of the tunnel has another MikroTik router to which I can connect using the same L2TP road warrior setup.
My only way so far to access the network is to connect to the other end, which routes me to my main network.

In the logs, the only error messages that I can see are the following:
08:42:54 ipsec,error no suitable proposal found.
08:42:54 ipsec,error 171.6.238.18 failed to get valid proposal.
08:42:54 ipsec,error 171.6.238.18 failed to pre-process ph1 packet (side: 1, status 1).
08:42:54 ipsec,error 171.6.238.18 phase1 negotiation failed.

I am wondering why I would have to change the proposals setup since this is working on the other router with the exact same basic setup.

I am thinking there is something wrong with the config or the router itself, and I already did a backup, reset the config, then restored the backup, but no cigar.

A ticket was created, but support replies once every 2 days and so far hasn't been able to find a solution, to the point that they even stopped answering me...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN suddenly stop working

Sun Oct 10, 2021 5:02 pm

  1. activate detailed logging of IPsec: /system logging add topics=ipsec,!packet
  2. run /log print follow-only file=l2tp-ipsec-start where topics~"ipsec"
  3. try to connect from one of the clients, wait until it reports failure
  4. break the /log print ..., download the file l2tp-ipsec-start.txt to your PC
In the log file, you should see the reason. Either the incoming request matches on a wrong peer, or none of the encryption/hash/dh algorithms proposed by the client (initiator) is available in the /ip ipsec profile row used by the responder peer.

If you have in mind Mikrotik support, this is a typical case which should first be handled by a consultant or the forum, not by the (very limited) Mikrotik staff.
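
The second cause named in the reply above (none of the client's offered algorithm sets fits the responder's profile) can be modelled in a few lines. This is an added example, not part of the original post and not RouterOS code; the `Transform` type, the function names, and the sample profile and client offer are constructed for illustration.

```python
"""Model of IKE phase 1 proposal matching on the responder (added illustration)."""
from typing import NamedTuple


class Transform(NamedTuple):
    enc: str       # encryption algorithm offered by the initiator
    hash_alg: str  # hash algorithm
    dh: str        # Diffie-Hellman group


def mismatches(profile: dict, t: Transform) -> list:
    """Attributes of one offered transform that the profile does not allow."""
    return [f"{attr}={getattr(t, attr)}" for attr in ("enc", "hash_alg", "dh")
            if getattr(t, attr) not in profile[attr]]


def negotiate(profile: dict, offer: list):
    """Accept the first offered transform whose attributes ALL fit the profile.

    Returns (chosen, report). chosen is None when nothing fits, which is the
    "no suitable proposal found" case; report lists why each transform failed.
    """
    report = []
    for t in offer:
        bad = mismatches(profile, t)
        report.append((t, bad))
        if not bad:
            return t, report
    return None, report


# Constructed sample data (hypothetical): a responder profile and the offer of
# a client after a software update. Not taken from the thread or a real client.
PROFILE = {"enc": {"aes-128", "3des"}, "hash_alg": {"sha1"}, "dh": {"modp1024"}}
OFFER = [
    Transform("aes-256", "sha256", "modp2048"),
    Transform("aes-256", "sha1", "modp2048"),
    Transform("aes-128", "sha1", "modp2048"),
]

if __name__ == "__main__":
    chosen, report = negotiate(PROFILE, OFFER)
    for t, bad in report:
        print(t, "->", "accepted" if not bad else "rejected: " + ", ".join(bad))
    print("result:", chosen or "no suitable proposal found")
```

The per-transform report is the same information the detailed IPsec log is meant to reveal: which single attribute keeps every offered set from fitting an otherwise unchanged profile.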
 
mimesm
just joined
Posts: 1
Joined: Sun May 21, 2023 3:24 am

Re: L2TP VPN suddenly stop working

Sun May 21, 2023 3:26 am

Hi sindy, I have this problem too, and my log shows "terminating - peer is not responding" and all of my clients disconnect. Is it solved by checking all algorithms and ... in the profile and proposal in the IPsec tab?

Thank you. I use version 7.1.1 and newer.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN suddenly stop working

Tue May 23, 2023 10:20 am

Do I get you right that everything works for a while, and then all the clients disconnect at about the same time?
 
sas2k
Frequent Visitor
Posts: 80
Joined: Tue Jan 18, 2022 8:17 am

Re: L2TP VPN suddenly stop working

Thu May 25, 2023 1:48 pm


> I have an L2TP setup road warrior that has been working for months and suddenly stopped working
> It's a pretty basic setup created in the PPP menu, in L2TP Server with a preshared key.
>
> We haven't done any OS update nor any modifications to the configuration on the router side when this happened.
> We are using macOS clients on the other side so there might have been some software updates done.

My guess is that system updates for any OS disable old / weak ciphers for IPsec.
I would suggest that you find out all the types of hardware acceleration for IPsec using the table:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Then you should enable all these types:
1) IP-IPSEC - Proposals - default proposal
2) IP-IPSEC - Profiles - default profile. Here also enable MODP size 1024 and 2048, or just enable all up to 2048.

If you enable some extra types that are not hardware accelerated, there will be slow speeds and high CPU usage.

My example: RB760iGS (hEX S)
So hardware accelerated:
- DES and 3DES (MD5, SHA1, SHA256) - but these are too old and weak
- AES-CBC (MD5, SHA1, SHA256)
So my settings:
ipsec.png
If I enable MODP 2048 instead of 1024, it works fine, but with higher CPU usage.

Even with hardware acceleration, my speeds = approx. 60% CPU usage at 90 Mbit.