For debugging purposes (note the balanced parentheses; the filter matches both spellings of the topic):
/log print where buffer=memory && (message~"l2tp" || message~"L2TP")
This results in output like this:
13:43:59 l2tp,info first L2TP UDP packet received from 93.184.216.34
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in, 192.168.73.239
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connected
Some links for when you cannot get connections to work:
- “first L2TP UDP packet received from”
- L2TP connection error – MikroTik RouterOS [WayBack]
- IPsec VPNs einrichten mit Cisco, Mikrotik, pfSense Firewall, FritzBox, Smartphone sowie Shrew Client Software – administrator.de [WayBack]
- VPN ipsec between AVM FritzBox an Mikrotik – MikroTik RouterOS
- it requires a tunnel (because LAN2LAN) [WayBack]
- mikrotik ipsec settings for Fritz!Box: 160663ipsecfritz2.png (1920×1080) [WayBack]
- Securing L2TP Server for IPSec – MikroTik Wiki [WayBack]
- MikroTik to AWS EC2 instance IPsec tunnel – framistats [WayBack]
- Tech Note: how to configure ipsec between mikrotik and strongswan, linux [WayBack]
- [Solved] L2TP/IPSec with Android – MikroTik RouterOS [WayBack]
- networking – L2TP IPSec doesn’t work from other city – Super User [WayBack]
Before digging deeper, enable ipsec logging and check the output of commands like these:
/system logging add topics=ipsec
/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print
They will give you output like this (note that a Mac OS X 10.9.5 client won’t connect with the Camellia encryption algorithms and won’t negotiate a stronger hash than sha1):
> /ip ipsec policy group print
Flags: * - default
# NAME
0 * default
1 pfs-modp1024
> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
> /ip ipsec remote-peers print
0 local-address=37.153.243.243 port=4500 remote-address=93.184.216.34 port=15390 state=established side=responder established=22m16s
> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address=93.184.216.34:15390 dst-address=37.153.243.243:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128
1 E spi=0xE0A95C3 src-address=37.153.243.243:4500 dst-address=93.184.216.34:15390 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128
In order to switch away from default as Policy Template Group, you will have to:
- add a new IPSec group (in /ip ipsec policy group)
- add a new IPSec proposal (in /ip ipsec proposal) with the same PFS group name as the policy group.
- add a new IPSec policy (in /ip ipsec policy) with (under General) the same group name as the policy group *and* (under Action) the same proposal name as the proposal.
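The three steps above, plus moving the L2TP peer off the default group and raising the DH groups, as an added RouterOS console example (not from the original post). The group/proposal name pfs-modp2048 and the algorithm choices are assumptions; adjust them to what your clients support.

```routeros
# Added example, not part of the original post. Assumes RouterOS 6.x syntax as
# shown in the print output above; "pfs-modp2048" is a name chosen here.

# 1. The new policy group; the name follows the post's "pfs-<dh group>" convention.
/ip ipsec policy group add name=pfs-modp2048

# 2. The phase 2 proposal: pfs-group agrees with the group name above and the
#    algorithms are stronger than the sha1 / aes-128-cbc / modp1024 defaults.
#    Keep sha1 in the list (auth-algorithms=sha256,sha1) if Mac OS X 10.9.5
#    clients still need to connect, per the caveat earlier in the post.
/ip ipsec proposal add name=pfs-modp2048 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# 3. The template policy that ties group (General) and proposal (Action) together.
#    With generate-policy=port-override on the peer, RouterOS instantiates a real
#    policy from this template for each connecting L2TP client.
/ip ipsec policy add template=yes group=pfs-modp2048 proposal=pfs-modp2048 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all

# 4. Point the L2TP peer (selected by exchange-mode=main-l2tp, as in the peer
#    print above) at the new group. The peer's dh-group is the phase 1 DH group
#    and is independent of the proposal's pfs-group, so raise both.
/ip ipsec peer set [find exchange-mode=main-l2tp] policy-template-group=pfs-modp2048 dh-group=modp2048

# 5. Verify after a client reconnects: the new SAs should show
#    auth-algorithm=sha256 enc-algorithm=aes-cbc instead of sha1.
/ip ipsec installed-sa print
/log print where buffer=memory && message~"ipsec"
```

Clients that only offer modp1024 will stop connecting after step 4; the ipsec log topic enabled earlier shows the rejected proposal.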
Some links on hardening IPsec with respect to the DH algorithm:
- The weak DH and LogJam attack impact on IKE / IPsec (and the *swans) | Paul Wouters at more then 140 chars
- Manual:IP/IPsec – MikroTik Wiki [WayBack]
- IPSec/L2TP vpn connection starts but won’t complete – MikroTik RouterOS.
Miscellaneous links:
- Deny L2TP without IPSEC – MikroTik RouterOS [WayBack]
- Mikrotik L2TP with IPsec for mobile clients | FirstDigest [WayBack]
- [Archive.is] A Day in the Life of Just Another IT Guy » L2TP with IPSec on Mikrotik RoutersOS
- Add L2TP interface to bridge – how? – MikroTik RouterOS [WayBack]
- Manual:PPP AAA – MikroTik Wiki [WayBack]
- Configuring Firewall Rules for IPSEC / L2TP VPN – Confused – MikroTik RouterOS [WayBack]
- How to configure VPN with l2tp and ipsec using Mikrotik router [WayBack]
- [Archive.is] L2TP VPN setup cannot ping LAN devices – MikroTik RouterOS
- [WayBack] MT VPN L2TP and IPSec – cannot ping remote LAN and vice vers – MikroTik RouterOS
–jeroen