The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,953 other followers

Archive for September 1st, 2017

some notes on L2TP IPSEC on Mikrotik

Posted by jpluimers on 2017/09/01

For debugging purposes:

/log print where buffer=memory && (message~"l2tp" || message ~"L2TP"))

This will result in an answer like this:

13:43:59 l2tp,info first L2TP UDP packet received from
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in,
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connecteda

Some links for when you cannot get connections to work:

Before digging deeper, check the output of settings like these:

/system logging add topics=ipsec

/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print

It will give you answers like these (note that a Mac OS X 10.9.5 won’t connect with camelia encryption algorithms and not do better hashing than sha1):

> /ip ipsec policy group print
Flags: * - default
0 * default
1 pfs-modp1024

> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address= local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

> /ip ipsec remote-peers print
0 local-address= port=4500 remote-address= port=15390 state=established side=responder established=22m16s

> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address= dst-address= state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128

1 E spi=0xE0A95C3 src-address= dst-address= state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128

In order to switch away from default as Policy Template Group, you will have to:

  1. add a new IPSec group (in /ip ipsec policy group)
  2. add a new IPSec proposal (in /ip ipsec proposal) with the same PFS group name as the policy group.
  3. add a new IPSec policy (in /ip ipsec policy group) with (under General) the same group name as the policy group. *and* (under Action) the same proposal name as the proposal.

Some links on hardening IPSEC with DH algorigthm:

Miscellaneous links:


Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

Some proxmox notes: adding a new logical volume from a new HDD

Posted by jpluimers on 2017/09/01


Posted in Power User, Proxmox, Virtualization | Leave a Comment »

%d bloggers like this: