The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,613 other followers

some notes on L2TP IPSEC on Mikrotik

Posted by jpluimers on 2017/09/01

For debugging purposes:

/log print where buffer=memory && (message~"l2tp" || message ~"L2TP"))

This will result in an answer like this:

13:43:59 l2tp,info first L2TP UDP packet received from
13:43:59 l2tp,ppp,info,account l2tp-jeroenp logged in,
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: authenticated
13:43:59 l2tp,ppp,info <l2tp-l2tp-jeroenp>: connecteda

Some links for when you cannot get connections to work:

Before digging deeper, check the output of settings like these:

/system logging add topics=ipsec

/ip ipsec policy group print
/ip ipsec peer print
/ip ipsec remote-peers print
/ip ipsec proposal print
/ip ipsec installed-sa print

It will give you answers like these (note that a Mac OS X 10.9.5 won’t connect with camelia encryption algorithms and not do better hashing than sha1):

> /ip ipsec policy group print
Flags: * - default
0 * default
1 pfs-modp1024

> /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address= local-address=:: passive=no port=500 auth-method=pre-shared-key secret="someLoooooooongPasssssword" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

> /ip ipsec remote-peers print
0 local-address= port=4500 remote-address= port=15390 state=established side=responder established=22m16s

> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024

> /ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x965F243 src-address= dst-address= state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="7f15b06179d0365cd8b7d8f046201703b2ba93f1" enc-key="ffc56f51397f60002d4bc3d7b95f14ede7eaa542" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=24928 replay=128

1 E spi=0xE0A95C3 src-address= dst-address= state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="bd936b323131dea53d26791829640471c03154bc" enc-key="cb1a3e3b21d033c39390aa48b7efe64e835fc404" addtime=oct/17/2016 13:43:58
expires-in=36m34s add-lifetime=48m/1h current-bytes=3120 replay=128

In order to switch away from default as Policy Template Group, you will have to:

  1. add a new IPSec group (in /ip ipsec policy group)
  2. add a new IPSec proposal (in /ip ipsec proposal) with the same PFS group name as the policy group.
  3. add a new IPSec policy (in /ip ipsec policy group) with (under General) the same group name as the policy group. *and* (under Action) the same proposal name as the proposal.

Some links on hardening IPSEC with DH algorigthm:

Miscellaneous links:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: