Hello
a perfect working L2TP connection, to a Windows Server 2012 R2 , fails Phase 2, after update from 6.37 tot 6.38 or 6.38.1 !
Any idea's whats changed specifically for this ?
Log says "failed to pre-process ph2 packet"
I have searched for hours now..
downgrade to 6.37 worked again.. nothing else changed..
Tnx 4 hlp
Jempi

Hello,
I'm exactly in the same position as Jempi: after updating to 6.38.5 (from 6.37.X) the IPSEC tunnel used for L2TP to a Windows Server doesn't come up.
Mikrotik in my case is the client.
In IPSec log, just before the "failed to pre-process ph2 packet", I get "mismatched IDcr was returned".

I cannot find any clue on how to fix this, I guess it's just a bug, probably due to a specific Windows implementation. Can anyone confirm?

Enrico.

6.37.4 -> 6.38.5 on RB201 same problem.

Windows & Android clients cannot cannect with "failed to pre-process ph2 packet" in Mikrotik logs.

Downgraded

6.39rc72 same problem btw.

Solution google translate from here: http://bozza.ru/art-247.html

The default policy glitch on the mikrotik

With absolutely correct settings for the L2TP / IPSec connection on the client (for example, Windows 7) and on the server (Mikrotik), you can not establish a VPN connection. In this case, the message "failed to pre-process ph2 packet" goes to the Mikrotik log, and the error on the Windows 7 client is 789: the L2TP connection attempt failed because of an error that occurred at the security level ... This problem can occur on Firmware up to the last stable at the current time (6.30).

Solution: delete the default group in the IP - IPSec - Groups menu, create a new one and specify it in IP - IPSec - Peers in the Policy Template Group field.

According to Hopy, another solution to the problem with groups may be the execution of this command after re-creating the group: Perhaps this is a legacy from the old configurations, there is no exact answer, but nevertheless, this is an option. By the way, it is possible for this reason (and similar) that you should still perform a complete reset of the device before the initial setup. But this is not a requirement, that's for sure.

Hello, I have tried both the proposed solutions but I still get the same error.
In my case Windows is the server and Mikrotik is the client.

As soon as I have a chance I will try with a new device so that there will be no traces of old configurations.

It looks like the problem started when upgrading from 6.38rc19 -> 6.38rc24 (wherein it seems large parts of ipsec were re-written in ROS). I have some details about it though from the ipsec debug log on 6.40rc4:

may/05 22:58:59 ipsec,debug proposal #1: 1 transform
may/05 22:58:59 ipsec,debug got the local address from ID payload 44.24.246.0[0] prefixlen=31 ul_proto=255
may/05 22:58:59 ipsec,debug got the peer address from ID payload 44.24.246.8[0] prefixlen=31 ul_proto=255
may/05 22:58:59 ipsec searching for policy
may/05 22:58:59 ipsec template lookup for selector: 44.24.246.0/31 <=> 44.24.246.8/31
may/05 22:58:59 ipsec no template matches
may/05 22:58:59 ipsec failed to get proposal for responder.
may/05 22:58:59 ipsec,error 64.119.4.114 failed to pre-process ph2 packet.

Meanwhile, the policy template is right there:

11 T group=OPP-KD7KAB src-address=44.24.246.8/31 dst-address=44.24.246.0/31 protocol=all proposal=vpn-ah template=yes

So whatever was done with the matcher / selector code is probably the problem.