horstkevin
newbie
Topic Author
Posts: 26
Joined: Thu Feb 23, 2017 2:52 am

VPN Server: Problems with L2TP IPsec: failed to pre-process ph2 packet

Wed Oct 28, 2020 1:50 am

Hi there,
I have an easy setup of a Mikrotik hEX behind a Router FritzBox 7590 as you can see here:
[attachment: schema.jpg]
RouterOS: 6.47.6
FritzOS: 7.21

The Mikrotik router is to be the vpn server (L2TP IPSec) and I am trying with the win 10 built-in-vpn-client to connect to the vpn server.
So I did a Port-Forwarding on FritzBox 7590:
UDP: 500, 1701, 4500 and ESP-Protocol.

When I try to connect I get this error: "failed to pre-process ph2 packet".
[attachment: error-msg.PNG]

I also searched for a solution for this error message, but I couldn't find a clear answer for that.

So maybe you can tell me if there are any errors in my setup or what other things can be the reason for this connection problem.
L2TP-Server setup:
[attachments: 1.png, 2.png, 3.png, 4.png, 5.png]

Here is the IPsec setup:
[attachments: 6.png, 7.png, 8.png, 9.png, 10.png, 11.png, 12.png]

Finally I added some filter rules:
[attachment: 13.png]
I don't know if it is important, but I wonder that there is no packet count on port 1701 and for protocol 50. But maybe it's normal at this time.

If you need further information just let me know.
Thx in advance!

Regards
horstkevin
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Server: Problems with L2TP IPsec: failed to pre-process ph2 packet

Wed Oct 28, 2020 3:30 am

I'm not completely sure if that's it, because I don't use it like this. But the Windows client doesn't like L2TP/IPsec servers behind NAT and needs a small config change:

https://docs.microsoft.com/en-us/troubl ... t-t-device

Now a few things I'm sure about:

- Don't forward port 1701 at all, that's for L2TP and it will be coming encrypted inside IPSec. FritzBox will never see any port 1701 traffic.
- You don't see any hits on router for port 1701, because IPSec part didn't finish, so no L2TP came yet.
- You won't see ESP packets either, because when there's NAT on either side, ESP packets are encapsulated in UDP (port 4500).
- Config export (/export hide-sensitive file=yourconfig) is usually better than screenshots, much less work and less chance to miss something.
 
horstkevin
newbie
Topic Author
Posts: 26
Joined: Thu Feb 23, 2017 2:52 am

Re: VPN Server: Problems with L2TP IPsec: failed to pre-process ph2 packet

Wed Oct 28, 2020 8:59 am

Thanks for that, but unfortunately it doesn't solve the problem yet.
(as DWORD value I took "2")
> - Config export (/export hide-sensitive file=yourconfig) is usually better than screenshots, much less work and less chance to miss something.
OK - so here we go:
# oct/28/2020 07:50:32 by RouterOS 6.47.6
# software id = GBIZ-4PLB
#
# model = RouterBOARD 750G r2
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-LAN speed=100Mbps
set [ find default-name=ether3 ] name=ether3-backupserver1 speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface list
add name=LANs
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=ec2n185,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-192,3des
add dh-group=ec2n185,modp2048,modp1024 enc-algorithm=aes-256,aes-192,3des \
    name=profile1-vpn1
/ip ipsec peer
add name=peer1 passive=yes profile=profile1-vpn1
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc
add enc-algorithms=aes-256-cbc,aes-192-cbc,3des name=proposal1 pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.55.101-192.168.55.149
add name=VPN-Clients ranges=192.168.55.51-192.168.55.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-LAN name=dhcp1
/ip ipsec mode-config
add address-pool=VPN-Clients name=cfg1
/ppp profile
add change-tcp-mss=yes dns-server=192.168.55.1 local-address=192.168.55.1 \
    name=L2TP-VPN1 remote-address=VPN-Clients use-encryption=required \
    use-mpls=yes
set *FFFFFFFE dns-server=192.168.55.1 local-address=192.168.55.1 \
    remote-address=VPN-Clients use-encryption=required use-mpls=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=log
/interface bridge port
add bridge=bridge1 interface=ether3-backupserver1
add bridge=bridge1 interface=ether4-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP-VPN1 enabled=yes max-mru=1460 \
    max-mtu=1460 use-ipsec=yes
/interface list member
add interface=ether2-LAN list=LANs
add interface=ether3-backupserver1 list=LANs
add interface=ether4-slave-local list=LANs
add interface=ether5-slave-local list=LANs
add interface=ether2-LAN list=discover
add interface=ether3-backupserver1 list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether2-LAN list=mactel
add interface=ether3-backupserver1 list=mactel
add interface=ether2-LAN list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-backupserver1 list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether5-slave-local list=mac-winbox
/ip address
add address=192.168.55.1/24 interface=ether2-LAN network=192.168.55.0
add address=192.168.44.2/24 interface=ether1-gateway network=192.168.44.0
add address=192.168.66.1/24 interface=ether3-backupserver1 network=\
    192.168.66.0
add address=10.5.50.1/24 comment="hotspot network" interface=\
    ether5-slave-local network=10.5.50.0
/ip dhcp-server network
add address=192.168.55.0/24 gateway=192.168.55.1
/ip dns
set allow-remote-requests=yes servers=192.168.44.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input dst-port=1701 in-interface=ether1-gateway \
    protocol=udp
add action=accept chain=input dst-port=500 in-interface=ether1-gateway \
    protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1-gateway \
    protocol=udp
add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=input  protocol=icmp
add action=accept chain=input  \
    connection-state=established,related
add action=accept chain=input  \
    in-interface=ether2-LAN
add action=drop chain=input  \
    disabled=yes in-interface=!ether2-LAN
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="home1 webserver" disabled=yes \
    dst-address=192.168.66.10 dst-port=21,22,80,443 protocol=tcp
add action=accept chain=forward comment="home1 backup" dst-address=\
    192.168.55.2 dst-port=59071 protocol=tcp
add action=accept chain=forward disabled=yes dst-address=192.168.66.10 \
    dst-port=123 protocol=udp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=ether1-gateway
add action=drop chain=forward  \
    disabled=yes in-interface-list=LANs out-interface=!ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=59071 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.55.2 to-ports=59071
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec identity
add peer=peer1
/ip ipsec policy
set 0 disabled=yes proposal=proposal1
add proposal=proposal1 template=yes
/ip route
add distance=1 gateway=192.168.44.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=user1 profile=L2TP-VPN1 service=l2tp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=router
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Server: Problems with L2TP IPsec: failed to pre-process ph2 packet

Wed Oct 28, 2020 7:32 pm

I didn't examine it closely the first time, but aren't you mixing two things together? When you enable IPSec in L2TP server config, all IPSec config should be created automatically, you shouldn't need any manual modifications.
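As an added example (not code from this thread or from MikroTik), the following Python script turns the points made in both replies into checks that run over a RouterOS export: it parses the export format (menu path lines, add/set commands, backslash line continuations, quoted values), then flags hand-made /ip ipsec peer or policy entries sitting next to use-ipsec=yes on the L2TP server, an input rule accepting UDP/1701 from the WAN (L2TP only ever arrives inside IPsec), and a missing accept for UDP/500 or UDP/4500. It assumes the WAN interface is named ether1-gateway as in the export above, and the two inline exports are constructed: the first is a trimmed copy modelled on the posted config, the second a minimal version that leaves IPsec to the L2TP server.

```python
"""Lint a RouterOS '/export' for the L2TP/IPsec pitfalls discussed in the thread."""
import shlex
from collections import defaultdict

WAN_IF = "ether1-gateway"  # assumption: WAN interface name taken from the posted export

# Constructed excerpt modelled on the export in the thread (not the full file).
SAMPLE_EXPORT = r"""
# oct/28/2020 07:50:32 by RouterOS 6.47.6
/ip ipsec peer
add name=peer1 passive=yes profile=profile1-vpn1
/ip ipsec policy
set 0 disabled=yes proposal=proposal1
add proposal=proposal1 template=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP-VPN1 enabled=yes max-mru=1460 \
    max-mtu=1460 use-ipsec=yes
/ip firewall filter
add action=accept chain=input dst-port=1701 in-interface=ether1-gateway \
    protocol=udp
add action=accept chain=input dst-port=500 in-interface=ether1-gateway \
    protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1-gateway \
    protocol=udp
add action=accept chain=input in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
"""

# Constructed minimal export: IPsec left to the L2TP server, only IKE/NAT-T ports open.
CLEAN_EXPORT = r"""
/interface l2tp-server server
set default-profile=L2TP-VPN1 enabled=yes use-ipsec=yes
/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=ether1-gateway \
    protocol=udp
"""


def parse_export(text):
    """Return {menu path: [{'cmd': 'add'|'set', 'params': {key: value}}]}."""
    sections = defaultdict(list)
    path, pending = None, ""
    for raw in text.splitlines():
        # glue a pending continuation onto this line
        line = (pending + " " + raw.strip()) if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash: continue on next line
            pending = line[:-1].rstrip()
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("/"):           # menu path, e.g. "/ip firewall filter"
            path = line.strip()
            continue
        tokens = shlex.split(line)         # keeps comment="two words" as one token
        params, depth = {}, 0
        for tok in tokens[1:]:
            if tok == "[":                 # skip "[ find default=yes ]" selectors
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        sections[path].append({"cmd": tokens[0], "params": params})
    return dict(sections)


def wan_input_accepts(cfg, protocol):
    """Yield params of enabled input/accept rules for protocol arriving on WAN_IF."""
    for rule in cfg.get("/ip firewall filter", []):
        p = rule["params"]
        if (p.get("chain") == "input" and p.get("action") == "accept"
                and p.get("protocol") == protocol and p.get("in-interface") == WAN_IF
                and p.get("disabled") != "yes"):
            yield p


def lint_l2tp_ipsec(cfg):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    findings = []
    l2tp = cfg.get("/interface l2tp-server server", [])
    auto_ipsec = any(e["params"].get("use-ipsec") == "yes" for e in l2tp)
    manual = [e for menu in ("/ip ipsec peer", "/ip ipsec policy")
              for e in cfg.get(menu, []) if e["cmd"] == "add"]
    if auto_ipsec and manual:
        findings.append(("manual-ipsec-with-use-ipsec",
                         f"{len(manual)} hand-made IPsec peer/policy entries next to "
                         "use-ipsec=yes; the L2TP server creates these itself"))
    open_udp = set()
    for p in wan_input_accepts(cfg, "udp"):
        open_udp.update(p.get("dst-port", "").split(","))
    if "1701" in open_udp:
        findings.append(("wan-accepts-udp-1701",
                         "L2TP (UDP/1701) only travels inside IPsec; nothing should "
                         "reach the WAN interface on that port"))
    for port in ("500", "4500"):
        if port not in open_udp:
            findings.append((f"missing-udp-{port}",
                             f"no input accept for UDP/{port} on {WAN_IF}"))
    return findings


if __name__ == "__main__":
    for name, text in (("thread export", SAMPLE_EXPORT), ("clean export", CLEAN_EXPORT)):
        print(name, lint_l2tp_ipsec(parse_export(text)) or "OK")
```

Running it prints two findings for the constructed copy of the thread's export (the manual peer/policy entries and the UDP/1701 accept rule) and "OK" for the minimal one; to lint a real export, read the file produced by /export hide-sensitive file=yourconfig and pass its text to parse_export.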
