And again L2TP+IPSec 'wrong password' when password is fine
Posted: Thu Jan 25, 2024 6:33 pm
Hi all.
I've encountered a very strange problem. There are a few MikroTik CHRs; they are all hosted by the same provider, Hetzner, but in different regions. EoIP and IPIP tunnels are configured between them. Everything works flawlessly if you first start tunnels without IPSec and only then enable IPSec.
Problems begin when you reboot one of the MikroTiks. After this, either both tunnels do not come up, or only EoIP does not come up. Everything in the logs allegedly points to an incorrect password, although the L2TP passwords and IPSec secrets are identical on both sides, which has been checked a million times. For simplicity, the password was '123', entered manually. No luck.
Eliminating the cause is easy and quick: just remove the IPSec key. This is the only reliable solution to the problem. And if you turn off IPSec and let the tunnel come up, then after that you can turn IPSec back on, and everything will work for at least weeks until you reboot any of the routers.
Below are more details:
- ROS version 6.49.10, 6.49.11, or 6.49.12 (currently, the entire fleet is aligned to version 6.49.12).
- All MikroTik CHRs use different time zones but are synchronized using the same NTP source (synchronized status on all CHRs).
- If the routers are not rebooted, then everything works for weeks or even more.
- All MikroTiks have real (white) static IP addresses.
I read all similar topics here on the forum and did not find a solution to the problem there, except for mentioning that this is a bug in the ROS beta version or a bug that was fixed a long time ago (which is clearly not my case).
Here are the log files from both sides: L2TP server log and L2TP client log. They may not be synchronous with each other, but they have the same errors all the time if the tunnels are not up.
Also, I can record logs with the 'l2tp' and 'ipsec' topics enabled, if this helps in any way. But perhaps someone will still have ideas without this information.
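The workaround the poster describes (bring the L2TP session up without IPsec, then re-enable IPsec) can be automated on the client side so it runs only when the tunnel is still down after a reboot. The script below is an added example, not the poster's configuration or MikroTik's own code; it assumes a RouterOS v6 L2TP client interface named `l2tp-out1` that already has `use-ipsec=yes` and an `ipsec-secret` configured, and it uses only the standard `use-ipsec` parameter and the read-only `running` interface flag. It also logs each step so the window in which the session runs without IPsec is visible in `/log`.

```routeros
# Added example (not from the original post): automate the poster's workaround
# on a RouterOS v6 L2TP client. Assumes the client interface is named
# "l2tp-out1" and that use-ipsec=yes / ipsec-secret are already configured.
:local ifName "l2tp-out1"
:local waitMax 60
:local waited 0

# Give the client a chance to connect normally after boot before intervening
:delay 60s

# Only act when the tunnel failed to come up on its own
:if ([/interface get [find name=$ifName] running] = false) do={
    :log warning "$ifName still down after boot; temporarily disabling IPsec to re-establish"
    /interface l2tp-client set [find name=$ifName] use-ipsec=no

    # Wait (up to waitMax seconds) for the plain L2TP session to establish
    :while (([/interface get [find name=$ifName] running] = false) && ($waited < $waitMax)) do={
        :delay 5s
        :set waited ($waited + 5)
    }

    # Re-enable IPsec; per the poster, the tunnel then stays up until the next reboot
    /interface l2tp-client set [find name=$ifName] use-ipsec=yes
    :log info "IPsec re-enabled on $ifName after $waited s"
}
```

To run it once per boot, store it as a script (for example under `/system script` with the name `l2tp-ipsec-workaround`) and add a scheduler entry with `start-time=startup` whose `on-event` runs that script. While the `use-ipsec=no` window is open the L2TP session carries traffic without IPsec protection, so keep `waitMax` short and watch the log entries the script writes.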