VPN
Roman Alekseevich, 2021-05-13 15:14:40

Why are 2 Mikrotiks not connected via ipsec?

There are 2 MikroTiks, firmware 6.48.2: one tile (server), the second mipsbe (client). Between them I am trying to configure L2TP/IPsec. The client has a regular SIM card. The server is behind ViPNet, but the ports are forwarded. Phone and Windows all connect fine, but the MikroTik doesn't want to at all. All profile settings and the proposal are identical, NAT traversal is enabled, and authentication is the same on both. The L2TP connection appears in IPsec peers, but the second phase does not work...
The funny thing is that sometimes the connection takes 10 minutes, every 3 days... and the rest of the time it is "phase1 negotiation failed due to time up" on the server and client.

Here are the settings and the server log:
609d16eb7b071083439052.jpeg

On the client, all settings are the same, one to one.
Plus a log dump from the client with debugging enabled.

Logs
# may/12/2021 15:34: 8 by RouterOS 6.48.2
# software id = M251-7CWQ
#
15:28:05 ipsec,debug add payload of len 20, next type 0 
15:28:05 ipsec,debug 364 bytes from 100.109.67.21[500] to 1.1.9.132[500] 
15:28:05 ipsec,debug 1 times of 364 bytes message will be sent to 1.1.9.132[500] 
15:28:05 ipsec,debug Deleting a Ph2... 
15:28:05 ipsec,debug Removing PH1... 
15:28:14 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=25) 
15:28:14 ipsec,debug 0.0.0.0[4500] used as isakmp port with NAT-T (fd=27) 
15:28:17 ipsec,debug failed to bind to ::[500] Bad file descriptor 
15:28:17 ipsec,debug  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) 
15:28:17 ipsec,debug   (trns_id=AES-CBC encklen=256 authtype=hmac-sha1) 
15:28:17 ipsec,debug   (trns_id=AES-CBC encklen=192 authtype=hmac-sha1) 
15:28:17 ipsec,debug   (trns_id=AES-CBC encklen=128 authtype=hmac-sha1) 
15:28:17 ipsec,debug === 
15:28:17 ipsec,debug new cookie: 
15:28:17 ipsec,debug 46bcc0ef372d73bd 
15:28:17 ipsec,debug add payload of len 256, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 13 
15:28:17 ipsec,debug add payload of len 16, next type 0 
15:28:17 ipsec,debug 548 bytes from 100.109.67.21[500] to 1.1.9.132[500] 
15:28:17 ipsec,debug 1 times of 548 bytes message will be sent to 1.1.9.132[500]


1 answer(s)
Alexander Karabanov, 2021-05-13
@karabanov

failed to bind to ::[500] Bad file descriptor
Enable IPv6 package in System > Packages or remove ::/0 from peer settings.
DIY MikroTik IKE2 VPN
Presentation
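
A small triage pass over the client log that surfaces the bind failure the answer points to, together with listener binds, PH1 teardowns and outbound ISAKMP sends. This is an added example, not part of the original posts; the function names are hypothetical and the regexes assume the line format shown in the log above.

```python
import re
from collections import Counter

# Constructed sample: a few lines taken from the client log in the question.
SAMPLE_LOG = """\
15:28:05 ipsec,debug 1 times of 364 bytes message will be sent to 1.1.9.132[500]
15:28:05 ipsec,debug Deleting a Ph2...
15:28:05 ipsec,debug Removing PH1...
15:28:14 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=25)
15:28:14 ipsec,debug 0.0.0.0[4500] used as isakmp port with NAT-T (fd=27)
15:28:17 ipsec,debug failed to bind to ::[500] Bad file descriptor
15:28:17 ipsec,debug 1 times of 548 bytes message will be sent to 1.1.9.132[500]
"""

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*?)\s*$")
BOUND = re.compile(r"^(\S+)\[(\d+)\] used as isakmp port")
BIND_FAIL = re.compile(r"^failed to bind to (\S+)\[(\d+)\]\s+(.*)$")
SENT = re.compile(r"^\d+ times of (\d+) bytes message will be sent to (\S+)\[(\d+)\]")

def triage(text):
    """Summarise listener binds, bind failures, PH1 teardowns and sends."""
    report = {"bound": [], "bind_failures": [], "ph1_removed": 0, "sent": Counter()}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or "ipsec" not in m.group(2).split(","):
            continue  # skip header comments and non-IPsec topics
        ts, msg = m.group(1), m.group(3)
        if (b := BOUND.match(msg)):
            report["bound"].append((b.group(1), int(b.group(2))))
        elif (f := BIND_FAIL.match(msg)):
            report["bind_failures"].append((ts, f.group(1), int(f.group(2)), f.group(3)))
        elif msg.startswith("Removing PH1"):
            report["ph1_removed"] += 1
        elif (s := SENT.match(msg)):
            report["sent"][(s.group(2), int(s.group(3)))] += 1
    return report

def ipv6_listener_missing(report):
    """True when an IPv6 bind failed and no IPv6 listener was ever bound."""
    v6_failed = any(":" in addr for _, addr, _, _ in report["bind_failures"])
    v6_bound = any(":" in addr for addr, _ in report["bound"])
    return v6_failed and not v6_bound

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r, ipv6_listener_missing(r))
```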
