The packet is retransmitted by mikrotik: what does it mean
/ip ipsec policy group
add name=l2tp
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des name=L2TP
/ip pool
add name=vpn-pool ranges=10.20.1.10-10.20.1.20
/ppp profile
add change-tcp-mss=yes dns-server=10.20.1.1 local-address=10.20.1.1 name=vpn_profile remote-address=vpn-pool use-encryption=yes use-ipv6=default
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=vpn_profile enabled=yes ipsec-secret=***** one-session-per-host=yes use-ipsec=yes
/interface pptp-server server
set default-profile=vpn_profile
/ip firewall filter
add action=accept chain=input comment=VPN protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
/ip ipsec peer
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret=*****
/ip ipsec policy
add dst-address=0.0.0.0/0 group=l2tp proposal=L2TP src-address=0.0.0.0/0 template=yes
/ppp secret
add name=user password=*** profile=vpn_profile service=l2tp
Android clients connect. But Windows 8.1 gives error 789.
Please help with the configuration.
While Windows is trying to connect, the MikroTik writes three times in the log: ipsec, info the packet is retransmitted by IP-address[500].
And afterwards in the MikroTik log: ipsec, error phase1 negotiation failed due to time up IP-address[500]IP-address[500], followed by a long key.
How do I correctly handle GRE+IPsec (dynamic) failover when two MikroTiks run VRRP in master and slave modes?
Good day. I have 2 MikroTiks, one acting as master and the other as slave, and 2 providers, each with several IPs. Traffic is marked for each individual IP, separate routes are created for each external IP, and Rules are set up so that the src.address of each provider's external IP goes via its own route and marked traffic leaves via the same marked route. They work over the VRRP protocol; VRRP itself is configured only on the LAN interface, and it also has a simple script which, depending on the router's role, enables (master) or disables (slave) the WAN and VPN interfaces. But a problem arises with the VPN (GRE+IPsec): as soon as the slave becomes master, the VPN does not come up; enabling and disabling the VPN interfaces on both sides does not help. On the other side there are connections, and even if they are deleted so that new ones get created, in case they hung, nothing happens. On the slave side, which has become master, "connections" shows only attempts to establish a connection to the other side; there are no incoming connections from that side, and the log shows the errors "phase 1 negotiation failed due to send error ip_master[500]"<=>ip_other_side[500]. On the other side, "connections" shows connections towards the master, but not established, and the log shows the errors "the packet is retransmitted by IP_MASTER[500]" and "phase 1 negotiation failed due to time up ip[500]<=>ip[500]". If the master is put back into operation, the VPN connection is restored instantly. Firmware 6.39.3 (bugfix) is installed everywhere. Has anyone already run into something similar?
Fri Sep 16, 2022 8:49 am
Hello, I've tried to set up an L2TP/IPsec VPN on my router. I can successfully access it through my LAN, but when I try to access it through 4G it fails.
13:13:49 ipsec,info respond new phase 1 (Identity Protection): xxx.xxx.xxx.xxx[500]<=>175.176.67.122[28729]
13:13:52 ipsec,info the packet is retransmitted by 175.176.67.122[28729].
13:13:55 ipsec,info the packet is retransmitted by 175.176.67.122[28729].
13:13:58 ipsec,info the packet is retransmitted by 175.176.67.122[28729].
13:14:01 ipsec,info the packet is retransmitted by 175.176.67.122[28729].
13:14:04 ipsec,info the packet is retransmitted by 175.176.67.122[28729].
13:14:19 l2tp,info first L2TP UDP packet received from 175.176.67.122
13:14:49 ipsec,error phase1 negotiation failed due to time up xxx.xxx.xxx.xxx[500]<=>175.176.67.122[28729] dbaab16a73dbc420:29 d30f82da568583
Where x is my static IP and 175.176.67.122 is my IP from 4G.
Below is my config for my L2TP/IPsec packet:
/ip pool
add name=vpn-ipsec ranges=192.168.3.2-192.168.3.100
/ip firewall filter
add action=fasttrack-connection chain=forward comment=DNS dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward dst-port=53 protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSEC VPN access" dst-port=500,1701,4500 in-interface=pppoe-WAN log=yes protocol=udp
add action=accept chain=input in-interface=pppoe-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=pppoe-WAN protocol=ipsec-ah
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-WAN
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp-vpn enabled=yes use-ipsec=required
/ppp profile
add change-tcp-mss=yes local-address=192.168.3.1 name=l2tp-vpn remote-address=vpn-ipsec
Mon Apr 13, 2020 7:29 pm
Newest problem is as follows; perhaps you can point me to what is causing this issue.
I have an L2TP with IPsec server running on a MikroTik RB4011.
I can connect from an Android device using LTE to the L2TP without any problems, BUT if the device switches to WiFi and tries to connect it fails miserably.
I read somewhere that I have to change the generate policy from port strict to port override, but it creates dynamic rules which I can't change, and I can't seem to figure out how to add it manually and point it to the L2TP server on 6.46.x version.
On the RB4011 there is also a working IPsec site-to-site tunnel.
/ppp profile
add bridge=bridge1 dns-server=8.8.8.8 local-address=192.168.0.254 name=\
l2tp_ipsec remote-address=vpnpool use-encryption=required
/ppp secret
add name=admin password=xxxxxxxx profile=l2tp_ipsec service=l2tp
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=\
l2tp_ipsec enabled=yes ipsec-secret=xxxxxxx keepalive-timeout=disabled \
max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="IPSec enable" protocol=ipsec-esp
Thanks in advance
Forum Guru
Posts: 3459 Joined: Tue Dec 12, 2017 12:58 am Location: Greece
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 7:52 pm
i can’t seem to figure out how to add it manually and point it to the L2TP server on 6.46.x version.
You will have to create an IPsec in transport Mode, not tunnel mode, manually and then create your L2TP Tunnel over the IPsec and then add the appropriate routes.
This way you actually do what the L2TP/IPsec would do automatically.
BUT if the device switches to WIFI and tries to connect it fails miserably.
Within the same LAN where the IPsec server is ?
Forum Guru
Posts: 10206 Joined: Mon Dec 04, 2017 9:19 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 8:13 pm
I can connect from an android device using LTE to the L2TP without any problems BUT if the device switches to WIFI and tries to connect it fails miserably.
Is the Android phone connected to the WiFi provided by the very same 4011 which is the L2TP/IPsec server, or is it provided by the same Mikrotik which itself is a peer of the site-to-site IPsec tunnel, or is it totally unrelated to either of them?
Is the site-to-site tunnel an IKE(v1) or IKEv2 one?
I read somewhere that i have to change the generate policy from port strict to port override but it creates dynamic rules which i can’t change and i can’t seem to figure out how to add it manually and point it to the L2TP server on 6.46.x version.
I don’t think port override would change anything. You can create the IPsec settings for an L2TP server, ideally by letting the /ip l2tp-server server create the peer and identity, and then copying them with the same parameters:
ip ipsec peer add copy-from=l2tp-in-server name=l2tp-in-static
ip ipsec identity add copy-from=[find comment~"l2tp"] peer=l2tp-in-static
The static peer will be shadowed by the dynamically added one until you disable the auto-creation in /interface l2tp-server server.
Then, you can completely customize the settings — use a different profile for the peer, choose a different policy-generation method and policy-generation template group in identity, so you can use a different policy template with a different proposal. But I bet none of these will resolve the issue, as the Android phone itself has no reason to change the behavior of the VPN client depending on the network interface it uses.
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 8:16 pm
i can’t seem to figure out how to add it manually and point it to the L2TP server on 6.46.x version.
You will have to create an IPsec in transport Mode, not tunnel mode, manually and then create your L2TP Tunnel over the IPsec and then add the appropriate routes.
This way you actually do what the L2TP/IPsec would do automatically.
BUT if the device switches to WIFI and tries to connect it fails miserably.
Within the same LAN where the IPsec server is ?
Different location
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 8:18 pm
I can connect from an android device using LTE to the L2TP without any problems BUT if the device switches to WIFI and tries to connect it fails miserably.
Is the Android phone connected to the WiFi provided by the very same 4011 which is the L2TP/IPsec server, or is it provided by the same Mikrotik which itself is a peer of the site-to-site IPsec tunnel, or is it totally unrelated to either of them?
Is the site-to-site tunnel an IKE(v1) or IKEv2 one?
I read somewhere that i have to change the generate policy from port strict to port override but it creates dynamic rules which i can’t change and i can’t seem to figure out how to add it manually and point it to the L2TP server on 6.46.x version.
I don’t think port override would change anything. You can create the IPsec settings for an L2TP server, ideally by letting the /ip l2tp-server server create the peer and identity, and then copying them with the same parameters:
ip ipsec peer add copy-from=l2tp-in-server name=l2tp-in-static
ip ipsec identity add copy-from=[find comment~"l2tp"] peer=l2tp-in-static
The static peer will be shadowed by the dynamically added one until you disable the auto-creation in /interface l2tp-server server.
Then, you can completely customize the settings — use a different profile for the peer, choose a different policy-generation method and policy-generation template group in identity, so you can use a different policy template with a different proposal. But I bet none of these will resolve the issue, as the Android phone itself has no reason to change the behavior of the VPN client depending on the network interface it uses.
Different location, the site to site is IKEv2
Forum Guru
Posts: 3459 Joined: Tue Dec 12, 2017 12:58 am Location: Greece
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 8:35 pm
Does the log say anything when you try to connect through WiFi? Any errors ?
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:01 pm
Does the log say anything when you try to connect through WiFi? Any errors ?
The packet is retransmitted about 5 times, then phase1 negotiation failed.
I tried creating it manually but I must be doing something wrong: I dial in and it says established, but the phone still tries to connect (shows connecting instead of connected) and then fails.
I obviously must be doing it wrong; I have to try and find out how to make it in transport mode.
/ip ipsec peer
add name=l2tpserver passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 dpd-interval=1m dpd-maximum-failures=3 enc-algorithm=\
aes-128 name=profile1
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=\
profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=0s
add enc-algorithms=aes-128-cbc lifetime=1d name=secure-proposal
/ip ipsec identity
add generate-policy=port-override peer=peer1 secret=xxxxxxxxxx
add generate-policy=port-override peer=l2tpserver remote-id=ignore secret=\
xxxxxxxxxx
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.5.0/24 peer=peer1 proposal=secure-proposal \
sa-dst-address=xx.xx.xx.xx sa-src-address=192.168.1.235 src-address=\
192.168.0.0/24 tunnel=yes
The policy is created on its own: I see the dynamic L2TP one, and it gets deleted when it fails.
Also, when I attempt all this I switch OFF the L2TP server; is that correct?
Forum Guru
Posts: 10206 Joined: Mon Dec 04, 2017 9:19 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:17 pm
the packet is retransmitted about 5 times then phase1 negotiation failed
Which "the" packet? The first response one from the Mikrotik to the phone or one of the later ones?
I’ve seen multiple cases recently which behaved similarly — the initial negotiation failed at some stage. In one case it boiled down to packets being too large and fragmented, in the other one I’ve got no feedback yet, these were both related to certificate-based authentication. Another case was also L2TP/IPsec, and it seemed to have to do with Android version, but no one has ever stated anything regarding WiFi or mobile connection of the mobile.
Also when i attemp all these i switch OFF the L2TP server is that correct?
What’s the point?
Forum Guru
Posts: 3459 Joined: Tue Dec 12, 2017 12:58 am Location: Greece
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:18 pm
the packet is retransmitted about 5 times then phase1 negotiation failed
Please check in the firewall and make sure UDP 4500 is accepted in the input chain.
Also, from a quick look at your config, tunnel=no, not yes. Otherwise Tunnel Mode is used and not Transport mode.
Forum Guru
Posts: 10206 Joined: Mon Dec 04, 2017 9:19 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:25 pm
Also, from a quick look at your config, tunnel=no, not yes. Otherwise Tunnel Mode is used and not Transport mode.
That’s a config for the site-to-site tunnel, that’s fine.
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:33 pm
the packet is retransmitted about 5 times then phase1 negotiation failed
Which "the" packet? The first response one from the Mikrotik to the phone or one of the later ones?
I’ve seen multiple cases recently which behaved similarly — the initial negotiation failed at some stage. In one case it boiled down to packets being too large and fragmented, in the other one I’ve got no feedback yet, these were both related to certificate-based authentication. Another case was also L2TP/IPsec, and it seemed to have to do with Android version, but no one has ever stated anything regarding WiFi or mobile connection of the mobile.
Also, when I attempt all this I switch OFF the L2TP server; is that correct?
What’s the point?
I am trying to get my head around the concept.
So static IPSEC entries mean /ppp l2tp-server enabled but without the use of ipsec in that menu?
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:35 pm
the packet is retransmitted about 5 times then phase1 negotiation failed
Please check in the firewall and make sure UDP 4500 is accepted in the input chain.
Also, from a quick look at your config, tunnel=no, not yes. Otherwise Tunnel Mode is used and not Transport mode.
I have ports 500,1701,4500 accepted in the input chain, at the top of the firewall list.
The tunnel is from the site-to-site connection.
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:44 pm
21:34:18 ipsec,info respond new phase 1 (Identity Protection): 192.168.1.235[500]<=>xxxxxxxxxxx[500]
21:34:21 ipsec,info the packet is retransmitted by xxxxxxxxxxxxx[500].
21:34:24 ipsec,info the packet is retransmitted by xxxxxxxxxxxxx[500].
21:34:27 ipsec,info the packet is retransmitted by xxxxxxxxxxxxx[500].
21:34:30 ipsec,info the packet is retransmitted by xxxxxxxxxxxxx[500].
21:34:33 ipsec,info the packet is retransmitted by xxxxxxxxxxxxx[500].
21:34:48 l2tp,info first L2TP UDP packet received from xxxxxxxxxxxxxx
21:35:18 ipsec,error phase1 negotiation failed due to time up 192.168.1.235[500]<=>xxxxxxxxxxx[500]
where x is the public IP that tries to come in to the 4011
Forum Guru
Posts: 10206 Joined: Mon Dec 04, 2017 9:19 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 9:50 pm
So static IPSEC entries mean /ppp l2tp-server enabled but without the use of ipsec in that menu?
Correct. Setting use-ipsec to no in /ip l2tp-server server will not prevent actual use of IPsec but it will just prevent the dynamic IPsec configuration from being created. The dynamically created one uses the default peer profile, default proposal, and creates the identity with generate-policy set to port-strict. Creating these two items manually allows you to customize them, to test whether the generate-policy=port-override will resolve the issue.
If this change doesn't help as I assume, I'd recommend you set /tool sniffer set file-name=android_startup.pcap, run /tool sniffer ip-address=the.public.ip.of.the.WiFi.where.the.phone.is.connected while you run the log (/log print follow-only file=android_startup where topics~"ipsec") and do a connection attempt from the phone.
This will show you whether the packets towards the phone actually leave the Mikrotik and if yes, which route they take. The dump on the screen will show the physical interfaces; the pcap file will allow to analyse the packets in Wireshark.
Member Candidate
Topic Author
Posts: 114 Joined: Tue Apr 01, 2014 11:11 pm
Re: L2TP/IPSEC Connectivity Issue
Mon Apr 13, 2020 10:09 pm
So static IPSEC entries mean /ppp l2tp-server enabled but without the use of ipsec in that menu?
Correct. Setting use-ipsec to no in /ip l2tp-server server will not prevent actual use of IPsec but it will just prevent the dynamic IPsec configuration from being created. The dynamically created one uses the default peer profile, default proposal, and creates the identity with generate-policy set to port-strict. Creating these two items manually allows you to customize them, to test whether the generate-policy=port-override will resolve the issue.
If this change doesn't help as I assume, I'd recommend you set /tool sniffer set file-name=android_startup.pcap, run /tool sniffer ip-address=the.public.ip.of.the.WiFi.where.the.phone.is.connected while you run the log (/log print follow-only file=android_startup where topics~"ipsec") and do a connection attempt from the phone.
This will show you whether the packets towards the phone actually leave the Mikrotik and if yes, which route they take. The dump on the screen will show the physical interfaces; the pcap file will allow to analyse the packets in Wireshark.
1 0.000000 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
2 0.000490 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
3 2.994769 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
4 2.994863 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
5 6.015313 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
6 6.015413 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
7 9.088846 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
8 9.088926 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
9 9.999948 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
10 12.040644 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
11 12.040727 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
12 15.027681 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
13 15.027780 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
14 18.039470 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
15 20.001693 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
16 21.041981 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
17 24.077041 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
18 27.060918 xx.xx.xx.xx 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
19 30.004169 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
20 30.142942 xx.xx.xx.xx 192.168.1.235 L2TP 111 Control Message - SCCRQ (tunnel session
21 30.143211 192.168.1.235 xx.xx.xx.xx L2TP 142 Control Message - SCCRP (tunnel session
22 30.143892 xx.xx.xx.xx 192.168.1.235 L2TP 78 Control Message - StopCCN (tunnel session
23 30.144008 192.168.1.235 xx.xx.xx.xx L2TP 54 Control Message - ZLB (tunnel session
24 30.230285 xx.xx.xx.xx 192.168.1.235 ICMP 170 Destination unreachable (Port unreachable)
25 30.230348 xx.xx.xx.xx 192.168.1.235 ICMP 82 Destination unreachable (Port unreachable)
26 40.000199 192.168.1.235 xx.xx.xx.xx ISAKMP 190 Identity Protection (Main Mode)
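An added example, not code from the thread or from MikroTik: a small Python check that reads the two artefacts the sniffer advice above asks for (the ipsec log and the Wireshark summary) and answers the question behind the repeated "the packet is retransmitted by" lines, namely whether the router's phase 1 reply is leaving at all. The sample log and capture lines are constructed after the ones posted above, with 192.168.1.235 as the router and the documentation address 203.0.113.7 standing in for the phone's public IP.

```python
import re
from collections import Counter

# Constructed samples modelled on the posts above (Wireshark columns: No. Time Source Destination
# Protocol Length Info): 192.168.1.235 is the router, 203.0.113.7 stands in for the phone's public IP.
LOG = """\
21:34:18 ipsec,info respond new phase 1 (Identity Protection): 192.168.1.235[500]<=>203.0.113.7[500]
21:34:21 ipsec,info the packet is retransmitted by 203.0.113.7[500].
21:34:24 ipsec,info the packet is retransmitted by 203.0.113.7[500].
21:34:27 ipsec,info the packet is retransmitted by 203.0.113.7[500].
21:35:18 ipsec,error phase1 negotiation failed due to time up 192.168.1.235[500]<=>203.0.113.7[500]
"""
CAPTURE = """\
1 0.000000 203.0.113.7 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
2 0.000490 192.168.1.235 203.0.113.7 ISAKMP 190 Identity Protection (Main Mode)
3 2.994769 203.0.113.7 192.168.1.235 ISAKMP 766 Identity Protection (Main Mode)
4 2.994863 192.168.1.235 203.0.113.7 ISAKMP 190 Identity Protection (Main Mode)
5 9.999948 192.168.1.235 203.0.113.7 ISAKMP 190 Identity Protection (Main Mode)
6 30.142942 203.0.113.7 192.168.1.235 L2TP 111 Control Message - SCCRQ
"""

RETRANS = re.compile(r"the packet is retransmitted by (\S+)\[\d+\]")
TIMEUP = re.compile(r"phase1 negotiation failed due to time up \S+\[\d+\]<=>(\S+)\[\d+\]")
VERDICTS = {
    "ok": "retransmissions seen but phase 1 did not time out",
    "no-reply": "router never answered: check the input filter for UDP 500/4500 and the peer/identity",
    "reply-lost": "router answered every copy of message 1 but the client never sent message 3: "
                  "the reply is lost or rejected on the way back (client-side NAT/firewall, return route)",
}

def parse_log(text):
    """Per initiator IP: (count of 'retransmitted' lines, whether phase 1 timed out)."""
    retrans, failed = Counter(), set()
    for line in text.splitlines():
        if m := RETRANS.search(line):
            retrans[m.group(1)] += 1
        if m := TIMEUP.search(line):
            failed.add(m.group(1))
    return {ip: (retrans[ip], ip in failed) for ip in set(retrans) | failed}

def parse_capture(text, local):
    """Per peer IP: (ISAKMP frames peer->local, ISAKMP frames local->peer)."""
    inbound, outbound = Counter(), Counter()
    for line in text.splitlines():
        fields = line.split(maxsplit=6)
        if len(fields) < 7 or fields[4] != "ISAKMP":
            continue  # only the IKE exchange matters for a phase 1 verdict
        src, dst = fields[2], fields[3]
        if dst == local:
            inbound[src] += 1
        elif src == local:
            outbound[dst] += 1
    return {ip: (inbound[ip], outbound[ip]) for ip in set(inbound) | set(outbound)}

def diagnose(log, capture, local):
    """Map each peer that retransmitted or timed out to a VERDICTS key."""
    flows = parse_capture(capture, local)
    result = {}
    for peer, (_n_retrans, timed_out) in parse_log(log).items():
        sent_back = flows.get(peer, (0, 0))[1]  # frames the router sent towards this peer
        result[peer] = "ok" if not timed_out else ("no-reply" if sent_back == 0 else "reply-lost")
    return result
```

On the posted capture the verdict is "reply-lost": the 190-byte replies leave the router for every 766-byte message 1, so the next thing to check is the path back to the phone, not the proposals.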