Mikrotik L2TP / IPSec for NAT: ipsec, error failed to pre-process ph2 packet
When using Mikrotik for NAT (in particular, for all sorts of USB GSM modems) in L2TP / IPSec client mode, for some operators in certain modes, I got a problem with the ipsec error, error failed to pre-process ph2 packet.
But with the advent of RoS 6.38, it became possible to cope with an error.
So, the error appears in the usual L2TP client configuration as in the picture:
The main problem is that the IPSec policy used in this configuration is nailed and uses ike1. Ike1, in turn, in the implementation of RoS, has a problem when passing NAT without port forwarding, and as an aggravating circumstance: multiple tunnels with l2tp also do not work out of a single NAT (and the number of clients on the modem is huge).
You can solve the problem when using IKE2 (and for a heap of clients with one NAT, you need to abandon PSK authorization in favor of RSA Signature), which cannot be configured from the menu above, but you can do the trick: go to IP -> IPSec
Copy the dynamically created peer, and change the settings in it as shown below:
Namely, we change Exchange Mode to IKE2, in the Encryption tab, configure the necessary encryption settings.
It remains to disable the use of IPSec in the L2TP / IPSec settings.
That's all, the connection rises, encryption works.
But with the advent of RoS 6.38, it became possible to cope with an error.
So, the error appears in the usual L2TP client configuration as in the picture:
The main problem is that the IPSec policy used in this configuration is nailed and uses ike1. Ike1, in turn, in the implementation of RoS, has a problem when passing NAT without port forwarding, and as an aggravating circumstance: multiple tunnels with l2tp also do not work out of a single NAT (and the number of clients on the modem is huge).
You can solve the problem when using IKE2 (and for a heap of clients with one NAT, you need to abandon PSK authorization in favor of RSA Signature), which cannot be configured from the menu above, but you can do the trick: go to IP -> IPSec
Copy the dynamically created peer, and change the settings in it as shown below:
Namely, we change Exchange Mode to IKE2, in the Encryption tab, configure the necessary encryption settings.
It remains to disable the use of IPSec in the L2TP / IPSec settings.
That's all, the connection rises, encryption works.
More posts:
All Posts