Mikrotik L2TP over IPSec troubleshooting

Troubleshooting a MikroTik VPN configuration can be frustrating if you do not know where to look. This article is specifically about troubleshooting L2TP over IPSec Remote Access VPNs on RouterOS.

Below are RouterOS configuration areas that relate to L2TP over IPSec.

Here are the steps to verify and troubleshoot Remote VPN connections to a MikroTik Router using L2TP over IPSec.

1. Ensure that proper firewall ports are open – More info on Mikrotik L2TP/IPSec Firewall Rules here
2. Verify that the L2TP server is enabled
3. IPSec secret matches on router and client
4. Verify that a compatible IPSec proposal is configured
5. Verify that PPP Profile and IP Pool is configured
6. Make sure PPP username/password matches

Is your L2TP Server Enabled? Verify IPSec secret (PreShared Key)

1. In Winbox, click PPP > Interfaces > L2TP Server
2. [x] Enable should be checked
3. Use IPSec: yes
4. Set IPSec Secret: your-ipsec-psk

Verify IPSec proposal

1. In Winbox, click IP > IPsec > Proposals
2. Double click default
3. Auth Algorithms: [x] sha1
4. Encr. Algorithms: [x] aes-192-cbc, [x] aes-256-cbc

Note: The above proposal is compatible with iOS iPhones / iPads.
If you must support clients older operating systems (such as Windows XP), a different proposal may be required.

Verify PPP Profile & IP Pool

1. In Winbox, click PPP > Profiles
2. Default a Local Address
3. Specify VPN IP Pool
4. If a IP pool needs to be create, goto .IP > Pool

Verify PPP credentials

VPN username accounts are defined in RouterOS as PPP Secrets.
PPP > Secrets

Enable IPSec logging

/system logging add prefix="L2TPDBG===>" topics=l2tp

Enable L2TP logging

/system logging add prefix="IPSECDBG===>" topics=ipsec

IPSec Secret (PSK) Mismatch

If you have IPSec logging enable and a client is connecting with an incorrect preshared key you will see the following error in your router’s log file.

14:16:37 ipsec,error IPSECDBG===>: 10.X.X.XX parsing packet failed, possible cause: wrong password 

PPP Username/password is incorrect

If you have L2TP logging enable and a client is connecting with an incorrect username or password you will see the following errors in your router’s log file.

14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:      
14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:  <1X6.XXX.XXX.77>: sent CHAP Failure id=0x1 
14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:     E=691 R=0 C=A9A0C9CFDEB630268F0DEEEEF55EF149 V=3 M=bad username or password 
14:22:19 l2tp,ppp,error L2TPDBG===>: <1X6.XXX.XXX.77>: user vpnuser1 authentication failed 

I hope this short guide has helped you troubleshoot & debug Mikrotik L2TP/IPSec VPN configurations. If you have questions, leave a comment below & checkout my other MikroTik Tutorials.

---

---

This site uses Akismet to reduce spam. Learn how your comment data is processed.