Mikrotik L2TP over IPSec troubleshooting

Troubleshooting a MikroTik VPN configuration can be frustrating if you do not know where to look. This article is specifically about troubleshooting L2TP over IPSec Remote Access VPNs on RouterOS.

Below are RouterOS configuration areas that relate to L2TP over IPSec.

Here are the steps to verify and troubleshoot Remote VPN connections to a MikroTik Router using L2TP over IPSec.

  1. Ensure that the proper firewall ports are open (see the separate article on MikroTik L2TP/IPSec firewall rules)
  2. Verify that the L2TP server is enabled
  3. Verify that the IPSec secret matches on the router and the client
  4. Verify that a compatible IPSec proposal is configured
  5. Verify that a PPP profile and an IP pool are configured
  6. Make sure the PPP username/password matches

Is your L2TP Server Enabled? Verify IPSec secret (PreShared Key)

  1. In Winbox, click PPP > Interfaces > L2TP Server
  2. [x] Enable should be checked
  3. Use IPSec: yes
  4. Set IPSec Secret: your-ipsec-psk

Verify IPSec proposal

  1. In Winbox, click IP > IPsec > Proposals
  2. Double click default
  3. Auth Algorithms: [x] sha1
  4. Encr. Algorithms: [x] aes-192-cbc, [x] aes-256-cbc

Note: The above proposal is compatible with iOS iPhones / iPads.
If you must support clients on older operating systems (such as Windows XP), a different proposal may be required.

Verify PPP Profile & IP Pool

  1. In Winbox, click PPP > Profiles
  2. In the default profile, set a Local Address
  3. Specify the VPN IP pool as the Remote Address
  4. If an IP pool still needs to be created, go to IP > Pool

Verify PPP credentials

VPN username accounts are defined in RouterOS as PPP Secrets.
PPP > Secrets

Enable L2TP logging

/system logging add prefix="L2TPDBG===>" topics=l2tp

Enable IPSec logging

/system logging add prefix="IPSECDBG===>" topics=ipsec

IPSec Secret (PSK) Mismatch

If you have IPSec logging enabled and a client is connecting with an incorrect preshared key, you will see the following error in your router’s log.

14:16:37 ipsec,error IPSECDBG===>: 10.X.X.XX parsing packet failed, possible cause: wrong password 

PPP Username/password is incorrect

If you have L2TP logging enabled and a client is connecting with an incorrect username or password, you will see the following errors in your router’s log.

14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:      
14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:  <1X6.XXX.XXX.77>: sent CHAP Failure id=0x1 
14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:     E=691 R=0 C=A9A0C9CFDEB630268F0DEEEEF55EF149 V=3 M=bad username or password 
14:22:19 l2tp,ppp,error L2TPDBG===>: <1X6.XXX.XXX.77>: user vpnuser1 authentication failed 
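As an added example (not part of the original article), the script below triages exported RouterOS log text for the two failure signatures shown above and maps each hit back to the checklist item it points at. The sample log lines inside it are constructed from the formats on this page; the addresses are documentation placeholders and the username is the one from the log above.

```python
import re
from collections import Counter

# Constructed sample log text in the formats shown above; the addresses are
# documentation placeholders, not real hosts.
SAMPLE_LOG = """\
14:16:37 ipsec,error IPSECDBG===>: 10.0.0.23 parsing packet failed, possible cause: wrong password
14:22:19 l2tp,ppp,debug,packet L2TPDBG===>:  <192.0.2.77>: sent CHAP Failure id=0x1
14:22:19 l2tp,ppp,error L2TPDBG===>: <192.0.2.77>: user vpnuser1 authentication failed
14:25:40 ipsec,error IPSECDBG===>: 10.0.0.23 parsing packet failed, possible cause: wrong password
14:30:02 l2tp,ppp,info L2TPDBG===>: <198.51.100.5>: authenticated
"""

# The logging prefix ("IPSECDBG===>:") is optional so the patterns also match
# logs written without a /system logging prefix.
PSK_MISMATCH = re.compile(
    r"ipsec,error (?:\S+: )?(?P<peer>\S+) parsing packet failed, possible cause: wrong password")
PPP_AUTH_FAILED = re.compile(
    r"l2tp,ppp,error (?:\S+: )?<(?P<peer>[^>]+)>: user (?P<user>\S+) authentication failed")

# Which checklist item from the article each failure points back to.
NEXT_CHECK = {
    "psk_mismatch": "IPSec Secret under PPP > Interfaces > L2TP Server must match the client PSK",
    "bad_credentials": "username/password under PPP > Secrets must match the client",
}

def classify_line(line):
    """Return an event dict for a recognised failure line, else None."""
    m = PSK_MISMATCH.search(line)
    if m:
        return {"stage": "ipsec", "cause": "psk_mismatch", "peer": m["peer"], "user": None}
    m = PPP_AUTH_FAILED.search(line)
    if m:
        return {"stage": "ppp", "cause": "bad_credentials", "peer": m["peer"], "user": m["user"]}
    return None

def triage(log_text):
    """Classify every line; each event carries the article's next check."""
    events = []
    for line in log_text.splitlines():
        event = classify_line(line)
        if event:
            event["next_check"] = NEXT_CHECK[event["cause"]]
            events.append(event)
    return events

def summarize(events):
    """Count failures per (peer, cause) so repeated failures from one peer stand out."""
    return dict(Counter((e["peer"], e["cause"]) for e in events))

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['stage']}: {e['peer']} {e['cause']} -> {e['next_check']}")
```

Paste the output of `/log print` into SAMPLE_LOG (or read it from a file) to run it against a real router; an IPSec-stage hit means the PPP credentials were never even tested.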

I hope this short guide has helped you troubleshoot and debug MikroTik L2TP/IPSec VPN configurations. If you have questions, leave a comment below and check out my other MikroTik tutorials.

Keywords: remote access vpn, l2tp, ipsec, proposal, logging, debugging, ios vpn, windows vpn, encryption