Hi all,
I swapped yesterday a hAP ac2 with a 5009 router.
I'm pretty sure I copied all the config from the old one to the new one, but something clearly went wrong.
I have a remote RB750 that won't connect over L2TP to the new router.
config of the 5009 at home — I don't have the remote config (so sad)
the error is
Any ideas, please?
Thanks!
I swapped yesterday a hAP ac2 with a 5009 router.
I'm pretty sure I copied all the config from the old one to the new one, but something clearly went wrong.
I have a remote RB750 that won't connect over L2TP to the new router.
config of the 5009 at home
Code:
# Export of the RB5009 taken with hide-sensitive: passwords and IPsec
# secrets are not shown, so the ppp secrets below have no password= field.
/export hide-sensitive
# 2024-03-08 18:50:03 by RouterOS 7.12.1
# software id = D0I7-RUA4
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add admin-mac=78:9A:18:CB:0D:EE auto-mac=no comment=defconf name=bridge
# Guest and home-automation networks are VLAN sub-interfaces of ether8.
/interface vlan
add interface=ether8 name="WiFi domotica" vlan-id=50
add interface=ether8 name="WiFi guest" vlan-id=51
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=1460151
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): wireless section appears to be carried over from the hAP ac2;
# it has no effect on a board without wireless and is harmless.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): the default IPsec profile is pinned to a single phase-1
# pair (aes-256 / sha256). The L2TP/IPsec server below (use-ipsec=required)
# presumably negotiates with this profile, so a peer that offers a different
# phase-1 set is refused with "no suitable proposal found" — exactly the log
# line reported. Compare this line with the old hAP ac2's profile and with
# what the RB750 proposes before changing anything else.
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_guest ranges=192.168.99.2-192.168.99.50
# dhcp_l2tp is not referenced anywhere below: the l2tp ppp profile sets
# only local-address and each ppp secret carries a fixed remote-address.
add name=dhcp_l2tp ranges=192.168.100.2-192.168.100.5
add name=dhcp_pool3 ranges=192.168.101.50-192.168.101.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_guest authoritative=after-2sec-delay interface="WiFi guest" lease-time=1d name=server-guest
add address-pool=dhcp_pool3 interface="WiFi domotica" lease-time=1w3d name=dhcp1
/ppp profile
add dns-server=1.1.1.1 local-address=192.168.100.1 name=l2tp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# mschap1 is the weaker of the two accepted methods; with use-ipsec=required
# the PPP authentication is carried inside the IPsec tunnel. Consider dropping
# mschap1 once every client is known to support mschap2.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface="WiFi guest" network=192.168.99.0
add address=192.168.101.1/24 interface="WiFi domotica" network=192.168.101.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
[... some leases ...]
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.99.1
add address=192.168.101.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.101.1
# allow-remote-requests=yes turns the router into a resolver; it is not reachable
# from the Internet only because the input chain below drops everything that
# does not come from LAN — keep that drop rule if this setting stays.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Rules are evaluated top to bottom within each chain; input and forward
# rules are interleaved in the export but belong to separate chains.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The two L2TP/IPsec accepts (IKE 500/4500, L2TP 1701, ESP) must stay above
# the "!LAN" drop that follows them.
add action=accept chain=input comment="Per L2TP" dst-port=1701,500,4500 in-interface-list=all protocol=udp
add action=accept chain=input comment="Per L2TP" in-interface-list=all protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Da LAN a L2TP NAS" dst-address=192.168.100.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="Autorizza da rete casa a domotica" dst-address=192.168.101.0/24 src-address=192.168.88.0/24
# NOTE(review): the next two input rules duplicate "drop all not coming from
# LAN" and "drop invalid" already present above; they are never reached and
# can be removed.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Blocca navigazione alla foscam" out-interface=pppoe-out1 src-address=192.168.88.43
add action=drop chain=forward comment="Blocco per rete ospiti" dst-address=192.168.88.0/24 src-address=192.168.99.0/24
add action=drop chain=forward comment="Blocco per rete ospiti" dst-address=192.168.99.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment="Blocca WiFi Domotica vs WiFi casa" connection-state=new dst-address=192.168.88.0/24 src-address=192.168.101.0/24
add action=drop chain=forward comment="Blocca WiFi Domotica vs Guest" dst-address=192.168.99.0/24 src-address=192.168.101.0/24
add action=accept chain=forward comment="OpenVPN con Pi-VPN" dst-address=192.168.88.11 dst-port=50000 log=yes protocol=tcp
add action=accept chain=forward comment=Zabbix disabled=yes dst-address=192.168.88.24 dst-port=10051 log=yes protocol=tcp
add action=accept chain=forward comment="Backup SCP su Frannuc" disabled=yes dst-address=192.168.88.20 dst-port=50023 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): exact duplicate of the masquerade rule above; remove one.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="NAT per navigazione ospiti" out-interface=ether1 out-interface-list=WAN src-address=192.168.99.0/24
# NOTE(review): the dst-nat rules carry no in-interface-list=WAN and no
# dst-address / dst-address-type=local matcher, so any packet to the listed
# port — including a LAN host connecting to an outside server on that port —
# is redirected to the internal host. Add in-interface-list=WAN (or
# dst-address-type=local) to scope them to inbound traffic only.
add action=dst-nat chain=dstnat comment="NAT per accesso in VPN" dst-port=50000 log=yes protocol=tcp to-addresses=192.168.88.11 to-ports=50000
add action=dst-nat chain=dstnat comment="Per Wireguard" dst-port=51820 protocol=udp to-addresses=192.168.88.52 to-ports=51820
add action=dst-nat chain=dstnat comment="NAT per Zabbix" disabled=yes dst-port=10051 log=yes protocol=tcp to-addresses=192.168.88.24 to-ports=10051
add action=dst-nat chain=dstnat comment="SCP per backup clienti" disabled=yes dst-port=50023 protocol=tcp to-addresses=192.168.88.20 to-ports=222
# Management services are restricted to the home /24. telnet is disabled;
# ftp, www (plain HTTP) and api are still enabled — disable whichever are not
# actually used, since ssh, winbox and api-ssl already cover management.
/ip service
set telnet address=192.168.88.0/24 disabled=yes
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
# IPv6 section is the stock defconf ruleset, unchanged.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# NOTE(review): routes= on a ppp secret is the route list the server installs
# toward that client when it connects; 192.168.88.0/24 is this router's own
# LAN, so verify this is the intended value (it looks like it was meant for
# the client side).
/ppp secret
add name=francesco profile=l2tp remote-address=192.168.100.10 routes=192.168.88.0/24
add name=nasbackup profile=l2tp remote-address=192.168.100.2 routes=192.168.88.0/24
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroHome
/system note
set show-at-login=no
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
the error is
Code:
18:55:12 ipsec,info respond new phase 1 (Identity Protection): local_ip[500]<=>remote_ip[58523]
18:55:12 ipsec,error no suitable proposal found.
18:55:12 ipsec,error remote_ip failed to get valid proposal.
18:55:12 ipsec,error remote_ip failed to pre-process ph1 packet (side: 1, status 1).
18:55:12 ipsec,error remote_ip phase1 negotiation failed.
Thanks!
Statistics: Posted by cesco78 — Fri Mar 08, 2024 7:59 pm