We upgraded our RB1100AH2x yesterday from 6.19 to 6.22 and lost our L2TP / IPSec tunnels in the process. The logs are now littered with IPSec errors stating
failed to pre-process ph2 packet.
In the change log for 6.21 I notice that you can no longer employ a blank value for the Policy Group in the Peer policy. We had originally configured our tunnel this way and I suspect that this is the cause of the errors.
Can anyone point me in the right direction on how to resolve this issue?
See relevant config below (note that the first entry in the ipsec peer is not relevant – entry "1" is the one I am most concerned about).
/ip ipsec peer> print
Flags: X - disabled, D - dynamic
0 X address=xx.xx.xx.xx/32 local-address=0.0.0.0 passive=no
port=500 auth-method=pre-shared-key secret="redacted"
generate-policy=no policy-template-group=*FFFFFFFF
exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=md5
enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
1 D address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500
auth-method=pre-shared-key secret="redacted"
generate-policy=port-strict policy-template-group=default
exchange-mode=main-l2tp send-initial-contact=yes
nat-traversal=yes hash-algorithm=sha1
enc-algorithm=3des,aes-128,aes-192,aes-256
dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5
/ip ipsec proposal> print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=3des,aes-256-cbc lifetime=30m
pfs-group=modp1024
Best Answer
You have to delete the group, which is in the IP/ipsec groups.
Then it will say unknown in the peer tab. After that, it should work.