Hi Masters!
I successfully set up a private VPN (IPsec/IKEv2) server for myself, which works normally from all platforms, except on my Mikrotik router (hAP ac2).
The connection seems to be established successfully, but I still can't ping the remote IP address (Timeout).
And now comes the interesting point, which took several days before I realized that if I just turn off the policy rule and re-enable it while the VPN connection is active, it improves and works fine.
I tried to change the value of the proposal and the policy, but unfortunately it didn't work.
In the error log, it is clear from the server side that it cannot establish a negotiation connection the first time, but the second time it can, if I only turn off the policy and then turn it on:
Code:
...
Feb 19 04:59:14 vpn charon: 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
Feb 19 04:59:14 vpn charon: 13[IKE] configuration payload negotiation failed, no CHILD_SA built
Feb 19 04:59:14 vpn charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
...
Here is my Mikrotik router config:
Code:
/ip/ipsec/policy> print
1 CP-VPN yes 10.10.2.1/32 10.10.2.2/32 all encrypt require 0
Code:
/ip/ipsec/proposal> print
1 name="MyConfig" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none
My question is, has anyone encountered such an error, is it an error from the Mikrotik side?
Thank you!
Regards: DrCyberg
Statistics: Posted by drcyberg — Mon Feb 19, 2024 8:52 am
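
An added example, not part of the original post: a small Python triage script over the charon lines quoted above. It flags exchanges where the server kept the IKE_SA but built no CHILD_SA, which is the state in which a peer looks connected while no traffic can pass. The last sample line and the correlation by (timestamp, worker thread) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three charon lines quoted in the post, followed by
# one made-up line for a later exchange that does build a CHILD_SA.
SAMPLE_LOG = """\
Feb 19 04:59:14 vpn charon: 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
Feb 19 04:59:14 vpn charon: 13[IKE] configuration payload negotiation failed, no CHILD_SA built
Feb 19 04:59:14 vpn charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 19 05:01:02 vpn charon: 07[IKE] CHILD_SA example{2} established with SPIs c0000001_i c0000002_o
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$"
)
NOTIFY = re.compile(r"\bsending ([A-Z][A-Z0-9_]+)\b")


def child_sa_failures(log_text):
    """Return one record per exchange in which charon gave up on the CHILD_SA.

    Lines are correlated by (timestamp, worker thread), an assumption that
    fits how the messages of one exchange appear in the excerpt.
    """
    exchanges = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m and m["grp"] == "IKE":
            exchanges[(m["ts"], m["thread"])].append(m["msg"])

    findings = []
    for (ts, thread), msgs in exchanges.items():
        failed = [x for x in msgs if x.startswith("failed to establish CHILD_SA")]
        if not failed:
            continue
        findings.append({
            "time": ts,
            "thread": thread,
            # Error notify names the server says it is sending back to the peer.
            "notifies": [n for x in msgs for n in NOTIFY.findall(x)],
            # IKE_SA stays up: the peer looks "connected" but has no tunnel.
            "ike_sa_kept": any("keeping IKE_SA" in x for x in failed),
        })
    return findings


if __name__ == "__main__":
    for finding in child_sa_failures(SAMPLE_LOG):
        print(finding)
```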