Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    L2TP Site to Site between PFsense and Mikrotik

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 2 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      No errors on the pfSense side? Does it try to establish both ways?

      That error looks like a pretty basic mismatch though. Can you show us the setting used at each end that generated it?

      Steve

      F 1 Reply Last reply Reply Quote 0
      • F
        felipefonsecabh @stephenw10
        last edited by

        @stephenw10
        PFsense Config:
        2021-11-22_15-10-56.png

        Mikrotik config:
        2021-11-22_15-10-39.png

        Pfsense log:
        2021-11-22_15-07-44.png

        Mikrotik log:
        2021-11-22_15-11-44.png

        The autentication method is Mutual PSK and I've already checked all the settings and apparently everything is correct.

        stephenw10S 1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator @felipefonsecabh
          last edited by

          Ok, the pSense log shows the Mikrotik is using the wrong hash value at P1 when it's initiating for some reason. The settings look correct on it though so maybe something is not applied?

          You can see it's proposing SHA1. pfSense rejects it because it's set to SHA256.

          The other thing that could be an issue is the identifier. You said you had the ISP forward ports to you? Does that mean you are behind NAT? If the identifier in pfSense would have to be set to match the external IP. We can't see that in the above screenshot.

          Steve

          F 1 Reply Last reply Reply Quote 0
          • F
            felipefonsecabh @stephenw10
            last edited by

            @stephenw10 yes the mikrotik is behind nat (in the first post there is an image with the network topology rsrs).

            Basically this is the origin of everything (the existence of NAT). I need to be able to implement this VPN with this NAT enabled, the provider cannot give me a fixed IP

            F 1 Reply Last reply Reply Quote 0
            • F
              felipefonsecabh @felipefonsecabh
              last edited by

              @felipefonsecabh i try to change the encryption and hash algorithms in pfsense to sha1 and 3des (to test the functioning), and the error changes:

              2021-11-22_22-08-16.png

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Aha, OK now the proposal matches but the identifier is mismatched. The Mikcrotik is sending it's internal private IP as the identifier [192.168.188.10] and pfSense is expecting the external public IP.
                You can change that so it matches at either end but I've no idea how to do it in RouterOS. So edit the Phase 1 config in pfSense and change the 'Peer Identifier' from 'Peer IP Address' to 'IP Address' then set it to 192.168.188.10.

                It will then match when the Mikrotik tries to establish. There may be other errors after that 😉

                Steve

                F 1 Reply Last reply Reply Quote 1
                • F
                  felipefonsecabh @stephenw10
                  last edited by

                  @stephenw10 after change "Peer Identifier" as you suggested, works!
                  In mikrotik, i have to disable passive:

                  2021-11-23_09-11-23.png

                  The strange thing is that the mikrotik does not send the proposal as configured, but works! Thanks a lot!

                  F 1 Reply Last reply Reply Quote 1
                  • F
                    felipefonsecabh @felipefonsecabh
                    last edited by

                    @felipefonsecabh the connection was estabilished but devices between sites doesn't ping. I created all firewall rules necessary.

                    F 1 Reply Last reply Reply Quote 0
                    • F
                      felipefonsecabh @felipefonsecabh
                      last edited by

                      @felipefonsecabh I restared my pfsense and all works. Thanks a lot!

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Nice! Good result. Pure IPSec is waay better than trying to use L2TP over it.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.