Не работает l2tp с андроид устройств

[redwave]

Доброго времени суток.
Имеется микротик RB951Ui-2HND v6.46.6
На нем поднят l2tp + ipsec, и вся проблема в том что при подключении клиента с виндовс никаких проблем нет, но ни одно андроид устройство подключать к нему не хочет. Подскажите как это победить.

[MaxoDroid]

А яблочники работают?

[redwave]

на яблоках тоже нет

[MaxoDroid]

Конфиг - в студию!

[redwave]

 

# jun/09/2020 13:43:00 by RouterOS 6.46.6
# software id = 4JM6-C0D8
#
# model = 951Ui-2HnD
# serial number = B8710BFB8C73
/interface bridge
add admin-mac=C5:AD:34:73:7D:29 arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
/interface pppoe-client
add add-default-route=yes interface=ether5 name=pppoe-out1 password=30092016 \
use-peer-dns=yes user=61011085
/interface pptp-server
add name=pptp-in1 user=NikolayVPN
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
ap-bridge ssid=TP-LINK_7D68 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=968691** \
wpa2-pre-shared-key=968691**
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=vpn_pool ranges=192.168.112.1-192.168.112.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile \
remote-address=vpn_pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/interface l2tp-server server
set authentication=mschap1,mschap2 caller-id-type=number default-profile=\
l2tp_profile enabled=yes ipsec-secret=***** use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0
add address=91.189.1**.**/29 interface=ether1 network=91.189.1**.**
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.128 client-id=1:9c:14:63:94:ce:b9 comment="cam 196" \
mac-address=9C:14:63:94:CE:B9 server=defconf
add address=192.168.0.51 comment=Canon mac-address=D0:C5:D3:C7:3F:DA server=\
defconf
add address=192.168.0.46 client-id=1:14:a7:8b:40:95:ad comment="cam 104" \
mac-address=14:A7:8B:40:95:AD server=defconf
add address=192.168.0.18 client-id=1:9c:14:63:f2:51:99 comment=registrator \
mac-address=9C:14:63:F2:51:99 server=defconf
add address=192.168.0.108 client-id=1:9c:14:63:94:ce:c0 comment="cam 260" \
mac-address=9C:14:63:94:CE:C0 server=defconf
add address=192.168.0.30 client-id=1:48:ba:4e:e5:df:76 comment=\
"Nout Aleksandra" mac-address=48:BA:4E:E5:DF:76 server=defconf
add address=192.168.0.54 client-id=1:a0:bd:1d:d:12:dc comment="cam 197" \
mac-address=A0:BD:1D:0D:12:DC server=defconf
add address=192.168.0.153 comment=Julia mac-address=B4:B5:2F:77:EF:4C server=\
defconf
add address=192.168.0.48 client-id=1:9c:14:63:94:ce:b5 comment="222 cam2" \
mac-address=9C:14:63:94:CE:B5 server=defconf
add address=192.168.0.50 client-id=1:9c:14:63:94:ce:5 comment="222 cam1" \
mac-address=9C:14:63:94:CE:05 server=defconf
add address=192.168.0.16 client-id=1:a8:be:27:c9:7f:24 comment=MAC \
mac-address=A8:BE:27:C9:7F:24 server=defconf
add address=192.168.0.41 client-id=1:a4:17:31:ac:e4:c5 comment="Nout Ichar" \
mac-address=A4:17:31:AC:E4:C5 server=defconf
add address=192.168.0.45 comment="Canon ethernet" mac-address=\
74:BF:C0:1F:2E:56 server=defconf
add address=192.168.0.47 client-id=1:d4:6a:6a:67:a3:75 comment="Nout Dmitriy" \
mac-address=D4:6A:6A:67:A3:75 server=defconf
add address=192.168.0.17 client-id=1:0:25:56:b9:9f:cf comment="Nout Victoria" \
mac-address=00:25:56:B9:9F:CF server=defconf
add address=192.168.0.39 client-id=1:9c:b7:d:13:f7:1f comment="Nout magazin" \
mac-address=9C:B7:0D:13:F7:1F server=defconf
add address=192.168.0.42 client-id=1:64:5a:4:ac:c7:de comment="Nout Olga" \
mac-address=64:5A:04:AC:C7:DE server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=input comment=WebFig dst-port=80 packet-mark="" \
protocol=tcp
add action=accept chain=input in-interface=ether1 log=yes protocol=gre
add action=accept chain=input dst-port=1723 in-interface=ether1 protocol=tcp
add action=accept chain=input protocol=udp src-port=1701,500,4500
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat comment=Registrator dst-port=9978 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.18 to-ports=37777
add action=netmap chain=dstnat comment="RDP Nikolay" dst-port=9999 \
in-interface=ether1 protocol=tcp src-address=45.128.**.** to-addresses=\
192.168.0.203 to-ports=3389
add action=netmap chain=dstnat comment="Vasya RDP" dst-port=9999 \
in-interface=ether1 protocol=tcp src-address=192.162.**.** \
to-addresses=192.168.0.203 to-ports=3389
/ip firewall raw
add action=notrack chain=prerouting protocol=gre
/ip route
add distance=1 gateway=91.189.**.**
/ip service
set www address=45.128.1**.**/32,192.168.0.0/24
/ppp secret
add local-address=192.168.0.1 name=NikolayVPN password=********* profile=\
default-encryption remote-address=192.168.0.100 service=pptp
add name=JuliaVPN password=********* profile=l2tp_profile service=l2tp
add name=Operator1VPN password=********* profile=l2tp_profile service=l2tp
add name=Operator2VPN password=********* profile=l2tp_profile service=l2tp
add name=NadiaVPN password=********* profile=l2tp_profile service=l2tp
/system clock
set time-zone-name=Europe/Zaporozhye
/system logging
add topics=pptp
add disabled=yes topics=l2tp
add disabled=yes topics=ipsec
/system scheduler

/tool graphing resource
add allow-address=***8/32
add allow-address=****/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

[xvo]

А что в логах по теме?

P.s.: вы бы ipsec-secret тоже замазали звездочками от греха подальше
И MAC-адреса... :)

[redwave]

 

phase1 negotiation failed due to time up ******[500]<=>********[500] 6de2bf6813ef0e35:e205ab94b5ded912

[xvo]

/interface l2tp-server server
set authentication=mschap1,mschap2 caller-id-type=number default-profile=\
l2tp_profile enabled=yes ipsec-secret=***** use-ipsec=yes

попробуйте здесь use-ipsec=required

А вообще, как тестируете?
Клиенты подключаются из разных мест или из одного?

[redwave]

Сменил на required, теперь ошибку выдает такую:
purging ISAKMP-SA *[4500]<=>*[4500] spi=14e7d0622982a6b2:f879b3db36d7d365.
ISAKMP-SA deleted *[4500]-*4500] spi:14e7d0622982a6b2:f879b3db36d7d365 rekey:1

Тестирую с разных устройств, 2 разных телефона на андроиде и планшет от эппл. Пробую из под вай фай и из под 3ж.

[xvo]

Это не ошибки.
Запостите больший кусок лога - с момента начала попытки подключения устройства (respond new phase 1 (Identity Protection):...) и дальше.

И не подключайтесь одновременно двумя устройствами из-за одного NAT - L2TP+IPSec так работать не может.