I have a well working L2TP IPSec connection from any mobile or desktop client to my Mikrotik RB2011UiAS-2HnD-IN (RouterOS v6.30.2). It works when I connect through any mobile or stationary ISP within my city. The log of a successful connection looks approximately so:
ipsec, error key length mismatched, mine:128 peer:256.
ipsec, error authtype mismatched: my:hmac-sha1 peer:hmac-md5
l2tp, info first L2TP UDP packet received from X.X.X.X
l2tp, ppp, info, account MyUser logged in, 192.168.111.246
l2tp, ppp, info <l2tp-MyUser>: authenticated
l2tp, ppp, info <l2tp-MyUser>: connected
l2tp, ppp, info <l2tp-MyUser>: terminating... - peer is not responding
l2tp, ppp, info, account MyUser logged out, 165 157 168 26 15
l2tp, ppp, info <l2tp-MyUser>: disconnected
Some days ago I attempted to connect from other city: through one mobile and one stationary ISP. The connection didn't succeed, and log contained only one line:
l2tp, info first L2TP UDP packet received from Y.Y.Y.Y
or such lines:
ipsec, error key length mismatched, mine:128 peer:256.
ipsec, error authtype mismatched: my:hmac-sha1 peer:hmac-md5
l2tp, info first L2TP UDP packet received from Y.Y.Y.Y
l2tp, info first L2TP UDP packet received from Y.Y.Y.Y
l2tp, info first L2TP UDP packet received from Y.Y.Y.Y
What is wrong? Can ISP block or corrupt L2TP IPSec connection?
P.S. There is another interesting detail: I used to connect to Romanian PPTP VPN to bypass my home provider's web censorship and it always worked in my home city, but when I connected to the same VPN from other city (where the L2TP IPsec failed), I discovered that the site of my interest is still censored. The only explanation that comes to my mind is that provider acts like a MITM. It seems that the provider uses following tactics: tap the line, when impossible, then prevent from connecting.