akschu

Is this a bug in ipsec dynamic policies?

Tue Jun 12, 2012 12:31 am

So I'm working on setting up IPsec/L2TP with an iPad. I've done it a number of times on a number of different platforms, so I have a pretty good idea of what I'm doing.

The problem with the MikroTik is that you can't add an IPsec policy that has a dynamic endpoint:
[admin@MikroTik] /ip ipsec policy> add src-address=x.x.x.x/32 src-port=1701 dst-address=0.0.0.0/0 dst-port=1701 protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=x.x.x.x sa-dst-address=0.0.0.0/0 proposal=default priority=1
invalid value for argument ip
It wants to see a real IP address for the sa-dst-address. That makes sense, and is probably why MikroTik gives us dynamic policies. So I go to use that, and IPsec comes up, but the policy is wrong:
[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0x36733D4 src-address=x.x.x.x dst-address=166.147.93.225 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature 
      auth-key="0387a82de70a46a32750b5b58629906cb7c96154" enc-key="53205926fb782cd55b4035ef36d7369b78a55a22c4382d44" add-lifetime=48m/1h 
      use-lifetime=0s/0s lifebytes=0/0 

 1 E  spi=0x77BEE75 src-address=166.147.93.225 dst-address=x.x.x.x auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature 
      auth-key="2ac9425dee01fd861f083912d84820836d84278c" enc-key="b684bf0bbbe426ec8065dbae1b5f8516943cf989f68e5fb2" addtime=jun/11/2012 13:21:23 
      add-lifetime=48m/1h usetime=jun/11/2012 13:21:23 use-lifetime=0s/0s current-bytes=158 lifebytes=0/0 

[admin@MikroTik] /ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive 
 1 D src-address=10.41.150.188/32 src-port=any dst-address=x.x.x.x/32 dst-port=any protocol=udp action=encrypt level=require 
     ipsec-protocols=esp tunnel=no sa-src-address=10.41.150.188 sa-dst-address=x.x.x.x proposal=default priority=2 
In the output above you'll notice a few things:

1. I removed my public IP.
2. I have another policy that is static for my site-to-site VPN, which I omitted.
3. The address that brought up the IPsec tunnel is a public address, but the policy is added for the NAT address. Of course my router has no idea how to get to that address, and thus none of the packets match the policy.

I do have NAT traversal enabled:
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=\
    password send-initial-contact=yes
So RouterOS puts the policy in transport mode, but uses the inside IP. Is this a bug? It certainly doesn't work.

Thanks,
schu
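The mismatch described in the post (dynamic policy built for the client's inside address 10.41.150.188, installed SA peered with the public address 166.147.93.225) can be checked mechanically rather than by eye. The following is an added example, not code from the post or from MikroTik: a small Python parser for RouterOS `print` output in the layout pasted above, plus a check that compares each dynamic policy's peer address (sa-src-address) with the source address of the installed inbound SA for the same local address (sa-dst-address). The sample output is constructed from the post, with the poster's x.x.x.x redaction kept and the SA key material replaced by the placeholder "redacted"; the expectation that the two addresses should coincide for a working transport-mode setup is the poster's and is taken here as an assumption, and the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample input, taken from the post: the poster's local public
# address is left as x.x.x.x exactly as they redacted it, and the SA key
# material is replaced by "redacted" so no keys are embedded here.
INSTALLED_SA = """\
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x36733D4 src-address=x.x.x.x dst-address=166.147.93.225 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="redacted" enc-key="redacted" add-lifetime=48m/1h
      use-lifetime=0s/0s lifebytes=0/0

 1 E  spi=0x77BEE75 src-address=166.147.93.225 dst-address=x.x.x.x auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="redacted" enc-key="redacted" addtime=jun/11/2012 13:21:23
      add-lifetime=48m/1h usetime=jun/11/2012 13:21:23 use-lifetime=0s/0s current-bytes=158 lifebytes=0/0
"""

POLICIES = """\
Flags: X - disabled, D - dynamic, I - inactive
 1 D src-address=10.41.150.188/32 src-port=any dst-address=x.x.x.x/32 dst-port=any protocol=udp action=encrypt level=require
     ipsec-protocols=esp tunnel=no sa-src-address=10.41.150.188 sa-dst-address=x.x.x.x proposal=default priority=2
"""

# An entry starts with its index, optional single-letter flags, then key=value
# pairs; indented lines without a leading index continue the previous entry.
# Assumption: RouterOS "print" output in the layout shown in the post.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(.*)$")
KV_RE = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S+)')


def _pairs(text: str) -> Dict[str, str]:
    """Extract key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_print(output: str) -> List[dict]:
    """Parse RouterOS 'print' output into one dict per entry."""
    entries: List[dict] = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            index, flags, rest = m.groups()
            entry = {"id": index, "flags": flags.split()}
            entry.update(_pairs(rest))
            entries.append(entry)
        elif entries and line.startswith(" "):
            entries[-1].update(_pairs(line))
    return entries


def check_dynamic_policies(sas: List[dict], policies: List[dict]) -> List[dict]:
    """For each dynamic policy, compare its peer address (sa-src-address) with
    the source address of the installed SA that delivers traffic to the same
    local address (sa-dst-address). Assumption, taken from the poster's
    expectation: for a working transport-mode setup they should coincide."""
    findings = []
    for p in policies:
        if "D" not in p["flags"]:
            continue
        local = p.get("sa-dst-address")
        peer = p.get("sa-src-address")
        sa_peers = sorted({sa["src-address"] for sa in sas
                           if sa.get("dst-address") == local and "src-address" in sa})
        findings.append({
            "policy": p["id"],
            "transport": p.get("tunnel") == "no",
            "policy-peer": peer,
            "sa-peers": sa_peers,
            "matches": peer in sa_peers,
        })
    return findings


if __name__ == "__main__":
    for f in check_dynamic_policies(parse_print(INSTALLED_SA), parse_print(POLICIES)):
        status = "ok" if f["matches"] else "MISMATCH"
        print(f"policy {f['policy']}: policy peer {f['policy-peer']} vs "
              f"installed-sa peer(s) {f['sa-peers']} -> {status}")
```

Run against the pasted output, the check reports policy 1 as a transport-mode policy whose peer 10.41.150.188 does not match the installed SA peer 166.147.93.225, which is exactly the observation in point 3 above; on a box where the generated policy uses the public address, the same check reports ok.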
 
mrz
MikroTik Support

Re: Is this a bug in ipsec dynamic policies?

Tue Jun 12, 2012 9:56 am

generate-policy=yes in the IP peer configuration means that the policy will be generated automatically. Do not add any policies here.
