Search found 18 matches

by zerobase
Thu Dec 17, 2020 5:21 pm
Forum: General
Topic: IPsec policy status Invalid [SOLVED]
Replies: 4
Views: 347

Re: IPsec policy status Invalid [SOLVED]

@emils: That explains it all. I was not expecting an invalid status on an inactive policy. The screen output above the output mentions that I means invalid; however, it means Inactive in this case.
by zerobase
Thu Dec 17, 2020 2:25 pm
Forum: General
Topic: IPsec policy status Invalid [SOLVED]
Replies: 4
Views: 347

Re: IPsec policy status Invalid [SOLVED]

@erkexzcx: The link you refer to uses certificates, I plan on using PSK. Not as secure as certificates, but it is just a private link. I have two other policies with exactly the same configuration and they do not give an error. One is to another mikrotik router and the other is StrongSwan running on ...
by zerobase
Wed Dec 16, 2020 1:56 pm
Forum: General
Topic: IPsec policy status Invalid [SOLVED]
Replies: 4
Views: 347

IPsec policy status Invalid [SOLVED]

I am trying to set up another GRE over IPSEC tunnel, but run into the issue that the policy I want to create immediately gets the status 'Invalid': [admin@router] /ip ipsec policy> print detail Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 0 T X* gro...
by zerobase
Fri Nov 27, 2020 6:51 pm
Forum: Forwarding Protocols
Topic: MPLS neighbour addresses 'leaking'?
Replies: 4
Views: 458

Re: MPLS neighbour addresses 'leaking'?

@CZfan: Rebooted the router (R1), but still all local addresses of router R1 show up on router R2 in the '/mpls ldp neighbor' menu (and v.v.)
by zerobase
Thu Nov 26, 2020 7:55 am
Forum: Forwarding Protocols
Topic: MPLS neighbour addresses 'leaking'?
Replies: 4
Views: 458

Re: MPLS neighbour addresses 'leaking'?

@mducharme: advertise-filters have been set, but still all addresses show up in the neighbor status page. Not a big issue, but I was just wondering whether this is normal behaviour or not.
by zerobase
Sat Nov 21, 2020 10:51 am
Forum: Forwarding Protocols
Topic: Trying to route multicast
Replies: 1
Views: 301

Re: Trying to route multicast

What you probably need is an mDNS reflector.

Open-WRT supports this, not sure if DD-WRT does also.

More on mDNS: https://en.wikipedia.org/wiki/Multicast_DNS
by zerobase
Sat Nov 21, 2020 9:24 am
Forum: Forwarding Protocols
Topic: MPLS neighbour addresses 'leaking'?
Replies: 4
Views: 458

MPLS neighbour addresses 'leaking'?

I am new to MPLS/VPLS, so bear with me regarding the following question: I have MPLS running between two sites (testing a VPLS tunnel) and noticed that when checking the ldp neighbor status on router R2 it shows all local addresses that are configured on router R1 (and v.v.): R2: [admin@R2] /mpls ld...
by zerobase
Tue Nov 03, 2020 8:03 am
Forum: Forwarding Protocols
Topic: Multicast routing through GRE tunnel [SOLVED]
Replies: 1
Views: 490

Re: Multicast routing through GRE tunnel [SOLVED]

Managed to get it working: The vlan interface carrying the multicast traffic should be added to the list of interfaces too (under ' /routing pim interfaces '; Previously, I only added the bridge interface for the physical ports, assuming the bridge vlan filtering would take care of moving the traffi...
by zerobase
Sun Nov 01, 2020 2:45 pm
Forum: Forwarding Protocols
Topic: Multicast routing through GRE tunnel [SOLVED]
Replies: 1
Views: 490

Multicast routing through GRE tunnel [SOLVED]

Issue: I cannot get multicast routing to work between 2 Mikrotik routers. I am using the example provided in the Mikrotik Wiki: Example Router A: Type: RB750Gr3 (hEX) Subnet I = 192.168.10.0/24 Tunnel IP: 10.0.0.5/30 Router B: Type: RB760iGS (hEX S) Subnet III = 192.168.11.0/24 Tunnel IP: 10.0.0.6/3...
by zerobase
Wed Aug 19, 2020 10:47 am
Forum: General
Topic: IPSec not working [SOLVED]
Replies: 4
Views: 1278

Re: IPSec not working [SOLVED]

Does your server certificate contain a SAN dns entry? From the wiki (/ip ipsec identity): my-id=auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections When generating the server (and client) certificate, be sure to add an SAN dn...
by zerobase
Mon Aug 17, 2020 4:02 pm
Forum: General
Topic: IKE2 identity not found (IOS to Mikrotik) [SOLVED]
Replies: 22
Views: 7827

Re: IKE2 identity not found (IOS to Mikrotik) [SOLVED]

Got it working. This is how: Create a self-signed CA certificate: /certificate add name="My CA" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="My...
by zerobase
Fri Aug 14, 2020 11:47 am
Forum: General
Topic: IKE2 identity not found (IOS to Mikrotik) [SOLVED]
Replies: 22
Views: 7827

Re: IKE2 identity not found (IOS to Mikrotik) [SOLVED]

Been a while since I got to play any further with connecting my iPhone to a Mikrotik router, but today I gave it another try. Unfortunately I do not have it working yet. The IPSEC tunnel seems to live (SA's are established), but the iPhone still disconnects with a 'User Authentication failed'. 1.1.1...
by zerobase
Sun Mar 15, 2020 9:26 am
Forum: General
Topic: IPsec Mikrotik to Linux (Racoon): No traffic through tunnel
Replies: 1
Views: 1164

Re: IPsec Mikrotik to Linux (Racoon): No traffic through tunnel

Problem solved! Turns out that lowering the crypto level for phase 1 (profile) and phase 2 (proposal) solves the issue. I made the following changes: Profile: [admin@router] /ip ipsec profile print Flags: * - default 4 name="vpn-s2s" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=...
by zerobase
Sat Mar 14, 2020 10:22 pm
Forum: General
Topic: IPsec Mikrotik to Linux (Racoon): No traffic through tunnel
Replies: 1
Views: 1164

IPsec Mikrotik to Linux (Racoon): No traffic through tunnel

I am trying to set up a GRE over IPsec tunnel between a Mikrotik router (RB750Gr3; Running RouterOS 6.46.4) and a Raspberry Pi running IPsec-Tools and Racoon (The Pi is still running Raspbian Stretch). While setting up a GRE tunnel is fairly easy (and so is IPsec when you get the hang of it), the co...
by zerobase
Sun Jan 12, 2020 9:55 am
Forum: General
Topic: IKE2 identity not found (IOS to Mikrotik) [SOLVED]
Replies: 22
Views: 7827

Re: IKE2 identity not found (IOS to Mikrotik) [SOLVED]

Setting 'my-id=auto' and 'remote-id=auto' did not work, it keeps erroring out with the previously mentioned error. Just for the sake of it I also recreated all certificates (including the CA) on the router itself, did not help either. For now I reverted back to OpenVPN (running on my server, not on th...
by zerobase
Wed Jan 08, 2020 7:01 pm
Forum: General
Topic: IKE2 identity not found (IOS to Mikrotik) [SOLVED]
Replies: 22
Views: 7827

IKE2 identity not found (IOS to Mikrotik) [SOLVED]

I am trying to set up a VPN between my iPhone and my Mikrotik router, but the process fails with the following error: ' error identity not found for server:server.example.com peer: FQDN: iphone . Here is the full ipsec log from the Mikrotik router: 17:35:12 ipsec -> ike2 request, exchange: SA_INIT:0 ...
by zerobase
Thu Jun 01, 2017 9:15 pm
Forum: General
Topic: IPsec Draytek/Mikrotik with multiple subnets
Replies: 1
Views: 1573

Re: IPsec Draytek/Mikrotik with multiple subnets

To answer my own question: Turns out that setting the 'IKE phase 1 proposal' to a fixed setting in the Draytek did the trick: http://i.imgur.com/3XtiAwu.png There are several options, even a combination of proposals or 'auto', but setting it to a fixed value did the trick. Both tunnels stay up, the ...
by zerobase
Tue May 30, 2017 4:16 pm
Forum: General
Topic: IPsec Draytek/Mikrotik with multiple subnets
Replies: 1
Views: 1573

IPsec Draytek/Mikrotik with multiple subnets

I am experiencing some change behaviour with an IPsec Lan2Lan tunnel between a Draytek router (remote) and a Mikrotik RB750Gr3 (local), where the tunnel for the second subnet disconnects after approximately 45 seconds. The local router (Mikrotik) has two subnets (192.168.88.0/24 and 192.168.130.0/24...