Search found 31 matches

by amode
Wed Jul 15, 2009 3:00 pm
Forum: The Dude
Topic: bug in 3.4? - bitrate not showing
Replies: 30
Views: 6893

Re: bug in 3.4? - bitrate not showing

Tried this again on latest 3.26, but still no change (at least for me)

I'm confused if this bug is so low-prio for these guys that no one really cares....

:?
by amode
Mon Jun 29, 2009 4:09 pm
Forum: The Dude
Topic: bug in 3.4? - bitrate not showing
Replies: 30
Views: 6893

Re: bug in 3.4? - bitrate not showing

So, was there any feedback on this one? We also got this after updating to latest (3.25) routeros.
by amode
Sun Apr 05, 2009 11:30 am
Forum: General
Topic: How to debug ipsec/ike issues (increasing logging verbosity)
Replies: 3
Views: 10348

Re: How to debug ipsec/ike issues (increasing logging verbosity)

Yes, good catch :)

It turned out that the config on the remote end was not enabled at this point in time. Anyways, log messages at MT side were not quite helpful here. I was expecting something like "timeout because no... blah blah".

Anyways, thanks for the reply.

Amode.
by amode
Fri Mar 27, 2009 1:03 pm
Forum: General
Topic: icmp connection tracking not working (anymore?)
Replies: 1
Views: 483

icmp connection tracking not working (anymore?)

Hey, using 3.22 on RB450G configured as a plain router between different ip networks, the icmp ping connection does not show up in the firewall "Connections" screen. But if I check with a log rule in the forwarding chain, I see the icmp packets across the router. I'm confused about this and, yes, Con...
by amode
Thu Mar 26, 2009 11:16 am
Forum: General
Topic: How to debug ipsec/ike issues (increasing logging verbosity)
Replies: 3
Views: 10348

How to debug ipsec/ike issues (increasing logging verbosity)

Hey, I'm trying to connect to a Cisco peer via ipsec/tunnel mode/public ips (not nat) on ros3.22, I only get these messages in the log: 02:08:38 ipsec IPsec-SA request for xxx.xxx.xxx.xx queued due to no phase1 found. 02:08:38 ipsec initiate new phase 1 negotiation: yy.yy.yyy.yy[500]<=>xxx.xxx.xxx.x...
by amode
Mon Nov 03, 2008 12:49 pm
Forum: General
Topic: os3.15 message: length in isakmp header too big
Replies: 1
Views: 1282

os3.15 message: length in isakmp header too big

Hey, anyone managed to setup Mikrotik as vpn gateway for latest iphones using l2tp/ipsec? I tried a setup and ipsec debug messages produces this output (nat-t enabled btw): 02:42:56 ipsec,ike IPsec-SA established: ESP/Transport xxx.xxx.xxx.xx[4500]->yy.yy.yyy.yy[4500] spi=44661093(0x2a97965) 02:42:5...
by amode
Fri Jul 20, 2007 7:59 pm
Forum: General
Topic: L2TP/IPSEC client behind NAT fw to ROS3..
Replies: 3
Views: 1818

Re: L2TP/IPSEC client behind NAT fw to ROS3..

Thanks a lot for the reply.

@Mikrotik: So, native Linux l2tp/ipsec works with windows clients. Why does the linux based ROS not work in this context?
by amode
Fri Jul 20, 2007 10:53 am
Forum: General
Topic: L2TP/IPSEC client behind NAT fw to ROS3..
Replies: 3
Views: 1818

Re: L2TP/IPSEC client behind NAT fw to ROS3..

Hm, so no answer here after one day means that this "feature" is not so easy to setup as it sounds?
Or it doesn't work at all?
I was thinking that this scenario is quite common out there, but is not...(?)

Achim
by amode
Thu Jul 19, 2007 2:32 pm
Forum: General
Topic: L2TP/IPSEC client behind NAT fw to ROS3..
Replies: 3
Views: 1818

L2TP/IPSEC client behind NAT fw to ROS3..

Hi, we have a very-typical configuration for "home" workers: Home-Laptop (using private IP) -> Home-Router doing NAT -> Office Mikrotik having static public IP. Now, the home users should be able to connect to the office by using L2TP/IPSEC (using windows xp), but I was not able to setup this config...
by amode
Mon Apr 30, 2007 4:33 pm
Forum: General
Topic: 3.0beta7: ipsec in tunnel mode still not working...
Replies: 7
Views: 2441

Hello,
IPsec will be repaired in beta8.

Regards,
Thanks guys for this feedback.

Achim
by amode
Wed Apr 18, 2007 10:26 am
Forum: General
Topic: 3.0beta7: ipsec in tunnel mode still not working...
Replies: 7
Views: 2441

I can attest to that...both of my open tickets (not beta-related) were responded Glad to hear. Unfortunately, my beta-related tickets are still open. Normis? Actually, I would say that the opposite is the case: support is essential for a production or stable product. Yes, you are right. But if you w...
by amode
Tue Apr 17, 2007 10:40 am
Forum: General
Topic: 3.0beta7: ipsec in tunnel mode still not working...
Replies: 7
Views: 2441

But support - or at least feedback - is essential for a beta product, isn't it?

We cannot recommend any more licenses to our clients if support is so sluggish....

Achim
by amode
Tue Apr 10, 2007 10:34 am
Forum: General
Topic: 3.0beta7: ipsec in tunnel mode still not working...
Replies: 7
Views: 2441

3.0beta7: ipsec in tunnel mode still not working...

Hi, this is a public request for getting more info about support tickets Ticket#2007040566000286 and Ticket#2007031666000249. These tickets are _still_ open and _still_ officially unanswered by support! (A) Short analysis The problem is that we cannot reach any hosts behind the router (btw: router is...
by amode
Thu Apr 05, 2007 9:16 pm
Forum: General
Topic: ipsec is based on which source...?
Replies: 0
Views: 486

ipsec is based on which source...?

Hi,

RouterOS 2.9.x is based on Linux kernel version 2.4.31 (from some other post)

So, does someone know which 'ipsec' implementation from Linux is used under the hood? And which version it is?

Thanks,
Achim
by amode
Thu Apr 05, 2007 9:09 pm
Forum: General
Topic: ipsec policy match...
Replies: 3
Views: 870

Yes, I was also thinking that it _should_ work without reboot. This was driving me crazy yesterday and I was crying loudly as it worked after the reboot...

Besides the flush command for the SAs, there is no other helpful command for clearing ipsec stuff, isn't it?

Achim
by amode
Thu Apr 05, 2007 7:38 pm
Forum: General
Topic: ipsec policy match...
Replies: 3
Views: 870

Okay, I found it.

It worked, but only after REBOOTING the router. I was expecting that all the changes in ipsec should be handled without a reboot.

Is this a bug? Or any additional info here which I'm not aware of...?

Thanks,
Achim
by amode
Thu Apr 05, 2007 12:09 am
Forum: General
Topic: ipsec policy match...
Replies: 3
Views: 870

ipsec policy match...

Hi, my understanding of ipsec is, that packets are matched against the Security Policy Database (SPD) to find a matching rule and using this for doing encryption or other stuff. Router is at 192.168.2.1. Why does /ip ipsec policy src-address=192.168.2.0/24 dst-address=172.17.0.0/16 .... NOT work, ...
by amode
Tue Mar 27, 2007 12:27 am
Forum: General
Topic: ipsec tunnel changed?
Replies: 3
Views: 1600

Hi,

I was told by support to 'retest' this in the next v3.0 beta7.

So, any info when this is released?

Thanks,
Achim
by amode
Fri Mar 16, 2007 12:22 am
Forum: General
Topic: Matching number of tcp connections per time...
Replies: 7
Views: 1475

okay, was able to solve this by myself by just searching the forum.

Sorry for the spam..

Achim
by amode
Thu Mar 15, 2007 9:02 pm
Forum: General
Topic: Matching number of tcp connections per time...
Replies: 7
Views: 1475

Matching number of tcp connections per time...

Hi,

has someone some help how to make a filter rule which matches something like

"number of tcp connections per second"?

Is this possible at all?

Thanks for any feedback here.

Achim
by amode
Thu Mar 15, 2007 9:44 am
Forum: General
Topic: ipsec tunnel changed?
Replies: 3
Views: 1600

No, still does not work. I have this command (actual sa-src and sa-dst addresses clobbered for privacy) [admin@vpn2-de] /ip ipsec policy> add src-address=172.17.0.0/16:any dst-address=172.16.0.0/16:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=a.b.c.d s...
by amode
Fri Mar 09, 2007 11:30 pm
Forum: General
Topic: ipsec tunnel changed?
Replies: 3
Views: 1600

ipsec tunnel changed?

Hi, while trying to connect two beta6 systems, we have troubles in setting up the required policies. Every time we enter our ipsec policy (using tunnel mode) and pressing "assign" we automatically get 'two' policies generated where one is printed in red color (marked as 'invalid') and the other show...
by amode
Sat Mar 03, 2007 6:17 pm
Forum: General
Topic: M3P to speedup ipsec?
Replies: 0
Views: 514

M3P to speedup ipsec?

Hi, do you think it's possible to use M3P for speeding up traffic across an ipsec link? It seems that the documentation text The MikroTik Packet Packer Protocol improves network performance by aggregating many small packets into a big packet, thereby minimizing the network per packet overhead cost...
by amode
Wed Feb 28, 2007 5:34 pm
Forum: General
Topic: proposal-check=exact
Replies: 0
Views: 1076

proposal-check=exact

Hi, we have some strangeness while establishing an ipsec tunnel using peer proposal-check=exact: In the log, it says "phase 2 established" immediately followed by "phase 2 expired". The SAs are actually installed (and ipsec works), but checking the stats says "no phase 2". I checked the proposal opti...
by amode
Wed Feb 28, 2007 3:49 pm
Forum: General
Topic: ipsec lifetime clarification
Replies: 1
Views: 1560

ipsec lifetime clarification

Hi, using ipsec, there are two lifetime values which can be configured: One is the /ip ipsec proposal lifetime and the other is the /ip ipsec peer lifetime a) Can someone please explain the relationship between these lifetime values b) Should the proposal lifetime < peer lifetime c) Or any other rule ...
by amode
Tue Feb 27, 2007 8:59 pm
Forum: General
Topic: RouterOSv3 based on which Linux kernel..
Replies: 1
Views: 1356

RouterOSv3 based on which Linux kernel..

Hi,

perhaps asked somewhere (but I didn't find - sorry).

The latest RouterOS 3 beta is based on which version of the Linux kernel sources?

Thanks,
Achim
by amode
Sat Feb 24, 2007 10:20 am
Forum: General
Topic: slow ipsec bandwidth test across fiber line
Replies: 4
Views: 2218

Thanks for the info. personally i'd use l2tp/ipip for the tunneling and stick to end-to-end ipsec and not tunnel mode But we need to connect the entire company networks. Does this work with l2tp/ipip also? The box is a 3 GHz system. So encryption speed should not be the limit. For a 170 ms link you ...
by amode
Sat Feb 24, 2007 10:06 am
Forum: General
Topic: tcp window size...
Replies: 16
Views: 5065

If you want to change window size then you should change it on the machine sending the data Okay, this means if I use a http or web proxy on the RouterOS, I need to change the window size on the RouterOS system, right?. This is in contrast to the usual firewall filtering which only 'forwards' packt...
by amode
Fri Feb 23, 2007 10:07 pm
Forum: General
Topic: tcp window size...
Replies: 16
Views: 5065

tcp window size...

Hi,

please what is the reason that there is absolutely no information about how to adjust the TCP send and receive window size?

Is this 'parameter' really not useful for tweaking on RouterOS?

Thanks for getting some info here.

Achim
by amode
Fri Feb 23, 2007 7:44 pm
Forum: General
Topic: slow ipsec bandwidth test across fiber line
Replies: 4
Views: 2218

>Were the IPSec endpoints also the bandwidth test client/server, or were you testing 'thru' them ? Yes, the routerOS box (intel/3GHz) is doing the ipsec and i'm using the bandwidth test tools on the same boxes. >Was the OpenBSD hardware similar to that of the Mikrotik hardware ? Yes, exactly the sa...
by amode
Fri Feb 23, 2007 6:18 pm
Forum: General
Topic: slow ipsec bandwidth test across fiber line
Replies: 4
Views: 2218

slow ipsec bandwidth test across fiber line

Hi, we're using RouterOS 2.9.39 for connecting two company subsidiaries via ipsec. We're using a 10 Mbit/sec fiber line, but because of the transatlantic "jump" we have latencies around 170 ms. The ipsec connection works, but now we would like to do a bandwidth test using the RouterOS provided servic...