Search found 61 matches

by kmansoft
Thu Jul 09, 2020 5:09 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 348
Views: 172761

Re: v6.47 [stable] is released!

... I am using cloudflare DOH and I have uploaded the cloudflare certificate. All the regular DOH DNS queries work normally even with the verify DOH certificate option. Only CRL download does not. Not having any issues with DoH cert validation (AC^2, 6.47). I uploaded certs for both Google DNS and ...
by kmansoft
Mon Jun 29, 2020 10:22 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 348
Views: 172761

Re: v6.47 [stable] is released!

For those having issues flushing the dns cache, from my experience, this is due to a winbox bug IMO. [ ... ] If I run a /ip dns cache flush, it works. Not for me (hAP AC^2, 6.47). Same as flushing the cache in web UI or Android app - the cache does get cleared, but the "Cache Used" value ...
by kmansoft
Mon Jun 29, 2020 10:19 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 348
Views: 172761

Re: v6.47 [stable] is released!

Hi, this is the first post I have made. I am trying to use this new feature, DoH DNS, with Adguard DNS. Everything seems to work fine, but it seems to use the full DNS cache; I even tried increasing the cache to 10000 KiB, and it fills up in no time. I tried to flush the cache too, but it seems the cache used still does not decrease. Does ...
by kmansoft
Sun May 12, 2019 8:37 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
by kmansoft
Fri Apr 26, 2019 8:29 pm
Forum: General
Topic: How to Self-Sign SSL Certificate and Activate HTTPS
Replies: 6
Views: 19953

Re: How to Self-Sign SSL Certificate and Activate HTTPS

Is it possible to do passwordless login via certificates? For SSH - yes. Import your SSH public key in System - Users - SSH Keys. Only RSA keys are supported it seems (my usual preference is for 25519). I've also needed this in the past in my ~/.ssh/config - until 2-3 recent version updates, Router...
by kmansoft
Fri Apr 26, 2019 10:18 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Version 6.45beta37 has been released.

*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
Confirming - appears fixed (RB 4011, AC^2).
by kmansoft
Thu Apr 25, 2019 10:10 pm
Forum: General
Topic: Firmware upgrade
Replies: 6
Views: 1614

Re: Firmware upgrade

There certainly is potential for improvement here, because when the automatic firmware upgrade is selected in the settings it is the first thing the router does after reboot to the new version, before interfaces are brought up etc. So there could be another option to immediately reboot again at tha...
by kmansoft
Thu Apr 25, 2019 3:55 pm
Forum: General
Topic: Need advice with a proper router for my home.
Replies: 13
Views: 3178

Re: Need advice with a proper router for my home.

Correction on AC^2's performance.

I use some a-typical things in my setup (policy based routing, ipsec, fasttrack off).

viewtopic.php?f=2&t=147962

With no IPSec, and with fasttrack enabled, it can do ~ 850 Mbit total download, over PPPoE, with NAT (speedtest.net).
by kmansoft
Thu Apr 25, 2019 3:27 pm
Forum: General
Topic: PPPoE / NAT performance drops when there is IPSec
Replies: 0
Views: 930

PPPoE / NAT performance drops when there is IPSec

Hello, AC^2, 6.44.3 stable. Seeing an interesting performance glitch / optimization opportunity. - Basic home router setup: provider's local LAN on ether1 DHCP, PPPoE on top of that to connect to Internet, NAT, home machines - A GRE tunnel to a Linux VPS "somewhere out there" + IPSec poli...
by kmansoft
Thu Apr 25, 2019 9:44 am
Forum: General
Topic: Need advice with a proper router for my home.
Replies: 13
Views: 3178

Re: Need advice with a proper router for my home.

FWIW - me a happy hAP AC^2 owner. It can route ~ 500 mbit downstream from the Internet provider (PPPoE with NAT). No shortage of RAM, although I have one of those "we just happened to put in 256 MB of RAM" devices... if it had 128 it'd still be just fine. About 10 wireless clients (mostly ...
by kmansoft
Wed Apr 24, 2019 3:16 pm
Forum: General
Topic: /system backup cloud - update?
Replies: 3
Views: 1613

Re: /system backup cloud - update?

I have the same issue with error: Server error: All slots used. Delete file to free up space. I don't know why and I can't backup on the cloud now, where I have just one backup from the beginning of the month. Maybe you must try to delete the cloud backup and create again. Yeah that's what I'm talk...
by kmansoft
Tue Apr 23, 2019 1:37 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue? Edit: managed to reproduce the issue without NAT as well. I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have t...
by kmansoft
Tue Apr 23, 2019 11:08 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta. emils - just to be clear about the bug's scenario: My IPSec endpoints (Mikrotik client / strongSwan server) are not behind NATs. But they do use IKEv2 on ...
by kmansoft
Fri Apr 19, 2019 11:28 am
Forum: General
Topic: /system backup cloud - update?
Replies: 3
Views: 1613

/system backup cloud - update?

Hello, Is it possible to update an existing cloud backup with a single command? Let's say I create a backup initially like this: /system backup cloud upload-file action=create-and-upload password=... If I repeat the above command - I get Server error: All slots used. Delete file to free up space. OK...
by kmansoft
Fri Apr 19, 2019 8:58 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Change main mode from IKE2 to main for example. Should work. I think that on the newest beta IKE2 doesn't work I think changing IPSec settings (I tried crypto) makes it more likely to "establish". But then it breaks again later (when the lifetime expires? happened while I was sleeping...
by kmansoft
Fri Apr 19, 2019 8:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Change main mode from IKE2 to main for example. Should work. I think that on the newest beta IKE2 doesn't work I think changing IPSec settings (I tried crypto) makes it more likely to "establish". But then it breaks again later (when the lifetime expires? happened while I was sleeping...
by kmansoft
Thu Apr 18, 2019 11:54 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Anyone seeing trouble with IPSec in 6.45beta34? I received a new RB 4011 today - updated to 6.45beta34 right away - rebuilt my config (copy / pasted snippets from .asc file, piece by piece). My IPSec tunnels (GRE, cert auth) come up partially to "SA established" on the server - and th...
by kmansoft
Mon Apr 15, 2019 9:45 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

you have GRE between the L2TP and IPsec layers The GRE / IPSec tunnel exists for different reasons and it was already there. Routing L2TP into that GRE was just an experiment which seemed to work - yes inefficient but before I got your advice about mangle and stuff, it was the best I could come up ...
by kmansoft
Mon Apr 15, 2019 9:41 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

Thanks @sindy for the update. I should have been more clear... Instead of There is an IPSec transport established between the Mikrotik and the Server, so the Home computer's L2TP traffic is encrypted as it goes out to server. I perhaps should have written There is an IPSec transport established betw...
by kmansoft
Mon Apr 15, 2019 8:49 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

It can do that, but this is not what you are doing now (the router is forwarding encrypted traffic to your server). Actually no, encryption was handled by the router. There is an IPSec transport established between the Mikrotik and the Server, so the Home computer's L2TP traffic is encrypted as it ...
by kmansoft
Mon Apr 15, 2019 8:36 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

About the policy, probably not. I'm not exactly sure about behaviour of policies for unconnected peers without testing it, maybe there's a chance to do something with it that way, but IMHO it would be a dirty trick. If you want to make sure that home computer won't be able to use bare L2TP, blockin...
by kmansoft
Sun Apr 14, 2019 6:10 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

2) The ipsec-policy matcher also works only for IPSec configured on router itself. Router has no way of knowing that some packets from home computer to server should use IPSec, because IPSec is on home computer and it didn't tell router about it (there's no way how it could). And having a policy on...
by kmansoft
Sun Apr 14, 2019 6:03 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

That explains it, thanks!
by kmansoft
Sun Apr 14, 2019 3:19 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Re: Preventing IPSec-less L2TP [SOLVED]

Even more weird... I can change the rule like this, removing "ipsec-policy=out,none out-interface-list=WAN": add action=drop chain=output comment="prevent unencrypted l2tp" dst-port=1701 protocol=udp and move it to top place in filter rule list - and L2TP (still unencrypted) stil...
by kmansoft
Sun Apr 14, 2019 3:18 pm
Forum: General
Topic: Preventing IPSec-less L2TP [SOLVED]
Replies: 23
Views: 6258

Preventing IPSec-less L2TP [SOLVED]

I've got a setup like this: Home computer <-> Mikrotik with NAT <-> Internet <-> Server Home connects to Server using L2TP There is an IPSec transport established between the Mikrotik and the Server, so the Home computer's L2TP traffic is encrypted as it goes out to server. So far so good. Now I'd a...
by kmansoft
Sat Apr 13, 2019 12:41 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

An AC2 Lite TC ( RB 952-Ui-5ac2nD ) seems to have trouble with WiFi on beta 31. - All ether* and wifi* are in a bridge - wifi2 ( 5 GHz ) is in pseudo bridge mode - connects to upstream AC2 - wifi1 ( 2.4 GHz) is disabled - ether1 feeds a notebook - No firewall rules - It's a basic wireless - to - wir...
by kmansoft
Fri Apr 05, 2019 6:19 pm
Forum: General
Topic: Mikrotik initiator IPsec + pfSense (server GW)
Replies: 6
Views: 6484

Re: Mikrotik initiator IPsec + pfSense (server GW)

But whether this interface not intended for use in l2tp ? It's the reason why I disabled l2tp interface, I created it when tried to create l2tp over ipsec. I guess you're saying that you gave up on l2tp (which by the way works fine with IPSec and Mikrotik has support)? But then you didn't post all ...
by kmansoft
Thu Apr 04, 2019 11:20 pm
Forum: General
Topic: Mikrotik initiator IPsec + pfSense (server GW)
Replies: 6
Views: 6484

Re: Mikrotik initiator IPsec + pfSense (server GW)

Looks like you're trying to set up an IPIP tunnel protected by IPSec. add address=192.168.10.150 disabled=yes interface=ipip-tunnel_ipsec network=\192.168.10.0 Why then is the IPIP interface's IP address set to "disabled"? You will want to: 1 - Create your IPIP (I use GRE, almost same thin...
by kmansoft
Thu Apr 04, 2019 4:54 pm
Forum: General
Topic: GRE/IPSec - am I getting this wrong?
Replies: 5
Views: 2066

Re: GRE/IPSec - am I getting this wrong?

... I am considering implementing is additional firewall rules to explicitly drop protocol 47 between the two public IPs of the routers so that in the scenario where case the IPSec ph2 fails, that the GRE traffic does not start flowing between the two routers encrypted... Yes makes sense. I'm not d...
by kmansoft
Thu Apr 04, 2019 12:32 pm
Forum: General
Topic: Mikrotik "Internet detect" problem
Replies: 19
Views: 23357

Re: Mikrotik "Internet detect" problem

I think new mobile app solved that issues.
Yes works in mobile app too without any updates (to the app). Works in WebFig with 6.44 as well.

It must have been the server.
by kmansoft
Thu Apr 04, 2019 8:29 am
Forum: General
Topic: GRE/IPSec - am I getting this wrong?
Replies: 5
Views: 2066

Re: GRE/IPSec - am I getting this wrong?

Just for laughs this is my configuration. 1 - Mikrotik (client) side /ip ipsec peer add address=139.0.0.1/32 exchange-mode=ike2 local-address=178.0.0.1 name=my_vpn /ip ipsec profile set [ find default=yes ] dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha256 nat-traversal=no /ip ipsec propos...
by kmansoft
Thu Apr 04, 2019 8:22 am
Forum: General
Topic: Mikrotik "Internet detect" problem
Replies: 19
Views: 23357

Re: Mikrotik "Internet detect" problem

solution for this: interface detect-internet edit detect-interface-list change to none "ctrl o" to save and done ! No that will turn the whole feature off. Whereas what I wanted was for it to work. At this time it's working for me - my understanding is Mikrotik fixed something server side...
by kmansoft
Wed Apr 03, 2019 11:59 pm
Forum: General
Topic: Bug? ether speed=wrong? [SOLVED]
Replies: 5
Views: 1987

Re: Bug? ether speed=wrong? [SOLVED]

Actual running values are shown using command /interface ethernet monitor <port name> once. The command /interface ethernet print detail shows configured values. Yes this worked thank you ("1Gbps"). interface ethernet monitor ether1-out once name: ether1-out status: link-ok auto-negoti...
by kmansoft
Wed Apr 03, 2019 7:14 pm
Forum: General
Topic: Bug? ether speed=wrong? [SOLVED]
Replies: 5
Views: 1987

Bug? ether speed=wrong? [SOLVED]

I've got an hAP AC2 running 6.456 beta23. My ether1-out has a gigabit connection (confirmed by its performance, also visible in WebFIG if I click into it). But, in terminal it shows with "speed=100Mbps". Does this look like a bug? /interface ethernet print detail Flags: X - disabled, R - r...
by kmansoft
Wed Apr 03, 2019 6:57 pm
Forum: General
Topic: Mikrotik initiator IPsec + pfSense (server GW)
Replies: 6
Views: 6484

Re: Mikrotik initiator IPsec + pfSense (server GW)

IPSec has two sets of encryption settings, both can (kind of, not in Mikrotik) be called "proposals" - for IKE (key exchange) and for SA (data). Your pfSense logs clearly show two mismatches: 1) What Mikrotik proposes vs. what pfSense supports 2) What's logged as sent by Mikrotik vs. what...
by kmansoft
Wed Apr 03, 2019 7:50 am
Forum: General
Topic: GRE/IPSec - am I getting this wrong?
Replies: 5
Views: 2066

Re: GRE/IPSec - am I getting this wrong?

FWIW I've been using exactly this kind of link between my home mikrotik ac2 and a linux server (first libreSwan now strongSwan). Very reliable. The setup is as described: - GRE interfaces on both sides use public IP addresses with private addresses inside the GRE - The IPSec policy on the Mikrotik a...
by kmansoft
Tue Apr 02, 2019 6:43 pm
Forum: General
Topic: iOS app reporting Internet available (limited access)
Replies: 7
Views: 6254

Re: iOS app reporting Internet available (limited access)

Started working for me today - both in WebFIG and Android app.

Looks like maybe Mikrotik fixed something server side :)
by kmansoft
Fri Mar 29, 2019 2:35 pm
Forum: General
Topic: IPSec failed to pre-process ph2 packet
Replies: 20
Views: 47884

Re: IPSec failed to pre-process ph2 packet

I've been seeing this (apparent data corruption in IPSec packets when changing configuration) on my home ac2.

It's fixed in 6.43 or 6.44 - can't remember exactly - but it was mentioned in change logs.
by kmansoft
Thu Mar 28, 2019 1:51 pm
Forum: General
Topic: iOS app reporting Internet available (limited access)
Replies: 7
Views: 6254

Re: iOS app reporting Internet available (limited access)

I used Torch on my Internet connection (pptp) and there is a reply coming from cloud.mikrotik.com port 30000 to the interface's port 5678 (discovery) and then port 1024. Also added this rule: 0 chain=input action=accept protocol=udp src-port=30000 log=yes log-prefix="cloud" Still, the conn...
by kmansoft
Wed Mar 27, 2019 2:51 pm
Forum: General
Topic: iOS app reporting Internet available (limited access)
Replies: 7
Views: 6254

Re: iOS app reporting Internet available (limited access)

Also getting "limited" on Android. UDP ports are definitely all open but what does "can reach cloud.mikrotik.com using UDP protocol port 30000" mean exactly? Does Mikrotik cloud send back some kind of response? Do I need to check my firewall rules (default config accepts related ...
by kmansoft
Tue Mar 26, 2019 9:41 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

Will this be fixed please so that EC certificates can be used for IPSec auth?
Thank you for this in beta 19!

( now support for ed25519 would be great too... hint hint... )
by kmansoft
Tue Mar 26, 2019 8:52 pm
Forum: General
Topic: Mikrotik "Internet detect" problem
Replies: 19
Views: 23357

Re: Mikrotik "Internet detect" problem

Oh and speaking of UDP traffic - my internet connection is pptp but has a "real" (not NAT-ed) IPv4 address. But what about those whose Internet connection is behind a NAT? Pretty common here in Russia and not only here I would think. Those should still detect as Internet isn't that right? ...
by kmansoft
Tue Mar 26, 2019 8:08 pm
Forum: General
Topic: Mikrotik "Internet detect" problem
Replies: 19
Views: 23357

Re: Mikrotik "Internet detect" problem

Same thing here with ac2 6.45beta20. Limited access in android app and WAN in web ui. Mikrotik support, any comments? Google's DNS servers are definitely reachable (I have them as the router's DNS servers) but I have not checked UDP traffic. It's a nice feature and I'd love to enjoy those charts and...
by kmansoft
Thu Mar 14, 2019 3:08 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

EC certificates can be used only for www services. Ipsec does not support them.
OK, any plans to make use for IPSec possible? And for ed25519 curve?
by kmansoft
Thu Mar 14, 2019 2:43 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157825

Re: v6.45beta [testing] is released!

After seeing this > *) certificate - added support for ECC (Elliptic Curve Cryptography); in beta changelog, I'm trying to use an ECDSA certificate for IPSec authentication. Doesn't seem to work: - Key generation: openssl ecparam -genkey -name secp384r1 - Certificate generation: Same as before with ...
by kmansoft
Wed Feb 20, 2019 6:05 pm
Forum: General
Topic: AC2 doesn't respond to WinBox Refresh
Replies: 0
Views: 772

AC2 doesn't respond to WinBox Refresh

Hello, I've got a small but annoying problem with an AC2. It's not visible in WinBox Refresh. No errors, just doesn't find it. Always worked before. Router OS is 6.44rc1, think it started with 6.44 beta (66 or 75 not sure). The host is Windows 10 Pro 64 bit. I just connected up an hAP AC (not AC2) -...
by kmansoft
Fri Feb 15, 2019 5:21 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 37493

Re: v6.44rc [testing] is released!

Checking for updates in WebFig gives an error: ERROR: file not found Channel testing Installed Version 6.44beta75 Latest Version 6.44rc1 What's new in 6.43.12 (2019-Feb-08 11:46): *) winbox - improvements in connection handling to router with open winbox service; Perhaps the changelog file for 6.44r...
by kmansoft
Thu Feb 14, 2019 1:25 pm
Forum: General
Topic: IPSec rekey interval? [SOLVED]
Replies: 4
Views: 2778

Re: IPSec rekey interval? [SOLVED]

Thank you @emils

Yes lifetime in *proposal* not in *profile*

Now I see 30 minutes too.
> /ip ipsec proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=ecp256 
by kmansoft
Thu Feb 14, 2019 12:26 pm
Forum: General
Topic: IPSec rekey interval? [SOLVED]
Replies: 4
Views: 2778

Re: IPSec rekey interval? [SOLVED]

lifetime in ipsec proposal Sorry don't think this is it - Lifetime is set to "1d 00:00:00" (the default) - I believe lifetime does a full reconnect - I'm asking about rekey It just rekeyed again. Rekey interval on server is much larger gre: #52, reqid 13, INSTALLED, TRANSPORT, ESP:AES_CBC...
by kmansoft
Thu Feb 14, 2019 12:11 pm
Forum: General
Topic: IPSec rekey interval? [SOLVED]
Replies: 4
Views: 2778

IPSec rekey interval? [SOLVED]

Hello, I'm using an AC2 as an IPSec (GRE) client, IKEv2 + cert auth. The AC2 performs a rekey every 30 minutes. Is there a setting for this, to make it a longer interval? Server logs: Feb 14 12:50:37 charon-systemd[8478]: parsed CREATE_CHILD_SA request 111 [ No KE N(REKEY_SA) SA TSi TSr N(USE_TRANSP...
by kmansoft
Thu Feb 14, 2019 7:56 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 169955

Re: v6.44beta [testing] is released!

@nescafe2002, @sindy Went to check IPSec / Policy and there was one for my GRE - but it had a "D" = "dynamic". Aha! Did this: - Removed "IPSec Secret" from GRE tunnel interface properties - Manually added a policy for it /ip ipsec policy add comment=myservertunnel dst-a...
by kmansoft
Wed Feb 13, 2019 10:34 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 169955

Re: v6.44beta [testing] is released!

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check ...
by kmansoft
Wed Feb 13, 2019 10:10 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 169955

Re: v6.44beta [testing] is released!

The next version will have some more changes for IPsec Identities to make it more clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check ...
by kmansoft
Wed Feb 13, 2019 10:03 pm
Forum: General
Topic: IPSec Mikrotik/Cisco with rsa-signature
Replies: 5
Views: 8057

Re: IPSec Mikrotik/Cisco with rsa-signature

1 - Mikrotik seems to have a bug where if I changed IPSEC configuration and/or reconnected too often - I'd start getting corrupted packets (according to libreswan log), bad padding, bad checksum, that sort of thing. So maybe there is a bug there. This appears fixed in 6.44 beta (it's in the changel...
by kmansoft
Wed Feb 13, 2019 9:56 pm
Forum: General
Topic: Mikrotik as IPSec/IKEv2 client
Replies: 10
Views: 20163

Re: Mikrotik as IPSec/IKEv2 client

... I've tried using certificates but they just don't work.... I've been using a Mikrotik AC^2 client connecting to a Debian server with IPSEC-secured GRE for quite some time. Recently I switched to certificate based auth (previously, PSK and then RSA keys). Shared some tips here, hope this may be ...
by kmansoft
Fri Feb 01, 2019 11:36 pm
Forum: General
Topic: Poor WiFi performance - hAP AC ^2
Replies: 6
Views: 9114

Re: Poor WiFi performance - hAP AC ^2

Thank you all. My test devices are: Samsung S9, Huawei P10, Xiaomi A1 I upgraded the AC2 to latest 6.44 beta earlier today (for a different reason: IPSEC) and getting ~60-80 megabit now. Not 100% if it's related. The Xiaomi A1 loses 5GHz connectivity repeatedly, switching back and forth to and from ...
by kmansoft
Fri Feb 01, 2019 2:52 pm
Forum: General
Topic: Poor WiFi performance - hAP AC ^2
Replies: 6
Views: 9114

Poor WiFi performance - hAP AC ^2

Hello, I'm seeing fairly unexpected low WiFi performance of hAP AC ^2... It's set up as a home router - the internet connection is PPTP on ether1, clients connect on ether2 - 5 and WiFi. On a wired client, I get about 85 megabit ( speedtest.net, internet.yandex.ru ) On wireless clients (a laptop 2.4...
by kmansoft
Sat Jan 26, 2019 5:05 pm
Forum: General
Topic: subjectAltName for IPSEC cert auth
Replies: 1
Views: 1833

Re: subjectAltName for IPSEC cert auth

Got it all to work, posted a fairly detailed write-up here... https://forum.mikrotik.com/viewtopic.php?f=2&t=31563&p=711471#p711471 Hope it may be useful to somebody. There are a lot of fairly casual tutorials on Mikrotik / IPSec out there on the Internet, and they all or almost all use PSK....
by kmansoft
Sat Jan 26, 2019 4:59 pm
Forum: General
Topic: IPSec Mikrotik/Cisco with rsa-signature
Replies: 5
Views: 8057

Re: IPSec Mikrotik/Cisco with rsa-signature

Answering my own question. Got Mikrotik client working with libreswan server using certificate auth. Had to put the IP address of each side into its cert, like this: Server cert: X509v3 Subject Alternative Name: DNS:server, email:...@..., IP Address:139.0.0.1 Client cert: X509v3 Subject Alternative N...
by kmansoft
Wed Jan 23, 2019 11:38 pm
Forum: General
Topic: subjectAltName for IPSEC cert auth
Replies: 1
Views: 1833

subjectAltName for IPSEC cert auth

Hello, I'm trying to configure Mikrotik GRE IPSEC tunnel with a Libreswan server on Linux, using certificate auth. I understand that it's necessary for the server certificate to have a subjectAltName - and tried doing that, but on the Mikrotik side, I get this in the logs: failed to get subjectAltNa...
by kmansoft
Tue Jan 22, 2019 5:13 pm
Forum: General
Topic: IPSec Mikrotik/Cisco with rsa-signature
Replies: 5
Views: 8057

Re: IPSec Mikrotik/Cisco with rsa-signature

So I'm going to engage in necro-posting here :) Also trying to set up Mikrotik as an IPSec client using certificate auth. The server is Linux, LibreSwan. I've got it working with PSK just fine, but thought I'd try certs... My references are these: https://libreswan.org/wiki/HOWTO:_Using_NSS_with_lib...