Community discussions

Search found 10 matches

by hike
Tue Jun 23, 2020 1:28 pm
Forum: General
Topic: IKEv2: initiator CONFIG payload only contains IPv6 attributes
Replies: 0
Views: 369

IKEv2: initiator CONFIG payload only contains IPv6 attributes

The vast majority of our roadwarrior clients provide the following CONFIG payload during IKEv2 AUTH:
11:57:58 ipsec processing payload: CONFIG
11:57:58 ipsec attribute: internal IPv4 address
11:57:58 ipsec attribute: internal IPv4 DNS
11:57:58 ipsec attribute: internal IPv4 NBNS
11:57:58 ipsec attri...
by hike
Thu Jun 11, 2020 3:11 pm
Forum: General
Topic: IPSec: Cert Revocation through CRL
Replies: 0
Views: 256

IPSec: Cert Revocation through CRL

How does the ROS IPSec stack handle a revoked client certificate that is used during an IKEv2 handshake?

I assume that new sessions that use a revoked cert are rejected but what about sessions that were established before the cert was revoked?
by hike
Fri May 29, 2020 6:10 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1453

Re: packet sniffer missing outgoing ESP datagrams

I just did, same result. Many more missing ESP UDP datagrams on the sending than on the receiving side.
If so, it looks like an overload of the device or a bug of the sniffer.
I assume the latter, the device is not in use and mostly idle.
by hike
Fri May 29, 2020 5:35 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1453

Re: packet sniffer missing outgoing ESP datagrams

Try filtering on the remote IP address only, not on UDP 4500, and see what happens.

I just did, same result.
Many more missing ESP UDP datagrams on the sending than on the receiving side.
by hike
Fri May 29, 2020 5:03 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1453

Re: packet sniffer missing outgoing ESP datagrams

First fragments usually contain the L4 header (8 bytes UDP in this case), ip.flags.mf=1 and ip.offset=0.
If ip.flags.mf is not set anywhere, no fragments will follow.
by hike
Fri May 29, 2020 2:56 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1453

Re: packet sniffer missing outgoing ESP datagrams

You filter on UDP and port number, but if IP packets are fragmented (which is likely the case here), the L4 addresses (ports) are only present in the first fragment, so the second fragment doesn't match the filter. But since the first fragment is not a complete packet, it doesn't make it to the sni...
by hike
Fri May 29, 2020 1:17 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1453

packet sniffer missing outgoing ESP datagrams

/tool sniffer seems to miss hundreds of UDP encapsulated ESP datagrams that are about to leave the device: ros-sniffer-missing-esp.png (80. is the RouterOS device, 85. is the Windows client) each of the lines above is Wireshark reporting that a different ESP sequence number was expected, implying on...
by hike
Tue May 19, 2020 12:06 pm
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 2632

Re: CCR 1009 - IPSEC throughput

Found the test. Windows client using an AES-128-CBC/SHA256 tunnel, Linux client not using a tunnel, nuttcp using TCP in both directions: More than 300mbps was indeed only possible in one direction (where Windows did all the encryption):
# win -> lin
PS C:\nuttcp-8.1.4.win64> .\nuttcp-8.1.4.exe -w500k...
by hike
Mon May 18, 2020 3:16 pm
Forum: General
Topic: CCR 1009 - IPSEC throughput
Replies: 16
Views: 2632

Re: CCR 1009 - IPSEC throughput

You don't mention the transport protocol but I assume you tried TCP. Try multiple TCP connections or try UDP and you'll probably approach 1gbps. AFAIR, encryption of IP packets containing a TCP payload will be bound to one core in order to "enforce" ordered output. I remember getting ~350mbps with C...
by hike
Mon May 18, 2020 2:36 pm
Forum: General
Topic: IKE daemon on CCR routers limited by one core
Replies: 0
Views: 413

IKE daemon on CCR routers limited by one core

First off, this post is not about thrashing Mikrotik. We are generally very happy with ROS, Mikrotik hardware and Mikrotik's support. In this case I'd like to document a hard limit on the CCR routers we've purchased so others don't make the same mistake. If you ever think about using one of the CCR ...