Feature request for /tool sniffer. Please make it possible to submit a filter-port range to the sniffer to allow sniffing like this:

Had the same issue. It has been solved by setting pfs-group for RW to none under IPsec Proposal menu

*) ipsec - renamed "remote-dynamic-address" to "dynamic-address";
is this 'dynamic-adress' feature already documented ? Did not found any note in Wiki.

+1
It's time for IKEv2

We have released 6.34 version. What's new in 6.34 (2016-Jan-29 10:25): *) ipsec - allow my-id address specification in main mode; *) ipsec - prioritize proposals; *) ipsec - support multiple DH groups for phase 1; /ip ipsec peers display problem for enc-algorithm. Peers configured with enc-algorith...

restored https://twitter.com/mikrotik_com/status ... 0737845248

Confirmed. Can't reach ns1,kissthenet.net and ns2.kissthenet.net from Germany. *.sn,mynetname.net names are unresolvable.

Hi,

I've discovered some problems with authentication. If SHA256 is configured, then ROS uses HMAC-SHA256-96 and StrongSwan HMAC-SHA256-128.

Does the recent ROS 6 allow the use of individual PSKs for each road warrior?

i would appreciate it very much!

Phase2 settings differ. On ROS you have 3des in Phase2 (default proposal), in pfSense is aes-128 chosen.

NAT is really not configured on your MikroTik?

I think your problem is caused by the NAT made ​​on the Fritzbox. Remove the Fritzbox and assign your public ip to the MikroTik RB.

Same problem here with the following ipsec,debug messages 14:29:51 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client 14:29:51 ipsec,debug auth method 65005 isn't supported. 14:29:51 ipsec,debug no Proposal found. 14:29:51 ipsec,debug failed to get valid proposal. 1...

maybe you need to upgrade your MC8790 firmware to K2_0_7_35AP C:/WS/FW/K2_0_7_35AP/MSM6290/SRC
for me it works with this card.

you may send the MC8790 an global reset command (helps for this old firmware sometimes): 1.) disable your dialout-interface ppp-out1 2.) open the serial terminal: /system serial-terminal channel=3 usb2 3.) enter the following chars and press enter AT!GRESET 4.) exit from serial-terminal and reboot t...

0 chain=srcnat action=masquerade add your outgoing interface: /ip firewall nat set 0 out-interface=ppp-out1 because you only want the traffic leaving the router out of ppp-out1 be masqed 1 chain=dstnat action=dst-nat to-addresses=10.0.0.222 to-ports=0-60000 protocol=udp dst-address=91.135.1.10 in-i...

Hello, you may try this, if you have static ip-addresses on your pppoe-client interfaces # on side1 /ip ipsec peer add addr=93.138.77.119 secret="your_very_strong_secret" nat-traversal=yes /ip ipsec policy add src-addr=172.16.1.0/24 dst-addr=192.168.2.0/24 sa-src-addr=78.0.208.170 sa-dst-a...

The following may work: RB1: /ip ipsec peer add address=8.8.1.1/32 secret="test" nat-traversal=yes send-initial-contact=no /ip ipsec policy add sa-dst-address=8.8.1.1 sa-src-address=8.8.0.1 src-address=192.168.0.0/24 dst-address=192.168.1.0/24 tunnel=yes /ip firewall nat add chain=srcnat a...

I think the problem is the mikrotik kernel or the l2tp-server does not implement ipsec saref. File a feature request for ipsec saref!

I can't explain why but it seems to be impossible to call out more than 1 times from behind one WAN-IP to IPsec-L2TP even with NAT-T. :/

Hello,
what is the most effective IPsec encryption algorithm for MIPS 24Kc V7.4 cpu related boards? It seems 3des which is the default setting consumes lots of cpu cycles.

Is on your mikrotik NAT-T active?
/ip ipsec peer ... nat-traversal=yes

Hi,

if src-nat is active between 'my router' and 'internet' then 'their router' must not dst-nat any vpn related protocol to 'their router'. Because of the NAT 'their router' will fall back to NAT-Traversal (ESP over 4500/udp). This also means 'their router' only can do outcalls.

I am having problem to setup IPSec VPN MacOS client ----> Mikrotik, which seems no one can help

For me l2tp-ipsec works great between MacOS road warriors and ROS. Do you use PSKs or Certs?

Same here. The problem stil exists in ROS 4.13. RB hangs when ovpn-client tries to connect to a OpenVPN 2.1.x server with x.509-certs.

here the kernel oops in 4.10 AT!GRESET OK Oops[#1]: Cpu 0 $ 0 : 00000000 1000de01 00000000 00000001 $ 4 : c05ca800 c1acfe00 c1f73b80 c05ca890 $ 8 : c03233e0 0000de00 00000000 c1df4000 $12 : c037db50 00000000 0007762c 00010000 $16 : c1fd4f00 00000000 c1acfe3c c1acfe00 $20 : c05ca800 c1aee410 00000002...

If you do an AT!GRESET to the MC8775 the 3G-Modem-card goes way for a second and comes up again with another device name in /dev. This causes a Kernel-Oops in RouterOS 4.x in certain circumstances.

Hi, have the same problem. The sierra wireless mc8775 sometimes just hangs. I also have seen on some RB411u's with this card that the serial port usb2 disappeared. /port print shows in this state just serial0. and the log says Jan/02/1970 01:03:49 async,ppp,info ppp-out1: initializing... Jan/02/1970...