Community discussions

Search found 24 matches

by seho
Thu Apr 25, 2019 3:00 pm
Forum: General
Topic: WinBox memory consumption
Replies: 1
Views: 179

WinBox memory consumption

Hey,

Today I saw that my WinBox that is running for about two weeks consumes 1.7GB of memory.

See attached screenshot.

There is probably a problem in the resource management within WinBox.


Kind regards,
Sebastian
by seho
Fri Nov 09, 2018 12:05 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Hey, Okay. I'll give the beta Firmware another try. With the removed PFS group from the Policy Proposal. A side annotation. When I set up VRRP with a /32 Address, like mentioned in Configuration Examples from the Wiki, the Router doesn't respond at this IP-Address. In my lab the VRRP is only working...
by seho
Thu Nov 08, 2018 4:59 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Bump... @normis: Have you tried to send data when the ChildSA were recreated? I made another test against a Linux machine running openSWAN and it's working also flawlessly. And I've played around with the problem. And noticed that it usually happens, when I start the data transmission (ICMP ping) w...
by seho
Thu Nov 08, 2018 4:49 pm
Forum: General
Topic: VPN with Linux
Replies: 4
Views: 870

Re: VPN with Linux

Hey, I'm using the MikroTik with IKEv2 and EAP + RADIUS (FreeRADIUS). Radius is used for the authentication and assigning fixed (virtual) IP-Addresses to the RoadWarriors. In this configuration, strongSwan clients and Windows clients can establish a connection to the Router. Also strongSwan running on An...
by seho
Tue Nov 06, 2018 3:50 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Here is the log file where you can also see the ping problem. Nov/06/2018 14:43:30 firewall,info output: in:(unknown 0) out:vrrp1, proto ICMP (type 8, code 0), [RouterOS IP]->[strongSwan IP], len 56 Nov/06/2018 14:43:30 firewall,info input: in:vrrp1 out:(unknown 0), src-mac 00:04:a7:09:8c:3a, proto ICMP (t...
by seho
Tue Nov 06, 2018 3:23 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Have you also tried to send data? From the RouterOS side, rekeying looks like it has worked. But no data goes through. ChildSA for both directions were created. But no data exchange is possible. Here is the log file: Nov/06/2018 14:14:38 ipsec IPsec-SA established: [strongSwan IP][500]-...
by seho
Tue Nov 06, 2018 2:07 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

When I re-enable the PFS group, the logs differ. But in my opinion that's because the behavior changes completely: With enabled PFS group, it happens from time to time, that no data flows through the created ChildSA. And on the strongSwan side, I can see that there is a package that is retransmitted, but never an...
by seho
Tue Nov 06, 2018 1:10 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Is there any news regarding my problem?

Are the posted logs ok? Can I provide anything else for solving my problem?

Kind regards,
Sebastian
by seho
Mon Nov 05, 2018 11:26 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Ok. Here they are: ipsec.conf from strongSwan: conn connection1 keyexchange=ikev2 esp=aes256ctr-sha256-modp4096! ike=aes256-sha256-modp4096! ikelifetime=720m keylife=6m rekeymargin=3m keyingtries=3 left=[strongSwan IP] leftcert=station4crt.pem leftid="[Local Cert DN]" right=[RouterOS IP] rightcert=m...
by seho
Fri Nov 02, 2018 4:10 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Ok. I removed the PFS group from the Policy Proposal. The Child SAs are negotiated properly on connect. Flags: H - hw-aead, A - AH, E - ESP 0 E spi=0xF79B8D5 src-address=[strongSwan] dst-address=[ROS IP] state=mature auth-algorithm=sha256 enc-algorithm=aes-ctr enc-key-size=288 auth-key="936efeca2a29...
by seho
Fri Nov 02, 2018 3:08 pm
Forum: General
Topic: Winbox-Traffic - 200kbit/s
Replies: 14
Views: 860

Re: Winbox-Traffic - 200kbit/s

How are you connecting with Winbox?

When I connect to the Router I can also see up to 250kbits, but only when I use the MAC-ADDRESS for connecting.

Greets,
Sebastian
by seho
Fri Nov 02, 2018 2:59 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

Re: IPSec IKEv2 rekeying problem

Yes, the PFS group for the proposal is set to: MODP4096, that was a requirement from the customer. Comparing the spi and the keys brought me to the problem that I'm not able to find out the spi or the keys from the strongSwan log. I tried it now for a few hours. I could only provide a log with maxim...
by seho
Thu Nov 01, 2018 3:23 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1706

IPSec IKEv2 rekeying problem

I'm currently fighting with a re-keying problem in my IPSec configuration. I'm using IKEv2, certificate authentication on ROS6.43.4. I got a connection from a strongSwan linux ipsec client to my customer's RB2011 running. From time to time it happens that, when a new ChildSA is negotiated, no data arrives ...
by seho
Thu Mar 08, 2018 3:50 pm
Forum: General
Topic: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]
Replies: 1
Views: 1690

Re: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]

I finally found the solution. It didn't have anything to do with the MikroTik Router itself.

The strongSwan eap-mschapv2 plugin was missing.

Installing the libcharon-extra-plugins package fixed the problem.

Kind regards,
Sebastian
by seho
Thu Mar 08, 2018 12:39 pm
Forum: General
Topic: SSH Development [SOLVED]
Replies: 6
Views: 916

Re: SSH Development [SOLVED]

I'm able to change the default ports for the different services using Winbox.

They were located under IP -> Services

Kind regards,
Sebastian
by seho
Thu Mar 08, 2018 12:05 pm
Forum: General
Topic: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]
Replies: 1
Views: 1690

IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]

Hi to all, I'm currently fighting with the eap-radius authentication with strongSwan clients. Windows clients are able to connect. I set up the ipsec peer to use eap radius as authentication mode. strongSwan output when trying to connect is: server requested EAP_IDENTITY (id0x00) sending '<username>...
by seho
Wed Sep 13, 2017 3:23 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 1649

Re: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

I finally found the error. I changed the proposal for dynamic policy generation and it's working in both modes. I don't really understand why it has worked with "computer certificate" authentication and with EAP it came to the "proposal not found" problem. For now I assume that is something special f...
by seho
Tue Sep 12, 2017 5:30 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 1649

Re: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

Thanks again for your response. I set up an external RADIUS server using FreeRadius. The authentication is generally working now. But the client isn't able to establish the connection. The log message says ipsec,error no proposal chosen When I try to establish the connection using "RSA Auth" a proposa...
by seho
Tue Sep 12, 2017 3:28 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 1649

Re: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

Thanks for your reply. Can I use the ROS integrated RADIUS Server for that? Or do I need an external RADIUS server like FreeRADIUS? Is there any documentation about the procedure how to set up the ROS? Is there any documentation about the RADIUS Server provided with ROS? I tried to set up ROS with the...
by seho
Mon Sep 11, 2017 2:45 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 1649

IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

Hey all, I want to assign our roadwarriors a specific ip address when they are establishing their ipsec connection. IPSec is currently as in the IKEv2, RSA with mode conf Roadwarrior example from the wiki. When I use strongSwan or OpenVPN an ip-address for the user can be defined by assigning the ce...
by seho
Tue Nov 22, 2016 7:54 pm
Forum: General
Topic: How to use multiple IPSec instances with different "Exchange Mode"
Replies: 1
Views: 565

Re: How to use multiple IPSec instances with different "Exchange Mode"

Basically I nailed down the base problem - adding another ipsec peer screws up the login of the L2TPoIPSec clients. If the ipsec peer is manually created or dynamic ("Use IPSec" in "L2TP-Server" Button in ppp) doesn't matter. I don't know if it matters here, but the clients are connecting over...
by seho
Tue Nov 22, 2016 1:47 pm
Forum: General
Topic: How to use multiple IPSec instances with different "Exchange Mode"
Replies: 1
Views: 565

How to use multiple IPSec instances with different "Exchange Mode"

Hi all, I need to run two IPSec Peers Configurations with different "Exchange Modes" in parallel. One in "main l2tp" exchange mode for connecting "L2TP over IPSec" clients. And another one using "main" as Exchange Mode, for default IPSec clients. It's generally working when I assign a different ip-ad...
by seho
Fri Feb 06, 2015 6:08 pm
Forum: General
Topic: L2TP IPSec Server problem using ROS V6.25
Replies: 1
Views: 495

Re: L2TP IPSec Server problem using ROS V6.25

Hey,

the MT support helped me out.

The problem was that encryption on the l2tp level was enabled. It has worked with ROS 6.17, since ROS 6.19 it has to be disabled.

Regards,
Sebastian
by seho
Tue Feb 03, 2015 2:54 pm
Forum: General
Topic: L2TP IPSec Server problem using ROS V6.25
Replies: 1
Views: 495

L2TP IPSec Server problem using ROS V6.25

Hi, I've encountered a problem using L2TP over IPSec with latest firmware. I've got an RB2011UiAS hardware running ROS 6.17, everything is working fine - my clients Windows CE 6.0 SP3 can connect and the data can be transmitted. My customer who runs this router has a problem that router sometimes be...