Community discussions

Search found 41 matches

by seho
Wed Jul 13, 2022 3:05 pm
Forum: General
Topic: Windows NDES /SCEP Certificate Renewal
Replies: 1
Views: 1262

Windows NDES /SCEP Certificate Renewal

Hi, we were retrieving certificates using a Windows Server 2012R2 based NDES server (SCEP). Certificates can be installed using the following commands: certificate add name=MikroTik common-name=MikroTik key-usage= certificate add-scep name=SECP template=MikroTik scep-url=http://10.0.1.121/certsrv/mscep...
by seho
Tue Feb 23, 2021 9:58 pm
Forum: General
Topic: IPSec Connection: Data is not correctly "transmitted" through policy
Replies: 3
Views: 726

Re: IPSec Connection: Data is not correctly "transmitted" through policy

The router is running one of the latest ROS 6.4x stable releases; which one exactly I don't know. I currently have no access to the device. @sindy: It depends on how many packets are transmitted per second. Further investigation showed that every 10 seconds a packet arrives on the interface...
by seho
Mon Feb 22, 2021 4:23 pm
Forum: General
Topic: IPSec Connection: Data is not correctly "transmitted" through policy
Replies: 3
Views: 726

IPSec Connection: Data is not correctly "transmitted" through policy

Hi, today I discovered a strange behaviour between a Linux client using strongSwan and an RB1100AHx4. One of our customers is using the MikroTik as an IPSec concentrator, where many IPSec connections are terminated and routed from the MikroTik into the customer's network. While analyzing another problem...
by seho
Tue Feb 09, 2021 4:14 pm
Forum: General
Topic: IPSec - Peer: failed to bind to ::[500] Bad file descriptor [SOLVED]
Replies: 2
Views: 1988

Re: IPSec - Peer: failed to bind to ::[500] Bad file descriptor [SOLVED]

IPv6 has to be enabled to use IPSec, but the package is disabled by default. It doesn't matter if you don't use it anywhere else; the package still needs to be enabled.

A more explanatory error message would have been great.
by seho
Mon Feb 08, 2021 4:07 pm
Forum: General
Topic: IPSec - Peer: failed to bind to ::[500] Bad file descriptor [SOLVED]
Replies: 2
Views: 1988

IPSec - Peer: failed to bind to ::[500] Bad file descriptor [SOLVED]

Hello everyone, I have an RB1100AHx4 running here as a VPN concentrator. After I updated the router to the latest firmware (6.48 / 6.48.1) I got the following error printed out in the log:
14:48:52 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=25)
14:48:52 ipsec,debug 0.0.0.0[4500] used as isakmp port ...
by seho
Fri Mar 20, 2020 1:30 am
Forum: General
Topic: Hotspot tickets management
Replies: 1
Views: 1333

Re: Hotspot tickets management

I never used the hotspot feature, but you can try this:

Use print on the terminal:
ip hotspot print file=AllOfHotSpot
That will create a file which contains everything you can see in Winbox.

Remove the file=... and you will get the information printed out in the terminal.
by seho
Fri Mar 20, 2020 1:22 am
Forum: General
Topic: IPSec Ike2 - Roadwarrior clients on 4G - Does it work?
Replies: 2
Views: 1345

Re: IPSec Ike2 - Roadwarrior clients on 4G - Does it work?

Sure, that will work when it is set up properly. For pushing routes, have a look at IPSec - ModeConfig and the Split-Include parameter. NAT isn't a big deal; usually NAT is automatically detected (see NAT-Traversal). I only used it with strongSwan for the remote side, and this integrates NAT-Traversal,...
by seho
Fri Mar 20, 2020 1:13 am
Forum: General
Topic: IPSec IKE2 tunnel behind ISP router- can't ping, can't reach internet from VPN
Replies: 5
Views: 2973

Re: IPSec IKE2 tunnel behind ISP router- can't ping, can't reach internet from VPN

Have a detailed look at what happens with the packets arriving through the IPSec connection on the MikroTik. Maybe only DNS is not working. Are the clients connected via IKEv2 able to ping an IP address in the WAN? Try pinging 8.8.8.8 (Google DNS) or another public IP that responds to pings from a connect...
by seho
Fri Mar 20, 2020 1:03 am
Forum: General
Topic: Basic question about L2TP + IPsec VPN
Replies: 13
Views: 4845

Re: Basic question about L2TP + IPsec VPN

One idea is to set up a NAT rule, so data to the devices connected via L2TP looks like it originated from the MikroTik. Example: the network for L2TP is 10.0.0.0/24 and 10.0.0.254/24 is the MikroTik:
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.0.0.0/24 to-addresses=10.0.0.254
So you don't have...
by seho
Thu Feb 27, 2020 12:49 pm
Forum: General
Topic: RB4011 and RB1100 AHx4 "bricks" randomly
Replies: 222
Views: 78276

Re: RB4011 and RB1100 AHx4 "bricks" randomly

I got some supouts from our customer who reported the problem with a non-responding device: one from a device running in a non-error state and one in an error state. Because of an NDA I'm currently not allowed to share the supout with MikroTik. I had a look at the supout.rif locally on my PC using Mi...
by seho
Fri Feb 07, 2020 2:36 pm
Forum: General
Topic: RB4011 and RB1100 AHx4 "bricks" randomly
Replies: 222
Views: 78276

Re: RB4011 and RB1100 AHx4 "bricks" randomly

I also got a report from a customer who is running two RB1100AHx4 as VPN concentrators (L2TP over IPSec + IPSec IKEv2) in a VRRP setup. The VRRP master device stopped accepting VPN connections, but unfortunately VRRP continued working - it stayed the master device and the fail-over to the slave de...
by seho
Tue Nov 26, 2019 9:38 pm
Forum: General
Topic: IPSec - Certificate constraint checking
Replies: 0
Views: 987

IPSec - Certificate constraint checking

Hey, I have a question about authentication using certificates. Can RouterOS be configured to authenticate the IPSec remote by trust in the issuing CA and through the certificate's CN or SAN? And can this be configured using a single IPSec peer? Currently I have the following configuration on the m...
by seho
Tue Nov 19, 2019 7:37 pm
Forum: General
Topic: IPSec peer unable to specify port [SOLVED]
Replies: 4
Views: 1656

Re: IPSec peer unable to specify port [SOLVED]

Thank you very much for your explanation.

Embarrassing for me, that I completely overlooked that. Maybe I need to get some more sleep.

Thanks again and have a nice evening!

Kind regards,
Sebastian
by seho
Tue Nov 19, 2019 3:03 pm
Forum: General
Topic: IPSec peer unable to specify port [SOLVED]
Replies: 4
Views: 1656

Re: IPSec peer unable to specify port [SOLVED]

Okay, thanks for your response. I missed that point when I read the documentation on the wiki. I tried that because a customer wished to use certificates from two different CAs on the same device for IKEv2 authentication. I just thought I could specify the port for IKE in the peer. Create anothe...
by seho
Tue Nov 19, 2019 2:10 pm
Forum: General
Topic: IPSec peer unable to specify port [SOLVED]
Replies: 4
Views: 1656

IPSec peer unable to specify port [SOLVED]

It seems that RouterOS (v6.45.6) ignores the port parameter for an IPsec peer. I tried to set up a specific port for the IPsec peer using WinBox, but it's not shown in the configuration when I look at the IPsec settings in the CLI. Also, adding a peer on the CLI doesn't use the specified port: ip ipsec peer add ...
by seho
Fri Sep 27, 2019 9:17 pm
Forum: General
Topic: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid
Replies: 3
Views: 1967

Re: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid

The CPU usage goes to 100% after setting up the ipsec identity. And for small remote tasks like committing to git repositories and accessing some web services the performance was completely sufficient. I used the same CRS for inbound IPSec connections in the past. I know that device doesn't have a lot of power...
by seho
Fri Sep 27, 2019 2:42 pm
Forum: General
Topic: CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid
Replies: 3
Views: 1967

CRS125-24G 100% CPU on IPSec Configuration using RSA Signature Hybrid

Hi all, I have a CRS125-24G here, on which I'm trying to set up an IPSec connection to a CRS326. I need to set up the connection with "RSA Signature Hybrid", but as soon as I add the ipsec identity the CPU load goes to 100% and sticks there. The only thing that helps is resetting the config...
by seho
Thu Apr 25, 2019 3:00 pm
Forum: General
Topic: WinBox memory consumption
Replies: 1
Views: 673

WinBox memory consumption

Hey,

today I saw that my WinBox, which has been running for about two weeks, consumes 1.7 GB of memory.

See attached screenshot.

There is probably a problem in the resource management within WinBox.

Kind regards,
Sebastian
by seho
Fri Nov 09, 2018 12:05 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Hey, okay. I'll give the beta firmware another try, with the PFS group removed from the policy proposal. A side note: when I set up VRRP with a /32 address, as mentioned in the configuration examples from the wiki, the router doesn't respond at this IP address. In my lab the VRRP is only working...
by seho
Thu Nov 08, 2018 4:59 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Bump... @normis: Have you tried to send data when the ChildSA was recreated? I made another test against a Linux machine running openSWAN and it's also working flawlessly. And I've played around with the problem, and noticed that it usually happens when I start the data transmission (ICMP ping) w...
by seho
Thu Nov 08, 2018 4:49 pm
Forum: General
Topic: VPN with Linux
Replies: 3
Views: 6185

Re: VPN with Linux

Hey, I'm using the MikroTik with IKEv2 and EAP + RADIUS (FreeRADIUS). RADIUS is used for authentication and for assigning fixed (virtual) IP addresses to the road warriors. In this configuration, strongSwan clients and Windows clients can establish a connection to the router. Also strongSwan running on An...
by seho
Tue Nov 06, 2018 3:50 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Here is the log file where you can also see the ping problem:
Nov/06/2018 14:43:30 firewall,info output: in:(unknown 0) out:vrrp1, proto ICMP (type 8, code 0), [RouterOS IP]->[strongSwan IP], len 56
Nov/06/2018 14:43:30 firewall,info input: in:vrrp1 out:(unknown 0), src-mac 00:04:a7:09:8c:3a, proto ICMP (t...
by seho
Tue Nov 06, 2018 3:23 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Have you also tried to send data? From the RouterOS side, rekeying looks like it has worked, but no data goes through. ChildSAs for both directions were created, but no data exchange is possible. Here is the log file:
Nov/06/2018 14:14:38 ipsec IPsec-SA established: [strongSwan IP][500]-...
by seho
Tue Nov 06, 2018 2:07 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

When I re-enable the PFS group, the logs differ. But in my opinion that is because the behaviour changes completely: with the PFS group enabled, it happens from time to time that no data flows through the created ChildSA. And on the strongSwan side, I can see that there is a packet that is retransmitted, but never an...
by seho
Tue Nov 06, 2018 1:10 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Is there any news regarding my problem?

Are the posted logs OK? Can I provide anything else for solving my problem?

Kind regards,
Sebastian
by seho
Mon Nov 05, 2018 11:26 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Ok. Here they are. ipsec.conf from strongSwan:
conn connection1
    keyexchange=ikev2
    esp=aes256ctr-sha256-modp4096!
    ike=aes256-sha256-modp4096!
    ikelifetime=720m
    keylife=6m
    rekeymargin=3m
    keyingtries=3
    left=[strongSwan IP]
    leftcert=station4crt.pem
    leftid="[Local Cert DN]"
    right=[RouterOS IP]
    r...
by seho
Fri Nov 02, 2018 4:10 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Ok. I removed the PFS group from the policy proposal. The Child SAs are negotiated properly on connect:
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0xF79B8D5 src-address=[strongSwan] dst-address=[ROS IP] state=mature auth-algorithm=sha256 enc-algorithm=aes-ctr enc-key-size=288 auth-key="936efec...
by seho
Fri Nov 02, 2018 3:08 pm
Forum: General
Topic: Winbox-Traffic - 200kbit/s
Replies: 14
Views: 2449

Re: Winbox-Traffic - 200kbit/s

How are you connecting with Winbox?

When I connect to the router I can also see up to 250 kbit/s, but only when I use the MAC address for connecting.

Greets,
Sebastian
by seho
Fri Nov 02, 2018 2:59 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

Re: IPSec IKEv2 rekeying problem

Yes, the PFS group for the proposal is set to MODP4096; that was a requirement from the customer. Comparing the SPI and the keys brought me to the problem that I'm not able to find out the SPI or the keys from the strongSwan log. I've tried for a few hours now. I could only provide a log with maxim...
by seho
Thu Nov 01, 2018 3:23 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 19
Views: 10995

IPSec IKEv2 rekeying problem

I'm currently fighting with a re-keying problem in my IPSec configuration. I'm using IKEv2 with certificate authentication on ROS 6.43.4. I have a connection from a strongSwan Linux IPsec client to my customer's RB2011 running. From time to time it happens that, when a new ChildSA is negotiated, no data arrives ...
by seho
Thu Mar 08, 2018 3:50 pm
Forum: General
Topic: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]
Replies: 1
Views: 5423

Re: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]

I finally found the solution. It didn't have anything to do with the MikroTik router itself.

The strongSwan eap-mschapv2 plugin was missing.

Installing the libcharon-extra-plugins package fixed the problem.

Kind regards,
Sebastian
by seho
Thu Mar 08, 2018 12:39 pm
Forum: General
Topic: SSH Development [SOLVED]
Replies: 6
Views: 2540

Re: SSH Development [SOLVED]

I'm able to change the default ports for the different services using Winbox.

They are located under IP -> Services.

Kind regards,
Sebastian
by seho
Thu Mar 08, 2018 12:05 pm
Forum: General
Topic: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]
Replies: 1
Views: 5423

IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]

Hi all, I'm currently fighting with EAP-RADIUS authentication with strongSwan clients. Windows clients are able to connect. I set up the IPsec peer to use eap radius as the authentication mode. The strongSwan output when trying to connect is:
server requested EAP_IDENTITY (id0x00)
sending '<username>...
by seho
Wed Sep 13, 2017 3:23 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 3481

Re: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

I finally found the error. I changed the proposal for dynamic policy generation and it's working in both modes. I don't really understand why it worked with "computer certificate" authentication, while with EAP it ran into the "proposal not found" problem. For now I assume that is...
by seho
Tue Sep 12, 2017 5:30 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 3481

Re: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

Thanks again for your response. I set up an external RADIUS server using FreeRADIUS. Authentication is generally working now, but the client isn't able to establish the connection. The log message says: ipsec,error no proposal chosen. When I try to establish the connection using "RSA Auth"...
by seho
Tue Sep 12, 2017 3:28 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 3481

Re: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

Thanks for your reply. Can I use the RADIUS server integrated in ROS for that, or do I need an external RADIUS server like FreeRADIUS? Is there any documentation about the procedure for setting up ROS? Is there any documentation about the RADIUS server provided with ROS? I tried to set up ROS with the...
by seho
Mon Sep 11, 2017 2:45 pm
Forum: General
Topic: IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]
Replies: 5
Views: 3481

IKEv2 Roadwarrior, assign "static" modeconf ip-address to user [SOLVED]

Hey all, I want to assign our road warriors a specific IP address when they establish their IPsec connection. IPSec is currently set up as in the "IKEv2, RSA with mode conf Roadwarrior" example from the wiki. When I use strongSwan or OpenVPN, an IP address for the user can be defined by assigning the ce...
by seho
Tue Nov 22, 2016 7:54 pm
Forum: General
Topic: How to use multiple IPSec instances with different "Exchange Mode"
Replies: 1
Views: 1136

Re: How to use multiple IPSec instances with different "Exchange Mode"

Basically I nailed down the base problem - adding another IPsec peer screws up the login of the L2TP-over-IPSec clients. Whether the IPsec peer is manually created or dynamic ("Use IPSec" in the "L2TP Server" button in PPP) doesn't matter. I don't know if it matters here, but the clients...
by seho
Tue Nov 22, 2016 1:47 pm
Forum: General
Topic: How to use multiple IPSec instances with different "Exchange Mode"
Replies: 1
Views: 1136

How to use multiple IPSec instances with different "Exchange Mode"

Hi all, I need to run two IPSec peer configurations with different "Exchange Modes" in parallel: one in "main l2tp" exchange mode for connecting "L2TP over IPSec" clients, and another one using "main" as the exchange mode for default IPSec clients. It's generally...
by seho
Fri Feb 06, 2015 6:08 pm
Forum: General
Topic: L2TP IPSec Server problem using ROS V6.25
Replies: 1
Views: 894

Re: L2TP IPSec Server problem using ROS V6.25

Hey,

MT support helped me out.

The problem was that encryption on the L2TP level was enabled. It worked with ROS 6.17; since ROS 6.19 it has to be disabled.

Regards,
Sebastian
by seho
Tue Feb 03, 2015 2:54 pm
Forum: General
Topic: L2TP IPSec Server problem using ROS V6.25
Replies: 1
Views: 894

L2TP IPSec Server problem using ROS V6.25

Hi, I've encountered a problem using L2TP over IPSec with the latest firmware. I've got an RB2011UiAS running ROS 6.17 and everything is working fine - my Windows CE 6.0 SP3 clients can connect and data can be transmitted. My customer who runs this router has a problem that the router sometimes be...