Community discussions

Search found 293 matches

by emils
Tue Jan 15, 2019 4:04 pm
Forum: General
Topic: Ping count parameter invalid
Replies: 3
Views: 144

Re: Ping count parameter invalid

It is simply /ping, not /tool ping. /tool ping is a shortcut for /tool ping-speed.
/ping 8.8.8.8 count=1
by emils
Tue Jan 15, 2019 11:09 am
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 40
Views: 3816

Re: v6.42.11 [long-term] is released!

You do not need the fix_space.npk package. Simply reboot the router and it should regain the free space.
by emils
Wed Jan 09, 2019 1:17 pm
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 25
Views: 8266

Re: v6.42.10 [long-term] is released!

New version 6.42.11 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=143805
by emils
Wed Jan 09, 2019 1:16 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 40
Views: 3816

v6.42.11 [long-term] is released!

RouterOS version 6.42.11 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Tue Jan 08, 2019 8:27 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

multiple mode-config doesn't be as intended with certificate matching. I've tried to add 2 mode-configs and I want to assign a different ip pool each. apart the fact that is better to implement an object of type "list" populated with multiple certificate, currently it's impossible to add multiple cl...
by emils
Mon Jan 07, 2019 4:47 pm
Forum: General
Topic: L2tp Ipsec intruders
Replies: 6
Views: 348

Re: L2tp Ipsec intruders

These are scans performed by Shadowserver. The scan does not harm you in any way, but if you want, you can obviously block it in your firewall's input chain, however they have multiple IP addresses and it will be hard to do.

https://isakmpscan.shadowserver.org/
by emils
Mon Jan 07, 2019 2:09 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Version 6.44beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Jan 02, 2019 7:39 am
Forum: General
Topic: ikev2 multiple client dhcp pool
Replies: 3
Views: 221

Re: ikev2 multiple client dhcp pool

Not quite yet. I suspect it may appear in beta versions in like two to three weeks from now.
by emils
Tue Dec 25, 2018 12:19 pm
Forum: General
Topic: ikev2 multiple client dhcp pool
Replies: 3
Views: 221

Re: ikev2 multiple client dhcp pool

We are working on this feature in 6.44 versions. You will be able to specify a different mode-config configuration for different clients based on remote-id matcher.
by emils
Fri Dec 21, 2018 10:55 am
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 8572

Re: v6.43.7 [stable] is released!

New version 6.43.8 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=143042
by emils
Fri Dec 21, 2018 10:54 am
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 143
Views: 17457

v6.43.8 [stable] is released!

RouterOS version 6.43.8 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Dec 19, 2018 8:22 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
by emils
Wed Dec 19, 2018 7:27 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

mducharme, please generate a supout.rif file when the issue is present and send it to support@mikrotik.com
by emils
Tue Dec 18, 2018 12:31 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Version 6.44beta50 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Dec 18, 2018 12:22 pm
Forum: General
Topic: IKEv2 with RSA authentication > iOS > EAP is not configured [SOLVED]
Replies: 2
Views: 217

Re: IKEv2 with RSA authentication > iOS > EAP is not configured [SOLVED]

Make sure you have User Authentication set to None as in the wiki example, it should disable EAP.

by emils
Mon Dec 03, 2018 4:26 pm
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 8572

Re: v6.43.7 [stable] is released!

If you are connected to the router over VPN, it is possible that you are running into some MTU related issues over the VPN link. If packets are being fragmented it can cause your described issues.
by emils
Mon Dec 03, 2018 3:39 pm
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 8572

Re: v6.43.7 [stable] is released!

After upgrade my Hex S. No firewall rules, no CAP access list, etc :( Connection via VPN very slow. I will check more if I return to home. In my case, something like this happened for the first time. What I should do now? I have backup from 6.43.4 If you experience version related issues, then plea...
by emils
Mon Dec 03, 2018 2:20 pm
Forum: Announcements
Topic: v6.43.4 [stable] is released!
Replies: 78
Views: 16999

Re: v6.43.4 [stable] is released!

New version 6.43.7 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=142316
by emils
Mon Dec 03, 2018 2:19 pm
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 8572

v6.43.7 [stable] is released!

RouterOS version 6.43.7 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Nov 30, 2018 9:35 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

anuser, the parameter was not set properly and a different interval was used in the background.

msatter, if there is an autosupout.rif file generated on the router after such crashes, it is worth sending it to us.
by emils
Wed Nov 28, 2018 3:32 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Version 6.44beta40 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Nov 27, 2018 9:10 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

L2TP/IPSEC no work, the message are "failed to pre-process ph2 packet" config # nov/27/2018 17:36:36 by RouterOS 6.44beta39 # # model = 951G-2HnD /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des /interface l2tp-server se...
by emils
Tue Nov 27, 2018 6:00 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

g22113 , that is not a limitation, simply the warning messages are misleading. The limitation should be - one identity per one initiator peer. We will resolve the issue in the next beta. The same goes for "this peer is unreachable" warnings - they are not working as expected. Also resolved in the n...
by emils
Tue Nov 27, 2018 5:13 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Hi,

What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Pre-shared key with XAuth was never really supported in IKEv2. Also, the IKEv2 RFC does not acknowledge XAuth as an authentication method.
by emils
Tue Nov 27, 2018 4:59 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

I have L2TP/IPSEC connections that are "dial on demand" and those are displayed in IPSEC-Peers as entries that are unreachable. This is true, however after the connection is up they are still seen as unreachable (colour red).
Can you post some screenshots of your peer menu?
by emils
Tue Nov 27, 2018 4:31 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

I ask myself what issues my cAP ac devices have? Can you please give some more information about it?
The router could have rebooted due to kernel failure in some rare occasions.
by emils
Tue Nov 27, 2018 4:17 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Why there are no tcp-download "remote-cpu-load"?
The current implementation only allows including this data in the test connection, but waiting for it impacts results. We need to implement data collection as a separate connection to get this working; it is in our to-do list.
by emils
Tue Nov 27, 2018 3:23 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Version 6.44beta39 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Nov 27, 2018 9:57 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

New beta build will be released later today. Had to polish some new features before releasing the version.
by emils
Tue Nov 20, 2018 8:19 am
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 20547

Re: v6.42.9 [long-term] is released!

New version 6.42.10 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=141792
by emils
Tue Nov 20, 2018 8:18 am
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 25
Views: 8266

v6.42.10 [long-term] is released!

RouterOS version 6.42.10 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed Nov 14, 2018 8:04 am
Forum: Beginner Basics
Topic: [l2tp ipsec] ipsec issue
Replies: 4
Views: 278

Re: [l2tp ipsec] ipsec issue

That is very nice, but you could have generated a supout.rif file so we can take a look and find out how and why that happens.
by emils
Tue Nov 13, 2018 2:50 pm
Forum: Beginner Basics
Topic: [l2tp ipsec] ipsec issue
Replies: 4
Views: 278

Re: [l2tp ipsec] ipsec issue

Which version are you using? Can you check '/ip ipsec peer print' when the issue is present? Can you send supout.rif file from your router to support@mikrotik.com?
by emils
Mon Nov 12, 2018 3:35 pm
Forum: General
Topic: [ASK] IPsec mode-config
Replies: 3
Views: 245

Re: [ASK] IPsec mode-config

Static-dns and system-dns just informs the client/initiator what DNS servers should be used when tunnel is established. If the client reaches these DNS servers over the tunnel (DNS servers are within IPsec traffic selectors/policies), then obviously DNS traffic will be sent over the tunnel and will ...
by emils
Mon Nov 12, 2018 3:18 pm
Forum: Beginner Basics
Topic: Setting up L2TP with IPsec
Replies: 1
Views: 209

Re: Setting up L2TP with IPsec

Any reason you go with static configuration instead of using "use-ipsec" parameter under L2TP configuration? The missing parameters are moved to "Peer Profile" menu in 6.43 versions, but you do not need them anyway for basic L2TP/IPsec tunnel. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Basic_L2T...
by emils
Fri Nov 09, 2018 12:17 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

Leave the pfs-group set to modp4096 on RouterOS side. If you have explicitly set to use it on strongSwan side, then it must be set in RouterOS as well. Then you have to find out what causes the router to not respond with VRRP address, because it is not correct to use VRRP interface for traffic. Mayb...
by emils
Fri Nov 09, 2018 8:11 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

Yes, traffic is flowing without any intermittence before, during and after rekeying as it should with IKEv2. Also it should not matter when you start sending the traffic since rekeying process is the same. I guess, you could try checking whether the latest beta version has any changes in your test c...
by emils
Tue Nov 06, 2018 3:08 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

Just tested your configuration between strongSwan 5.7.1 and RouterOS v6.44beta and rekeying works properly at least if initiated from strongSwan side if pfs-group=modp4096 is set in RouterOS. Can you post the logs when pfs-group=4096 is used?
by emils
Tue Nov 06, 2018 1:19 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 682

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

"Send initial contact" does not mean the peer will not initiate the connection. It controls the INITIAL_CONTACT notification behaviour. The INITIAL_CONTACT notification asserts that IKE SA is the only IKE SA currently active between the authenticated identities - which essentially removes all other ...
by emils
Tue Nov 06, 2018 1:13 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

What if you set the pfs-group back to modp4096 in RouterOS? Are the logs any different?
by emils
Mon Nov 05, 2018 8:05 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

Please post your StrongSwan and RouterOS IPsec configurations. Also enable IPsec debug logs in RouterOS (/system logging add topics=ipsec) and post logs when rekeying fails (before the no proposal chosen message).
by emils
Fri Nov 02, 2018 3:48 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

Try setting pfs-group to none on RouterOS side. It should still use the same PFS group configured under Peer Profiles when rekeying.
by emils
Fri Nov 02, 2018 12:21 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?

We will see if we can remove the dependency, but most likely users with standalone packages will have to handle the upgrade process by themselves.
by emils
Fri Nov 02, 2018 12:17 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 682

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

Most likely the second connection is dropped because the router receives initial-contact from the same address. Try setting "send-initial-contact" to "no" on both initiator peers.
by emils
Fri Nov 02, 2018 10:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 17
Views: 5650

Re: Help with IKEv2/IPsec client configuration

Most likely not until version 7.
by emils
Fri Nov 02, 2018 7:54 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 16
Views: 731

Re: IPSec IKEv2 rekeying problem

Is PFS group set to 'none' on RouterOS side for your IPsec proposal? If yes, can you compare spi numbers, encryption keys and authentication keys between both sides when the issue is present?
by emils
Tue Oct 30, 2018 10:39 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 318
Views: 52122

Re: v6.44beta [testing] is released!

Weird, it works for me with exactly your configuration and 1803 (Pro). Did you change any of the advanced ipv4 configuration on Windows side except for disabling EAP authentication? Note that it might take a few seconds for routes to be installed. How are you checking the route presence? Can you do 'r...
by emils
Tue Oct 30, 2018 9:34 am
Forum: General
Topic: A bit confused about RB750 Gr3 IPSec
Replies: 5
Views: 343

Re: A bit confused about RB750 Gr3 IPSec

It was a little misleading. I updated the wiki page. Both 3DES and AES-CBC are supported in hardware on RB750Gr3.
by emils
Tue Oct 30, 2018 9:08 am
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 682

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

"This peer is unreachable" messages in 6.43.4 are a little misleading. The second peer should still be working fine. As I said, these messages are completely fixed in the latest beta version.
by emils
Tue Oct 30, 2018 9:06 am
Forum: General
Topic: Client to site IPSec negotiation traffic only one direction?
Replies: 4
Views: 313

Re: Client to site IPSec negotiation traffic only one direction?

Most likely misconfigured firewall is causing this. Post your IPsec policy and firewall configuration.