3.0beta7: ipsec in tunnel mode still not working...

Hi,

this is a public request for getting more info about support tickets Ticket#2007040566000286 and Ticket#2007031666000249.

These tickets are still open and still officially unanswered by support!


(A) Short analysis

The problem is that we cannot reach any hosts behind the router (btw: router is set as default gw on both sides of the link).

From technical analysis (see below) it seems that the decrypted packets appear at the ‘outside’ interface and we’re not sure if this is correct.

Same configuration works in 2.9.42. What is different in 3.0beta7? Or bug? Any fix?


(B) Technical analysis

We’re trying to use ipsec in tunnel mode to connect network 172.17.0.0/16 to 172.16.0.0/16 via ipsec. The SAs get installed and we have the packet counter increasing on both sides to indicate running traffic across the ipsec link.

Now, we’re trying to reach hosts ‘behind’ the router. For example, we’re trying to ping from 172.17.2.113 to 172.16.1.4 across the ipsec link.

For debugging purposes, we’re checking the ping answer ‘return’ coming from the 172.16.1.4 host: For this, we have a test rule on the 172.17.0.0 router which should show that there’s a valid packet (the ping response packet) received by this router.

/ip firewall mangle
 1   chain=prerouting src-address=172.16.1.4 action=log log-prefix=""    // check if packet is coming from other host....

Output in log is then:

time=18:34:30 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:04....  proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60

So, from my view, this says that the return packet via ‘ipsec’ was successfully received and decrypted by the router and is in the prerouting chain now. This also seems true, because of the increasing ipsec packet counters.

Next, I was expecting to “find” this ping-response packet in the forward chain, but moving the above rule to the ‘forward’ chain does not log the packet. But if it is not found in the ‘forward’ chain, it cannot be found by any host ‘behind’ the router. Notice the “in:outside” text above. The ipsec decrypted ping-response is coming via the ‘outside’ interface. Is this okay?

Anyone having same trouble? Or even better: Anyone having a working ipsec config in tunnel mode for 3.0beta7?

I’m still confused, because all this worked in 2.9.42.

Thanks for any info here…
Achim
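
One way to apply the diagnostic from the post above to a whole firewall log, as an added example that is not part of the original thread: it parses RouterOS firewall log lines in the format quoted, keeps only traffic returning from 172.16.0.0/16 to 172.17.0.0/16, and lists the flows that were logged in prerouting but never in forward, together with the in-interface they arrived on. The regex is modelled on that single quoted line (an assumption about the format); the sample log is constructed apart from the first line, which is the one from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Pattern modelled on the one firewall log line quoted in the post (assumed field order:
# time, topics, chain, in/out interface, optional src-mac, proto, optional details, src->dst, len).
LOG_RE = re.compile(
    r"time=(?P<time>\S+) topics=(?P<topics>\S+) message=(?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+),.*?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::\d+)?->(?P<dst>[\d.]+)(?::\d+)?, len (?P<len>\d+)"
)

REMOTE_NET = ip_network("172.16.0.0/16")  # subnet behind the far end of the tunnel
LOCAL_NET = ip_network("172.17.0.0/16")   # subnet behind this router

# Constructed sample: the line from the post, plus two made-up lines for a second flow
# that did traverse the forward chain as expected.
SAMPLE_LOG = """\
time=18:34:30 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:04....  proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60
time=18:34:31 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:00:5e:00:53:01  proto ICMP (type 0, code 0), 172.16.1.9->172.17.2.50, len 60
time=18:34:31 topics=firewall,info message=forward: in:outside out:inside, src-mac 00:00:5e:00:53:01  proto ICMP (type 0, code 0), 172.16.1.9->172.17.2.50, len 60
"""

def parse_line(line):
    """Return the named fields of one RouterOS firewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def collect_flows(log_text):
    """Map each decrypted return flow (src, dst, proto) to the chains and in-interfaces it was logged on."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ip_address(rec["src"]) not in REMOTE_NET or ip_address(rec["dst"]) not in LOCAL_NET:
            continue  # not traffic coming back through the tunnel
        entry = flows.setdefault((rec["src"], rec["dst"], rec["proto"]), {"chains": set(), "in_if": set()})
        entry["chains"].add(rec["chain"])
        entry["in_if"].add(rec["in_if"])
    return flows

def stuck_flows(flows):
    """Flows seen in prerouting but never in forward: these can never reach a host behind the router."""
    return sorted(
        (src, dst, proto, ",".join(sorted(info["in_if"])))
        for (src, dst, proto), info in flows.items()
        if "prerouting" in info["chains"] and "forward" not in info["chains"]
    )

if __name__ == "__main__":
    for src, dst, proto, in_if in stuck_flows(collect_flows(SAMPLE_LOG)):
        print(f"{proto} {src}->{dst}: decrypted on in:{in_if}, seen in prerouting but not in forward")
```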

I, too, have a couple of tickets open (for different issues) that also seem to have fallen by the wayside. At least I’ve never gotten any response from a human yet, even to a simple licensing question. :slight_smile:

Not sure what’s going on over there in the Riga offices. They must be really busy right now, swamped with work. I mean, Normis hasn’t even made a post to the forums since the 5th!

Sorry for going off-topic here…

– Nathan

too many mums.

But support - or at least feedback - is essential for a beta product, isn’t it?

We cannot recommend any more licenses to our clients if support is so sluggish…

Achim

Emails are getting answered fast. Hold on for a few hours :slight_smile:

I can attest to that…both of my open tickets (not beta-related) were responded to within the last couple days, and the responses were more than satisfactory. Thanks, guys!

Actually, I would say that the opposite is the case: support is essential for a production or stable product. Otherwise, what am I paying for? Feedback is essential to beta testers, yes, but if I were a software company, I would give my highest priority to customers paying for my “stable” code. Although I agree to some extent with Scott’s argument, it still surprises me when people roll out code labelled BETA and then gripe when something goes wrong. Beta code is put up for you to test. If you want to risk it on your production network with your paying customers, then go right ahead, but MikroTik released the code to you with the disclaimer that it isn’t finished! :slight_smile:

– Nathan

Glad to hear. Unfortunately, my beta-related tickets are still open.
Normis?

Yes, you are right. But if you want to use the Community as (non-paid) beta testers, feedback (or at least some sort of “yes, this is a bug…”) would be fine.

Achim

PS: Umpf - quite off-topic here, right? :slight_smile:

Thanks guys for this feedback.

Achim