Hi all,
I have a CRS125-24G here, on which I'm trying to set up an IPsec connection to a CRS326.
I need to set up the connection with "RSA Signature Hybrid", but as soon as I add the IPsec identity, the CPU load goes to 100% and sticks there. The only thing that helps is resetting the configuration of the CRS125.
Printing anything under /ip ipsec on the Terminal is also not possible anymore.
Has anyone else encountered this problem?
Maybe someone can try to reproduce that on another CRS125 and post the results here to ensure that my hardware is generally ok.
I’m using RouterOS 6.45.6 and also the Firmware from that package.
Kind regards,
Sebastian
Edit:
/certificate print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 T name="xxx" issuer=CN=Root CA digest-algorithm=sha512 key-type=rsa common-name="xxxx.ddns.net" key-size=4096
subject-alt-name=DNS:xxxx.ddns.net days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,tls-server
serial-number="69DF93C9E6DD2713789B9xxxxxxxxxxxx" fingerprint="a471847dd45e85d9df3ea220e558910ddc89d285610c7xxxxxxxxxxxx"
invalid-before=mar/08/2018 08:47:38 invalid-after=mar/05/2028 08:47:38 expires-after=3035w2d8h45m56s
/ip ipsec peer print detail
Flags: X - disabled, D - dynamic, R - responder
0 name="peer1" address=xxxx.ddns.net profile=default exchange-mode=main send-initial-contact=yes
/ip ipsec profile print detail
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
dpd-maximum-failures=5
1 name="profile1" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
dpd-maximum-failures=5
This is the only stuff changed. Everything else is unconfigured after a configuration reset with no default configuration.
When I now try to set up the IPsec identity, I get 100% CPU until I reset the configuration:
/ip ipsec identity> add remote-certificate=new_ohp.pem_0 username=xxx password=xxx auth-method=rsa-signature-hybrid peer=peer1