Dynamic IPSec policy isn't created

Hello,

I'm trying to establish a working IPSec tunnel between an RB4011 and my laptop with the Shrew IPSec client.
Everything seems fine, Shrew says that the tunnel is established, but I can’t ping the router.
So I looked at the log and saw a phase 2 failure due to a missing matching policy, so I checked, and there was obviously a problem because no dynamic policy was created, even though there was an active peer.

Here is my IPSec configuration on the RB:

/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.99
add name=pool-vpn ranges=172.16.100.1-172.16.100.20

/ip firewall address-list
add address=172.16.100.1-172.16.100.20 list=VPN

/ip ipsec mode-config
set [ find default=yes ] src-address-list=VPN
add address-pool=pool-vpn address-prefix-length=32 name=vpn split-include=192.168.2.0/24 system-dns=no

/ip ipsec policy group
add name=vpn

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn

/ip ipsec peer
add exchange-mode=aggressive name=vpn passive=yes profile=vpn send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h name=vpn pfs-group=modp2048

/ip ipsec identity
add generate-policy=port-strict mode-config=vpn peer=vpn policy-template-group=vpn secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes

What did I miss?

Joris

I cannot see anything wrong in your configuration (except that I’ve read somewhere that aggressive mode is not considered secure any more, but I’m no crypto expert, and it’s off-topic anyway), so the only issue I can imagine is a bug associated with IKE(v1)'s policy negotiation (or specifically with aggressive mode), or a mismatch between the proposed lists of transforms for phase 2 (/ip ipsec proposal).

Mikrotik’s log should show you enough info if you:

  • terminate the Shrew connection
  • set /system logging add topics=ipsec,!packet
  • run /log print follow-only file=ipsec-start where topics~"ipsec"
  • start the Shrew connection and wait until it reaches a stable state (which takes less than a second if I remember well)
  • break the /log print …
  • download the file ipsec-start.txt and start studying it.

Do you have any specific reason to use Shrew rather than the Windows’ embedded VPN client in IKEv2 mode?

Thanks for your answer, I will try to log this way.

And I will try to use the embedded IKEv2 client, which I didn’t know was a thing :confused:

That’s why I was using Shrew…

Joris

Hello,

So I tried the embedded IKEv2 client, but, correct me if I’m wrong, it needs either a certificate or a login/password.
In ROS I use a PSK (and don’t want to use certificates), so it can’t work…

So, with the logs, I found the problem!

This line was wrong:

/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes

The correct one is:

/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=0.0.0.0/0 template=yes

I’m not sure I understand why, but I’m happy with that…

Joris
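The rule behind the fix above is RouterOS's documented template matching: a template policy only produces a dynamic policy when the phase 2 subnets the client requests fall inside the template's src-address and dst-address in both directions, so a client that asks for "everything" on the router side (0.0.0.0/0) never matches a 192.168.2.0/24 template but does match 0.0.0.0/0. The script below is an added illustration of that containment check, not RouterOS code; the requested selectors (0.0.0.0/0 and a 172.16.100.5/32 mode-config address) are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample data: the two template policies from the thread.
ORIGINAL_TEMPLATE = {"src-address": "192.168.2.0/24", "dst-address": "172.16.100.0/24", "group": "vpn"}
FIXED_TEMPLATE = {"src-address": "0.0.0.0/0", "dst-address": "172.16.100.0/24", "group": "vpn"}


def template_matches(template, requested_src, requested_dst, group="vpn"):
    """Model of the RouterOS template rule: the requested phase 2 subnets must be
    contained in the template's src-address (router side) and dst-address
    (client side). Anything outside either prefix means no dynamic policy."""
    if template["group"] != group:
        return False
    tsrc = ip_network(template["src-address"], strict=False)
    tdst = ip_network(template["dst-address"], strict=False)
    rsrc = ip_network(requested_src, strict=False)
    rdst = ip_network(requested_dst, strict=False)
    return rsrc.subnet_of(tsrc) and rdst.subnet_of(tdst)


def dynamic_policy(templates, requested_src, requested_dst, group="vpn"):
    """Return the dynamic policy the first matching template would generate,
    or None when no template covers the request (the poster's phase 2 failure)."""
    for template in templates:
        if template_matches(template, requested_src, requested_dst, group):
            return {"src-address": requested_src, "dst-address": requested_dst,
                    "dynamic": True, "template": template}
    return None


if __name__ == "__main__":
    # Client tunnels everything: router-side selector 0.0.0.0/0, client /32 from pool-vpn.
    print(dynamic_policy([ORIGINAL_TEMPLATE], "0.0.0.0/0", "172.16.100.5/32"))  # None
    print(dynamic_policy([FIXED_TEMPLATE], "0.0.0.0/0", "172.16.100.5/32"))     # a policy
    # Client honouring split-include=192.168.2.0/24 matches either template.
    print(template_matches(ORIGINAL_TEMPLATE, "192.168.2.0/24", "172.16.100.5/32"))
```

Note that a 0.0.0.0/0 template accepts whatever router-side subnet the client proposes, so with the fixed template the firewall rules keyed on the VPN address-list, not the policy, are what bound where tunnel traffic can go.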