Evening
I got from a new provider also a new Fritzbox called 7582…
I tested the ipsec site2site vpn which was working fine…
But now with the new model I just get endlessly those two messages in the logs:
ISAKMP-SA established
ISAKMP-SA deleted
Has there been any major changes in ipsec on FritzOS > 7.0?
All I get is for PH2 state either “ready to send” and “no phase 2”…
Hmm…seeing this in the debug logs:
No address or pool specified
What address or address pool is this referring to?
What is the lifetime of the key in the proposal? On both units.
First, I don’t have access at the moment to the remote side, and secondly the Fritzbox doesn’t offer any advanced settings… only source/dest prefix, dest address and local/remote id.
Can’t even connect remotely to it anymore with an iOS/macOS VPN client, as I could before with an older Fritzbox running OS < 7.x.
I can set the phase 1 lifetime to 30 seconds… as soon as I click apply, the lifetime is not set anymore.
Good morning…
Okay… have access now to the remote Fritzbox… there I see in the logs only this:
IKE-Error 0x203D “phase 1 sa removed during negotiation”
And on the RouterOS side always the “no address or pool specified”…still don’t know what this refers to…
Sounds like one of the sides has mode-config enabled. Please post full configuration and full ipsec debug logs.
This is the config on the routeros side (on fritzbox side there isn’t anything I can change):
/ip ipsec profile
add dh-group=modp1024 dpd-interval=30s enc-algorithm=aes-256 name=Wuerenlos
/ip ipsec peer
add address=83.150.26.215/32 exchange-mode=aggressive local-address=x.x.90.159 name=Wuerenlos profile=Wuerenlos
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=40m name=Wuerenlingen
/ip ipsec identity
add generate-policy=port-strict mode-config=request-only my-id=fqdn:zzzz.ddns.net peer=Wuerenlos remote-id=key-id:@MyID secret=\
mikrotikroutervpn
/ip ipsec policy
add dst-address=192.168.178.0/24 proposal=Wuerenlingen sa-dst-address=y.y.26.215 sa-src-address=x.x.90.159 src-address=10.0.0.0/16 \
tunnel=yes
Took a while for me to get the logs (o;
10:35:39 ipsec,info respond new phase 1 (Aggressive): x.x.90.159[500]<=>y.y.26.215[500]
10:35:39 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
10:35:39 ipsec received Vendor ID: DPD
10:35:39 ipsec received Vendor ID: RFC 3947
10:35:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
10:35:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
10:35:39 ipsec y.y.26.215 Selected NAT-T version: RFC 3947
10:35:39 ipsec Adding remote and local NAT-D payloads.
10:35:39 ipsec y.y.26.215 Hashing y.y.26.215[500] with algo #2
10:35:39 ipsec x.x.90.159 Hashing x.x.90.159[500] with algo #2
10:35:39 ipsec Adding xauth VID payload.
10:35:39 ipsec sent phase1 packet x.x.90.159[500]<=>y.y.26.215[500] ba1d9974f8d9957a:297c79ac4fa3b1fc
10:35:39 ipsec x.x.90.159 Hashing x.x.90.159[500] with algo #2
10:35:39 ipsec NAT-D payload #0 verified
10:35:39 ipsec y.y.26.215 Hashing y.y.26.215[500] with algo #2
10:35:39 ipsec NAT-D payload #1 verified
10:35:39 ipsec y.y.26.215 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
10:35:39 ipsec NAT not detected
10:35:39 ipsec,info ISAKMP-SA established x.x.90.159[500]-y.y.26.215[500] spi:ba1d9974f8d9957a:297c79ac4fa3b1fc
10:35:39 ipsec Configuration exchange type mode config REQUEST
10:35:39 ipsec No address or pool specified!
10:35:39 ipsec,info ISAKMP-SA deleted x.x.90.159[500]-y.y.26.215[500] spi:ba1d9974f8d9957a:297c79ac4fa3b1fc rekey:1
10:35:42 ipsec,info respond new phase 1 (Aggressive): x.x.90.159[500]<=>y.y.26.215[500]
10:35:42 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
10:35:42 ipsec received Vendor ID: DPD
10:35:42 ipsec received Vendor ID: RFC 3947
10:35:42 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
10:35:42 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
10:35:42 ipsec y.y.26.215 Selected NAT-T version: RFC 3947
10:35:42 ipsec Adding remote and local NAT-D payloads.
10:35:42 ipsec y.y.26.215 Hashing y.y.26.215[500] with algo #2
10:35:42 ipsec x.x.90.159 Hashing x.x.90.159[500] with algo #2
10:35:42 ipsec Adding xauth VID payload.
10:35:42 ipsec sent phase1 packet x.x.90.159[500]<=>y.y.26.215[500] 286e22107955defe:1cb5e8eb24c33742
10:35:42 ipsec x.x.90.159 Hashing x.x.90.159[500] with algo #2
10:35:42 ipsec NAT-D payload #0 verified
10:35:42 ipsec y.y.26.215 Hashing y.y.26.215[500] with algo #2
10:35:42 ipsec NAT-D payload #1 verified
10:35:42 ipsec y.y.26.215 ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
10:35:42 ipsec NAT not detected
10:35:42 ipsec,info ISAKMP-SA established x.x.90.159[500]-y.y.26.215[500] spi:286e22107955defe:1cb5e8eb24c33742
10:35:42 ipsec Configuration exchange type mode config REQUEST
10:35:42 ipsec No address or pool specified!
10:35:42 ipsec,info ISAKMP-SA deleted x.x.90.159[500]-y.y.26.215[500] spi:286e22107955defe:1cb5e8eb24c33742 rekey:1
No matter what I use for mode_config…either it won’t accept it or tells me that mode_config is required…
For the older FritzOS (< 7.0) it was set to default “request-only”…
Those are not complete logs, but most likely the FritzOS does not provide a mode-config address and the connection is closed by RouterOS. For site-to-site tunnels mode config is not required. You will have to check the configuration on FritzOS and verify whether mode config is configured and a proper dynamic IP address or pool is configured.
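To make that diagnosis repeatable, here is an added example (not code from the thread or from MikroTik) that walks RouterOS ipsec log lines, tracks each ISAKMP SA by its SPI pair, and flags the pattern seen above: SA established, a mode-config REQUEST arrives, RouterOS answers "No address or pool specified!", and the SA is deleted. The sample log is constructed from the lines quoted in the thread, with the same placeholder addresses.

```python
import re

# Constructed sample, modelled on the RouterOS ipsec debug output quoted in the thread.
SAMPLE_LOG = """\
10:35:39 ipsec,info respond new phase 1 (Aggressive): x.x.90.159[500]<=>y.y.26.215[500]
10:35:39 ipsec,info ISAKMP-SA established x.x.90.159[500]-y.y.26.215[500] spi:ba1d9974f8d9957a:297c79ac4fa3b1fc
10:35:39 ipsec Configuration exchange type mode config REQUEST
10:35:39 ipsec No address or pool specified!
10:35:39 ipsec,info ISAKMP-SA deleted x.x.90.159[500]-y.y.26.215[500] spi:ba1d9974f8d9957a:297c79ac4fa3b1fc rekey:1
10:35:42 ipsec,info ISAKMP-SA established x.x.90.159[500]-y.y.26.215[500] spi:286e22107955defe:1cb5e8eb24c33742
10:35:42 ipsec Configuration exchange type mode config REQUEST
10:35:42 ipsec No address or pool specified!
10:35:42 ipsec,info ISAKMP-SA deleted x.x.90.159[500]-y.y.26.215[500] spi:286e22107955defe:1cb5e8eb24c33742 rekey:1
"""

SA_RE = re.compile(r"^(\S+) ipsec,info ISAKMP-SA (established|deleted) (\S+)-(\S+) spi:(\S+)")
MODECFG_RE = re.compile(r"Configuration exchange type mode config REQUEST")
NOPOOL_RE = re.compile(r"No address or pool specified!")


def analyse(log_text):
    """Return {spi: state} where state records, per phase-1 SA, when it was
    established/deleted and whether a mode-config request failed inside it."""
    sas = {}
    current = None  # SPI pair of the SA whose post-phase-1 lines we are reading
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m:
            ts, event, _local, remote, spi = m.groups()
            state = sas.setdefault(spi, {"established": None, "deleted": None,
                                         "modecfg": False, "nopool": False, "peer": remote})
            state[event] = ts
            current = spi if event == "established" else None
            continue
        if current is None:
            continue  # lines before phase 1 completes are not tied to an SA
        if MODECFG_RE.search(line):
            sas[current]["modecfg"] = True
        elif NOPOOL_RE.search(line):
            sas[current]["nopool"] = True
    return sas


def diagnose(sas):
    """Classify the SA history: 'modecfg-missing-pool' is the flapping pattern from the
    thread (peer requests mode config, RouterOS has no address/pool, SA torn down)."""
    flapped = [s for s in sas.values()
               if s["established"] and s["deleted"] and s["modecfg"] and s["nopool"]]
    if flapped:
        return "modecfg-missing-pool"
    if any(s["established"] and not s["deleted"] for s in sas.values()):
        return "phase1-stable"
    return "unknown"
```

For a site-to-site tunnel the remedy the answer points at is to stop negotiating mode config (or, if it is wanted, give RouterOS an address/pool to hand out) rather than to tune lifetimes.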
Well there is no way to see the vpn config on Fritzbox…it just provides a GUI where you enter remote IP/prefix, psk and key ID.
I maybe just recreate the vpn entry on fritzos side as I now have access to it…and it worked with an older model fritzbox.
Interesting… recreated the VPN site2site on the Fritzbox and now I see this on RouterOS in the logs:
invalid protocol id 4
Okay…fixed…needed to change level to “require” instead of “use”…
PH2 established
Well I must say that I am positively surprised…
First I just ordered a RB4011 in the company for exhibitions as it offers enough ports…
So for home use I just ordered a small RB750Gr-3 for testing (I just didn’t want any routerboard with an Atheros SoC, as certain CPUs have a hardware bug).
I am impressed that this little bugger can handle my 600MB cable access easily and with low power consumption, so it is now installed and has replaced my old SRX240.
So had to order another one for testing ipsec xauth company vpn access to not interfere with current setup.
ATM current ipsec vpn to fritzbox looks stable…logging now with cacti…
Anyway… thanks for the help/suggestions here… and for a nice OS (though I will have to learn it for some time).
Well… not that impressive after it hung suddenly in the night… web interface working but no more telnet login…
After restart all was fine, except it could not bring up the IPsec tunnel… though it showed it as established…
Only clicking into the policy and then clicking OK brought the tunnel up again…