Feature Req: IKEv2 server and client

andriys · November 13, 2016, 9:20am

Currently, it is only available in the latest RC builds, and only via CLI (command line / terminal).

toto99303 · November 13, 2016, 2:21pm

Guys, it’s working fine with Windows 10 and client certificate.
But not working with iOS or MacOS

16:11:29 ipsec,debug payload seen: ID_I
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: ID_R
16:11:29 ipsec,debug payload seen: CONFIG
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: SA
16:11:29 ipsec,debug payload seen: TS_I
16:11:29 ipsec,debug payload seen: TS_R
16:11:29 ipsec,debug ike auth: respond
16:11:29 ipsec,error payload missing: AUTH
16:11:29 ipsec,error EAP not supported
16:11:29 ipsec,debug reply notify: AUTHENTICATION_FAILED

Is there plans to include EAP soon?

Thanks!

mrz · November 14, 2016, 5:54pm

ropeguru:

So I have managed to get ikev2 Phase1 connection made between routeros and a UBNT ERL3.

However, I cannot seem to get the policy working.

Here is my config:

/ip ipsec peer print                  
Flags: X - disabled, D - dynamic 
 0    address=76.27.xxx.xxx/32 passive=no auth-method=pre-shared-key secret="****" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=no 
      nat-traversal=no hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
      
 /ip ipsec policy print     
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all level=require proposal=default template=yes 

 1 T   group=Group1 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 protocol=all level=unique proposal=default template=yes 

 2 T   group=Group1 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all level=unique proposal=default template=yes 

/ip ipsec proposal  print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none 

/ip ipsec remote-peers print
 0 local-address=71.61.xxx.xxx remote-address=76.27.xxx.xxx state=established side=responder established=16m18s

Here is what I see in my log:

13:31:20 ipsec,debug payload seen: SA 
13:31:20 ipsec,debug payload seen: NONCE 
13:31:20 ipsec,debug payload seen: TS_I 
13:31:20 ipsec,debug payload seen: TS_R 
13:31:20 ipsec,debug create child: respond 
13:31:20 ipsec,debug processing payload: NONCE 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug peer wants tunnel mode 
13:31:20 ipsec,debug processing payload: CONFIG 
13:31:20 ipsec,debug payload not found! 
13:31:20 ipsec,debug processing payload: TS_I 
13:31:20 ipsec,debug 192.168.1.56:514 ipproto:17 
13:31:20 ipsec,debug 192.168.1.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: TS_R 
13:31:20 ipsec,debug 192.168.2.129:514 ipproto:17 
13:31:20 ipsec,debug 192.168.2.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: SA 
13:31:20 ipsec,debug IKE Protocol: ESP 
13:31:20 ipsec,debug  proposal #1 
13:31:20 ipsec,debug   enc: aes128-cbc 
13:31:20 ipsec,debug   auth: sha1 
13:31:20 ipsec,debug   esn: off 
13:31:20 ipsec,debug searching for policy 
13:31:20 ipsec,debug policy not found 
13:31:20 ipsec,error no policy found/generated

Is that subnet line supposed to have “/24/24” in it? Is this an RC bug?

Set generate policy in peer config, if you want policies to be generated automatically. If not then set up static policies. Currently you have only policy templates.

mrz · November 14, 2016, 5:57pm

Currently it works wit Macs with psk and should work wit certificates without eap. In the future it will be possible to use EAP with RADIUS server.

toto99303 · November 15, 2016, 11:09am

Ok, got it working with iOS with certificates (enc 3des, auth sha1, esn off), but I’m getting extremely slow speeds? ICMP pings look fine, but Speedtest gives me 0.1 MBit/s or lower speed Access to local recources is with the same slow speed… Something is generally messed up.. Can you point me how to troubleshoot this?

nicecloud · November 16, 2016, 10:30am

Any IKEv2 examples Yet for connecting to Azure?

irico · November 17, 2016, 12:57pm

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address={AZURE_IP/32} dpd-interval=disable-dpd enc-algorithm=\
    aes-256,3des exchange-mode=ike2 local-address={LOCAL_IP} \
    nat-traversal=no secret={SECRET}
/ip ipsec policy
add dst-address={AZURE_SUBNET} proposal=Azure sa-dst-address={AZURE_IP} \
    sa-src-address={LOCAL_IP} src-address={LOCAL_SUBNET} tunnel=yes

Firewall filter rules to accept IPSec and accept rule before NAT masquerade between {AZURE_SUBNET} and {LOCAL_SUBNET}

nicecloud · November 17, 2016, 1:22pm

Many Thanks,

Connect OK

Start testing traffic and multisite connection now.

nicecloud · November 18, 2016, 8:17am

Lost connection to Azure during night, reboot RB and after more then 5 minutes to get connected again, have to kill Installed SA 2 times before traffic was up

Installed SA show Auth none and Encr Algorithm none

After 3 attempt
Installed SA show Auth sha1 and Encr Algorithm aes cbc

localsnet · November 22, 2016, 3:39pm

Could somebody tell me how configure the Server-Client type connection ( between 2 Mikrotiks)?
I’ve been trying to configure it (start used the code exactly from that headline) with Road Warrior setup Ikev2 RSA auth (on http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth)
But I’m really confused, when I’ve read here that IKEv2 not supported yet in stable versions.
IKEV2 doesn’t matter for me, because I use version 6.36.3, and I need just IPSEC tunnel, so IKev1 or anything else would be fine for my purpose.
Is that manual suitable for it?
Thanks in advance.

nicecloud · November 24, 2016, 7:10am

After uppgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

Nov/24/2016 07:57:22 ipsec,debug ike2 initialize send for: 40.69.xx.xx
Nov/24/2016 07:57:22 ipsec,debug adding payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug => (size 0x1c)
Nov/24/2016 07:57:22 ipsec,debug 0000001c 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9
Nov/24/2016 07:57:22 ipsec,debug adding payload: KE
Nov/24/2016 07:57:22 ipsec,debug => (size 0x88)
Nov/24/2016 07:57:22 ipsec,debug 00000088 00020000 0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b
Nov/24/2016 07:57:22 ipsec,debug 1503daa6 80490813 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8
Nov/24/2016 07:57:22 ipsec,debug f432965a 6322099e 24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d
Nov/24/2016 07:57:22 ipsec,debug 827b44a1 d2253687 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2
Nov/24/2016 07:57:22 ipsec,debug b54c2cdf 8d3d987b
Nov/24/2016 07:57:22 ipsec,debug adding payload: SA
Nov/24/2016 07:57:22 ipsec,debug => (size 0x38)
Nov/24/2016 07:57:22 ipsec,debug 00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003
Nov/24/2016 07:57:22 ipsec,debug 03000008 02000002 03000008 03000002 00000008 04000002
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug sending 248 bytes from 90.230.xx.xx[500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet sockname 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet from 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet src4 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 1 times of 248 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 00000000 00000000 28202208 00000000 000000f8 2200001c
Nov/24/2016 07:57:22 ipsec,debug,packet 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9 21000088 00020000
Nov/24/2016 07:57:22 ipsec,debug,packet 0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b 1503daa6 80490813
Nov/24/2016 07:57:22 ipsec,debug,packet 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8 f432965a 6322099e
Nov/24/2016 07:57:22 ipsec,debug,packet 24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d 827b44a1 d2253687
Nov/24/2016 07:57:22 ipsec,debug,packet 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2 b54c2cdf 8d3d987b
Nov/24/2016 07:57:22 ipsec,debug,packet 00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003
Nov/24/2016 07:57:22 ipsec,debug,packet 03000008 02000002 03000008 03000002 00000008 04000002
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug 360 bytes message received from 40.69.xx.xx[500] to 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 21202220 00000000 00000168 2200002c
Nov/24/2016 07:57:22 ipsec,debug,packet 00000028 01010004 03000008 01000003 03000008 03000002 03000008 02000002
Nov/24/2016 07:57:22 ipsec,debug,packet 00000008 04000002 28000088 00020000 1ef4d74b 7a2324f4 38cfd8c1 057801b1
Nov/24/2016 07:57:22 ipsec,debug,packet 7ec0aa27 9133bf6f e9a3405e 146c3c11 4db05fc1 2e5765cb 014b4418 4d472344
Nov/24/2016 07:57:22 ipsec,debug,packet deffb658 39f8e919 a28613f7 da534ad0 5e6447fe 99dbea13 76a00f38 5a7a0326
Nov/24/2016 07:57:22 ipsec,debug,packet dad3de1e 4bd4d8f6 aae10ef0 9cf836a7 6ce5cfc8 aec552c9 8868f2ef 9ae89ba5
Nov/24/2016 07:57:22 ipsec,debug,packet f68f2841 f7634f9d 5d7dd9d9 2a8f1955 29000034 bcafebac f1a382fa d0531734
Nov/24/2016 07:57:22 ipsec,debug,packet 699ae223 1943659e d22c16f0 01287867 ab70da56 db0ffa4b e3c11c05 bf0558d1
Nov/24/2016 07:57:22 ipsec,debug,packet 17a87560 2900001c 00004004 a2e20be3 8c67110c 0b912f1d cb1489b8 9e842ec8
Nov/24/2016 07:57:22 ipsec,debug,packet 2b00001c 00004005 844bae0e f5c14ca6 7ea880bb beda2481 ed73ab19 2b000018
Nov/24/2016 07:57:22 ipsec,debug,packet 1e2b5169 05991c7d 7c96fcbf b587e461 00000009 00000014 fb1de3cd f341b7ea
Nov/24/2016 07:57:22 ipsec,debug,packet 16b7e5be 0855f120
Nov/24/2016 07:57:22 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/24/2016 07:57:22 ipsec,debug ike2 initialize recv
Nov/24/2016 07:57:22 ipsec,debug payload seen: SA
Nov/24/2016 07:57:22 ipsec,debug payload seen: KE
Nov/24/2016 07:57:22 ipsec,debug payload seen: NONCE
Nov/24/2016 07:57:22 ipsec,debug payload seen: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug payload seen: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug payload seen: VID
Nov/24/2016 07:57:22 ipsec,debug payload seen: VID
Nov/24/2016 07:57:22 ipsec,debug processing payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug processing payload: SA
Nov/24/2016 07:57:22 ipsec,debug IKE Protocol: IKE
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug prf: hmac-sha1
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug dh: modp1024
Nov/24/2016 07:57:22 ipsec,debug matched proposal:
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug prf: hmac-sha1
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug dh: modp1024
Nov/24/2016 07:57:22 ipsec,debug processing payload: KE
Nov/24/2016 07:57:22 ipsec,debug => shared secret (size 0x80)
Nov/24/2016 07:57:22 ipsec,debug 23a1422e 300e93a0 761622b9 25feede4 0ad4093c d2e6ca0e eecacdd3 2514814a
Nov/24/2016 07:57:22 ipsec,debug c177b735 ec3c3bd0 027c6e5f 8b4d476d bf76fd01 ccfaf27c bb1349e2 862cd09f
Nov/24/2016 07:57:22 ipsec,debug 0b4dc8e2 3f026a11 77b1b87d 17bf9a43 65a38c2b e845d36f 40be6363 a21b11e8
Nov/24/2016 07:57:22 ipsec,debug 1351f0a1 b211bdbd 6bfeb507 2b2852aa f2835a57 4c0b5d7c 27247e2d 2cd846fb
Nov/24/2016 07:57:22 ipsec,debug => skeyseed (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 23136c2f 6c546675 0130703a 0a81137a b14b247b
Nov/24/2016 07:57:22 ipsec,debug => keymat (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 4559909e 1d8b5b1c a2b4f740 70fb2601 31fa1285
Nov/24/2016 07:57:22 ipsec,debug => SK_ai (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug e40086cc a0eb2dde cb24a153 5e44ea7b 6f8879b6
Nov/24/2016 07:57:22 ipsec,debug => SK_ar (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 313cd9ed 9a8241d9 4ac8d984 be808d65 93a4fbc3
Nov/24/2016 07:57:22 ipsec,debug => SK_ei (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 6289b5e3 c2c2bc0d 2159685f 91ef3a2b 84f53aba cc1880f1
Nov/24/2016 07:57:22 ipsec,debug => SK_er (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 0ba7222c 93db7e76 2033ca84 6216b55c 7bdf1db8 bb2a368c
Nov/24/2016 07:57:22 ipsec,debug => SK_pi (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 5b7364db 3af28b3a 33f9e506 dd622c7e 3a14da08
Nov/24/2016 07:57:22 ipsec,debug => SK_pr (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 3556df29 f492a040 0911c3c9 432e563b 925ff52b
Nov/24/2016 07:57:22 ipsec,debug processing payloads: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug new ph1 initiator connection established
Nov/24/2016 07:57:22 ipsec,info new ike2 initiator connection: 90.230.xx.xx[4500]<->40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug init child for policy: 192.168.254.0/24/24:0 <=> 10.0.0.0/16/16:0 ipproto:255
Nov/24/2016 07:57:22 ipsec,debug GETSPI sent: 40.69.xx.xx->90.230.xx.xx
Nov/24/2016 07:57:22 ipsec,debug ikev2 got spi 0xbfe4b79
Nov/24/2016 07:57:22 ipsec,debug init child continue
Nov/24/2016 07:57:22 ipsec,debug offering proto: 3
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: aes256-cbc
Nov/24/2016 07:57:22 ipsec,debug enc: aes128-cbc
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug esn: off
Nov/24/2016 07:57:22 ipsec,debug initiator selector: 192.168.254.0/24/24 ipproto:0
Nov/24/2016 07:57:22 ipsec,debug => selector created (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff
Nov/24/2016 07:57:22 ipsec,debug responder selector: 10.0.0.0/16/16 ipproto:0
Nov/24/2016 07:57:22 ipsec,debug => selector created (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000000 0a00ffff
Nov/24/2016 07:57:22 ipsec,debug my ID (ADDR): 90.230.xx.xx
Nov/24/2016 07:57:22 ipsec,debug processing payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug => auth nonce (size 0x30)
Nov/24/2016 07:57:22 ipsec,debug bcafebac f1a382fa d0531734 699ae223 1943659e d22c16f0 01287867 ab70da56
Nov/24/2016 07:57:22 ipsec,debug db0ffa4b e3c11c05 bf0558d1 17a87560
Nov/24/2016 07:57:22 ipsec,debug => SK_p (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 5b7364db 3af28b3a 33f9e506 dd622c7e 3a14da08
Nov/24/2016 07:57:22 ipsec,debug => idhash (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 60c43fad 004a4185 588d3808 9fc2816c 9afc6931
Nov/24/2016 07:57:22 ipsec,debug => my auth (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 4397a78a a54f8842 a39aed6a dce056a7 782a122b
Nov/24/2016 07:57:22 ipsec,debug adding payload: ID_I
Nov/24/2016 07:57:22 ipsec,debug => (size 0xc)
Nov/24/2016 07:57:22 ipsec,debug 0000000c 01000000 5ae6172c
Nov/24/2016 07:57:22 ipsec,debug adding payload: AUTH
Nov/24/2016 07:57:22 ipsec,debug => (size 0x1c)
Nov/24/2016 07:57:22 ipsec,debug 0000001c 02000000 4397a78a a54f8842 a39aed6a dce056a7 782a122b
Nov/24/2016 07:57:22 ipsec,debug adding payload: SA
Nov/24/2016 07:57:22 ipsec,debug => (size 0x40)
Nov/24/2016 07:57:22 ipsec,debug 00000040 0000003c 01030405 0bfe4b79 0300000c 0100000c 800e0100 0300000c
Nov/24/2016 07:57:22 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000002 00000008 05000000
Nov/24/2016 07:57:22 ipsec,debug adding payload: TS_I
Nov/24/2016 07:57:22 ipsec,debug => (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff
Nov/24/2016 07:57:22 ipsec,debug adding payload: TS_R
Nov/24/2016 07:57:22 ipsec,debug => (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000000 0a00ffff
Nov/24/2016 07:57:22 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 23202308 00000001 00000000 2700000c
Nov/24/2016 07:57:22 ipsec,debug,packet 01000000 5ae6172c 2100001c 02000000 4397a78a a54f8842 a39aed6a dce056a7
Nov/24/2016 07:57:22 ipsec,debug,packet 782a122b 2c000040 0000003c 01030405 0bfe4b79 0300000c 0100000c 800e0100
Nov/24/2016 07:57:22 ipsec,debug,packet 0300000c 0100000c 800e0080 03000008 01000003 03000008 03000002 00000008
Nov/24/2016 07:57:22 ipsec,debug,packet 05000000 2d000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff 00000018
Nov/24/2016 07:57:22 ipsec,debug,packet 01000000 07000010 0000ffff 0a000000 0a00ffff 6c8299b1 cae4ff1b 38567595
Nov/24/2016 07:57:22 ipsec,debug,packet a6b8cbdf f40a2139 526c87a3 c0defd1d 2e405367 7c92a9c1 daf40f2b 486685a5
Nov/24/2016 07:57:22 ipsec,debug,packet b6c8dbef 041a3149 627c97b3 d0ee0d2d 3e506377 8ca2b9d1 ea041f3b 587695b5
Nov/24/2016 07:57:22 ipsec,debug,packet
Nov/24/2016 07:57:22 ipsec,debug,packet c6d8ebff 142a4159 728ca7c3 e0fe1d3d 4e607387 9cb2c9e1 fa142f4b 6886a5c5
Nov/24/2016 07:57:22 ipsec,debug,packet d6e8fb0f 243a5169 829cb7d3 f00e2d4d 5e708397 acc2d9f1 0a243f5b 7896b5d5
Nov/24/2016 07:57:22 ipsec,debug,packet e6f80b1f 344a6179 92acc7e3 001e3d5d 00000000 00000438 77b03940 00486458
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00478530 00478328 00478294 01000000 0047c844 00000000
Nov/24/2016 07:57:22 ipsec,debug adding payload: ENC
Nov/24/2016 07:57:22 ipsec,debug => (first 0x100 of 0x138)
Nov/24/2016 07:57:22 ipsec,debug 23000138 a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c
Nov/24/2016 07:57:22 ipsec,debug fe9a846b ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9
Nov/24/2016 07:57:22 ipsec,debug 14f0c747 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e
Nov/24/2016 07:57:22 ipsec,debug 743c37af ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6
Nov/24/2016 07:57:22 ipsec,debug ddc9aa88 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565
Nov/24/2016 07:57:22 ipsec,debug 1be76a2a 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8
Nov/24/2016 07:57:22 ipsec,debug 750a959c 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840
Nov/24/2016 07:57:22 ipsec,debug 9bff07ee c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:22 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:22 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:22 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:22 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:22 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:22 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:22 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:22 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:22 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:22 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:24 ipsec,debug acquire for 90.230.xx.xx <=> 40.69.xx.xx
Nov/24/2016 07:57:24 ipsec,debug suitable policy found: 192.168.254.0/24/24:0 <=> 10.0.0.0/16/16:0 ipproto:255
Nov/24/2016 07:57:24 ipsec,debug connection found for peer: 40.69.xx.xx[500]
Nov/24/2016 07:57:24 ipsec,debug SA with policy exists, ignoring
Nov/24/2016 07:57:27 ipsec,debug ==========
Nov/24/2016 07:57:27 ipsec,debug 68 bytes message received from 40.69.xx.xx[500] to 90.230.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet dcaf5a58 5bfb5571 5fcc6125 1f57a934 2e202508 00000001 00000044 29000028
Nov/24/2016 07:57:27 ipsec,debug,packet cfc63abf 9907ec99 c63980f8 d21f1e75 3f8e8242 95c2c7cd 9684f17b b1cc06e6
Nov/24/2016 07:57:27 ipsec,debug,packet 0db1f801
Nov/24/2016 07:57:27 ipsec,debug ike2 request exchange: INFORMATIONAL id: 1
Nov/24/2016 07:57:27 ipsec,debug spi not registred
Nov/24/2016 07:57:27 ipsec,debug retransmit
Nov/24/2016 07:57:27 ipsec,debug ==========
Nov/24/2016 07:57:27 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:27 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:27 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:27 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:27 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:27 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:27 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:27 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:27 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:27 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:27 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:32 ipsec,debug retransmit
Nov/24/2016 07:57:32 ipsec,debug ==========
Nov/24/2016 07:57:32 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:32 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:32 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:32 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:32 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:32 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:32 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:32 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:32 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:32 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:32 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:37 ipsec,debug retransmit
Nov/24/2016 07:57:37 ipsec,debug ==========
Nov/24/2016 07:57:37 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:37 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:37 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:37 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:37 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:37 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:37 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:37 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:37 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:37 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:37 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:42 ipsec,debug retransmit
Nov/24/2016 07:57:42 ipsec,debug ==========
Nov/24/2016 07:57:42 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:42 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:42 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:42 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:42 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:42 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:42 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:42 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:42 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:42 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:42 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:47 ipsec,debug retransmit
Nov/24/2016 07:57:47 ipsec,info killing connection: 90.230.xx.xx[4500]<->40.69.xx.xx[500]

irico · November 24, 2016, 8:48am

Same problem here. Latest RC version can’t connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.

telnetpr · November 27, 2016, 10:39pm

Anything yet? This post is from last year. Please we need it @mikrotik

rllavona13 · November 27, 2016, 10:43pm

Hello i need this 2 ASAP. Like much other customers of yours..

Sent from my iPhone using Tapatalk

hacknix · December 6, 2016, 8:07pm

Hi,

Some feedback on IKEv2.

Firstly, thank you very much for this. After much fiddling, I have got RouterOS to talk to Strongswan, with a couple of caveats:

I can only get a Phase 1 proposal using MD5 as HMAC to work. I can’t get any of the SHA variants to work at all, I just get “no proposal chosen”. I think this has something to do with KPDK_MD5 being in the proposal that is sent, regardless of which HMAC is actually chosen in the proposal, although I am not an expert on this, so I am very happy to be proven wrong!

Also, I cannot get a child SA with a destination subnet of “0.0.0.0/0” to work, I get a TS_UNNACEPTABLE. However, if I change the expected “leftsubnet” on stongswan to simply “0.0.0.0” it works, suggesting that RouterOS is not appending the “/0” as it should. I need this as I am trying to route all traffic (IPv4 and IPv6) over the tunnel.

Thanks again.

hacknix

mrz · December 7, 2016, 10:15am

@hacknix can you enable ipsec logs, try to make a connection, generate supout file and send it to support?

hacknix · December 8, 2016, 5:28pm

@mrz - thanks for the reply. Yes, I will do that, thanks for the response.

hacknix · December 8, 2016, 5:45pm

@mrz - I have not sent a supout file before. Does this file contain my sensitive information, like keys, passwords and IP addresses?

mrz · December 8, 2016, 5:49pm

No it does not contain sensitive info.

hacknix · December 8, 2016, 5:58pm

thanks