hAP ac³ IPSEC VPN problem

I recently updated my home router RB951G-2HnD to a hAP AC³ LTE Router.

I purchased the unit one day before the announcement of the non-LTE version, which I would not use. But I would expect the same issue with it.

I have copied all my config to my new router by exporting the appropriate sections. Everything worked fine.

I have an issue with my NordVPN and was forced to go back to my old 951G, since many web pages such as Facebook / Messenger would take a long time to load or would not even show. Especially the Messenger section, which no longer shows the messages and waits forever.

I previously lowered my computer's MTU to a fragmentation size that would fit, 1438 (I used mturoute.exe to figure out this value), as I had a similar issue before. Nonetheless, it works perfectly fine with the old 951G and this MTU size. Is anyone having a similar issue with the latest arm architecture router? Both routers use the same RouterOS version (6.47.4).

Where should I start to find what is wrong with my newly acquired hAP AC³?

R.

I haven’t seen any issues like this on the arm architecture, and I use IPsec routinely on it as well. Hence my first question would be whether you have changed the cipher suite on the new machine as compared to the old one, which could explain a change in the number of bytes occupied by the IPsec overhead in a packet. Placing the new router behind the existing one may also cause a change of the overhead size, if the existing router is on a public IP and the new one is not, so NAT traversal is necessary.

Other than that, there should be no need to manually reduce LAN MTU if you make sure that path MTU discovery is not broken by IPsec handling due to a missing part of IPsec configuration. See this post for a brief explanation.

Sindy,

thanks for trying to help me. I would start by saying that my hAP ac³ was swapped with the 951G, so there is no other equipment between the CPE and the router in either scenario. I’m putting my computer interface back to the default MTU of 1500 and will try to see if that works.

Here is my NordVPN script.

# model = 951G-2HnD
# serial number = 4185025BF77A

#must be executed alone
/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"

/ip firewall address-list
add address=192.168.92.13 disabled=yes list=Through_US_VPN
add address=192.168.92.13 list=Through_CA_VPN

/certificate import file-name=root.der
/ip ipsec mode-config
add name=NordVPN_US_ModeConfig responder=no src-address-list=Through_US_VPN
add name=NordVPN_CA_ModeConfig responder=no src-address-list=Through_CA_VPN
/ip ipsec policy group
add name=NordVPN_Group
/ip ipsec profile
add name=NordVPN_IPsecProfile
/ip ipsec peer
add address=ca1140.nordvpn.com exchange-mode=ike2 name=NordVPN_CA profile=\
    NordVPN_IPsecProfile
add address=us6141.nordvpn.com exchange-mode=ike2 name=NordVPN_US profile=\
    NordVPN_IPsecProfile
/ip ipsec proposal
add name=NordVPN_Proposal pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN_US_ModeConfig password=\
     peer=NordVPN_US policy-template-group=\
    NordVPN_Group username=
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN_CA_ModeConfig password=\
     peer=NordVPN_CA policy-template-group=\
    NordVPN_Group username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN_Group proposal=NordVPN_Proposal \
    src-address=0.0.0.0/0 template=yes
# note: 168.192.92.0/24 does not match the 192.168.92.x LAN used in the address lists above
add action=none disabled=yes dst-address=168.192.92.0/24 src-address=\
    0.0.0.0/0

/ip firewall address-list
add address=192.168.92.13 list=ThroughVPN

Will report back on new MTU size.

R.

You have to move the policy with action=none before (above) the template from which the actual policy is dynamically generated when the VPN comes up. The policies are matched from the topmost one till the first match, like firewall rules, so the src-address=0.0.0.0/0 dst-address=192.168.92.0/24 one must be at the beginning of the list, in order to match first. The dynamically created policies are always placed right after the template from which they are generated, not to the very end of the list.
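The reordering described above, written out as RouterOS commands. This is an added example, not the poster's export; it assumes the LAN is 192.168.92.0/24 and that the template policy in group NordVPN_Group already exists from the export.

```routeros
/ip ipsec policy
# Bypass policy for traffic addressed to the LAN itself. It must sit above
# the template, because policies are matched top-down until the first hit and
# dynamically generated policies are inserted directly below their template.
add action=none src-address=0.0.0.0/0 dst-address=192.168.92.0/24 \
    place-before=[find template=yes group=NordVPN_Group] \
    comment="LAN bypass - keep above the NordVPN_Group template"

# If a bypass entry already exists below the template (as in the export
# above), move it to the top of the list and enable it instead of re-adding:
move [find action=none] 0
enable [find action=none]

# Check: the action=none entry prints first, ahead of the template and of any
# entry flagged D (dynamic) that the VPN created when it came up.
print
```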