Has anyone used TheGreenBow VPN client with Mikrotik server?

I’ve been fighting for hours with the trial version of TheGreenBow VPN client, but I cannot make it work. It will always refuse to connect to the Mikrotik VPN server.

Mikrotik server has this config:

/ip ipsec mode-config add address-pool=vpn-pool1 name=cfg1 split-include=192.168.11.0/24
/ip ipsec policy group add name=group1
/ip ipsec policy add dst-address=192.168.71.0/24 group=group1 src-address=192.168.11.0/24 template=yes
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-128 lifetime=8h name=profile1
/ip ipsec peer add name=peer1 passive=yes profile=profile1 send-initial-contact=no
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=blablabla peer=peer1 policy-template-group=group1 secret=blablabla username=user1

Other clients like Shrew, Android phones and Apple iPhones can connect successfully, but GreenBow will always fail with “NO_PROPOSAL_CHOSEN” error :frowning:

Does anyone know which parameters could be tweaked to make it compatible with Mikrotik servers?

No, but you can find out on your own using the following way:

Activate detailed logging of IPsec on the Tik:
/system logging add topics=ipsec,!packet

Start logging into a dedicated file:
/log print follow-only file=ipsec-start where topics~"ipsec"

Make a connection attempt from the client; once it fails, break the /log print … command, download the file, and start reading it. It will show you the list of Phase 1 (and possibly also Phase 2 if it got that far before failing) encryption and authentication algorithms suggested by the peer and configured at the Tik, and you’ll be able to find out what to add to your /ip ipsec profile (used by the /ip ipsec peer) and/or /ip ipsec proposal (used by the /ip ipsec policy) to match the suggestion of the client.

It always fails in the same spot. I guess GreenBow is simply incompatible with Mikrotik.

ipsec searching for policy for selector: 84.141.14.0/24 <=> 77.168.162.37 
ipsec no template matches 
ipsec failed to get proposal for responder. 
ipsec,error 77.168.162.37 failed to pre-process ph2 packet.

It’s a pity, this GreenBow VPN client seems nicer than Shrew. I was considering buying it, but I guess I’ll have to look somewhere else :frowning:

No. The error message just says that on the Mikrotik side, there is no policy template matching the traffic selector required by GreenBow, and the missing proposal is just a consequence: the chain on the Tik is peer → identity → policy template group (if generate-policy in the identity is set to something other than no) → policy template in that group → proposal.

So something is not set properly in the configuration at Mikrotik side. Follow my automatic signature just below if you want a more detailed response.

The configuration of the Mikrotik is very very basic, I doubt there’s a problem on Mikrotik’s end (Shrew clients connect successfully, and also Android phones can connect perfectly).

Mikrotik is connected to a cablemodem, which assigns a public IPv4 from Vodafone ISP (Spain) through DHCP on ether1.

# apr/27/2020 23:24:54 by RouterOS 6.46.5
# software id = BLA-BLA
#
# model = RouterBOARD 750 r2
# serial number = BLABLABLABLA
/interface bridge
add admin-mac=E4:8D:8C:ZZ:ZZ:ZZ auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group
add name=group1
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 lifetime=8h name=profile1
/ip ipsec peer
add name=peer1 passive=yes profile=profile1 send-initial-contact=no
/ip pool
add name=default-dhcp ranges=192.168.11.10-192.168.11.199
add name=vpn-pool1 ranges=192.168.71.150-192.168.71.199
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=vpn-pool1 name=cfg1 split-include=192.168.11.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.11.254/24 comment=defconf interface=bridge network=\
    192.168.11.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.11.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.11.254 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=500,4500 in-interface-list=WAN \
    protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    cfg1 password=blabla peer=peer1 policy-template-group=group1 secret=blabla username=user1
/ip ipsec policy
add dst-address=192.168.71.0/24 group=group1 src-address=192.168.11.0/24 template=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The problem must be some kind of incompatibility between GreenBow VPN client and Mikrotik server. Probably nobody has tried this before, and their developers aren’t aware of the incompatibility.

The GreenBow asks for traffic selector 84.141.14.0/24 <=> 77.168.162.37, whereas on Mikrotik, in policy template group1, the only template available is dst-address=192.168.71.0/24 src-address=192.168.11.0/24.
So it doesn’t seem like an incompatibility to me, rather a misconfiguration of the GreenBow, which ignores the split-include from the Tik and creates the traffic selector from some local data. Which of the two addresses in that required traffic selector is the one of your Tik and which is the one of the PC running the GreenBow?
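The template-matching step that produced "no template matches" above can be reproduced offline. The following is an added example (not code from the thread or from RouterOS): it parses the "searching for policy for selector" log line and checks whether the proposed selector falls inside any template in the policy group, using only the address-containment rule described above (ports, and therefore port-strict, are ignored). The log line and template values are taken from the thread; the second selector in the test is a constructed success case, with the client holding a mode-config address from vpn-pool1.

```python
import ipaddress
import re

# Log line as posted in the thread (the Tik's view: local side <=> remote side).
LOG_LINE = "ipsec searching for policy for selector: 84.141.14.0/24 <=> 77.168.162.37"

# Policy template from the thread's /ip ipsec policy export: src-address is the
# LAN behind the Tik, dst-address the pool the remote client will be assigned from.
TEMPLATES = [
    {"group": "group1", "src": "192.168.11.0/24", "dst": "192.168.71.0/24"},
]

SELECTOR_RE = re.compile(r"selector:\s*(\S+)\s*<=>\s*(\S+)")


def parse_selector(line):
    """Return (src, dst) networks from a 'searching for policy' log line, or None."""
    m = SELECTOR_RE.search(line)
    if not m:
        return None
    # A bare address such as 77.168.162.37 becomes a /32 host selector.
    return (ipaddress.ip_network(m.group(1), strict=False),
            ipaddress.ip_network(m.group(2), strict=False))


def matching_templates(selector, templates, group):
    """Templates in `group` whose src-address contains the proposed src and
    whose dst-address contains the proposed dst (assumed containment rule)."""
    src, dst = selector
    hits = []
    for t in templates:
        if t["group"] != group:
            continue
        if (src.subnet_of(ipaddress.ip_network(t["src"]))
                and dst.subnet_of(ipaddress.ip_network(t["dst"]))):
            hits.append(t)
    return hits


def explain(line, templates, group="group1"):
    """Reproduce the Tik's verdict for one log line."""
    sel = parse_selector(line)
    if sel is None:
        return "not a selector line"
    return "match" if matching_templates(sel, templates, group) else "no template matches"


if __name__ == "__main__":
    print(explain(LOG_LINE, TEMPLATES))  # the thread's failing case
```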

BINGO! It works now!!

Thanks for your info, you gave me the tip to fix the problem (it was a misconfiguration in the GreenBow client).

The public IP of the Mikrotik is the one starting with 84.141… My problem is that I was entering the address “192.168.71.0/24” in GreenBow in the “Remote LAN address” box.

I’ve changed it to “192.168.11.0/24” and now it works and connects correctly. YAY!!

Thanks again!