IPSEC couldn't find configuration

Hello all,

We use MT routers all the time to set up IPSEC tunnels between a client’s location and our datacenter. I’m running into an issue that I’m seeing for the first time - in my datacenter router (virtualized version 4.17 on Hyper-V) I’m getting an error in the IPSEC log stating: couldn’t find configuration. Before someone says “Hyper-V isn’t supported”, I have several (6+) of these virtual routers running on Hyper-V. It works fine with ROS ver 4.17. The only difference between this one and the others is that this is running on Server 2012 R2 and the others are running on Server 2008 R2. Both of the NICs transmit and receive traffic just fine. I have a virtual server tied to it and I can surf the web all day long.

Does anyone have any clue as to what is causing this error?

Here’s my configuration: (the public IP addresses have been changed to protect the innocent)
Datacenter Router

/ip address
add address=50.50.50.46/28 broadcast=50.50.50.47 comment="" disabled=no interface=ether1-wan network=50.50.50.32
add address=192.168.10.1/24 broadcast=192.168.10.255 comment="" disabled=no interface=ether2-lan network=192.168.10.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=50.50.50.33 scope=30 target-scope=10

/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no

/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=aes-256 lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=60.60.60.141/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-256 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=1d nat-traversal=no proposal-check=obey secret=password send-initial-contact=yes

/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.20.0/24:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=60.60.60.141 sa-src-address=50.50.50.46 src-address=192.168.10.0/24:any tunnel=yes

Office Router

/ip address
add address=192.168.20.1/24 comment="default configuration" interface=bridge-local network=192.168.20.0
add address=60.60.60.141/29 interface=ether1-gateway network=60.60.60.136

/ip route
add distance=1 gateway=60.60.60.142

/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no

/ip ipsec peer
add address=50.50.50.46/32 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=md5 secret=password

/ip ipsec policy
add dst-address=192.168.10.0/24 sa-dst-address=50.50.50.46 sa-src-address=60.60.60.141 src-address=192.168.20.0/24 tunnel=yes

/ip ipsec proposal
set default auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024

Any assistance would be much appreciated,

Brian

Ok, I figured it out. It was being caused by what is supposed to be a transparent bridge (it appears to be routing instead of bridging) between the router in question and the outside world. I haven’t spent any time troubleshooting it yet, so I’m not sure exactly what the problem is. I just bypassed the transparent bridge for now. My purpose in posting this is that if you get the “couldn’t find configuration” error, it doesn’t necessarily refer to a configuration problem INSIDE the router you’re configuring. It could be something outside of the router causing it. When I checked whatsmyip.net from the server attached to the router in question it gave me an IP address that I wasn’t expecting. So if you run into this error message, look at all variables, not just inside the router.

Don’t ya just love ambiguous error messages!?!?

Hope this helps someone else down the road,
Brian

The error is valid: IPsec was unable to find a configuration for the received IPsec packet (most likely the source address was changed). If you run the packet sniffer or torch you would probably see that.
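The reply above says the router could not match the received packet to any configured peer, usually because the source address was rewritten on the way. As an added example (not code from this thread or from MikroTik), here is a small Python check that parses the peer and policy lines from an export like the ones posted and, given the source address actually seen on the WAN port with the sniffer or torch, states whether any peer entry covers it; the export text and addresses below are constructed from the first post.

```python
import ipaddress
import re

# Constructed sample: only the peer and policy lines of the datacenter router
# from the first post, as they would appear in an export (not a full config).
DC_EXPORT = """\
/ip ipsec peer
add address=60.60.60.141/32:500 auth-method=pre-shared-key secret=password
/ip ipsec policy
add dst-address=192.168.20.0/24:any sa-dst-address=60.60.60.141 sa-src-address=50.50.50.46 src-address=192.168.10.0/24:any tunnel=yes
"""

def parse_export(text):
    """Collect the key=value pairs of each 'add' line under /ip ipsec peer and policy."""
    sections, current = {"peer": [], "policy": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/ip ipsec "):
            current = line.split()[-1]          # 'peer' or 'policy'
        elif line.startswith("add ") and current in sections:
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def peer_prefix(peer):
    """'60.60.60.141/32:500' -> IPv4Network('60.60.60.141/32'); the IKE port is dropped."""
    return ipaddress.ip_network(peer["address"].split(":")[0], strict=False)

def diagnose(export_text, observed_src, expected_src):
    """Explain a "couldn't find configuration" log line for one received IKE packet.
    observed_src: source address seen on the WAN interface with /tool sniffer or torch.
    expected_src: the remote site's real public address the peer entry was written for.
    Returns (ok, explanation)."""
    cfg = parse_export(export_text)
    src = ipaddress.ip_address(observed_src)
    if any(src in peer_prefix(p) for p in cfg["peer"]):
        # IKE can find the peer; the remaining risk is a policy whose SA endpoint disagrees.
        if any(p.get("sa-dst-address") == observed_src for p in cfg["policy"]):
            return True, f"peer and policy both match {observed_src}"
        return False, f"peer matches {observed_src} but no policy has sa-dst-address={observed_src}"
    if observed_src != expected_src:
        return False, (f"no peer for {observed_src}: packets arrive from {observed_src} instead of "
                       f"{expected_src}, so something between the sites (NAT, or a 'transparent' "
                       "bridge that actually routes) is rewriting the source address")
    return False, f"no peer entry covers {observed_src}: add one or fix the peer address"

if __name__ == "__main__":
    print(diagnose(DC_EXPORT, "60.60.60.141", "60.60.60.141"))
    print(diagnose(DC_EXPORT, "10.0.0.7", "60.60.60.141"))  # the symptom from the thread
```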

Hi, I have two Mikrotik routers (“Office1”: RB 433AH and “Office2”: RB 1100AHx2) and am trying an IPSec site-to-site VPN connection, but I have an error in the log even when using the step-by-step wiki by Mikrotik.
Log error: couldn’t find configuration

Office1 is set up as follows:
LAN: 192.168.100.0/24
WAN Fictitious: 110.110.110.110/28
With a gateway and NAT firewall configured for internet access

/ip address
add address=110.110.110.110/24 interface=WAN
add address=192.168.100.1/24 interface=LAN

/ip route
add gateway=110.110.110.254

/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade
/ip ipsec peer
add address=220.220.220.220/32 enc-algorithm=3des hash-algorithm=md5 lifetime=8h nat-traversal=no secret=password

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=8h pfs-group=none

/ip ipsec policy
add src-address=192.168.100.0/24 src-port=any dst-address=192.168.200.0/24 dst-port=any sa-src-address=110.110.110.110 sa-dst-address=220.220.220.220 tunnel=no action=encrypt proposal=default

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.100.0/24 dst-address=192.168.200.0/24

Site2 is set up as follows:
LAN: 192.168.200.0/24
WAN Fictitious: 220.220.220.220/28
With a gateway and NAT firewall configured for internet access

/ip address
add address=220.220.220.220/24 interface=WAN
add address=192.168.200.1/24 interface=LAN

/ip route
add gateway=220.220.220.254

/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade
/ip ipsec peer
add address=110.110.110.110/32 enc-algorithm=3des hash-algorithm=md5 lifetime=8h nat-traversal=no secret=password

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=8h pfs-group=none

/ip ipsec policy
add src-address=192.168.200.0/24 src-port=any dst-address=192.168.100.0/24 dst-port=any sa-src-address=220.220.220.220 sa-dst-address=110.110.110.110 tunnel=no action=encrypt proposal=default

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.200.0/24 dst-address=192.168.100.0/24