Still having this issue with no Phase2 connection… Here is the detailed log I have pulled today:
21:52:52 ipsec,debug 87.xxx.xxx.xxx DPD monitoring....
21:52:52 ipsec,debug,packet compute IV for phase2
21:52:52 ipsec,debug,packet phase1 last IV:
21:52:52 ipsec,debug,packet f3601756 f9ee8619 e894d9cc 1e97cbaf cea2c9d8
21:52:52 ipsec,debug hash(sha1)
21:52:52 ipsec,debug,packet encryption(aes)
21:52:52 ipsec,debug,packet phase2 IV computed:
21:52:52 ipsec,debug,packet 09357371 11866813 5a999a32 fd1c7b2b
21:52:52 ipsec,debug,packet HASH with:
21:52:52 ipsec,debug,packet cea2c9d8 00000020 00000001 01108d28 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9
21:52:52 ipsec,debug,packet 0000064f
21:52:52 ipsec,debug,packet hmac(hmac_sha1)
21:52:52 ipsec,debug,packet HASH computed:
21:52:52 ipsec,debug,packet ed7b969c 75874bd2 b9da1341 d125f22b b920efae
21:52:52 ipsec,debug,packet begin encryption.
21:52:52 ipsec,debug,packet encryption(aes)
21:52:52 ipsec,debug,packet pad length = 8
21:52:52 ipsec,debug,packet 0b000018 ed7b969c 75874bd2 b9da1341 d125f22b b920efae 00000020 00000001
21:52:52 ipsec,debug,packet 01108d28 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 0000064f 6b4b119f 5c6d3e07
21:52:52 ipsec,debug,packet encryption(aes)
21:52:52 ipsec,debug,packet with key:
21:52:52 ipsec,debug,packet 2eae441c f1aee2d3 c65beb43 7ea3a18b d86e39f0 54102358 684c880e 616df003
21:52:52 ipsec,debug,packet encrypted payload by IV:
21:52:52 ipsec,debug,packet 09357371 11866813 5a999a32 fd1c7b2b
21:52:52 ipsec,debug,packet save IV for next:
21:52:52 ipsec,debug,packet 45c7ee15 3ac21d22 4d083d53 00940163
21:52:52 ipsec,debug,packet encrypted.
21:52:52 ipsec,debug 92 bytes from 192.168.0.104[4500] to 87.xxx.xxx.xxx[4500]
21:52:52 ipsec,debug 1 times of 96 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:52:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cea2c9d8 0000005c 15907233
21:52:52 ipsec,debug,packet 60febaaa dc6970a9 e9612846 95a87809 543ccde5 639ebf87 b4b0fc3f 02dc867a
21:52:52 ipsec,debug,packet 5ca2354c ca52cf96 a968672e 45c7ee15 3ac21d22 4d083d53 00940163
21:52:52 ipsec,debug sendto Information notify.
21:52:52 ipsec,debug 87.xxx.xxx.xxx DPD R-U-There sent (0)
21:52:52 ipsec,debug 87.xxx.xxx.xxx rescheduling send_r_u (5).
21:52:52 ipsec,debug ===== received 92 bytes from 87.xxx.xxx.xxx[4500] to 192.168.0.104[4500]
21:52:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cea2c9d8 0000005c 137023c7
21:52:52 ipsec,debug,packet 8ea70679 45b3557f 54e68183 326b3088 0c102b96 595a804d 48a5f685 39842039
21:52:52 ipsec,debug,packet 7c706260 1b55a6e7 926547c1 4cc4385e ebeeace5 ce18cbe6 fd83f821
21:52:52 ipsec,debug receive Information.
21:52:52 ipsec,debug,packet compute IV for phase2
21:52:52 ipsec,debug,packet phase1 last IV:
21:52:52 ipsec,debug,packet f3601756 f9ee8619 e894d9cc 1e97cbaf cea2c9d8
21:52:52 ipsec,debug hash(sha1)
21:52:52 ipsec,debug,packet encryption(aes)
21:52:52 ipsec,debug,packet phase2 IV computed:
21:52:52 ipsec,debug,packet 09357371 11866813 5a999a32 fd1c7b2b
21:52:52 ipsec,debug,packet encryption(aes)
21:52:52 ipsec,debug,packet IV was saved for next processing:
21:52:52 ipsec,debug,packet 4cc4385e ebeeace5 ce18cbe6 fd83f821
21:52:52 ipsec,debug,packet encryption(aes)
21:52:52 ipsec,debug,packet with key:
21:52:52 ipsec,debug,packet 2eae441c f1aee2d3 c65beb43 7ea3a18b d86e39f0 54102358 684c880e 616df003
21:52:52 ipsec,debug,packet decrypted payload by IV:
21:52:52 ipsec,debug,packet 09357371 11866813 5a999a32 fd1c7b2b
21:52:52 ipsec,debug,packet decrypted payload, but not trimed.
21:52:52 ipsec,debug,packet 0b000018 fe4a7221 ea9849d0 599b7072 859b5edf f40fc3bd 00000020 00000001
21:52:52 ipsec,debug,packet 01108d29 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 0000064f 00000000 00000000
21:52:52 ipsec,debug,packet padding len=1
21:52:52 ipsec,debug,packet skip to trim padding.
21:52:52 ipsec,debug,packet decrypted.
21:52:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cea2c9d8 0000005c 0b000018
21:52:52 ipsec,debug,packet fe4a7221 ea9849d0 599b7072 859b5edf f40fc3bd 00000020 00000001 01108d29
21:52:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 0000064f 00000000 00000000
21:52:52 ipsec,debug,packet HASH with:
21:52:52 ipsec,debug,packet cea2c9d8 00000020 00000001 01108d29 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9
21:52:52 ipsec,debug,packet 0000064f
21:52:52 ipsec,debug,packet hmac(hmac_sha1)
21:52:52 ipsec,debug,packet HASH computed:
21:52:52 ipsec,debug,packet fe4a7221 ea9849d0 599b7072 859b5edf f40fc3bd
21:52:52 ipsec,debug hash validated.
21:52:52 ipsec,debug begin.
21:52:52 ipsec,debug seen nptype=8(hash) len=24
21:52:52 ipsec,debug seen nptype=11(notify) len=32
21:52:52 ipsec,debug succeed.
21:52:52 ipsec,debug 87.xxx.xxx.xxx notify: R_U_THERE_ACK
21:52:52 ipsec,debug 87.xxx.xxx.xxx DPD R-U-There-Ack received
21:52:52 ipsec,debug received an R-U-THERE-ACK
21:53:02 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:53:02 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:53:02 ipsec,debug,packet ff
21:53:22 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:53:22 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:53:22 ipsec,debug,packet ff
21:53:42 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:53:42 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:53:42 ipsec,debug,packet ff
21:54:02 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:54:02 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:54:02 ipsec,debug,packet ff
21:54:22 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:54:22 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:54:22 ipsec,debug,packet ff
21:54:42 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:54:42 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:54:42 ipsec,debug,packet ff
21:54:52 ipsec,debug 87.xxx.xxx.xxx DPD monitoring....
21:54:52 ipsec,debug,packet compute IV for phase2
21:54:52 ipsec,debug,packet phase1 last IV:
21:54:52 ipsec,debug,packet f3601756 f9ee8619 e894d9cc 1e97cbaf cb482dbf
21:54:52 ipsec,debug hash(sha1)
21:54:52 ipsec,debug,packet encryption(aes)
21:54:52 ipsec,debug,packet phase2 IV computed:
21:54:52 ipsec,debug,packet 52eac2eb 7c32910b 70f5eaaf 674a3622
21:54:52 ipsec,debug,packet HASH with:
21:54:52 ipsec,debug,packet cb482dbf 00000020 00000001 01108d28 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9
21:54:52 ipsec,debug,packet 00000650
21:54:52 ipsec,debug,packet hmac(hmac_sha1)
21:54:52 ipsec,debug,packet HASH computed:
21:54:52 ipsec,debug,packet 5806838c ea30c60f bbd48d08 f9a790dd 8978405d
21:54:52 ipsec,debug,packet begin encryption.
21:54:52 ipsec,debug,packet encryption(aes)
21:54:52 ipsec,debug,packet pad length = 8
21:54:52 ipsec,debug,packet 0b000018 5806838c ea30c60f bbd48d08 f9a790dd 8978405d 00000020 00000001
21:54:52 ipsec,debug,packet 01108d28 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 00000650 bd959a99 f66aaa07
21:54:52 ipsec,debug,packet encryption(aes)
21:54:52 ipsec,debug,packet with key:
21:54:52 ipsec,debug,packet 2eae441c f1aee2d3 c65beb43 7ea3a18b d86e39f0 54102358 684c880e 616df003
21:54:52 ipsec,debug,packet encrypted payload by IV:
21:54:52 ipsec,debug,packet 52eac2eb 7c32910b 70f5eaaf 674a3622
21:54:52 ipsec,debug,packet save IV for next:
21:54:52 ipsec,debug,packet 73447ddb 8c81e914 4160e61a 88479062
21:54:52 ipsec,debug,packet encrypted.
21:54:52 ipsec,debug 92 bytes from 192.168.0.104[4500] to 87.xxx.xxx.xxx[4500]
21:54:52 ipsec,debug 1 times of 96 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:54:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cb482dbf 0000005c 2b65c25e
21:54:52 ipsec,debug,packet be57e1a6 55e02d1b 90a135fd 2095c64e c88f0e8d e27e89b0 cfde8e05 ebba8f73
21:54:52 ipsec,debug,packet 43e86139 8da53dd6 683114b4 73447ddb 8c81e914 4160e61a 88479062
21:54:52 ipsec,debug sendto Information notify.
21:54:52 ipsec,debug 87.xxx.xxx.xxx DPD R-U-There sent (0)
21:54:52 ipsec,debug 87.xxx.xxx.xxx rescheduling send_r_u (5).
21:54:52 ipsec,debug ===== received 92 bytes from 87.xxx.xxx.xxx[4500] to 192.168.0.104[4500]
21:54:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cb482dbf 0000005c dbbc4a10
21:54:52 ipsec,debug,packet 6ff8c1d8 3fa38ba7 37a1a792 c9f5b85d 7efe7489 25906a39 acd1c947 13fe4602
21:54:52 ipsec,debug,packet eaed1a58 31e5e4ae 4033d6b4 7ab341dc 2724bb2a 81c5148f 4de7bd75
21:54:52 ipsec,debug receive Information.
21:54:52 ipsec,debug,packet compute IV for phase2
21:54:52 ipsec,debug,packet phase1 last IV:
21:54:52 ipsec,debug,packet f3601756 f9ee8619 e894d9cc 1e97cbaf cb482dbf
21:54:52 ipsec,debug hash(sha1)
21:54:52 ipsec,debug,packet encryption(aes)
21:54:52 ipsec,debug,packet phase2 IV computed:
21:54:52 ipsec,debug,packet 52eac2eb 7c32910b 70f5eaaf 674a3622
21:54:52 ipsec,debug,packet encryption(aes)
21:54:52 ipsec,debug,packet IV was saved for next processing:
21:54:52 ipsec,debug,packet 7ab341dc 2724bb2a 81c5148f 4de7bd75
21:54:52 ipsec,debug,packet encryption(aes)
21:54:52 ipsec,debug,packet with key:
21:54:52 ipsec,debug,packet 2eae441c f1aee2d3 c65beb43 7ea3a18b d86e39f0 54102358 684c880e 616df003
21:54:52 ipsec,debug,packet decrypted payload by IV:
21:54:52 ipsec,debug,packet 52eac2eb 7c32910b 70f5eaaf 674a3622
21:54:52 ipsec,debug,packet decrypted payload, but not trimed.
21:54:52 ipsec,debug,packet 0b000018 df96e319 eff7ca7c deba3a45 95fd9fdd 214dab51 00000020 00000001
21:54:52 ipsec,debug,packet 01108d29 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 00000650 00000000 00000000
21:54:52 ipsec,debug,packet padding len=1
21:54:52 ipsec,debug,packet skip to trim padding.
21:54:52 ipsec,debug,packet decrypted.
21:54:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cb482dbf 0000005c 0b000018
21:54:52 ipsec,debug,packet df96e319 eff7ca7c deba3a45 95fd9fdd 214dab51 00000020 00000001 01108d29
21:54:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 00000650 00000000 00000000
21:54:52 ipsec,debug,packet HASH with:
21:54:52 ipsec,debug,packet cb482dbf 00000020 00000001 01108d29 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9
21:54:52 ipsec,debug,packet 00000650
21:54:52 ipsec,debug,packet hmac(hmac_sha1)
21:54:52 ipsec,debug,packet HASH computed:
21:54:52 ipsec,debug,packet df96e319 eff7ca7c deba3a45 95fd9fdd 214dab51
21:54:52 ipsec,debug hash validated.
21:54:52 ipsec,debug begin.
21:54:52 ipsec,debug seen nptype=8(hash) len=24
21:54:52 ipsec,debug seen nptype=11(notify) len=32
21:54:52 ipsec,debug succeed.
21:54:52 ipsec,debug 87.xxx.xxx.xxx notify: R_U_THERE_ACK
21:54:52 ipsec,debug 87.xxx.xxx.xxx DPD R-U-There-Ack received
21:54:52 ipsec,debug received an R-U-THERE-ACK
21:55:02 ipsec,debug KA: 192.168.0.104[4500]->87.xxx.xxx.xxx[4500]
21:55:02 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:55:02 ipsec,debug,packet ff
And the current config with the MikroTik connected to a router with IPSec passthrough set:
/ip ipsec peer
add address=xxxxxxxxxxxxxxx.myfritz.net exchange-mode=aggressive name=\
FRITZBox
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=\
aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict my-id=\
key-id:xxxxx password=xxxxxxx peer=FRITZBox secret=\
xxxxxxxxxxxxx username=xxxxxx
/ip ipsec policy
add peer=FRITZBox sa-dst-address=87.xxx.xxx.xxx sa-src-address=\
192.168.0.104 tunnel=yes
Any ideas?
Many thanks in advance!
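
Added example, not part of the original post: a short Python script that decodes the fixed 28-byte ISAKMP header from the packet dumps in a log like the one above, to show which IKE exchanges actually appear on the wire. The function names are hypothetical, and the parser assumes the dump layout shown in the post (a "message will be sent to" or "===== received" line followed by `ipsec,debug,packet` hex lines).

```python
import re
import struct

# Exchange types: RFC 2408 section 3.1; Quick Mode (32) comes from RFC 2409.
EXCHANGE = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
START = re.compile(r"message will be sent to|===== received \d+ bytes from")
HEX_LINE = re.compile(r"ipsec,debug,packet ((?:[0-9a-f]{2}){1,4}(?: (?:[0-9a-f]{2}){1,4})*)$")

# Excerpt of the log posted above: one DPD probe, its reply, one NAT-T keepalive.
SAMPLE_LOG = """\
21:52:52 ipsec,debug 1 times of 96 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:52:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cea2c9d8 0000005c 15907233
21:52:52 ipsec,debug,packet 60febaaa dc6970a9 e9612846 95a87809 543ccde5 639ebf87 b4b0fc3f 02dc867a
21:52:52 ipsec,debug,packet 5ca2354c ca52cf96 a968672e 45c7ee15 3ac21d22 4d083d53 00940163
21:52:52 ipsec,debug ===== received 92 bytes from 87.xxx.xxx.xxx[4500] to 192.168.0.104[4500]
21:52:52 ipsec,debug,packet 7c8dbe7b 3ad2ff3f ae5e7dda 825a17d9 08100501 cea2c9d8 0000005c 137023c7
21:52:52 ipsec,debug,packet 8ea70679 45b3557f 54e68183 326b3088 0c102b96 595a804d 48a5f685 39842039
21:52:52 ipsec,debug,packet 7c706260 1b55a6e7 926547c1 4cc4385e ebeeace5 ce18cbe6 fd83f821
21:53:02 ipsec,debug 1 times of 1 bytes message will be sent to 87.xxx.xxx.xxx[4500]
21:53:02 ipsec,debug,packet ff
"""

def parse_isakmp_header(raw):
    """Decode cookies, next payload, version, exchange type, flags, message ID, length."""
    f = struct.unpack("!8s8sBBBBII", raw[:28])
    return {"exchange": EXCHANGE.get(f[4], f"type {f[4]}"),
            "encrypted": bool(f[5] & 0x01),          # flags bit 0 = encryption
            "message_id": f"{f[6]:08x}", "length": f[7]}

def isakmp_messages(log):
    """Return (direction, header) for every dumped packet that holds a full ISAKMP header."""
    out, direction, chunks = [], None, []
    for line in log.splitlines() + [""]:             # sentinel flushes the last dump
        hexes = HEX_LINE.search(line)
        if direction and hexes:
            chunks.append(hexes.group(1))
            continue
        if direction and chunks:
            raw = bytes.fromhex("".join(chunks))
            if len(raw) >= 28:                       # skips the 1-byte 0xff keepalive
                out.append((direction, parse_isakmp_header(raw)))
        direction, chunks = None, []
        start = START.search(line)
        if start:
            direction = "sent" if "sent" in start.group(0) else "received"
    return out

def saw_quick_mode(log):
    return any(hdr["exchange"] == "Quick Mode" for _dir, hdr in isakmp_messages(log))
```

On the excerpt this yields two encrypted Informational messages (the DPD probe and its acknowledgement) and no Quick Mode exchange.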