IPsec IKEv2 and multiple traffic selectors per SA

Hi all,

I interpret the section Traffic Selector Negotiation of RFC7296 to mean that I can use multiple local and remote traffic selectors for a single security association.

While reading the page on IPsec from the manual, I am not sure if this is possible with MikroTik and, if so, how.

Can anybody here shed some light on this?

Thanks and kind regards,
Mathias
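To make the RFC 7296 behaviour the question refers to concrete, here is an added example (my own illustration, not code from the original post, from MikroTik or from strongSwan): it encodes a TSr payload body carrying two selectors, decodes it back, and narrows it against a local policy; the `first_only` switch models the behaviour later posts in this thread report for RouterOS. Function names and sample prefixes are my own choices.

```python
"""Added example, not from the forum post: encode/decode the body of an IKEv2
Traffic Selector payload (RFC 7296 section 3.13) and apply the responder-side
narrowing of section 2.9 to a TSr that carries several selectors."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7  # TS Type value from RFC 7296 section 3.13.1

def ts_from_cidr(cidr, proto=0, ports=(0, 65535)):
    """One selector as (proto, start_port, end_port, start_ip, end_ip) with
    ports/IPs as integers; proto 0 and ports 0-65535 mean 'any'."""
    net = ipaddress.ip_network(cidr)
    return (proto, ports[0], ports[1], int(net[0]), int(net[-1]))

def encode_ts_payload(selectors):
    """Payload body: count (1 byte), 3 reserved bytes, then each substructure:
    type, proto, length (16 for an IPv4 range), port range, address range."""
    body = struct.pack("!B3x", len(selectors))
    for proto, p0, p1, a0, a1 in selectors:
        body += struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, proto, 16,
                            p0, p1, a0.to_bytes(4, "big"), a1.to_bytes(4, "big"))
    return body

def decode_ts_payload(data):
    count, off, out = data[0], 4, []
    for _ in range(count):
        ts_type, proto, length = struct.unpack_from("!BBH", data, off)
        if ts_type != TS_IPV4_ADDR_RANGE or length != 16:
            raise ValueError("only TS_IPV4_ADDR_RANGE is handled here")
        p0, p1, a0, a1 = struct.unpack_from("!HH4s4s", data, off + 4)
        out.append((proto, p0, p1, int.from_bytes(a0, "big"), int.from_bytes(a1, "big")))
        off += length
    return out

def narrow(proposed, policy, first_only=False):
    """Intersect every proposed selector with the local policy (RFC 7296 2.9).
    first_only=True models a responder that, as reported in this thread for
    RouterOS, only considers the first selector of the payload."""
    chosen = []
    for proto, p0, p1, a0, a1 in (proposed[:1] if first_only else proposed):
        for pol_proto, q0, q1, b0, b1 in policy:
            if proto and pol_proto and proto != pol_proto:
                continue  # different protocols never overlap
            lo, hi = max(a0, b0), min(a1, b1)
            lp, hp = max(p0, q0), min(p1, q1)
            if lo <= hi and lp <= hp:
                chosen.append((pol_proto or proto, lp, hp, lo, hi))
    return chosen
```

With a policy that covers both prefixes, full narrowing keeps both selectors in one CHILD_SA, while the first-only variant silently drops the second prefix, which is the symptom described further down in the thread.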

Hello.

I am also very interested in this topic, even so many years after this post.
If I do not understand the situation correctly and there is a more correct solution, then I will be very grateful for a hint on how to do this.


As far as I can tell, not yet. At least I was never able to achieve this when working with the StrongSwan server and mikrotik as client.
This all applies to the configuration where dynamic policies are based on the template 0.0.0.0/0.

I used a similar scheme with multiple prefixes in the traffic selector quite widely. But, of course, StrongSwan acted as both server and client. (Linux servers). And there were no problems with this. More precisely, in IKEv2 mode Mikrotik only accepts the first prefix in the traffic selector.
But if the connection is between Mikrotiks, then separate SAs are formed for each prefix specified in Split-Include.
Moreover, the wiki also notes that RouterOS only understands Split-Include. I have a feeling that IKE2 in Mikrotik is not fully finished. Or it was done in some strange way, using a piece of IKEv1. After all, if I understand correctly, then Split-Include is generally provided by an extension to IKE1 from Cisco Unity.
If I don’t understand correctly, I apologize and would be very grateful for clarification.

In order for this to somehow work when the server is StrongSwan, I had to switch to IKE 1. Since only this version supports the cisco unity extension, which is what this Split-Include extension provides.
But in this mode, firstly, for some reason, IPsec associations are not immediately established after the IKE association. It happens on the second attempt after 120 seconds (DPD timer). Or an interruption occurs when updating an association.
If there is a more correct solution, then I will be very grateful for a hint on how to do this.

This is my experience as well: RouterOS’s implementation relies on mode config with IKEv2 even where IKEv2 has a “native” solution.

Please send a feature request at help.mikrotik.com

I did it)!)))
I have achieved it by using the pool attribute "subnet" in strongSwan and an additional local_ts.
Mikrotik used this data from subnet to request an additional child_sa.
With *************** I have removed my server name and IP address.

Strongswan config

pools {
    ipsec-test {
        addrs = 192.168.254.2 - 192.168.254.99
        dns = 10.100.0.1
        subnet = 192.168.250.0/24
    }
}

connections {

    ipsec-test-ike2-pubkey-fqdn {
    
        version = 2
        send_cert = always
        pools = ipsec-test
        proposals = aes128-sha256-prfsha256-ecp256
        local {
            auth = pubkey
            id = test-resp-strswan.ipsec.test
            certs = test-resp-strswan.ipsec.test.crt
        }
        remote {
            auth = pubkey
            id = test-init-chr-vm.ipsec.test
        }
        children {
            ipsec-test-net {
                esp_proposals = aes128-sha256-prfsha256-ecp256
                local_ts = 10.100.0.1/32 #, 192.168.250.0/24
            }
            ipsec-test-net2 {
                esp_proposals = aes128-sha256-prfsha256-ecp256
                local_ts = 192.168.250.0/24
            }
        }
    }
}

Active IKE SA and Child SA

[admin@test_mikrotik] > ip/ipsec/policy/print detail  
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1   D  peer=ipsec-test-init tunnel=yes src-address=192.168.254.3/32 src-port=any dst-address=10.100.0.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.70.62 sa-dst-address=************** proposal=default 
        priority=0x20000 ph2-count=1 ph2-state=established 

 2   D  peer=ipsec-test-init tunnel=yes src-address=192.168.254.3/32 src-port=any dst-address=192.168.250.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.70.62 sa-dst-address=*********** proposal=default 
        priority=0x30000 ph2-count=1 ph2-state=established 
[admin@test_mikrotik] > ip/ipsec/installed-sa/print  detail      
Flags: S - seen-traffic; H - hw-aead; A - AH, E - ESP 
 0   E spi=0x8F1A17C src-address=*****************:4500 dst-address=192.168.70.62:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="b40cdf12c0b5f6867d414ab9f2859d0567d007f9e05fd9a4359dfdee597fbabb" 
       enc-key="df1aff9ed23f1d52363d24107bbe484c" add-lifetime=24m4s/30m5s replay=128 

 1   E spi=0xC050E1E5 src-address=192.168.70.62:4500 dst-address=****************:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="6b70b91b93624a856415b03584c5c7170ede72954c30af3b4e62ee4741f135d3" 
       enc-key="5b3fc110d79330c38f6b7eef8c352be3" add-lifetime=24m4s/30m5s replay=128 

 2   E spi=0x4347BE9 src-address=**************:4500 dst-address=192.168.70.62:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="312e1f4699eb5b178126b1d3d6e4474481d9505fdc9d0efed0cfc52f01b0c4f4" 
       enc-key="ebb6daab0b75315aeeb7d4a72613cd9d" add-lifetime=24m23s/30m29s replay=128 

 3   E spi=0xC0CE2051 src-address=192.168.70.62:4500 dst-address=*****************:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="177615a476ab7f34e20580b648f3def740067e5b49fa4a95a85b50b3af0d8eb7" 
       enc-key="abe01cf156fad8d4b5af4418803ad429" add-lifetime=24m23s/30m29s replay=128

Mikrotik config

[admin@test_mikrotik] > ip ipsec/export hide-sensitive verbose  
# 2023-11-01 08:58:44 by RouterOS 7.11.2
# software id = 
#
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 hash-algorithm=sha256 lifetime=1h name=default nat-traversal=yes proposal-check=obey
/ip ipsec peer
add address=********************* comment=ipsec-test disabled=no exchange-mode=ike2 name=ipsec-test-init profile=default send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=no enc-algorithms=aes-128-cbc lifetime=30m name=default pfs-group=ecp256
/ip ipsec identity
add auth-method=digital-signature certificate=test-init-chr-vm.ipsec.test.pfx_0 comment=ipsec-test-init disabled=no generate-policy=port-strict mode-config=request-only my-id=fqdn:test-init-chr-vm.ipsec.test peer=ipsec-test-init
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no

I have noticed this problem as well, but I sort of assumed that it was caused by the other side (Android, ChromeOS).
I have tried to configure IKEv2 with split include, but like you I experienced that only the first prefix works.