IPSec in-template-mismatches just increases

Hello,

I’m struggling to get a site-to-site IPSec VPN working. Packets that I expect to run over the IPSec tunnel session just cause the in-template-mismatches statistics counter to increase.

Anyone know what that statistics counter means? Or what is an in-template?

In case anyone wonders about my config:

/ip ipsec peer
add address=1.2.3.4/32 dh-group=modp1024 enc-algorithm=3des nat-traversal=no secret=snip
/ip ipsec policy
add dst-address=192.168.1.30/32 level=unique proposal=lantec sa-dst-address=1.2.3.4 sa-src-address=4.3.2.1 src-address=10.10.0.0/24 tunnel=yes
add dst-address=10.10.0.0/24 level=unique proposal=lantec sa-dst-address=4.3.2.1 sa-src-address=1.2.3.4 src-address=192.168.1.30/32 tunnel=yes
/ip ipsec proposal
add enc-algorithms=3des lifetime=1h name=lantec
/ip firewall nat
add action=accept chain=srcnat comment=Lantec dst-address=192.168.1.30 src-address=10.10.0.0/24 place-before=0

RouterOS 6.40.1.

Likely the src/dst addresses of your packets don’t match your policy (dst-address=192.168.1.30/32 src-address=10.10.0.0/24).
I recommend using a tunnel interface (GRE or IPIP) over IPsec transport instead of using an IPsec tunnel.

That’s what I thought as well. However, they do match, at least /tool sniffer confirms as much.

Good idea, especially since IPSec traffic to/from the MikroTik itself does work. It’s just forwarded traffic that gets dropped. I’m not sure I’ll be able to convince the other side of the IPSec session to change their config though, so I welcome any other suggestions, please.

Remove the policy that has the “wrong direction”. (There are 2 policies, but of course each of them belongs to another endpoint.)

That seems to have fixed things. Thank you!

To be clear, I disabled this policy rule:

add dst-address=10.10.0.0/24 level=unique proposal=lantec sa-dst-address=4.3.2.1 sa-src-address=1.2.3.4 src-address=192.168.1.30/32 tunnel=yes

It was added to match packets inbound from the peer. It’s fairly standard for an IPSec policy to be bi-directional on other platforms. It seems wacky that on RouterOS a policy rule that can only match inbound packets ends up preventing outbound packets from matching the outbound rule?

I know some IPsec software requires separate policies for IN and OUT (and even FORWARD, although that normally is a no-op), but in RouterOS those 2 policy rules are generated from a single policy statement. That is of course part of the effort of RouterOS to make it easier to manage the underlying Linux software. You can remove the other line.