IPSec Installed-sa

I need help. I need to replace a NETGEAR FVG318 router with a Mikrotik RouterBOARD.
I need help transferring the IPSec VPN configuration to the Mikrotik IPSec configuration.


Netgear router connects fine, here are the logs:

2011-02-22 : INFO:  Flushing SAs for peer "XXX.XXX.dest.ip" with spi 1422077629
2011-02-22 : INFO:  Sending Informational Exchange: delete payload[]
2011-02-22 : INFO:  accept a request to establish IKE-SA: XXX.XXX.dest.ip
2011-02-22 : INFO:  Configuration found for XXX.XXX.dest.ip.
2011-02-22 : INFO:  Initiating new phase 2 negotiation: XXX.XXX.source.ip[500]<=>XXX.XXX.dest.ip[0]
2011-02-22 : WARNING:  attribute has been modified.
2011-02-22 : INFO:  IPsec-SA established: ESP/Tunnel XXX.XXX.dest.ip->XXX.XXX.source.ip with spi=26990430(0x19bd75e)
2011-02-22 : INFO:  IPsec-SA established: ESP/Tunnel XXX.XXX.source.ip->XXX.XXX.dest.ip with spi=1422077659(0x54c32edb)

So it looks like this:

  1. Netgear uses ESP (and not AH) -> not sure about that; it looks like ESP from the Netgear log (above)
  2. It uses tunneling

IKE POLICY:
  3. From the configuration menu I can read that it uses SHA-1 for authentication and 3DES for encryption
  4. It uses a pre-shared key (“_some_random_key”)
  5. DH group = 2 (1024)
  6. SA lifetime 28800
  7. It uses Aggressive mode
  8. It uses User-FQDN: user@domain.de
  9. Direction: Both

  10. Local net: 192.168.88.0/24
  11. Remote net: 172.16.0.0/16
  12. Remote IP has a fixed XXX.XXX.destin.IP
  13. Local public IP, fixed: XXX.XXX.source.IP

I have read all the configuration data from the NETGEAR. I am using RouterOS v5.rc10.
The reason for v5 is the my-id-user-fqdn parameter of /ip ipsec peer.

I have transferred all the data to the Mikrotik, but I am still unable to connect to the server with the Mikrotik router.



Question 1: Is SHA-1 (Netgear) = SHA on Mikrotik (note the “-1”)?
Question 2: Log entry error: “malformed cookie received or the spi expired.” - any ideas???


Here are the log entries from the Mikrotik router while trying to ping the remote local IP (through the IPSec tunnel):

13:48:54 ipsec,debug,packet agreed on pre-shared key auth.
---
13:48:54 ipsec,debug,packet hashtype = SHA:SHA
13:48:54 ipsec,debug,packet authmethod = pre-shared key:pre-shared key
13:48:54 ipsec,debug,packet dh_group = 1024-bit MODP group:1024-bit MODP group
13:48:54 ipsec,debug,packet an acceptable proposal found.
13:48:54 ipsec,debug,packet hmac(modp1024)
13:48:54 ipsec,debug,packet agreed on pre-shared key auth.
13:48:54 ipsec,debug,packet compute DH's shared.
-----------
13:48:54 ipsec,debug,packet the psk found.
----------
13:48:54 ipsec,debug,packet hmac(hmac_sha1)
13:48:54 ipsec,debug,packet SKEYID computed:
--------
13:48:54 ipsec,debug,packet SKEYID_d computed:
---------
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet hash(sha1)
13:48:54 ipsec,debug,packet len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
13:48:54 ipsec,debug,packet hmac(hmac_sha1)
13:48:54 ipsec,debug,packet compute intermediate encryption key K1
--------
13:48:54 ipsec,debug,packet hmac(hmac_sha1)
13:48:54 ipsec,debug,packet compute intermediate encryption key K2
--------
13:48:54 ipsec,debug,packet final encryption key computed:
--------
13:48:54 ipsec,debug,packet hash(sha1)
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet IV computed:
13:48:54 ipsec,debug,packet b7fb7a7c 61dd2a4d
13:48:54 ipsec,debug,packet HASH received:
--------
13:48:54 ipsec,debug,packet 931dc71c 9617ddf0 7d61e4f0 c0fcca62 ec44e13b
13:48:54 ipsec,debug HASH mismatched  <===================ERROR???
--------
13:48:54 ipsec,debug,packet compute IV for phase2
13:48:54 ipsec,debug,packet phase1 last IV:
--------
13:48:54 ipsec,debug,packet begin encryption.
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet pad length = 4
13:48:54 ipsec,debug,packet 0b000018 fb989a3c 0f857486 e5dd2d07 abdb295a 4433872f 0000000c 00000001
13:48:54 ipsec,debug,packet 01000017 39ef5c03
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet with key:
13:48:54 ipsec,debug,packet ca99acd9 06c61209 0d781c6b 86441f45 35da3153 fd857775
13:48:54 ipsec,debug,packet encrypted payload by IV:
13:48:54 ipsec,debug,packet 2a57c310 cff42242
13:48:54 ipsec,debug,packet save IV for next:
13:48:54 ipsec,debug,packet 628aac96 5e4f94b6
13:48:54 ipsec,debug,packet encrypted.
-------

ipsec,debug phase1 negotiation failed due to time up.

"malformed cookie received or the spi expired." repeats every few seconds.

  1. Yes, SHA in MikroTik is SHA-1, so that's not the problem.

  2. I have no experience with aggressive mode and the use of FQDN, so I can't advise you on that, but ‘debug HASH mismatched’ sounds like some of the shared information between the two routers, like PSK, IP and/or FQDN, doesn't add up.

Would that happen because of one of two possible reasons?

  1. Mismatched password?
  2. Old Netgear router is still connected and new router cannot connect until the old one is disconnected?

Yes to both, especially the second. But both should be easy to test. Try using a wrong PSK and see if the messages change.
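Editor's note: the following is an added RouterOS v5-style configuration written for this page; it is not from the original thread or from MikroTik's documentation. It maps the Netgear parameters listed in the first post (aggressive mode, PSK, User-FQDN identity, 3DES/SHA-1, DH group 2, 28800 s lifetime, ESP in tunnel mode between 192.168.88.0/24 and 172.16.0.0/16) onto /ip ipsec peer, proposal and policy. The placeholder addresses and the secret are the ones from the post and must be replaced. Assumed, because the post does not say: that the Netgear VPN (phase 2) policy uses the same 3DES/SHA-1 algorithms with the same lifetime, and whether PFS is enabled (set below to group 2; use pfs-group=none if the Netgear VPN policy has PFS off). In aggressive mode with pre-shared keys, the HASH payload covers the peer identities and a key derived from the PSK, so "HASH mismatched" follows from any difference in the secret or the IDs; changing the secret to a deliberately wrong value, as the last reply suggests, is the quick way to confirm whether the message is tied to the key.

```routeros
# Added example for this page, not code from the original thread.
# Phase 1 (IKE): aggressive mode, pre-shared key, User-FQDN identity,
# 3DES / SHA-1, DH group 2 (modp1024), lifetime 28800 s = 8h.
# Placeholders XXX.XXX.dest.ip, XXX.XXX.source.ip and the secret come
# from the post and must be replaced with the real values.
/ip ipsec peer
add address=XXX.XXX.dest.ip/32 auth-method=pre-shared-key \
    secret="_some_random_key" exchange-mode=aggressive \
    my-id-user-fqdn=user@domain.de \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 \
    lifetime=8h send-initial-contact=yes

# Phase 2 proposal: ESP with 3DES / SHA-1 (the Netgear log shows
# "ESP/Tunnel"). Assumption: same algorithms and lifetime as phase 1;
# pfs-group is assumed, change to none if the Netgear VPN policy has PFS off.
/ip ipsec proposal
add name=netgear-site auth-algorithms=sha1 enc-algorithms=3des \
    lifetime=8h pfs-group=modp1024

# Policy: tunnel mode between the two LANs, using the fixed public IPs
# as the SA endpoints. "Direction: Both" on the Netgear corresponds to
# a single encrypt policy here, which matches traffic in both directions.
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=172.16.0.0/16 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=XXX.XXX.source.ip sa-dst-address=XXX.XXX.dest.ip \
    proposal=netgear-site

# Keep LAN-to-LAN traffic out of source NAT, otherwise the packets are
# rewritten to the public IP before the policy can match them.
# Assumption: a masquerade rule already exists for Internet access.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=172.16.0.0/16 \
    action=accept place-before=0
```

Two checks after loading this: /ip ipsec installed-sa print should show a pair of ESP SAs with the two public IPs once phase 2 completes, and /log print with ipsec,debug enabled should stop at "an acceptable proposal found" followed by the phase 2 negotiation rather than "HASH mismatched". If the old Netgear is still registered with the remote peer under the same User-FQDN, the remote side may keep answering the stale SA, so disconnect it before testing.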