Hi,
I just bought a new CRS125-24G-1S-2HnD and upgraded to ros6.7 (after 6.5 failed in phase1 for no reason, seemingly). It was going to replace a Draytek 2920 which is failing due to a lightning strike (only 1 WAN and 1 LAN port work now). Now, the issue is IPsec, which works perfectly fine with the Draytek but fails on many levels with MikroTik. The setup is star shaped, with a main office and 4 branches; I am currently testing with one. The branches also have Drayteks, and there is no plan on changing those yet.
MT (Draytek2920 earlier) <== INTERNET ==> Draytek2110
Issue 1,
The connection is quite unstable and there is something like an MSS issue. About every minute the SA is renewed, although both sides set the same lifetimes, 8 and 1 hours. This results only in 1 ping loss every minute and does not always happen; sometimes it works for hours without starting, then every minute for an hour.
The more pressing issue is that an http page available through the VPN is not working - sometimes loading half, sometimes not at all, a typical MSS issue. Tried lowering the MSS through mangle to 1200 (no result at all), 1300 (same result) and to 1394, which I got from the ping don't-fragment method, but no change.
Draytek - no instability, days go by without reconnecting, the SA stays until actually expiring; http works fine, loads nicely.
Issue 2,
IPsec passthrough? From behind the main office router we use some user-level IPsec connections too. E.g. I have to connect to a company using vpnc with PSK+XAuth. With the Draytek there is no issue; with MikroTik I get "expected xauth packet; rejected: (ISAKMP_N_PAYLOAD_MALFORMED)(16)" error. Turned off all firewall filter rules. The Windows client says no response.
###########
[kosztyua@MikroTik] > /ip ipsec export
dec/11/2013 12:55:30 by RouterOS 6.7
software id = ***
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=des,3des,aes-128-cbc,aes-192-cbc,aes-256-cbc,blowfish,twofish,camellia-128,camellia-192,camellia-256 lifetime=1h pfs-group=none
/ip ipsec peer
add address=.../32 comment="draytek - 1" generate-policy=port-override hash-algorithm=md5 lifetime=8h secret=***** send-initial-contact=no
[kosztyua@MikroTik] > /ip firewall filter export
dec/11/2013 12:55:57 by RouterOS 6.7
software id = ***
/ip firewall filter
add action=drop chain=input comment=blacklist src-address-list=blacklist
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=ipsec dst-port=500 protocol=udp
add chain=input comment=ipsec disabled=yes protocol=ipsec-esp
add chain=input comment=ipsec disabled=yes protocol=ipsec-ah
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add chain=forward dst-port=500 protocol=udp
add chain=forward dst-port=4500 protocol=udp
add chain=forward dst-port=49000 protocol=udp
add chain=forward protocol=ipsec-esp
add chain=forward protocol=ipsec-ah
[kosztyua@MikroTik] > /ip firewall nat export
dec/11/2013 12:56:30 by RouterOS 6.7
software id = ***
/ip firewall nat
add chain=srcnat dst-address=192.168.105.0/24 src-address=192.168.1.0/24
add chain=srcnat dst-address=192.168.106.0/24 src-address=192.168.1.0/24
add chain=srcnat dst-address=192.168.102.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="ut" dst-port=12375 protocol=tcp to-addresses=192.168.1.17
add action=dst-nat chain=dstnat comment="ovpn" dst-port=12443 protocol=tcp to-addresses=192.168.1.17
[kosztyua@MikroTik] > /ip firewall mangle export
dec/11/2013 13:01:36 by RouterOS 6.7
software id = ***
/ip firewall mangle
add action=change-mss chain=forward disabled=yes dst-address=192.168.105.0/24 new-mss=1360 protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1360
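An added example to go with the MSS question in Issue 1 (it is not the poster's code and not a MikroTik tool): it computes the ESP tunnel-mode overhead for the ciphers and HMACs listed in the exported proposal and derives the largest TCP MSS that still fits a given outer path MTU. The ESP field sizes, the 40-byte inner IPv4+TCP header, the 1500-byte sample MTU and the function names are assumptions, not values from the post.

```python
# Added example (not from the forum post): estimate the largest TCP MSS that
# still fits an IPsec ESP tunnel-mode packet into the outer path MTU, for the
# ciphers and HMACs listed in the poster's /ip ipsec proposal. Assumptions:
# ESP tunnel mode over IPv4 (RFC 4303), HMAC-MD5-96 / HMAC-SHA1-96 (12-byte
# ICV), inner IPv4 + TCP headers without options (40 bytes), no ESN.

CIPHER_BLOCK = {           # CBC block size == IV length, in bytes
    "des": 8, "3des": 8, "blowfish": 8,
    "aes-128-cbc": 16, "aes-192-cbc": 16, "aes-256-cbc": 16,
    "twofish": 16, "camellia-128": 16, "camellia-192": 16, "camellia-256": 16,
}
ICV_LEN = {"md5": 12, "sha1": 12}   # truncated HMAC (RFC 2403 / RFC 2404)
OUTER_IP = 20      # new IPv4 header added by tunnel mode
UDP_ENCAP = 8      # NAT-T UDP/4500 encapsulation (RFC 3948)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_tunnel_size(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    block = CIPHER_BLOCK[cipher]
    body = inner_len + ESP_TRAILER
    padded = -(-body // block) * block          # CBC: round up to a block multiple
    size = OUTER_IP + ESP_HDR + block + padded + ICV_LEN[auth]
    return size + UDP_ENCAP if nat_t else size


def max_tcp_mss(path_mtu, cipher, auth, nat_t=False, inner_hdrs=40):
    """Largest TCP MSS whose segment, once encapsulated, does not exceed path_mtu."""
    mss = path_mtu - inner_hdrs     # never larger than a plain, untunnelled segment
    while mss > 0 and esp_tunnel_size(inner_hdrs + mss, cipher, auth, nat_t) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # Sample run over two ciphers from the proposal, with and without NAT-T.
    for cipher in ("3des", "aes-128-cbc"):
        for nat_t in (False, True):
            print(f"{cipher:12s} nat-t={nat_t!s:5s} max MSS at MTU 1500: "
                  f"{max_tcp_mss(1500, cipher, 'sha1', nat_t)}")
```

Because of CBC padding the limit moves in steps of the cipher block size, so a clamp that is only a few bytes too high still yields packets that exceed the outer MTU.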