IPSEC issues (port 500 failed to bind)

I am trying to set up an IPSEC connection to google cloud VPN, however it fails to connect. I have tried all sorts of firewall configurations to no avail (NAT, mangle, filter).

When looking into the ipsec logs, I found the following entry which caught my attention:
failed to bind to ::[500] Bad file descriptor

This happens when I enable the IPSEC peer configuration (there is only 1 available).

I can see packets coming in from google cloud VPN.

Any idea why port 500 cannot be bound for listening? Could this be the reason why the IPSEC SA is not created?

Mikrotik v6.42.3

May/27/2018 15:08:51 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=19)
May/27/2018 15:08:51 ipsec,debug 0.0.0.0[4500] used as isakmp port with NAT-T (fd=21)
May/27/2018 15:08:54 ipsec,debug failed to bind to ::[500] Bad file descriptor
May/27/2018 15:08:55 ipsec ike2 initialize send for: Y.Y.Y.Y
May/27/2018 15:08:56 ipsec adding payload: NOTIFY
May/27/2018 15:08:56 ipsec => (size 0x1c)
May/27/2018 15:08:56 ipsec adding payload: NOTIFY
May/27/2018 15:08:56 ipsec => (size 0x1c)
May/27/2018 15:08:56 ipsec adding payload: NONCE
May/27/2018 15:08:56 ipsec => (size 0x1c)
May/27/2018 15:08:56 ipsec adding payload: KE
May/27/2018 15:08:56 ipsec => (first 0x100 of 0x108)
May/27/2018 15:08:56 ipsec adding payload: SA
May/27/2018 15:08:56 ipsec => (size 0x50)
May/27/2018 15:08:56 ipsec,debug ===== sending 456 bytes from X.X.X.X[4500] to Y.Y.Y.Y[4500]
May/27/2018 15:08:56 ipsec,debug 1 times of 460 bytes message will be sent to Y.Y.Y.Y[4500]
May/27/2018 15:09:04 ipsec ike2 init retransmit
May/27/2018 15:09:04 ipsec,debug ===== sending 456 bytes from X.X.X.X[4500] to Y.Y.Y.Y[4500]
May/27/2018 15:09:04 ipsec,debug 1 times of 460 bytes message will be sent to Y.Y.Y.Y[4500]

This is not the reason for your trouble (unless you did use IPv6, which doesn’t seem to be the case given that you’ve replaced real addresses with X.X.X.X rather than something like X:X:X).

At start, and unless a specific local address is specified for each peer configured, the IPsec process binds to ports 500 and 4500 on all local addresses, which means 0.0.0.0 for IPv4 and ::0 for IPv6.

So if you need assistance, take the output of /export hide-sensitive and the output of /log print where topics~"ipsec", paste both into a text editor and use "find & replace" to replace each occurrence of every public IP you don’t want to publish with a meaningful string such as my.public.ip.1. Then post the result here.
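The find-and-replace step described in the reply above can be scripted so that every public IPv4 address gets the same placeholder everywhere it occurs. This is an added example, not part of the original thread; the function name `redact_public_ips`, the list of kept ranges and the sample text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Ranges left untouched: they are not publicly routable and helpers need them
# to follow the NAT/routing setup (unspecified, RFC 1918, CGNAT, loopback,
# link-local, multicast/reserved incl. netmasks such as 255.255.255.0).
KEEP = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Candidate dotted quads; a trailing "/30" or "[4500]" is left outside the match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")

def redact_public_ips(text, prefix="my.public.ip."):
    """Return (redacted_text, mapping) with one stable placeholder per address."""
    mapping = {}

    def substitute(match):
        literal = match.group(1)
        try:
            addr = ipaddress.IPv4Address(literal)
        except ipaddress.AddressValueError:
            return literal            # e.g. 300.1.1.1 is not an address
        if any(addr in net for net in KEEP):
            return literal
        if literal not in mapping:
            mapping[literal] = f"{prefix}{len(mapping) + 1}"
        return mapping[literal]

    return IPV4_RE.sub(substitute, text), mapping

# Constructed sample (documentation-range addresses stand in for real public
# IPs), shaped like the /export and /log output requested in the thread.
SAMPLE = """\
/ip address add address=203.0.113.10/30 interface=ether1
/ip address add address=192.168.88.1/24 interface=bridge
/ip ipsec peer add address=198.51.100.7/32 exchange-mode=ike2
15:08:56 ipsec,debug ===== sending 456 bytes from 203.0.113.10[4500] to 198.51.100.7[4500]
15:08:51 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=19)
"""

if __name__ == "__main__":
    redacted, mapping = redact_public_ips(SAMPLE)
    print(redacted)
    print(mapping)  # keep this mapping private; it reverses the redaction
```

Because the mapping is consistent, the posted configuration and log can still be matched against each other.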