mozerd
October 3, 2018, 2:38pm
1
One year ago I configured my CCR1009 using IPsec with mode config. This VPN has been working flawlessly.
On my iPhone6 I have an app called File Explorer that I use to access my files residing on my NAS. This has been working very nicely for the longest time.
Since using Firmware 6.43.2 my File Explorer App can no longer access my NAS remotely.
While connected to the VPN, the strange part to me is that when I ping my NAS IPv4 address from my iPhone6 I now get a reply with an IPv6 address? And the IPv6 address that it replies with is not the same IPv6 address assigned by the router for the NAS?
Can anyone please shed some light on this strange behavior.
mozerd
October 4, 2018, 12:05pm
2
Showing example: IPv4 address, BUT the host is shown as an IPv6 address, plus the IPv6 address shown is wrong???
mozerd
October 4, 2018, 12:18pm
3
IPsec mode-config code follows:
# oct/03/2018 08:35:40 by RouterOS 6.44beta14
# software id = 1TLQ-B555
#
# model = CCR1009-7G-1C-1S+
# serial number = noyb
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no
add address-pool=ipsec-RW address-prefix-length=24 name=RW-cfg split-include=\
192.168.10.0/24,192.168.40.0/24 system-dns=yes
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha1 \
lifetime=1d name=default nat-traversal=yes proposal-check=obey
add dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 \
enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=1d name=proposal_1 \
nat-traversal=yes proposal-check=obey
/ip ipsec policy group
set [ find default=yes ] name=default
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no \
enc-algorithms=aes-256-cbc,aes-256-ctr lifetime=8h name=default \
pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth disabled=no \
exchange-mode=main generate-policy=port-strict mode-config=RW-cfg \
passive=yes policy-template-group=RoadWarrior profile=proposal_1 secret=\
"mysecretpw" send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
all src-address=::/0 template=yes
add disabled=no dst-address=192.168.90.0/24 group=RoadWarrior proposal=\
default protocol=all src-address=192.168.10.0/24 template=yes
add disabled=no dst-address=192.168.90.0/24 group=RoadWarrior proposal=\
default protocol=all src-address=192.168.40.0/24 template=yes
/ip ipsec user
add name=helloworld password="mysecretpw"
/ip ipsec user settings
set xauth-use-radius=no
mozerd
October 5, 2018, 10:03am
4
Showing strange ping response from iPhone and iOS 12 … and I have zero idea who that IPv6 address belongs to.
And where is your IPv6 config on routerboard?
mozerd
October 5, 2018, 10:50am
6
Thanks for looking @Anumrak . IPv6 config follows:
# mar/15/2018 07:29:49 by RouterOS 6.42rc43
# software id = 1TLQ-B555
#
# model = CCR1009-7G-1C-1S+
# serial number = noyb
/ipv6 address add from-pool=rogers-ipv6 interface=vlan10
/ipv6 address add from-pool=rogers-ipv6 interface=vlan20
/ipv6 address add from-pool=rogers-ipv6 interface=vlan40
/ipv6 dhcp-client add add-default-route=yes comment="delegate ISP-assigned prefix" interface=ether1 pool-name=rogers-ipv6 prefix-hint=::/56 request=address,prefix
/ipv6 firewall filter add action=accept chain=input comment=established connection-state=established in-interface=ether1
/ipv6 firewall filter add action=accept chain=input comment=related connection-state=related in-interface=ether1
/ipv6 firewall filter add action=accept chain=input comment=icmp in-interface=ether1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment=dhcpv6 dst-port=546 in-interface=ether1 protocol=udp
/ipv6 firewall filter add action=drop chain=input comment="drop input" in-interface=ether1
/ipv6 firewall filter add action=accept chain=forward comment=established connection-state=established in-interface=ether1
/ipv6 firewall filter add action=accept chain=forward comment=related connection-state=related in-interface=ether1
/ipv6 firewall filter add action=accept chain=forward comment=icmp in-interface=ether1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment=SSH dst-port=XXXX in-interface=ether1 protocol=tcp
/ipv6 firewall filter add action=drop chain=forward comment="drop forward" in-interface=ether1
/ipv6 nd set [ find default=yes ] advertise-dns=yes disabled=yes interface=ether1 mtu=1500 ra-lifetime=none reachable-time=5m
/ipv6 nd add advertise-dns=yes hop-limit=64 interface=vlan10 reachable-time=5m
/ipv6 nd add advertise-dns=yes hop-limit=64 interface=vlan20 reachable-time=5m
/ipv6 nd add advertise-dns=yes hop-limit=64 interface=vlan40 reachable-time=5m
/ipv6 nd prefix default set preferred-lifetime=4h valid-lifetime=4h
/ipv6 settings set accept-router-advertisements=yes
Do you have this network configured on your vlan interfaces? 2604:5580…?
mozerd
October 5, 2018, 1:05pm
8
No.
I have absolutely no idea where this address is coming from and am very surprised by an IPv6 response to an IPv4 ping query. I have not had an IPv6 response to an IPv4 ping before.
The NAS sits on VLAN10 and is assigned 192.168.10.15 for IPv4 and a 2607:xx IPv6 address.
Just a reminder that this all was working properly prior to 6.43.x … no changes to config … the only changes are firmware updates for the CCR1009 and iOS updates for the iPhone.
mrz
October 5, 2018, 1:51pm
9
Router cannot respond to IPv4 pings with IPv6 packets. Run the packet sniffer and see exactly what packet you are receiving; my guess is that the phone is sending an IPv6 packet, not IPv4.
So how do you know that the fault is with RouterOS 6.43.x and not with iOS 12?
If you try a device with iOS 11 still on it, does it do the same thing?
What happens if you try to use the VPN over Wi-Fi instead of over Rogers LTE?
– Nathan
mozerd
October 5, 2018, 2:12pm
11
So how do you know that the fault is with RouterOS 6.43.x and not with iOS 12?
If you try a device with iOS 11 still on it, does it do the same thing?
What happens if you try to use the VPN over Wi-Fi instead of over Rogers LTE?
– Nathan
Very good questions @NathanA . I am trying to get my hands on an Apple iPhone or iPad with iOS 11 to test.
I have not yet tested Wi-Fi … only cellular. Will test Wi-Fi later tonight.
@mrz – Will use sniffer soon …
mozerd
October 5, 2018, 6:21pm
12
Problem is SOLVED
It seems that my MOAB blacklist and the RAW firewall rule were the issue. Deleted the rule and created the drop rule for the blacklist under IP Filter, and that solved the VPN issue.
Using RAW has significant implications – some of which I obviously did not comprehend – very glad I trapped that one. The implication was tied to my VPN and the range of addresses used by Rogers, which also included bogon addresses that I was using.
Everything back to normal now.
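The root cause in the post above was a blacklist drop rule that also matched the carrier's address range used by the VPN client. As an added example (not from this thread, MikroTik, or the poster), the Python script below parses a constructed RouterOS-style address-list export and reports which entries would match a given client source address, so an administrator can check a blacklist against a VPN peer's address before applying a drop rule on it. The list name "MOAB" is taken from the thread; the entries and the client addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample export: a bogon-style blacklist named MOAB (entries are
# placeholders, not the poster's real list) plus the raw drop rule on it.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=0.0.0.0/8 comment="this network" list=MOAB
add address=10.0.0.0/8 comment="rfc1918" list=MOAB
add address=100.64.0.0/10 comment="shared address space (CGNAT)" list=MOAB
add address=198.51.100.0/24 comment="TEST-NET-2" list=MOAB
add address=224.0.0.0/4 comment="multicast" list=MOAB
/ip firewall raw
add action=drop chain=prerouting src-address-list=MOAB
"""

ADDR_RE = re.compile(r'\baddress=(\S+)')
LIST_RE = re.compile(r'\blist=(\S+)')


def parse_address_lists(export_text):
    """Return {list_name: [ip_network, ...]} from an export fragment.

    Only lines under /ip firewall address-list are read; key order on the
    'add' line does not matter, matching how RouterOS exports look.
    """
    lists = {}
    section = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            section = line
            continue
        if section != '/ip firewall address-list' or not line.startswith('add '):
            continue
        addr, lst = ADDR_RE.search(line), LIST_RE.search(line)
        if addr and lst:
            net = ipaddress.ip_network(addr.group(1), strict=False)
            lists.setdefault(lst.group(1), []).append(net)
    return lists


def matching_entries(lists, list_name, client_ip):
    """Entries of list_name that contain the VPN client's source address."""
    ip = ipaddress.ip_address(client_ip)
    return [str(n) for n in lists.get(list_name, []) if ip in n]


def would_be_dropped(export_text, list_name, client_ip):
    """True if a src-address-list drop on list_name would hit this client."""
    return bool(matching_entries(parse_address_lists(export_text), list_name, client_ip))
```

Run `would_be_dropped(SAMPLE_EXPORT, "MOAB", "<client address>")` against the address your phone actually presents to the router; a True result means the blacklist would silently eat the IKE/ESP traffic.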