IPSEC - one way SPI SA not installed

I’m trying to create an IPsec VPN tunnel between a MikroTik and a Cisco router.
It seems that the SPI SA in the direction MikroTik → Cisco is installed fine, but the
SPI SA in the direction Cisco → MikroTik is not installed (there is no addtime).

[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x382B108 src-address=192.168.10.200 dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="adc4c7acfdbf86e3a9750c0e0a81f569"
enc-key="d3e54e4f122fc8920e651aec4157afd887b
addtime=feb/10/2014 22:12:58 expires-in=27m5
current-bytes=60

1 E spi=0xF778A1E src-address=190.X.X.X dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="448e14a463e062902f5d70507b1dbbcb"
enc-key="74309e284428767f831c42f833544d147b7
add-lifetime=24m/30m
[admin@MikroTik] /ip ipsec installed-sa>

Does anyone know what can cause this and how to fix it?

Regards.

Need to see the export and the settings from the Cisco. Could be a wide variety of stuff. Any errors? Did you try turning on ipsec debugging to the log and seeing if there are errors?

Hi efaden,
These are the settings on the cisco:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TS esp-3des esp-md5-hmac 
!
crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS 
 match address VPN1-TRAFFIC
!
!
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn 

ip access-list extended VPN1-TRAFFIC
 permit ip 10.32.0.0 0.0.255.255 192.168.10.0 0.0.0.255

There are no errors in the logs.

Regards.

I’m getting the same problem when trying to connect the MikroTik to a pfSense firewall.
On the side of the Cisco and pfSense there are no errors displayed.
The only problem I see is that the SA is not installed on the Mikrotik.

Regards.

Post your export. Did you try turning on debugging?


Hi Efaden,
When you say export are you looking for the ipsec configuration?

/ip firewall nat
add chain=srcnat dst-address=10.32.0.0/16 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
    out-interface=ether1-gateway
add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
/ip ipsec peer
add address=190.X.X.X/32 enc-algorithm=3des hash-algorithm=md5 secret=\
    PASSWORD send-initial-contact=no
/ip ipsec policy
add dst-address=10.32.0.0/16 sa-dst-address=190.X.X.X sa-src-address=\
    0.0.0.0 src-address=192.168.10.0/24 tunnel=yes

I tried turning on debugging, but I didn’t see anything that looks suspicious in the log window.

Regards.

sa-src-address=0.0.0.0

SA-Src-Address should be set to your public (WAN) IP, and this NAT rule is not necessary:

add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16

BTW, you didn’t post your ‘IPSec/Proposal’ settings.

HTH,

I’m using a 3G stick for WAN that does not have a fixed IP address. That’s why I used 0.0.0.0 for source.

Here is the proposal setting:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d

I’m using a 3G stick for WAN that does not have a fixed IP address. That’s why I used 0.0.0.0 for source.

It’s possible to read the WAN IP address and set it in ‘IPSec/Policy’ using a script.

Regards,

That’s what I do…

The 3G stick gets a private address from the provider that is then NATed to a public address.

I tried to connect the MikroTik through a LAN cable to my home router. With the above setup (sa-src-address=0.0.0.0) the IPsec did work. So the MikroTik was behind NAT (my OpenWRT router) and IPsec formed with sa-src-address=0.0.0.0.

As a test I also tried to connect the MikroTik to a pfSense box and also got the problem with the SA (using the USB stick and also when using a LAN cable behind my home router).

I think you need to script the IP into the SA. Never tried this setup though.
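A RouterOS script that does what the last two replies suggest (read the WAN address and write it into the policy's sa-src-address), added here as an example; it is not code from any post in this thread. It assumes the 3G stick shows up as interface ppp-out1 and that the policy to update is the one with dst-address=10.32.0.0/16 from the export above; both names are assumptions and must match your box. It takes the address currently assigned to that interface, which is the address the MikroTik itself uses as the local end of the SA; with the stick behind provider NAT that is the private, provider-assigned address, and the peer then has to accept NAT traversal.

```routeros
# Added example, not from the thread. Assumed names: WAN interface "ppp-out1",
# IPsec policy selected by dst-address=10.32.0.0/16 (from the export above).
# Save this as a /system script named ipsec-sa-src, then schedule it with:
#   /system scheduler add name=ipsec-sa-src interval=30s on-event=ipsec-sa-src
:local wanIf "ppp-out1"

# Bail out if the 3G link is down or has no address yet
:if ([:len [/ip address find interface=$wanIf]] = 0) do={
    :log warning "ipsec-sa-src: no address on $wanIf"
    :error "no WAN address"
}

# "address" comes back as ip/prefix; strip the prefix and convert to an IP value
:local wanAddr [/ip address get [/ip address find interface=$wanIf] address]
:local wanIp [:toip [:pick $wanAddr 0 [:find $wanAddr "/"]]]

:local policyId [/ip ipsec policy find dst-address=10.32.0.0/16]

# Only rewrite the policy when the address really changed, so the existing SA
# is not torn down on every scheduler run
:if ([/ip ipsec policy get $policyId sa-src-address] != $wanIp) do={
    /ip ipsec policy set $policyId sa-src-address=$wanIp
    :log info "ipsec-sa-src: sa-src-address set to $wanIp"
}
```

Changing sa-src-address replaces the policy's SA, so the tunnel renegotiates when the 3G address changes; the equality check keeps it stable between reconnects. If the interface name differs (check with /interface print), adjust the wanIf variable.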