IPSec over IPv6 not working?

I have two Mikrotiks, both running RouterOS 6.32.2. They both have a public IPv4 address, a private IPv4 net, a public IPv6 address and a public IPv6 net:

MikroTik1:
Public IPv4: 88.91.209.xxx - Private LAN: 192.168.10.1/24
Public IPv6 2001:14b8:100:xxxx::2 - LAN: 2001:14b8:xxxx::/64

MikroTik2:
Public IPv4: 85.166.75.xxx - Private LAN: 192.168.20.1/24
Public IPv6 2001:16d8:ee00:xxxx::2 - LAN: 2001:16d8:ee00:yyyy::/64

First I configured IPSec for IPv4, using this guide. It worked perfectly, I just had to add a firewall rule stating that ipsec-esp packets were allowed.

Then I used the same guide to configure IPSec for IPv6, but that did not work. I get an error message stating: Failed to pre-process ph2 packet

My setup on Mikrotik1:

/ip ipsec peer print
Flags: X - disabled, D - dynamic 
 0    address=85.166.75.xxx/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
       secret="xxxxx" generate-policy=no policy-template-group=group1 exchange-mode=main
       send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
       dpd-maximum-failures=5 

 1   address=2001:16d8:ee00:xxxx::2/128 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
      secret="yyyyy" generate-policy=no policy-template-group=group1 exchange-mode=main
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
      dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=group1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=192.168.10.0/24 src-port=any dst-address=192.168.20.0/24 dst-port=any protocol=all
        action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=88.91.209.xxx
        sa-dst-address=85.166.75.xxx proposal=default priority=0 

 2    src-address=2001:14d8:xxxx::/64 src-port=any dst-address=2001:16d8:ee00:yyyy::/64 dst-port=any
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address=2001:14b8:100:xxxx::2 sa-dst-address=2001:16d8:ee00:xxxx::2 proposal=default priority=0

My setup on Mikrotik2:

/ip ipsec peer print
Flags: X - disabled, D - dynamic 
 0    address=88.91.209.xxx/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
       secret="xxxxx" generate-policy=no policy-template-group=group1 exchange-mode=main
       send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
       enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
       dpd-maximum-failures=5 

 1   address=2001:14b8:100:xxxx::2/128 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
      secret="yyyyy" generate-policy=no policy-template-group=group1 exchange-mode=main
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
      enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
      dpd-maximum-failures=5 

/ip ipsec policy print   
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=group1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

 1     src-address=192.168.20.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all
        action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=85.166.75.xxx
        sa-dst-address=88.91.209.xxx proposal=default priority=0 

 2    src-address=2001:16d8:ee00:yyyy::/64 src-port=any dst-address=2001:14b8:xxxx::/64 dst-port=any
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address=2001:16d8:ee00:xxxx::2 sa-dst-address=2001:14b8:100:xxxx::2 proposal=ipv6 priority=0

I have tried to only enable IPSec for IPv6, disabling IPSec over IPv4. Did not work.
I have also tried to turn off the firewalls, that didn’t help either.

Since all IPv6 addresses are unicast, I am able to ping from 2001:16d8:ee00:yyyy::/64 to 2001:14b8:xxxx::/64 when IPSec is not running, but those packets are not encrypted. I want everything sent between my IPv6 subnets to be encrypted (since they are traversing the big bad Internet :))

Does anyone know what might be the problem?

A follow-up: After turning on some IPSec debugging, I got this in the log:

09:03:33 ipsec,debug,packet 3613be9d 7e31a9da 1659bd49 65854b99 d44880cf 
09:03:33 ipsec,debug,packet get a src address from ID payload 2001:16d8:ee00:yyyy::[0] prefixlen=64 ul_proto=255 
09:03:33 ipsec,debug,packet get dst address from ID payload 2001:14b8:xxxx::[0] prefixlen=64 ul_proto=255 
09:03:33 ipsec,debug,packet 0x7fe16e38 masked with /64: 2001:16d8:ee00:yyyy::[0] 
09:03:33 ipsec,debug,packet 0x47d758 masked with /64: 2001:16d8:ee00:yyyy::[0] 
09:03:33 ipsec,debug,packet 0x7fe16e38 masked with /64: 2001:14b8:xxxx::[0] 
09:03:33 ipsec,debug,packet 0x47d758 masked with /64: 2001:14d8:xxxx::[0] 
09:03:33 ipsec,debug no policy found: 2001:16d8:ee00:yyyy::/64[0] 2001:14b8:xxxx::/64[0] proto=any dir=in 
09:03:33 ipsec,debug failed to get proposal for responder. 
09:03:33 ipsec,error failed to pre-process ph2 packet. 
09:03:33 ipsec,error failed to pre-process ph2 packet.

But I can’t understand why, because this is the policy:

src-address=2001:14d8:xxxx::/64 src-port=any dst-address=2001:16d8:ee00:yyyy::/64 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2001:14b8:100:xxxx::2 sa-dst-address=2001:16d8:ee00:xxxx::2 proposal=default priority=0

Is there something I am missing?

Yes, it is:
src-address=2001:14d8:xxxx::/64 had a typo; the correct one is:
src-address=2001:14b8:xxxx::/64

Now everything is working as expected :)
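The responder-side lookup that the debug log shows, as an added example (Python, written for this page; it is not RouterOS code and not from the original posts): it parses a `/ip ipsec policy print` dump, masks the Phase 2 ID payloads with their prefix length the way the "masked with /64" log lines do, and searches for a configured policy whose selectors mirror them. When nothing matches it reports the nearest candidate, so a one-character slip such as 14d8 versus 14b8 stands out instead of surfacing only as "no policy found". The sample dump is constructed from MikroTik1's config above with the xxxx/yyyy placeholders replaced by example values and the typo kept deliberately. The matching rule (an inbound lookup pairs the initiator's ID with the configured policy's dst-address and the responder's ID with its src-address) is an assumption inferred from the log lines, not a statement of RouterOS internals.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network

# Constructed sample: MikroTik1's policy list from the thread, with the
# xxxx/yyyy placeholders replaced by example values. The src-address typo
# in entry 2 (2001:14d8 instead of 2001:14b8) is kept on purpose.
MIKROTIK1_POLICIES = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=group1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1     src-address=192.168.10.0/24 src-port=any dst-address=192.168.20.0/24 dst-port=any protocol=all
        action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=88.91.209.1
        sa-dst-address=85.166.75.1 proposal=default priority=0

 2    src-address=2001:14d8:1::/64 src-port=any dst-address=2001:16d8:ee00:2::/64 dst-port=any
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
       sa-src-address= 2001:14b8:100:1::2 sa-dst-address=2001:16d8:ee00:1::2 proposal=default priority=0
"""


@dataclass(frozen=True)
class Policy:
    src: IPv4Network | IPv6Network   # local traffic selector (src-address=)
    dst: IPv4Network | IPv6Network   # remote traffic selector (dst-address=)
    proto: str                       # protocol=, "all" when absent


def parse_policies(dump: str) -> list[Policy]:
    """Extract the static (non-template) policies from a RouterOS policy print dump.
    Entries start with a number in the first column and may wrap onto
    continuation lines; the lookbehind keeps sa-src-address= from matching."""
    policies = []
    for entry in re.split(r"\n(?=\s*\d+\s)", dump):
        if "template=yes" in entry:
            continue                                  # templates only serve generate-policy
        src = re.search(r"(?<!-)src-address=\s*(\S+)", entry)
        dst = re.search(r"(?<!-)dst-address=\s*(\S+)", entry)
        if not (src and dst):
            continue                                  # the Flags: header or an empty chunk
        proto = re.search(r"(?<![a-z-])protocol=(\S+)", entry)
        policies.append(Policy(
            ipaddress.ip_network(src.group(1), strict=False),
            ipaddress.ip_network(dst.group(1), strict=False),
            proto.group(1) if proto else "all",
        ))
    return policies


def _selectors(id_initiator: str, id_responder: str):
    """Mask both ID payloads with their prefix length, as the debug log does.
    ASSUMPTION: the responder's inbound lookup maps the initiator's ID onto the
    configured policy's dst-address and its own ID onto src-address."""
    want_dst = ipaddress.ip_network(id_initiator, strict=False)
    want_src = ipaddress.ip_network(id_responder, strict=False)
    return want_src, want_dst


def find_policy(policies: list[Policy], id_initiator: str, id_responder: str) -> Policy | None:
    """Return the configured policy that matches the Phase 2 ID payloads, or None
    (the situation the log reports as 'no policy found')."""
    want_src, want_dst = _selectors(id_initiator, id_responder)
    for p in policies:
        if p.src == want_src and p.dst == want_dst:
            return p
    return None


def explain_no_policy(policies: list[Policy], id_initiator: str, id_responder: str):
    """Point at the nearest candidate when find_policy() fails: among policies of
    the same address family and prefix lengths, return the shortest list of
    (field, configured, expected) differences. None means nothing comparable."""
    want_src, want_dst = _selectors(id_initiator, id_responder)
    best = None
    for p in policies:
        if p.src.version != want_src.version:
            continue
        if (p.src.prefixlen, p.dst.prefixlen) != (want_src.prefixlen, want_dst.prefixlen):
            continue
        diffs = []
        if p.src != want_src:
            diffs.append(("src-address", str(p.src), str(want_src)))
        if p.dst != want_dst:
            diffs.append(("dst-address", str(p.dst), str(want_dst)))
        if best is None or len(diffs) < len(best):
            best = diffs
    return best


if __name__ == "__main__":
    # The two selectors from the 'no policy found' log line, with placeholders filled in.
    pols = parse_policies(MIKROTIK1_POLICIES)
    hit = find_policy(pols, "2001:16d8:ee00:2::/64", "2001:14b8:1::/64")
    print("match:", hit)
    if hit is None:
        for field, got, want in explain_no_policy(pols, "2001:16d8:ee00:2::/64", "2001:14b8:1::/64") or []:
            print(f"nearest policy differs in {field}: configured {got}, initiator expects {want}")
```

Run against the constructed dump, the IPv4 pair matches entry 1 while the IPv6 pair matches nothing, and the explanation names src-address as the single differing field; the same check passes once the typo is corrected in the dump.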