ipsec + ping = 22 (Invalid argument)

Hi,

We have an interesting problem :frowning:
We want to make site-to-site IPsec from an OpenBSD firewall to a Mikrotik RB3011 router.
I set up the connection on BSD and the RB3011, and the connection is UP.
If we want to send simple traffic over the tunnel, we have a problem:

[quash@BRK_RB3011] /ip firewall raw> /ping  192.168.16.1 src-address=192.168.17.254                                             
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                     
    0                                                         22 (Invalid argument)                                                                                                      
    1                                                         22 (Invalid argument)                                                                                                      
    2                                                         22 (Invalid argument)                                                                                                      
    3                                                         22 (Invalid argument)  

I don't see traffic on BSD (tcpdump), and I don't see traffic on the RB3011 (sniffer).
If we send traffic from BSD (simple ping), I see ICMP request packets in the tunnel, but no returning reply packets.

I don't know what's wrong; we use many IPsec site-to-site VPN tunnels with OpenBSD and Mikrotik, and we don't have problems.
This is not a packet filter (firewall) problem; we checked with the Mikrotik firewall rules disabled and with packet filter disabled on BSD.

ipsec config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des lifetime=20m pfs-group=none
/ip ipsec peer
add address=x.x.x.x/32 dh-group=modp2048 enc-algorithm=aes-128 lifetime=30m nat-traversal=no proposal-check=exact secret=xxx
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.16.0/24 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=192.168.17.0/24 tunnel=yes

ipsec connection is ok:

mikrotik:
 0 local-address=109.x.x.x remote-address=91.x.x.x state=established side=initiator established=23m7s 

oBSD:
FLOWS:
flow esp in from 192.168.17.0/24 to 192.168.16.0/24 peer 109.x.x.x srcid 91.x.x.x/32 dstid 109.x.x.x/32 type use
flow esp out from 192.168.16.0/24 to 192.168.17.0/24 peer 109.x.x.x srcid 91.x.x.x/32 dstid 109.x.x.x/32 type require

SAD:
esp tunnel from 91.120.45.33 to 109.74.61.152 spi 0x09145563 auth hmac-sha1 enc 3des-cbc
esp tunnel from 109.74.61.152 to 91.120.45.33 spi 0x8ff32c53 auth hmac-sha1 enc 3des-cbc

router(os) info:

             model: RouterBOARD 3011UiAS
     serial-number: 
     firmware-type: ipq8060
  factory-firmware: 3.27
  current-firmware: 3.27
  upgrade-firmware: 3.27

#   NAME                                                                         VERSION                                                                         SCHEDULED              
 0   routeros-arm                                                                 6.36                                                                                                   
 1   system                                                                       6.36                                           

Sorry, my English is not good :slight_smile: