I’m missing something in the ipsec “proposal” selection, as I both created one of my own and changed the encryption parameters to match in the default profile, yet according to the peer it’s still sending the original default parameters (aes-cbc instead of aes-256):
I’m trying to set up a tunnel from 172.20.1.0/24 to 10.64.99.0/24:
172.20.1.0/24 (lan if) (wan if) 69.59.192.19 172.20.44.100 (wan if)(lan if) 10.64.99.0/24
# IKE SA (phase 1) settings
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 nat-traversal=no
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=new_profile nat-traversal=no
# IKEv2 peer using the new profile
/ip ipsec peer
add address=69.59.192.19/32 exchange-mode=ike2 local-address=172.20.44.100 name=remote-peer profile=new_profile
Mikrotik:
14:55:09 ipsec,error no proposal chosen
14:55:19 ipsec,error no proposal chosen
14:55:24 ipsec,error simultaneous rekey
14:55:29 ipsec,error no proposal chosen
Peer:
ike 0:Bend test:549: received create-child request
ike 0:Bend test:549: responder received CREATE_CHILD exchange
ike 0:Bend test:549: responder creating new child
ike 0:Bend test:549:1347: peer proposal:
ike 0:Bend test:549:1347: TSi_0 0:10.64.99.0-10.64.99.255:0
ike 0:Bend test:549:1347: TSr_0 0:69.59.192.19-69.59.192.19:0
ike 0:Bend test:549:Bend test:1347: comparing selectors
ike 0:Bend test:549:Bend test:1347: matched by rfc-rule-2
ike 0:Bend test:549:Bend test:1347: phase2 matched by subset
ike 0:Bend test:549:Bend test:1347: accepted proposal:
ike 0:Bend test:549:Bend test:1347: TSi_0 0:10.64.99.0-10.64.99.255:0
ike 0:Bend test:549:Bend test:1347: TSr_0 0:69.59.192.19-69.59.192.19:0
ike 0:Bend test:549:Bend test:1347: autokey
ike 0:Bend test:549:Bend test:1347: incoming child SA proposal:
ike 0:Bend test:549:Bend test:1347: proposal id = 1:
ike 0:Bend test:549:Bend test:1347: protocol = ESP:
ike 0:Bend test:549:Bend test:1347: encapsulation = TUNNEL
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test:1347: type=INTEGR, val=SHA
ike 0:Bend test:549:Bend test:1347: type=DH_GROUP, val=MODP1024
ike 0:Bend test:549:Bend test:1347: type=ESN, val=NO
ike 0:Bend test:549:Bend test:1347: my proposal:
ike 0:Bend test:549:Bend test:1347: proposal id = 1:
ike 0:Bend test:549:Bend test:1347: protocol = ESP:
ike 0:Bend test:549:Bend test:1347: encapsulation = TUNNEL
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test:1347: type=INTEGR, val=SHA256
ike 0:Bend test:549:Bend test:1347: type=DH_GROUP, val=MODP2048
ike 0:Bend test:549:Bend test:1347: type=ESN, val=NO
ike 0:Bend test:549:Bend test:1347: lifetime=28800
ike 0:Bend test:549:Bend test:1347: no proposal chosen
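The peer log above is the key check: it is a CREATE_CHILD exchange, so the IKE SA (what `/ip ipsec profile` configures) already came up with the new profile, and only the child/ESP SA is being rejected. On RouterOS the ESP algorithms are not taken from the profile at all; they come from `/ip ipsec proposal`, referenced by the policy, and the "incoming child SA proposal" the peer printed (AES_CBC 128/192/256, SHA, MODP1024) is exactly the built-in default proposal that every policy uses until told otherwise. The following is an added example, not part of the original post, showing the default proposal next to a corrected one; the policy addresses and the names `new_proposal` and `remote-peer` are assumptions (RouterOS 6.43+ syntax):

```routeros
# Added example (not from the original post). RouterOS 6.43+ syntax; "new_proposal"
# and the policy addresses are assumptions.

# What the peer saw is the stock RouterOS proposal. On an unmodified router
#   /ip ipsec proposal print
# shows:
#   0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc
#        lifetime=30m pfs-group=modp1024
# i.e. ENCR AES_CBC 128/192/256, INTEGR SHA(1), DH_GROUP MODP1024, matching the log.

# Option A: tighten the default proposal in place so existing policies pick it up.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Option B: add a dedicated proposal and bind the policy to it explicitly.
/ip ipsec proposal
add name=new_proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=8h

/ip ipsec policy
add src-address=10.64.99.0/24 dst-address=172.20.1.0/24 peer=remote-peer \
    proposal=new_proposal tunnel=yes

# Checks: what will be offered, which proposal each policy references, and what
# was actually installed once the child SA is up.
/ip ipsec proposal print detail
/ip ipsec policy print detail
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

With `pfs-group=modp2048` the child SA carries a DH group, which matches the `DH_GROUP MODP2048` the peer lists in its own proposal; if the peer had PFS disabled you would set `pfs-group=none` instead. The `lifetime` does not need to match the peer's 28800 s in IKEv2, since lifetimes are not negotiated and each side simply rekeys on its own timer.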