IPSec Problems

Hi All,

I am having difficulty establishing a site-to-site IPsec VPN with a 3rd party (FortiGate) from our MikroTik. I am getting “none” on the Auth/Encr Algorithms when looking at the SAs.

Below are some logs and my config. 10.43.54.0 is my local LAN and 192.168.101.0 is the Remote LAN.

I can’t see anything obvious in the logs. Any ideas?

CONFIG:

/ip firewall nat
add chain=srcnat dst-address=192.168.101.0/24 src-address=10.43.54.0/24
add action=masquerade chain=srcnat src-address=10.43.54.0/24

/ip ipsec peer
add address=81.95.XXX.XXX/32 dh-group=modp1536 disabled=yes dpd-interval=disable-dpd enc-algorithm=aes-128 generate-policy=yes \
    hash-algorithm=sha1 lifetime=8h my-id-user-fqdn=83.244.XXX.XXX secret=*********

/ip ipsec policy
add disabled=yes dst-address=192.168.101.0/24 level=unique sa-dst-address=81.95.XXX.XXX sa-src-address=83.244.XXX.XXX src-address=\
    10.43.54.0/24 tunnel=yes

LOG:

Mar/31/2014 17:42:52 ipsec,debug,packet ==========
Mar/31/2014 17:42:52 ipsec,debug,packet 92 bytes message received from 81.95.XXX.XXX[500] to 83.244.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet 30824d59 bbcb2d59 fd840171 d8a4f9f6 08100501 13066cb7 0000005c 48eba819
Mar/31/2014 17:42:52 ipsec,debug,packet 306c5c2a 4f011b75 b69000a9 10161787 1d7e65fc 56aeb190 d2d36e6c a472ec86
Mar/31/2014 17:42:52 ipsec,debug,packet 0f2314ea 41fda1a5 809f98d9 7a232f8f 561370fb 869f85a5 5ae026d8
Mar/31/2014 17:42:52 ipsec,debug,packet receive Information.
Mar/31/2014 17:42:52 ipsec,debug,packet compute IV for phase2
Mar/31/2014 17:42:52 ipsec,debug,packet phase1 last IV:
Mar/31/2014 17:42:52 ipsec,debug,packet 09367f8e 4751ad08 8eaa8125 16d5a227 13066cb7
Mar/31/2014 17:42:52 ipsec,debug,packet hash(sha1)
Mar/31/2014 17:42:52 ipsec,debug,packet encryption(aes)
Mar/31/2014 17:42:52 ipsec,debug,packet phase2 IV computed:
Mar/31/2014 17:42:52 ipsec,debug,packet b85a8daa 7a84655f db903b6b b72a9a10
Mar/31/2014 17:42:52 ipsec,debug,packet encryption(aes)
Mar/31/2014 17:42:52 ipsec,debug,packet IV was saved for next processing:
Mar/31/2014 17:42:52 ipsec,debug,packet 7a232f8f 561370fb 869f85a5 5ae026d8
Mar/31/2014 17:42:52 ipsec,debug,packet encryption(aes)
Mar/31/2014 17:42:52 ipsec,debug,packet with key:
Mar/31/2014 17:42:52 ipsec,debug,packet c952eab9 c26f3c5e 85a378be 3195e4a1
Mar/31/2014 17:42:52 ipsec,debug,packet decrypted payload by IV:
Mar/31/2014 17:42:52 ipsec,debug,packet b85a8daa 7a84655f db903b6b b72a9a10
Mar/31/2014 17:42:52 ipsec,debug,packet decrypted payload, but not trimed.
Mar/31/2014 17:42:52 ipsec,debug,packet 0b000018 3a8b0f1b 3f2bb372 b948e1a6 0839d1d4 a4d009b6 00000020 00000001
Mar/31/2014 17:42:52 ipsec,debug,packet 01108d28 30824d59 bbcb2d59 fd840171 d8a4f9f6 00476ba1 af5e4af2 f3f6c607
Mar/31/2014 17:42:52 ipsec,debug,packet padding len=8
Mar/31/2014 17:42:52 ipsec,debug,packet skip to trim padding.
Mar/31/2014 17:42:52 ipsec,debug,packet decrypted.
Mar/31/2014 17:42:52 ipsec,debug,packet 30824d59 bbcb2d59 fd840171 d8a4f9f6 08100501 13066cb7 0000005c 0b000018
Mar/31/2014 17:42:52 ipsec,debug,packet 3a8b0f1b 3f2bb372 b948e1a6 0839d1d4 a4d009b6 00000020 00000001 01108d28
Mar/31/2014 17:42:52 ipsec,debug,packet 30824d59 bbcb2d59 fd840171 d8a4f9f6 00476ba1 af5e4af2 f3f6c607
Mar/31/2014 17:42:52 ipsec,debug,packet HASH with:
Mar/31/2014 17:42:52 ipsec,debug,packet 13066cb7 00000020 00000001 01108d28 30824d59 bbcb2d59 fd840171 d8a4f9f6
Mar/31/2014 17:42:52 ipsec,debug,packet 00476ba1
Mar/31/2014 17:42:52 ipsec,debug,packet hmac(hmac_sha1)
Mar/31/2014 17:42:52 ipsec,debug,packet HASH computed:
Mar/31/2014 17:42:52 ipsec,debug,packet 3a8b0f1b 3f2bb372 b948e1a6 0839d1d4 a4d009b6
Mar/31/2014 17:42:52 ipsec,debug,packet hash validated.
Mar/31/2014 17:42:52 ipsec,debug,packet begin.
Mar/31/2014 17:42:52 ipsec,debug,packet seen nptype=8(hash)
Mar/31/2014 17:42:52 ipsec,debug,packet seen nptype=11(notify)
Mar/31/2014 17:42:52 ipsec,debug,packet succeed.
Mar/31/2014 17:42:52 ipsec,debug,packet DPD R-U-There received
Mar/31/2014 17:42:52 ipsec,debug,packet compute IV for phase2
Mar/31/2014 17:42:52 ipsec,debug,packet phase1 last IV:
Mar/31/2014 17:42:52 ipsec,debug,packet 09367f8e 4751ad08 8eaa8125 16d5a227 dec1541b
Mar/31/2014 17:42:52 ipsec,debug,packet hash(sha1)
Mar/31/2014 17:42:52 ipsec,debug,packet encryption(aes)
Mar/31/2014 17:42:52 ipsec,debug,packet phase2 IV computed:
Mar/31/2014 17:42:52 ipsec,debug,packet 08afa72c a1cc8466 af283c14 55532afc
Mar/31/2014 17:42:52 ipsec,debug,packet HASH with:
Mar/31/2014 17:42:52 ipsec,debug,packet dec1541b 00000020 00000001 01108d29 30824d59 bbcb2d59 fd840171 d8a4f9f6
Mar/31/2014 17:42:52 ipsec,debug,packet 00476ba1
Mar/31/2014 17:42:52 ipsec,debug,packet hmac(hmac_sha1)
Mar/31/2014 17:42:52 ipsec,debug,packet HASH computed:
Mar/31/2014 17:42:52 ipsec,debug,packet 2384dabb 34267ab9 d092d0de 7fe73f9b 50589ad8
Mar/31/2014 17:42:52 ipsec,debug,packet begin encryption.
Mar/31/2014 17:42:52 ipsec,debug,packet encryption(aes)
Mar/31/2014 17:42:52 ipsec,debug,packet pad length = 8
Mar/31/2014 17:42:52 ipsec,debug,packet 0b000018 2384dabb 34267ab9 d092d0de 7fe73f9b 50589ad8 00000020 00000001
Mar/31/2014 17:42:52 ipsec,debug,packet 01108d29 30824d59 bbcb2d59 fd840171 d8a4f9f6 00476ba1 1ae345c7 46006a07
Mar/31/2014 17:42:52 ipsec,debug,packet encryption(aes)
Mar/31/2014 17:42:52 ipsec,debug,packet with key:
Mar/31/2014 17:42:52 ipsec,debug,packet c952eab9 c26f3c5e 85a378be 3195e4a1
Mar/31/2014 17:42:52 ipsec,debug,packet encrypted payload by IV:
Mar/31/2014 17:42:52 ipsec,debug,packet 08afa72c a1cc8466 af283c14 55532afc
Mar/31/2014 17:42:52 ipsec,debug,packet save IV for next:
Mar/31/2014 17:42:52 ipsec,debug,packet e6650fb3 1d6b1852 36256e81 afd0f431
Mar/31/2014 17:42:52 ipsec,debug,packet encrypted.
Mar/31/2014 17:42:52 ipsec,debug,packet 92 bytes from 83.244.XXX.XXX[500] to 81.95.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet sockname 83.244.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet send packet from 83.244.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet send packet to 81.95.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet src4 83.244.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet dst4 81.95.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet 1 times of 92 bytes message will be sent to 81.95.XXX.XXX[500]
Mar/31/2014 17:42:52 ipsec,debug,packet 30824d59 bbcb2d59 fd840171 d8a4f9f6 08100501 dec1541b 0000005c 640664a3
Mar/31/2014 17:42:52 ipsec,debug,packet 728892ee aea26c9a d355ad41 ed4bff37 1907c886 e933b4d2 bf91a5c5 f28723ce
Mar/31/2014 17:42:52 ipsec,debug,packet a7761fb6 0ecf89f4 e0b8f4e2 e6650fb3 1d6b1852 36256e81 afd0f431
Mar/31/2014 17:42:52 ipsec,debug,packet sendto Information notify.
Mar/31/2014 17:42:52 ipsec,debug,packet received a valid R-U-THERE, ACK sent
Mar/31/2014 17:42:57 ipsec,debug,packet ==========
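
Decoding the "decrypted." dump from the log above, as an added example that is not part of the original post: the parser reads the ISAKMP header and walks the payload chain, showing that this message is an Informational exchange carrying a DPD R-U-THERE notify, so the excerpt contains IKE keepalive traffic and no Quick Mode (phase 2) message. The function name and the lookup tables are assumptions made for the example; the tables cover only a small subset of IKEv1 values.

```python
import struct

# Constructed input: the hex words of the "decrypted." dump in the log above.
DECRYPTED = (
    "30824d59 bbcb2d59 fd840171 d8a4f9f6 08100501 13066cb7 0000005c 0b000018 "
    "3a8b0f1b 3f2bb372 b948e1a6 0839d1d4 a4d009b6 00000020 00000001 01108d28 "
    "30824d59 bbcb2d59 fd840171 d8a4f9f6 00476ba1 af5e4af2 f3f6c607"
)

EXCHANGES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}
PAYLOADS = {1: "sa", 8: "hash", 11: "notify", 12: "delete"}
NOTIFIES = {36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}  # DPD, RFC 3706


def parse_ikev1(hex_dump):
    """Decode the ISAKMP header and payload chain of a decrypted IKEv1 message."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(data) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, msgid, length = struct.unpack(">8s8sBBBBII", data[:28])
    msg = {"exchange": EXCHANGES.get(exch, exch), "encrypted": bool(flags & 1),
           "message_id": f"{msgid:08x}", "length": length, "payloads": []}
    off = 28
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOADS.get(nxt, nxt), "length": plen}
        if nxt == 11 and len(body) >= 8:  # DOI(4) proto(1) spi_size(1) type(2) SPI data
            _doi, _proto, spi_size, ntype = struct.unpack(">IBBH", body[:8])
            entry["notify"] = NOTIFIES.get(ntype, ntype)
            entry["data"] = body[8 + spi_size:].hex()  # DPD sequence number
        msg["payloads"].append(entry)
        nxt, off = following, off + plen
    msg["padding"] = len(data) - off  # bytes left after the last payload
    return msg


if __name__ == "__main__":
    print(parse_ikev1(DECRYPTED))
```

The same function applied to other "decrypted." dumps from a longer capture would report `quick-mode` for any phase 2 negotiation message.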

Having IPsec issues with 6.10 as well. I have to restart the router, then it works again.

Everything was fine with VPN prior to 6.10 (well, except for the fact that the router froze from time to time, which is now fixed with 6.10).

Did you get the same symptoms?

Anyone know what setting would cause “none” on the Auth/Encr Algorithms when looking at the SAs?

PS. Using version 5.26.

Hello,

I was on 5.24 and upgraded to 5.26.
Had the same issues…

Now running on version 6.11 and still the same problem.

So I think it is a configuration issue – maybe a mismatch. Anyone know what settings would cause a “none” “none” on the encryption/auth SAs?

Thanks