Has anyone successfully set up IPsec proposals and peers using either ec2n155/ec2n185 on the RB951G? As near as I can tell, it’s completely broken; watching the CPU when it gets time to generate keys tells me that it’s not even trying; the CPU doesn’t get pegged even for a moment. Contrast that with modp768, which pegs for a few moments, at least, or modp6144, which pegs for most of a minute.
After banging my head for a week trying to get IPSec working on the 951G (and to the confusion and consternation of people who tried to help me), I finally narrowed my problems down to those two specific DH groups on that particular device…
I’ve set up a small test lab (just out of interest) with two virtual x86 routers (RouterOS 6.15). I confirm that EC2N is indeed broken. A simple IPsec tunnel between two of these works fine with any of the MODP DH groups, but fails miserably when I select any of the EC2N DH groups.
Everything looks fine on the initiator side. On the responder side I’m getting these messages in the log (with ‘topics=ipsec,!packet’, since log entries with topic ‘packet’ do not report any failures anyways):
09:30:29 ipsec,debug initiate new phase 1 negotiation: 10.1.1.1[500]<=>10.1.1.2[500]
09:30:29 ipsec,debug begin Identity Protection mode.
09:30:29 ipsec,debug received Vendor ID: CISCO-UNITY
09:30:29 ipsec,debug received Vendor ID: DPD
09:30:29 ipsec,debug invalid public information was generated.
09:30:29 ipsec,debug failed to process packet.
09:30:29 ipsec,debug phase1 negotiation failed.
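As an added example (not code from the thread or from MikroTik), a small Python parser that groups RouterOS `ipsec,debug` log lines like the ones quoted above into phase 1 attempts and pulls out the peer pair plus the diagnostic that preceded each failure, which is handy when the responder only shows the problem in its log. The sample log is constructed from the quoted lines, and the `ISAKMP-SA established` success string is an assumption about racoon-style output.

```python
import re
from dataclasses import dataclass, field
# Line format as quoted in the post: "HH:MM:SS topic[,topic...] message"
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>[\w,!]+) (?P<msg>.*)$")
PEERS_RE = re.compile(r"(?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]")
# Lines that never explain a failure by themselves
NOISE = ("begin ", "received Vendor ID", "failed to process packet")
# Sample log constructed from the lines quoted above, not captured from a live device
SAMPLE_LOG = """\
09:30:29 ipsec,debug initiate new phase 1 negotiation: 10.1.1.1[500]<=>10.1.1.2[500]
09:30:29 ipsec,debug begin Identity Protection mode.
09:30:29 ipsec,debug received Vendor ID: CISCO-UNITY
09:30:29 ipsec,debug received Vendor ID: DPD
09:30:29 ipsec,debug invalid public information was generated.
09:30:29 ipsec,debug failed to process packet.
09:30:29 ipsec,debug phase1 negotiation failed.
"""

@dataclass
class Phase1Attempt:
    time: str
    local: str
    remote: str
    messages: list = field(default_factory=list)
    outcome: str = "incomplete"  # "failed", "established" or "incomplete"
    reason: str = ""             # last non-noise diagnostic before a failure

def parse_phase1_attempts(log_text):
    # Group lines into attempts: one per "initiate new phase 1" up to its failure or success
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or "ipsec" not in m["topics"].split(","):
            continue
        msg = m["msg"]
        if msg.startswith("initiate new phase 1 negotiation"):
            peers = PEERS_RE.search(msg)
            current = Phase1Attempt(m["time"], peers["local"], peers["remote"])
            attempts.append(current)
        elif current is not None:
            current.messages.append(msg)
            if msg.startswith("phase1 negotiation failed"):
                current.outcome = "failed"
                diag = [x for x in current.messages[:-1] if not x.startswith(NOISE)]
                current.reason = diag[-1] if diag else ""
                current = None
            elif msg.startswith("ISAKMP-SA established"):  # assumed racoon-style success line
                current.outcome = "established"
                current = None
    return attempts
```

Feeding a longer capture through it and grouping the resulting `reason` values per peer pair makes a systematic cause (such as one DH group failing every time) stand out from one-off packet problems.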