IPSec strange issues with CCR1016

Hi All,
I have strange issues with a simple IPIP-IPSec configuration. My test bed:
CCR1016-12G ROS v6.36 <---------> Virtual Cloud Hosted Router ROS v6.36
interface ip: 10.7.2.1/24 <------------> interface ip: 10.7.2.2/24
tunnel ip: 10.8.2.1/24 <---------------> tunnel-ip: 10.8.2.2/24
Same proposal configuration on both routers:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc

Cloud Hosted Router setup:

/interface ipip
add allow-fast-path=no ipsec-secret=test1 keepalive=10s,5 local-address=\
    10.7.2.2 name=ipip-hardware remote-address=10.7.2.1
    
/ip address
add address=10.7.2.2/24 interface=ether1 network=10.7.2.0
add address=10.8.2.2/24 interface=ipip-hardware network=10.8.2.0

CCR1016-12G setup:

/interface ipip
add allow-fast-path=no ipsec-secret=test1 keepalive=10s,5 local-address=\
	10.7.2.1 name=ipip-cloud remote-address=10.7.2.2
    
/ip address
add address=10.7.2.1/24 interface=ether3 network=10.7.2.0
add address=10.8.2.1/24 interface=ipip-cloud network=10.8.2.0

Strange things: after the tunnel is established, peer status shows weak encryption and the SA shows the encryption from the proposal, but my tunnel works as expected.

[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic 
 0  D ;;; ipip-hardware
      address=10.7.2.1/32 local-address=10.7.2.2 passive=no port=500
      auth-method=pre-shared-key secret="test1" generate-policy=no 
      policy-template-group=default exchange-mode=main send-initial-
      nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d lifeb
      dpd-interval=2m dpd-maximum-failures=5 
[admin@MikroTik] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP 
 0 E spi=0x362A708 src-address=10.7.2.1 dst-address=10.7.2.2 state=mature
     auth-algorithm=sha256 enc-algorithm=aes-cbc 
     auth-key="074e14f2d293fff08331dcccbf782779d8b8e0b18d55e58d66b6b31a12b3d8db" 
     enc-key="b2dfe1a33bf8b3c3c9a699ec5d0ddb2baeecb58f93b093ab2e4e98e5231a7c16" 
     add-lifetime=30m/30m replay=128

When dpd-interval runs out (2 min) my tunnel is degraded and nothing but a CCR1016 reboot can bring the tunnel up. When I choose to use the default proposal with the default setup (SHA1/aes-128-cbc), everything works normally. But I want something stronger than “default” encryption.
If I replace the hardware CCR1016 with another Cloud Hosted Router with an equal setup, my tunnel works with different proposal combinations… and for more than 2 min :imp:
Any ideas why peer status shows garbage?
Why does my tunnel with the hardware router break?
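The two `print` outputs quoted above describe different IKE phases: the peer entry shows the phase-1 (IKE) algorithms, which for a dynamically generated peer are the RouterOS defaults, while the installed SA shows the phase-2 (ESP) algorithms negotiated from the proposal, so the two listings are consistent with each other. The following small Python audit is an added example for this thread, not RouterOS code and not something the original poster ran. It parses the thread's own terminal output (truncated lines included), separates the two phases and flags weak values; the `WEAK` table is this example's own classification, not a RouterOS setting.

```python
"""Audit RouterOS IPsec 'print' output: split phase-1 (peer / IKE) from
phase-2 (installed SA / ESP) parameters and flag weak algorithms.

Added example for this thread; not RouterOS code.  The WEAK table below is
this example's own judgement of what counts as weak, not a RouterOS setting.
"""
import re

# Constructed sample input: the thread's own terminal output, including the
# lines the terminal cut off ("send-initial-", "lifeb"), to show the parser
# tolerates truncation.
PEER_PRINT = """\
[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic
 0  D ;;; ipip-hardware
      address=10.7.2.1/32 local-address=10.7.2.2 passive=no port=500
      auth-method=pre-shared-key secret="test1" generate-policy=no
      policy-template-group=default exchange-mode=main send-initial-
      nat-traversal=yes proposal-check=obey hash-algorithm=sha1
      enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d lifeb
      dpd-interval=2m dpd-maximum-failures=5
"""

SA_PRINT = """\
[admin@MikroTik] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP
 0 E spi=0x362A708 src-address=10.7.2.1 dst-address=10.7.2.2 state=mature
     auth-algorithm=sha256 enc-algorithm=aes-cbc
     auth-key="074e14f2d293fff08331dcccbf782779d8b8e0b18d55e58d66b6b31a12b3d8db"
     enc-key="b2dfe1a33bf8b3c3c9a699ec5d0ddb2baeecb58f93b093ab2e4e98e5231a7c16"
     add-lifetime=30m/30m replay=128
"""

# Parameters that, at these values, this example treats as weak.  IKE (phase 1)
# uses hash-algorithm / enc-algorithm / dh-group; ESP (phase 2) uses
# auth-algorithm / enc-algorithm.  "null" auth means no integrity protection.
WEAK = {
    "hash-algorithm": {"md5", "sha1"},
    "auth-algorithm": {"md5", "sha1", "null"},
    "enc-algorithm": {"des", "3des", "blowfish"},
    "dh-group": {"modp768", "modp1024"},
}

# key=value where value is either a quoted string or a run of non-blanks
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_print(text):
    """Turn RouterOS 'print' output into {param: value}.  Quoted values lose
    their quotes; comma lists (aes-128,3des) are kept as one string.  Tokens
    without '=' (flags, comments, truncated words) are ignored."""
    return {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(text)}


def weak_settings(fields):
    """Return {param: [weak members]} for each parameter whose value, or any
    comma-separated member of it, appears in WEAK."""
    found = {}
    for param, weak_values in WEAK.items():
        if param in fields:
            bad = [v for v in fields[param].split(",") if v in weak_values]
            if bad:
                found[param] = bad
    return found


def audit(peer_text, sa_text):
    """Summarise both phases side by side so it is obvious that the peer line
    describes IKE (phase 1) and the installed SA describes ESP (phase 2)."""
    peer, sa = parse_print(peer_text), parse_print(sa_text)
    return {
        "phase1_ike": {k: peer.get(k) for k in ("hash-algorithm", "enc-algorithm", "dh-group")},
        "phase1_weak": weak_settings(peer),
        "phase2_esp": {k: sa.get(k) for k in ("auth-algorithm", "enc-algorithm")},
        "phase2_weak": weak_settings(sa),
    }


if __name__ == "__main__":
    for name, value in audit(PEER_PRINT, SA_PRINT).items():
        print(f"{name}: {value}")
```

Run against the thread's output, the audit reports sha1, 3des and modp1024 on the phase-1 side and nothing weak on the phase-2 side: the ESP SA really does use sha256/aes-cbc from the proposal, and the "weak encryption" in the peer listing is the IKE phase-1 default set, which is the part to tighten when the peer is configured statically rather than generated by the IPIP tunnel.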

Peer settings
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Peer_configuration
Peer configuration settings are used to establish connections between IKE daemons (phase 1 configuration). This connection will then be used to negotiate keys and algorithms for SAs.

Proposal
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Proposal_settings
Proposal information that will be sent by the IKE daemon to establish SAs for this policy (phase 2).

Set AES-256 in the peer config if you wish higher protection for phase 1…

Thank you for your time, BlackVS, but my question was not about configuration - my config is pretty simple and also the peer config in my case is dynamically generated from the IPIP-IPsec tunnel setup.
Just tried my setup with a hardware 2011UiAS and a software CHR - the tunnel works like a charm!
When I tried my setup using a hardware 2011UiAS and a hardware CCR1016, the tunnel works after a CCR reboot and breaks after the DPD time… Some sort of CCR1016 bug? :frowning:
Unfortunately, I don't have a second 2011UiAS to test my setup with two 2011UiAS.

Is there any NAT involved? NAT in combination with IPsec is always a drag…

No NAT, no firewall etc. Router after factory reset - just configured IPs and a tunnel. One more strange thing - the tunnel works perfectly with sha512 auth + aes-256 enc… but the speed! The 16-core Tile CPU shows a maximum of 100Mbps UDP speed and 100% load on one core. With null auth + aes-256 enc the maximum UDP speed jumps to ~150Mbps. Is this router so slow or did I miss something? :cry: A sha256 auth + aes-256 tunnel shows ~330Mbps UDP speed, but this tunnel breaks as I stated before…

Is everything working OK with the default setting of sha1 and aes-128-cbc ?

It's OK after a router reboot with sha1 and aes-128-cbc, but if you change the auth proposal to anything but sha512 or null, the tunnel will not work until another reboot.

It is quite typical for IPsec to fail when you change parameters at one end and then on the other end.
It is normally not required to reboot, just disable the IPsec peer at one end, wait a few minutes, and re-enable it.
This is not typical for MikroTik, it is a general problem of IPsec.

In my case you can wait, I think, forever - I waited 30 minutes. But if you change auth to sha512 or null, the tunnel will be up in one minute!
One more strange thing: if I reboot with this config, the tunnel will be up, but without pushing any traffic through the tunnel it goes down in 3-4 minutes :frowning:

/interface ethernet
set [ find default-name=ether2 ] speed=1Gbps
/interface ipip
add allow-fast-path=no keepalive=5s,5 local-address=10.7.1.1 name=ipip-tunnel1 \
    remote-address=10.7.1.2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=2m
/ip address
add address=10.7.1.1/24 interface=ether2 network=10.7.1.0
add address=10.8.1.1/24 interface=ipip-tunnel1 network=10.8.1.0
/ip ipsec peer
add address=10.7.1.2/32 nat-traversal=no secret=123
/ip ipsec policy
add dst-address=10.7.1.2/32 sa-dst-address=10.7.1.2 sa-src-address=10.7.1.1 \
    src-address=10.7.1.1/32
/system logging
add prefix=ipsec topics=ipsec

And after the tunnel goes down I have this picture:

Just tried with CHR v6.37.rc16 - no luck

Blazing speed on a 1Gb link :cry: Maybe this is a hardware issue?

Relating to the speed - try changing from AES-CBC to AES-CTR or Camellia.
I suspect you will be surprised very much…

Thank you for your suggestion, but I am not surprised - I tried all combinations :laughing:
SHA256: AES128-CBC ~ 404Mbps, AES256-CBC ~ 375Mbps, AES256-CTR ~ 83.1Mbps, Camellia256 ~ 83.7Mbps
SHA512: AES128-CBC ~ 112Mbps, AES256-CBC ~ 100Mbps, AES256-CTR ~ 100Mbps, Camellia256 ~ 99.7Mbps
SHA1: AES128-CBC ~ 412Mbps, AES256-CBC ~ 500Mbps, AES256-CTR ~ 113Mbps, Camellia256 ~ 113Mbps
The network link between the routers is 1Gbps.
If SHA256 auth is totally not working for me with *-CBC encryption, it does not matter much what I choose from the other combinations - all will be slow.

One more note - the internal btest tool is not very accurate. I made a direct VPN connection between two CCRs (CCR1016 and CCR1036).
One without any rules, the other has some rules (it is used in the office).

In my test Btest shows (I ran the tests 5-10 times and chose the highest one):

Direct BT test (ether-ether)
UDP receive 975
UDP send 975
UDP both 975/870

GRE no Encryption
UDP receive 355
UDP send 900
UDP both 900/250

IPIP no Encryption
UDP receive 367
UDP send 890
UDP both 890/270

RouterOS on both is 6.36.
CPU load did not exceed 10% on both routers.
For receive I often got a result of 100-150M.
TCP tests showed much lower results…
In the next days I will test with different encryption to compare with your results…