It seems that RouterOS has a bug with IPsec. My VPN was working until I updated to version 7.18. Downgrading to 7.17.2 resolved the issue.
OK. So whereas a “normal” responder waits for the initiator to use the data it got in the mode-config message to construct their own policy and propose it, this one apparently uses some inverse logic - despite being a responder, it proposes a policy with such a wide selector and probably expects the initiator to restrict it according to the contents of the mode-config.
As you cannot change its behavior, you have to accept that approach, so the next step is to modify the policy template at the Mikrotik side.
But there is a complication - the LAN subnet of the remote responder, from which the responder also assigns addresses to initiators, overlaps with the WAN subnet of your Mikrotik. So whilst normally it would be sufficient to restrict the src-address of the policy template to the subnet from which the responder assigns an address to you, in your particular scenario, doing so is not sufficient because a 192.168.1.0/24<->0.0.0.0/0 policy would still hijack the WAN traffic of the Mikrotik.
So what the optimal solution is depends on a number of factors; it will be different for each of the following cases:
- you can change the range from which the remote router assigns addresses to initiators
- you can specify a particular address for the initiator in the responder configuration
- you can change the LAN subnet of the remote router
- you can change the LAN subnet of your ISP router
- you can use a static address (manually or by means of reserving a DHCP lease for it) for the WAN of your Mikrotik within the LAN subnet of your ISP router
- neither of the above is possible
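To make the reasoning above concrete, here is an added example (not from the thread or from MikroTik) that models how a RouterOS policy selector matches traffic and checks whether a candidate policy template would also catch the Mikrotik's own WAN flows. All addresses (the WAN address 192.168.1.20, the ISP gateway 192.168.1.1, the alternative ISP LAN 192.168.2.0/24, the mode-config address 192.168.1.77 and the 198.51.100.10 test destination) are constructed; the `routeros_policy_command` helper is a hypothetical string builder that emits the documented `/ip ipsec policy` parameters `template`, `group`, `src-address` and `dst-address`.

```python
import ipaddress

# Constructed scenario from the thread: the remote responder proposes a wide
# selector and hands out addresses from 192.168.1.0/24, which is also the
# subnet of the ISP router that the Mikrotik's WAN interface sits in.
WIDE_SELECTOR = ("0.0.0.0/0", "0.0.0.0/0")
RESPONDER_POOL = "192.168.1.0/24"


def policy_matches(selector, src_ip, dst_ip):
    """An IPsec policy selects a packet when BOTH the packet's source lies in
    the policy's src-address and its destination lies in dst-address."""
    src_net, dst_net = (ipaddress.ip_network(n, strict=False) for n in selector)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


def hijacks_wan(selector, wan_address, wan_gateway):
    """True if the policy would pull the Mikrotik's own WAN traffic into the
    tunnel. Two flows must stay outside it: traffic to the ISP gateway and
    plain Internet traffic leaving from the WAN address (198.51.100.10 is a
    constructed documentation address standing in for 'the Internet')."""
    own_flows = [(wan_address, wan_gateway), (wan_address, "198.51.100.10")]
    return any(policy_matches(selector, s, d) for s, d in own_flows)


def narrow_selector(assigned_address, remote_selector_dst="0.0.0.0/0"):
    """Restrict the responder's wide proposal to the single address obtained
    via mode-config; dst is left as the responder proposed it."""
    return (f"{ipaddress.ip_address(assigned_address)}/32", remote_selector_dst)


def routeros_policy_command(selector, group="default"):
    """Hypothetical helper: render the matching RouterOS policy template."""
    src, dst = selector
    return (f"/ip ipsec policy add template=yes group={group} "
            f"src-address={src} dst-address={dst}")


def evaluate_thread_cases():
    """Walk the cases listed in the thread and report which still hijack WAN."""
    results = {}
    # Responder's proposal accepted as-is: everything goes into the tunnel.
    results["wide proposal"] = hijacks_wan(WIDE_SELECTOR, "192.168.1.20", "192.168.1.1")
    # src restricted to the responder's pool, but the pool overlaps the WAN subnet.
    results["pool-restricted, overlapping WAN"] = hijacks_wan(
        (RESPONDER_POOL, "0.0.0.0/0"), "192.168.1.20", "192.168.1.1")
    # Case: ISP router's LAN moved to 192.168.2.0/24, so the overlap is gone.
    results["pool-restricted, ISP LAN changed"] = hijacks_wan(
        (RESPONDER_POOL, "0.0.0.0/0"), "192.168.2.20", "192.168.2.1")
    # Case: responder assigns a fixed address; template narrowed to that /32.
    results["fixed /32 from mode-config"] = hijacks_wan(
        narrow_selector("192.168.1.77"), "192.168.1.20", "192.168.1.1")
    return results


if __name__ == "__main__":
    for case, hijacked in evaluate_thread_cases().items():
        print(f"{case:40s} hijacks WAN: {hijacked}")
    print(routeros_policy_command(narrow_selector("192.168.1.77")))
```

Running it shows that restricting src-address to the pool alone still hijacks WAN traffic while the two subnets overlap, and that either moving the ISP LAN or narrowing the template to the single assigned address removes the overlap; the printed `/ip ipsec policy` line is the template you would then add on the Mikrotik, with the group name matched to the one referenced by your identity.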
Yes, thank you, I was thinking the same.
I’ll try to change the LAN subnet on my ISP router and see how it goes.
Same here. I upgraded to 7.18.2 and it messed with my IPsec connections. I had to roll back to 7.15 so we can work with our SQL Servers and Tomcats.
Same here. CCR1016, site-to-site IPsec with multiple policies. I upgraded to 7.18.2 and it messed with my IPsec connections.
Some policies stopped forwarding data at random times and in random order. Disabling and enabling the problematic policy immediately fixes the problem.
Downgrading to 7.15.3 has improved the situation considerably. Such problems have become much less frequent.
P.S. It feels like since version 7.12.1, IPsec has only been broken and not fixed.