Hey, I am facing a strange behaviour on one IPsec dial-in.
I am using a MikroTik to connect to my office. I have several IPsec connections; none of them has this issue. Only with my router inside one office.
home → office
After connecting to the office IPsec router I can access my local subnet 192.168.2.0/24.
Then after some time it stops. The only thing I discovered is that my private IP 192.168.77.254 is suddenly appearing in the address list.
[mark@XC-Office-Router] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFAC
0 192.168.2.1/24 192.168.2.0 bridge
1 192.168.33.1/24 192.168.33.0 gast
2 D ISP IP/24 ISP IP ether1
3 D 10.11.11.254/32 10.11.11.254 ether1
4 D 192.168.77.254/32 192.168.77.254 ether1 << this is my IP assigned by mode-config from the pool
When I delete this dynamic address the VPN works again.
I am out of ideas as to what I might not have considered in my configuration.
Here are some more configs:
Bridge
[mark@XC-Office-Router] > interface bridge print
Flags: X - disabled, R - running
0 R name="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=proxy-arp arp-timeout=auto mac-address=D4:CA:6D:B8:22:98 protocol-mode=none fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no
1 R name="gast" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled arp-timeout=auto mac-address=D4:CA:6D:B8:22:98 protocol-mode=none fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=no dhcp-snooping=no
2 X name="loopback" mtu=auto arp=enabled arp-timeout=auto mac-address=3E:88:14:BA:65:C1 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no
Interfaces
interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; UPC-Modem
ether1 ether 1500 1598 9498 D4:CA:6D:B8:22:8D
1 S ;;; Lan
ether2 ether 1500 1598 9498 D4:CA:6D:B8:22:8E
2 S ;;; Deffekt Port 3
ether3 ether 1500 1598 9498 D4:CA:6D:B8:22:8F
3 RS ;;; Chef Office Link
ether4 ether 1500 1598 9498 D4:CA:6D:B8:22:90
4 R ether5 ether 1500 1598 9498 D4:CA:6D:B8:22:91
5 S ether6 ether 1500 1598 9498 D4:CA:6D:B8:22:92
6 RS ether7 ether 1500 1598 9498 D4:CA:6D:B8:22:93
7 RS ether8 ether 1500 1598 9498 D4:CA:6D:B8:22:94
8 RS ;;; CAPCAC Basterl Kammerl
ether9 ether 1500 1598 9498 D4:CA:6D:B8:22:95
9 RS ;;; TrottelSwitch TP link iNTERN
ether10 ether 1500 1598 9498 D4:CA:6D:B8:22:96
10 RS ;;; technik b ro
ether11 ether 1500 1600 9500 D4:CA:6D:B8:22:97
11 RS ;;; CAPAC Technik
ether12 ether 1500 1600 9116 D4:CA:6D:B8:22:98
12 S ether13 ether 1500 1600 9116 D4:CA:6D:B8:22:99
13 D 2G-BastlRaum-1 cap 1500 1600 74:4D:28:51:57:D3
14 D 2G-BastlRaum-1-1 cap 1500 1600 76:4D:28:51:57:D3
15 DR 2G-ChefBuero-1 cap 1500 1600 74:4D:28:4C:1E:2D
16 D 2G-ChefBuero-1-1 cap 1500 1600 76:4D:28:4C:1E:2D
17 D 2G-MikroTik-1 cap 1500 1600 CC:2D:E0:EA:67:8C
18 D 2G-MikroTik-1-1 cap 1500 1600 CE:2D:E0:EA:67:8C
19 D 5G-BastlRaum-1 cap 1500 1600 74:4D:28:51:57:D4
20 D 5G-BastlRaum-1-1 cap 1500 1600 76:4D:28:51:57:D4
21 D 5G-ChefBuero-1 cap 1500 1600 74:4D:28:4C:1E:2E
22 D 5G-ChefBuero-1-1 cap 1500 1600 76:4D:28:4C:1E:2E
23 D 5G-MikroTik-1 cap 1500 1600 CC:2D:E0:EA:67:8D
24 D 5G-MikroTik-1-1 cap 1500 1600 CE:2D:E0:EA:67:8D
25 R bridge bridge 1500 1598 D4:CA:6D:B8:22:98
26 cap1 cap 00:00:00:00:00:00
27 R gast bridge 1500 1594 D4:CA:6D:B8:22:98
28 X loopback bridge 3E:88:14:BA:65:C1
29 X ;;; Hurricane Electric IPv6 Tunnel Broker
sit1 6to4-tu... 1280 65535
30 RS vlan1 vlan 1500 1594 D4:CA:6D:B8:22:90
31 RS ;;; WLAN
vlan2 vlan 1500 1594 D4:CA:6D:B8:22:93
32 RS ;;; WLAN
vlan3 vlan 1500 1594 D4:CA:6D:B8:22:90
33 RS vlan4 vlan 1500 1594 D4:CA:6D:B8:22:91
34 S vlan5 vlan 1500 1594 D4:CA:6D:B8:22:92
35 RS vlan6 vlan 1500 1594 D4:CA:6D:B8:22:94
36 RS vlan7 vlan 1500 1596 D4:CA:6D:B8:22:97
37 RS vlan8 vlan 1500 1596 D4:CA:6D:B8:22:98
38 S vlan9 vlan 1500 1596 D4:CA:6D:B8:22:99
39 S vlan10 vlan 1500 1594 D4:CA:6D:B8:22:8F
40 RS vlan11 vlan 1500 1594 D4:CA:6D:B8:22:95
41 X vlan12 vlan D4:CA:6D:B8:22:98
ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 84.113XXXXX 1
1 ADC 10.11.11.254/32 10.11.11.254 ether1 0
2 ADC ISP IP /24 ISP GW ether1 0
3 ADC 192.168.2.0/24 192.168.2.1 bridge 0
4 ADC 192.168.33.0/24 192.168.33.1 gast 0
5 ADC 192.168.77.254/32 192.168.77.254 ether1 0
[mark@XC-Office-Router] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
2 R name="XC-VPN" passive=yes profile=XC-VPN exchange-mode=ike2 send-initial-contact=no
/ip ipsec policy group
add name=rw-policies
add name=XC-VPN
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.2.0/24 group=XC-VPN proposal=XC-VPN src-address=0.0.0.0/0 template=yes
add dst-address=192.168.77.0/24 group=XC-VPN proposal=XC-VPN src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config
set [ find default=yes ] src-address-list=xcoorLAN
add address-pool=rw-pool address-prefix-length=32 name=rw-conf split-include=192.168.2.0/24
rw-pool 192.168.77.2-192.168.77.254
Can someone help me please?
Thank you!
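As an added diagnostic check (not from the original post or from RouterOS itself), a small Python script that parses the text of a RouterOS "ip address print" and flags dynamic /32 addresses on the WAN interface that fall inside the road-warrior pool, which is exactly the symptom described above. The sample output is constructed from the post, with the ISP address replaced by the 203.0.113.x documentation prefix.

```python
import ipaddress
import re

# Constructed sample modelled on the post's "ip address print" output.
# 203.0.113.10/24 is a placeholder for the real ISP address.
ADDRESS_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.2.1/24     192.168.2.0     bridge
 1   192.168.33.1/24    192.168.33.0    gast
 2 D 203.0.113.10/24    203.0.113.0     ether1
 3 D 10.11.11.254/32    10.11.11.254    ether1
 4 D 192.168.77.254/32  192.168.77.254  ether1
"""

# The mode-config pool from the post, written as "start-end".
RW_POOL = "192.168.77.2-192.168.77.254"
WAN_INTERFACE = "ether1"

# index, optional flags (X/I/D), address/prefix, network, interface
ROW = re.compile(r"^\s*(\d+)\s+([XID ]*)\s*(\S+/\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_address_print(text):
    """Return each address row as (flags, ip_interface, interface name)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:          # header and "Flags:" lines do not match
            continue
        _, flags, addr, _net, iface = m.groups()
        rows.append((flags.replace(" ", ""), ipaddress.ip_interface(addr), iface))
    return rows

def pool_bounds(pool):
    """Split a RouterOS pool range "a-b" into its first and last address."""
    start, end = pool.split("-")
    return ipaddress.ip_address(start), ipaddress.ip_address(end)

def stray_pool_addresses(text, pool, wan_iface):
    """Dynamic /32 addresses on the WAN interface that lie inside the
    road-warrior pool: a pool address has been assigned to the router."""
    lo, hi = pool_bounds(pool)
    hits = []
    for flags, iface_addr, iface in parse_address_print(text):
        if "D" not in flags or iface != wan_iface:
            continue
        if iface_addr.network.prefixlen != 32:
            continue
        if lo <= iface_addr.ip <= hi:
            hits.append(str(iface_addr))
    return hits
```

Run it against a fresh "ip address print" whenever the tunnel stops passing traffic; a non-empty result confirms the pool address has reappeared before you delete it by hand.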