IPsec VPN-phase 2 not completing on my MT end

Hello,

I have a RH1100AHx2 that has several site-to-site IPsec VPNs running on it (3 total). We changed ISPs recently, and I took the opportunity to update this device and start with a new configuration, bringing some settings from v6.29.1. I got 2 of the VPNs connected by having the techs on the remote sides replace the IP addresses and either rebuild their configs or reset them (all remote peers are Ciscos). The third VPN, I am having trouble with. On his end, phase 1 and 2 are up and running, and passing traffic to my side, but he doesn’t see any return traffic. In my log, I can see the IPsec established, but I get two errors: “xxx.xxx.xxx.xxx failed to pre-process ph2 packet” and “xxx.xxx.xxx.xxx peer sent packet for dead phase2”. Everything has been confirmed with the remote tech several times. I feel like it’s something on this end. I have rebuilt my settings from scratch, just in case there is something from the old version that’s not valid in the new, but the results were the same.

Here are my settings:

Proposal:

name="Name" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none

Policy:

src-address=<localLANaddress>/32 src-port=any dst-address=<remoteLANaddress>/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<localWANIPaddress> sa-dst-address=<remoteWANIPaddress> proposal=New IU-Health-Phase 2 priority=0

Peer:

address=<remoteWANIPaddress>/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="<password>" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

I have a srcnat rule in place to accept traffic across to the remote LAN:

chain=srcnat action=accept src-address=<localLANaddress> dst-address=<remoteLANaddress> log=no log-prefix=""

My remote counterpart also sent me output from his Cisco showing the status, if anyone would like to see it. For some reason, this exact setup worked fine on my other router running 6.29.1, but not here. I can’t figure out why phase 2 is not processing on my end, but is on his end.

Thanks

First, your posted proposal name does not match the proposal name in the policy.
Are you sure you posted the correct proposal for this policy?
Is it possible you (or the remote end) are using sha256?

This is from the release notes of 6.34:

*) ipsec - fix phase2 hmac-sha-256-128 truncation len from 96 to 128
This will break compatibility with all previous versions and any other
currently compatible software using sha256 hmac for phase2;

This could explain why it worked under 6.29.1 and now doesn’t.

-Chris
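To show why the release-note change Chris quotes breaks phase 2 interop, here is an added example (not from the thread or from RouterOS) that builds a minimal ESP packet authenticated with HMAC-SHA-256 and checks it with a receiver that expects either the old 96-bit or the RFC 4868 128-bit truncated ICV. The key, payload and sequence number are constructed; the SPI value is the one shown later in the thread's ASA output.

```python
import hmac
import hashlib

# RFC 4868 HMAC-SHA-256-128 truncates the 32-byte MAC to 16 bytes for the ESP ICV.
# RouterOS before 6.34 truncated to 12 bytes (96 bits), per the quoted release note.
ICV_LEN_LEGACY = 12    # 96-bit truncation (pre-6.34 RouterOS behaviour)
ICV_LEN_RFC4868 = 16   # 128-bit truncation (RFC 4868, RouterOS 6.34+)

def esp_icv(key: bytes, authenticated: bytes, icv_len: int) -> bytes:
    """Truncated HMAC-SHA-256 over the ESP header and payload."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]

def build_esp(key: bytes, spi: int, seq: int, payload: bytes, icv_len: int) -> bytes:
    """Assemble a minimal ESP packet: SPI || sequence number || payload || ICV."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authed = header + payload
    return authed + esp_icv(key, authed, icv_len)

def verify_esp(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side: split off the last icv_len bytes as the ICV and recompute it."""
    if len(packet) < 8 + icv_len:
        return False
    authed, icv = packet[:-icv_len], packet[-icv_len:]
    # A receiver expecting a different ICV length slices the packet at the wrong
    # offset, so the recomputed MAC covers different bytes and never matches.
    return hmac.compare_digest(esp_icv(key, authed, icv_len), icv)

def interop(sender_icv_len: int, receiver_icv_len: int) -> bool:
    """Send one ESP packet with one truncation length to a peer using another."""
    key = b"\x11" * 32                       # constructed demo key, not a real SA key
    spi = 0x03C365FF                         # outbound SPI from the ASA output in the thread
    pkt = build_esp(key, spi, 1, b"constructed encrypted payload", sender_icv_len)
    return verify_esp(key, pkt, receiver_icv_len)

if __name__ == "__main__":
    for s, r in [(12, 12), (16, 16), (12, 16), (16, 12)]:
        print(f"sender {s*8}-bit ICV -> receiver {r*8}-bit ICV: "
              f"{'accepted' if interop(s, r) else 'integrity check failed'}")
```

Only the two matched cases verify; a 6.34+ router expecting a 128-bit ICV silently drops packets carrying a 96-bit one and vice versa, which is the compatibility break the release note describes.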

Regarding the proposal name discrepancy, I changed the name in the Proposal for anonymity and forgot to change the one in the Policy. Noobie error!

I know for certain that I am not using sha256, and I left a VM for the remote tech to see if he has it enabled.

Here is the info he gave me on his end; I have changed the IP addresses. Anything referred to as ‘My’ refers to my Mikrotik side, and ‘His’ refers to his Cisco side. I don’t really know what this output means, but except for changing the IP addresses, I have copied exactly what he emailed me.

Phase 1:

96 IKE Peer:
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 28560


Phase 2:


MH-MUX-ASA1# show ipsec sa peer
peer address:
Crypto map tag: RemoteAccess, seq num: 153, local addr:

access-list extended permit ip host host
local ident (addr/mask/prot/port): (/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (/255.255.255.255/0/0)
current_peer:

#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: , remote crypto endpt.:

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 03C365FF
current inbound spi : E7900339

inbound esp sas:
spi: 0xE7900339 (3884974905)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 126930944, crypto-map: RemoteAccess
sa timing: remaining key lifetime (kB/sec): (4374000/3315)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x03C365FF (63137279)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 126930944, crypto-map: RemoteAccess
sa timing: remaining key lifetime (kB/sec): (4373999/3315)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

MH-MUX-ASA1#
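The packet counters in the ASA output above are the part worth reading: the Cisco has encapsulated 12 packets towards the MikroTik but decapsulated none. As an added example (not from the thread or from Cisco), this script pulls the `#pkts` counters out of a constructed excerpt in the same format and classifies the SA as one-way, idle or bidirectional.

```python
import re

# Constructed excerpt in the format of the ASA "show ipsec sa" output quoted above.
SAMPLE = """\
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""

# Each field looks like "#pkts encaps: 12"; several fields share one line.
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z\- ]+?):\s*(?P<value>\d+)")

def parse_counters(text: str) -> dict:
    """Return {'pkts encaps': 12, 'pkts decaps': 0, ...} from the SA output."""
    return {m.group("name").strip(): int(m.group("value"))
            for m in COUNTER_RE.finditer(text)}

def diagnose(counters: dict) -> str:
    """Classify the SA from its direction counters as seen on the Cisco side."""
    sent = counters.get("pkts encaps", 0)
    received = counters.get("pkts decaps", 0)
    if counters.get("recv errors", 0) > 0:
        return "receiving but failing to decapsulate: check integrity/encryption settings"
    if sent > 0 and received == 0:
        return "one-way: this side encrypts but gets nothing back, the far end is not sending into this SA"
    if sent == 0 and received == 0:
        return "idle: no traffic has matched the policy in either direction"
    return "bidirectional"

if __name__ == "__main__":
    counters = parse_counters(SAMPLE)
    print(counters)
    print(diagnose(counters))
```

On the numbers in the thread this reports the one-way case, which matches the MikroTik side logging "failed to pre-process ph2 packet" and never building a matching outbound SA.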