So I’m working on setting up IPsec/L2TP with an iPad. I’ve done it a number of times on a number of different platforms, so I have a pretty good idea of what I’m doing.
The problem with the MikroTik is that you can’t add an IPsec policy that has a dynamic endpoint:
[admin@MikroTik] /ip ipsec policy> add src-address=x.x.x.x/32 src-port=1701 dst-address=0.0.0.0/0 dst-port=1701 protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=x.x.x.x sa-dst-address=0.0.0.0/0 proposal=default priority=1
invalid value for argument ip
It wants to see a real IP address for the sa-dst-address. That makes sense, and is probably why MikroTik gives us dynamic policies. So I go to use that, and IPsec comes up, but the policy is wrong:
[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x36733D4 src-address=x.x.x.x dst-address=166.147.93.225 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="0387a82de70a46a32750b5b58629906cb7c96154" enc-key="53205926fb782cd55b4035ef36d7369b78a55a22c4382d44" add-lifetime=48m/1h
use-lifetime=0s/0s lifebytes=0/0
1 E spi=0x77BEE75 src-address=166.147.93.225 dst-address=x.x.x.x auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="2ac9425dee01fd861f083912d84820836d84278c" enc-key="b684bf0bbbe426ec8065dbae1b5f8516943cf989f68e5fb2" addtime=jun/11/2012 13:21:23
add-lifetime=48m/1h usetime=jun/11/2012 13:21:23 use-lifetime=0s/0s current-bytes=158 lifebytes=0/0
[admin@MikroTik] /ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive
1 D src-address=10.41.150.188/32 src-port=any dst-address=x.x.x.x/32 dst-port=any protocol=udp action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=10.41.150.188 sa-dst-address=x.x.x.x proposal=default priority=2
In the code above you’ll notice a few things:
- I removed my public ip.
- I have another policy that is static for my site to site vpn that I omitted.
- The address that brought up the IPsec tunnel is a public address, but the policy is added for the NAT address. Of course my router has no idea how to get to that address, and thus none of the packets match the policy.
I do have NAT traversal enabled:
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=\
password send-initial-contact=yes
So RouterOS puts the policy in transport mode, but uses the inside IP. Is this a bug? It certainly doesn’t work.
Thanks,
schu
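The mismatch the post describes (an SA negotiated with the client's public address while the generated policy carries its private NAT address) can be spotted mechanically by cross-checking `/ip ipsec installed-sa print` against `/ip ipsec policy print`. The script below is an added example, not code from the original post or from MikroTik. The sample output it parses is constructed to mirror the output above: the redacted server address x.x.x.x is assumed to be 203.0.113.10, and the static site-to-site policy the poster omitted is filled in with a placeholder peer 198.51.100.7 purely so the static/dynamic distinction has something to act on.

```python
"""Cross-check RouterOS IPsec installed SAs against generated policies.

Added example, not code from the original post or from MikroTik. It parses the
kind of text that `/ip ipsec installed-sa print` and `/ip ipsec policy print`
produce and flags dynamic policies whose SA endpoint appears in no installed
SA: the symptom described in the post (SA negotiated with the client's public
address, policy generated for its private NAT address).

The sample output below is constructed to mirror the post. Assumptions: the
redacted server address x.x.x.x is 203.0.113.10, and the omitted static
site-to-site policy has the placeholder peer 198.51.100.7.
"""
import ipaddress
import re

SA_OUTPUT = """\
Flags: A - AH, E - ESP, P - pfs
 0 E spi=0x36733D4 src-address=203.0.113.10 dst-address=166.147.93.225 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
   auth-key="..." enc-key="..." add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0
 1 E spi=0x77BEE75 src-address=166.147.93.225 dst-address=203.0.113.10 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
   auth-key="..." enc-key="..." add-lifetime=48m/1h use-lifetime=0s/0s current-bytes=158 lifebytes=0/0
"""

POLICY_OUTPUT = """\
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.88.0/24 src-port=any dst-address=192.168.77.0/24 dst-port=any protocol=all action=encrypt level=require
     ipsec-protocols=esp tunnel=yes sa-src-address=203.0.113.10 sa-dst-address=198.51.100.7 proposal=default priority=1
 1 D src-address=10.41.150.188/32 src-port=any dst-address=203.0.113.10/32 dst-port=any protocol=udp action=encrypt level=require
     ipsec-protocols=esp tunnel=no sa-src-address=10.41.150.188 sa-dst-address=203.0.113.10 proposal=default priority=2
"""

# An entry line: index, optional single-letter flags, then the first key=value.
ENTRY_RE = re.compile(r"^\s*(\d+)((?:\s+[A-Z])*)\s+(\w[\w-]*=.*)$")
# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')
# RFC 1918 space: what a NAT-T client's inside address will normally fall in.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_print(output):
    """Return [(flags, {key: value}), ...] for RouterOS `print` output.

    Indented continuation lines (no leading index) belong to the previous entry."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((set(m.group(2).split()), _kv(m.group(3))))
        elif entries and not line.startswith("Flags:") and "=" in line:
            entries[-1][1].update(_kv(line))
    return entries


def _is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a prefix or junk rather than a host address
        return False
    return any(ip in net for net in RFC1918)


def check_policies(sa_output, policy_output, only_dynamic=True):
    """Flag policies whose sa-src/sa-dst address matches no installed SA endpoint."""
    endpoints = set()
    for _flags, sa in parse_print(sa_output):
        endpoints.update(a for a in (sa.get("src-address"), sa.get("dst-address")) if a)
    public = sorted(a for a in endpoints if not _is_rfc1918(a))

    findings = []
    for flags, pol in parse_print(policy_output):
        if only_dynamic and "D" not in flags:
            continue  # hand-written policies may legitimately be idle
        for field in ("sa-src-address", "sa-dst-address"):
            addr = pol.get(field)
            if not addr or addr in endpoints:
                continue
            reason = "no installed SA uses this address"
            if _is_rfc1918(addr) and public:
                reason = ("private (NAT inside) address, but the SAs were negotiated "
                          "with endpoint(s) " + ", ".join(public))
            findings.append({
                "selector": f"{pol.get('src-address')} -> {pol.get('dst-address')}",
                "field": field,
                "address": addr,
                "private": _is_rfc1918(addr),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in check_policies(SA_OUTPUT, POLICY_OUTPUT):
        print(f"MISMATCH {f['selector']}: {f['field']}={f['address']} ({f['reason']})")
```

On the constructed sample this reports exactly one mismatch, the dynamic policy whose sa-src-address is 10.41.150.188 while every installed SA uses 166.147.93.225. To use it against a live router, paste the two `print` outputs in place of the constructed strings; the parser assumes the wrapped multi-line layout shown in the post rather than `print terse`.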