Mikrotik <-> Cisco IPsec IKEv2 VPN

RouterOS General
1

Hello! Having troubles to setup my Mikrotik (RB750GL with 6.47.1) to establish a IPsec IKEv2 VPN with a Cisco router. Here’s the config of the Cisco Router that was sent to me:

crypto ikev2 proposal ikev2-prop-partner 
 encryption aes-gcm-256
 prf sha512
 group 14

crypto ikev2 policy ikev2-policy-partner 
 match fvrf any
 proposal ikev2-prop-partner

crypto ikev2 keyring ikev2-keyring-partner
 peer partner
  address 88.XXX.XXX.106
  pre-shared-key *********************
 !

crypto ikev2 profile ikev2-prof-partner
 match identity remote address 88.XXX.XXX.106 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring-partner

crypto ipsec transform-set ipsec-prop-partner esp-gcm 256 
 mode tunnel
 set transform-set ipsec-prop-partner 
 set ikev2-profile ikev2-prof-partner
 match address crypto-acl-partner

ip access-list extended crypto-acl-partner
 permit ip 10.101.0.0 0.0.255.255 192.168.2.0 0.0.0.255

Here’s how I set up the Mikrotik VPN:

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=NDA-DG

/ip ipsec peer
add address=34.XXX.XXX.251/32 comment="VPN NDA-DG" exchange-mode=ike2 name=NDA-DG profile=NDA-DG send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=8h name=NDA-DG pfs-group=modp2048

/ip ipsec identity
add comment="VPN NDA-DG" peer=NDA-DG secret=***********************************

/ip ipsec policy
add comment="VPN NDA-DG" dst-address=10.101.0.0/16 peer=NDA-DG proposal=NDA-DG sa-dst-address=34.XXX.XXX.251 sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes

Here’s what the Mikrotik log says:

12:39:54 ipsec ike2 starting for: 34.XXX.XXX.251 
12:39:55 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
12:39:55 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
12:39:55 ipsec adding payload: NONCE 
12:39:55 ipsec adding payload: KE 
12:39:55 ipsec adding payload: SA 
12:39:55 ipsec <- ike2 request, exchange: SA_INIT:0 34.XXX.XXX.251[4500] 1c006823eafc81cb:0000000000000000 
12:39:55 ipsec,debug ===== sending 424 bytes from 88.XXX.XXX.106[4500] to 34.XXX.XXX.251[4500] 
12:40:00 ipsec ike2 init retransmit 
12:40:00 ipsec,debug ===== sending 424 bytes from 88.XXX.XXX.106[4500] to 34.XXX.XXX.251[4500]

I am stuck, and don’t know what else I could try. I have successfully setup several VPN tunnels to various entities, including IKEv2 to a Cisco-router, but I have no idea why this one does not work. I am only in email contact with the team on the Cisco side.

2

The log shows that the Cisco peer neither responds your initial IKEv2 packets nor attempts to initiate the IKEv2 connection from its own side.

What does /tool traceroute 34.XXX.XXX.251 show?

3

Thank you for your response!
Traceroute shows this, however, I know the other side wont respond to ping. I know it’s there though.

 1 88.XXX.XXX.105                     0%   10   0.7ms     0.6     0.5     0.7     0.1                                                                                
 2                                  100%   10 timeout                                                                                                                
 3 195.3.65.5                        30%   10     5ms     5.2       5     5.6     0.2                                                                                
 4 195.3.68.62                       90%   10 timeout     5.3     5.3     5.3       0                                                                                
 5 99.82.177.116                      0%   10   9.7ms     6.5     5.2     9.9     1.7                                                                                
 6 52.93.38.229                       0%   10   5.6ms     5.5     5.1     5.9     0.3 <MPLS:L=8584,E=0>                                                              
 7 52.93.38.131                       0%   10   5.4ms     9.5     5.1    31.2     7.9                                                                                
 8                                  100%   10 timeout                                                                                                                
 9                                  100%   10 timeout                                                                                                                
10                                  100%    9 timeout                                                                                                                
11                                  100%    9 timeout                                                                                                                
12                                  100%    9 timeout

Also I added a firewall rule just to see if any traffic is coming in, and in fact there is!

/ip firewall filter
add action=accept chain=input comment="default configuration" in-interface=ether1-WAN src-address=34.XXX.XXX.251

It shows packets of roughly 40-70 bytes trickling in. Which is puzzling, since the ipsec log indeed shows no sign of incoming traffic…
I must be missing something…

4

Post the anonymized export of the Mikrotik configuration - as the packets from the Cisco arrive but don’t make it to the IPsec stack, it must be something else (not IPsec related) in the configuration.

5

Please see attached config file. Thanks for your help!!
config.txt (12.8 KB)

6

I’m not good at reading Cisco configs, could you clarify what party you expect to send initial contact? From the Mikrotik logs (“ike2 starting for” and config (no “passive=yes” on /ipsec peer) I gather you expect a Mikrotik to make initial contact. However, you also have “send-initial-contact=no” and mode-config is in responder mode.

To get a grasp of the situation best would be to sniff IPsec-related traffic on WAN (ports 500,4500, protocol UDP). First few packets related to Phase 1 are unencrypted.

7

I cannot see anything wrong in your configuration (I mean, the firewall rules could me a little bit more efficient but that’s a minor thing). Can you add log=yes to the action=accept chain=input in-interface=ether1-WAN src-address=34.XXX.XXX.251 rule and see in the log to what port the packets from 34.xxx.xxx.251 arrive?

8

It’s actually a misconception I’ve suffered from myself for years. The send-initial-contact parameter has nothing to do with controlling whether the peer will initiate connections or not - this is what the passive parameter controls. INITIAL_CONTACT is an optional notification, asking the peer receiving it to drop any existing IKE connections from the same source IP address and continue only with the one within which this INITIAL_CONTACT has arrived.
EDIT: the above is not precise, see clarification here.


That doesn’t matter since the /ip ipsec identity row we’re dealing with here doesn’t refer to any mode-config at all.

9

Not sure if this is helpful:

20:20:36 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.251:4500->88.XXX.XXX.106:4500, len 64 
20:20:38 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.251:4500->88.XXX.XXX.106:4500, len 29 
20:20:41 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.251:4500->88.XXX.XXX.106:4500, len 64 
20:20:46 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.251:4500->88.XXX.XXX.106:4500, len 64 
20:20:48 firewall,info CISCO input: in:ether1-WAN out:(unknown 0), src-mac 20:83:f8:57:c4:98, proto UDP, 34.XXX.XXX.251:4500->88.XXX.XXX.106:4500, len 29

How could I see the actual contents of the packets?

10

What’s interesting is that this rule does not show any traffic:

/ip firewall filter
add action=accept chain=input comment=VPN protocol=udp src-address-list=VPN src-port=500,4500

34.XXX.XXX.251 is of course part of the VPN address-list.

Interestingly, this is something that puzzled me in the past, when successfully setting up other IPSec VPN’s - this rule did not show any traffic either.
The purpose of this rule of course is to only accept IPsec traffic from specific IP’s.

11

It is helpful in terms that we now know that they are not “ICMP destination unreachable” responses to the packets from your Mikrotik, but it doesn’t explain why the Mikrotik IPsec stack ignores them.


To see the contents, you have to sniff into a file and open the file using Wireshark.

/tool sniffer set file-name=ipsec.pcap
/tool sniffer quick ip-address=34.XXX.XXX.251

Let it run for a minute, then stop it, download the file an open it using Wireshark.

12

In your current case, the packets from 34.XXX.XXX.251 are accepted already by the rule accepting anything from that address, so they never reach this rule matching on src-address-list=VPN; in other cases, if your router sends a packet first, the response is accepted by the action=accept connection-state=established rule, so they also do not reach that rule matching on src-address-list=VPN.

13

Let’s hope I have done that right…
wireshark.png
I guess we can see her both incoming and outgoing traffic?
The Cisco seems to send NAT-keepalive and ESP (SPI=xxxxxxxxxxxx) packets.
Where else the Mikrotik sends IKE_SA_INIT packets.

14

in other cases, if your router sends a packet first, the response is accepted by the action=accept connection-state=established rule, so they also do not reach that rule matching on src-address-list=VPN.

Ah I see, so the “VPN IPsec filter rule for UDP 500,4500” only ever hits if the other side initiates the VPN negotiation? That makes sense… So I guess I can leave it as it is?

15

The sniff shows that you’ve got another peer of 34.XXX.XXX.251 somewhere in the LAN of the RB750, which may explain why the Cisco ignores the IKE_SA_INIT packets sent by the RB750 itself.

/ip firewall connection print detail where src-address~“34.XXX.XXX.251” or dst-address~“34.XXX.XXX.251” should show you the IP address of that peer.

16

Correct. You can even remove the rule accepting anything from 34.XXX.XXX.251.

17

Got the following response:

[admin@MikroTik Main-Router] > /ip firewall connection print detail where src-address~"34.XXX.XXX.251" or dst-address~"34.XXX.XXX.251"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC     protocol=udp src-address=88.XXX.XXX.106:4500 dst-address=34.XXX.XXX.251:4500 reply-src-address=34.XXX.XXX.251:4500 reply-dst-address=88.XXX.XXX.106:4500 timeout=2m59s 
            orig-packets=94 901 orig-bytes=30 195 575 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=175 599 repl-bytes=16 978 279 repl-fasttrack-packets=0 
            repl-fasttrack-bytes=0 orig-rate=3.6kbps repl-rate=232bps
18

Correct. You can even remove the rule accepting anything from 34.XXX.XXX.251.

Sure, it’s only an easy way (for me) to see if there is even any traffic coming from that address. Will remove after the VPN actually works :slight_smile:

19

Hm. So there WAS a peer in the past, but it is not active at the moment, and the Cisco hasn’t found out yet - the connection shown is the one of the RB750 itself.

I’d say disable the peer on the RB750, give it an hour, and see whether the Cisco finds out that the connection went down. But it is strange, do you have any idea how that could have happened?

20

Well, we did experiment with this partner over the last couple of days with various VPN configurations. One of them was a IKEv1 config that actually did manage to establish a connection, but dropped the SA-keys immediately after establishing it.

So you want me to disable the entire VPN config (peer, policy, proposal etc) for an hour, and see if that connection went down - then try again? Can do that…