Mikrotik hEX S (6.48.1) - Strongswan 2 policies, invalid SPI value

Hi,

I've configured a VPN connection between Mikrotik and Strongswan. When I have one policy configured, everything works perfectly, but when an additional policy is added, Mikrotik incorrectly classifies or processes the packet and puts the wrong SPI value into the ESP packet; Strongswan then drops the packet because the policy doesn't match.

Strongswan SAs:
##############
root@Syrenka:~# swanctl --list-sas

aleksandrowska: #2, ESTABLISHED, IKEv2, 973d810e50f8df99_i d826f20094b7c644_r*
local 'vpn.XX.pl' @ Strongswan[4500]
remote 'aleksandrowska@XX.pl' @ Mikrotik[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
established 7s ago, rekeying in 13839s
aleksandrowska: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 7s ago, rekeying in 3301s, expires in 3953s
in c1c4311c, 0 bytes, 0 packets
out 0f8baf0b, 0 bytes, 0 packets
local 10.10.10.1/32
remote 192.168.2.0/24
aleksandrowska2: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128/MODP_1024
installed 7s ago, rekeying in 3259s, expires in 3953s
in cc5eff5f, 0 bytes, 0 packets
out 0ab8c73b, 0 bytes, 0 packets
local 192.168.88.0/24
remote 192.168.2.0/24

Mikrotik
#######

[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default

PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT

0 T X* ::/0 ::/0 all
1 A vpn yes 192.168.2.0/24 10.10.10.1/32 all encrypt require 1962
2 A vpn yes 192.168.2.0/24 192.168.88.0/24 all encrypt require


[admin@MikroTik] > ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0xF8BAF0B src-address=Strongswan:4500 dst-address=192.168.1.203:4500 state=mature enc-algorithm=aes-gcm enc-key-size=160 enc-key="8a5599c1757bb34b43bb21927e50cf9fb47863f3" addtime=feb/10/2021 22:05:26 expires-in=1h57m16s
add-lifetime=1h36m/2h1s current-bytes=5712 current-packets=68 replay=128

1 E spi=0xC1C4311C src-address=192.168.1.203:4500 dst-address=Strongswan:4500 state=mature enc-algorithm=aes-gcm enc-key-size=160 enc-key="038338b8d3a32556b9619d55081a2f6056695f61" add-lifetime=1h36m/2h1s replay=128

2 HE spi=0xAB8C73B src-address=Strongswan:4500 dst-address=192.168.1.203:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="4f1e1363e252b70b3ddf620ac4fda41751b4e5d7ac9cbebca3a4c9644c3d1c1e"
enc-key="ea853910951f09cb7dd84aa8dbe7e60c" add-lifetime=1h36m20s/2h26s replay=128

3 HE spi=0xCC5EFF5F src-address=192.168.1.203:4500 dst-address=Strongswan:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="925fa2bfd662446bf4176c2af47363b00f307e91f90534f327e5048393ee8a06"
enc-key="69d7bddfa75b9fa3bd3032e7a86ff721" addtime=feb/10/2021 22:05:26 expires-in=1h57m41s add-lifetime=1h36m20s/2h26s current-bytes=5712 current-packets=68 replay=12

Strongswan# ping 192.168.2.1

Captured packets from Strongswan:
22:07:18.627492 IP Strongswan.4500 > Mikrotik.4500: UDP-encap: ESP(spi=0x0f8baf0b,seq=0x13), length 120
22:07:18.644640 IP Mikrotik.4500 > Strongswan.4500: UDP-encap: ESP(spi=0xcc5eff5f,seq=0x12), length 136

As you can see, Mikrotik put the SPI value from the second SA.

/Pawel

Change level from require to unique on the /ip ipsec policy rows and try again. I suspect that Mikrotik sends the traffic of both policies via the same SA and Strongswan drops traffic which comes in via the “wrong” SA.
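Added example, not from the thread and not a RouterOS or strongSwan tool: a Python check that models what strongSwan does after decryption, matching the inner flow against each child SA's traffic selectors and flagging an ESP packet whose SPI belongs to a different SA. The sample data is constructed from the swanctl output and the capture above; the function names are assumptions.

```python
# Added example: flag ESP packets whose SPI belongs to a child SA whose traffic
# selectors do not cover the inner flow (what strongSwan checks after decrypting).
import ipaddress
import re

# Constructed sample: child-SA lines of `swanctl --list-sas` from the thread.
SWANCTL_OUTPUT = """\
aleksandrowska: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
  in c1c4311c, 0 bytes, 0 packets
  out 0f8baf0b, 0 bytes, 0 packets
  local 10.10.10.1/32
  remote 192.168.2.0/24
aleksandrowska2: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128/MODP_1024
  in cc5eff5f, 0 bytes, 0 packets
  out 0ab8c73b, 0 bytes, 0 packets
  local 192.168.88.0/24
  remote 192.168.2.0/24
"""

def parse_child_sas(text):
    # One dict per child SA: name, spi_in, spi_out, local, remote
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"(\S+): #\d+, reqid \d+, INSTALLED", line)
        if m:
            cur = {"name": m.group(1)}
            sas.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(in|out) ([0-9a-f]{8}),", line)
            if m:
                cur["spi_" + m.group(1)] = int(m.group(2), 16)
            m = re.match(r"\s*(local|remote) (\S+)$", line)
            if m:
                cur[m.group(1)] = ipaddress.ip_network(m.group(2))
    return sas

def expected_sa(sas, src, dst, direction):
    """Child SA whose selectors cover the inner packet. For 'out' src is the
    local side; for 'in' (received at strongSwan) dst is the local side."""
    local, remote = (src, dst) if direction == "out" else (dst, src)
    for sa in sas:
        if (ipaddress.ip_address(local) in sa["local"]
                and ipaddress.ip_address(remote) in sa["remote"]):
            return sa
    return None

def check_spi(sas, src, dst, direction, spi):
    """Return (ok, expected SA name, SA that actually owns the SPI on the wire)."""
    exp = expected_sa(sas, src, dst, direction)
    key = "spi_" + direction
    used = next((sa["name"] for sa in sas if sa.get(key) == spi), None)
    return (exp is not None and exp[key] == spi, exp["name"] if exp else None, used)
```

Feeding it the reply to the ping from the capture (inner 192.168.2.1 -> 10.10.10.1, ESP spi=0xcc5eff5f) reports that the packet should have arrived on aleksandrowska but used the SPI of aleksandrowska2, which is exactly why strongSwan drops it.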

Hi,

Thank you, it works now.

/Pawel