Hi!
Help me understand why this discrepancy occurs, please.
First, why a Cisco vendor ID (because it is really a MikroTik)?
And second, why "no proposal" in the pfSense log?
Thanks!

IPSec has two sets of encryption settings, both of which can (kind of, not in Mikrotik) be called "proposals": one for IKE (key exchange) and one for the SA (data).
Your pfSense log clearly shows two mismatches:
And it happens right during the IKE phase; your connection doesn't even get as far as the SA.
Therefore, please check Mikrotik → IPSec → Profiles (not "Proposals") and make sure it matches the pfSense side.
FWIW, as an example, here is a section of my strongSwan config; as you can see, encryption for IKE is AES CBC but for the SA it is AES CTR. This is just to illustrate that IKE and SA use two separate sets of encryption settings.
connections {
    ec_tunnel {
        version = 2
        local_addrs = ...
        # IKE (phase 1) algorithms
        proposals = aes128-sha256-ecp256
        ....
        children {
            zzz {
                mode = transport
                # ESP / SA (phase 2) algorithms, chosen independently of the IKE ones
                esp_proposals = aes128ctr-sha256-ecp256
            }
        }
    }
}
Further, I would guess that, if you're running a fairly modern *swan (strongSwan, libreSwan... it looks more like the former), it has MODP768 off by default because that's too weak. In fact your pfSense log has it right there: "no acceptable DH group found".
You'd need to fix that in both places on the Mikrotik, under Proposals and under Profiles. MODP 2048 is recommended these days.
SHA1 may be off by default as well, but I can't be sure. SHA256 is a better choice.
PS - I would also not use "aggressive" key exchange while troubleshooting, and would switch to IKEv2 if possible, which requires fewer network round trips than IKEv1, so aggressive is not really necessary anymore. Keep in mind that IKEv2 uses port 4500 (IKEv1 uses port 500), so you may need to adjust firewall settings if applicable.
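The MikroTik counterpart of the strongSwan snippet in the answer above, as an added example that is not part of the original thread and not kmansoft's or MikroTik's own configuration. RouterOS keeps the IKE (phase 1) algorithms in /ip ipsec profile and the ESP/SA (phase 2) algorithms in /ip ipsec proposal, which is exactly the split the answer describes. The peer name "peer1", the remote address XX.XX.XX.XX and the "before" settings are assumptions chosen to show the weak configuration the answer warns about beside a corrected one.

```routeros
# Added example, not from the thread. "peer1" and XX.XX.XX.XX are placeholders.

# BEFORE: the kind of settings the answer warns about.
# IKE / phase 1: MODP768 offered, SHA1 for IKE integrity, 3DES still in the list.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024,modp768 enc-algorithm=aes-256,3des hash-algorithm=sha1
# ESP / phase 2: SHA1 only, 3DES still offered, weak PFS group.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,3des pfs-group=modp1024
# IKEv1 aggressive mode.
/ip ipsec peer
add name=peer1 address=XX.XX.XX.XX/32 exchange-mode=aggressive

# AFTER: what the answer recommends.
# IKE / phase 1 (strongSwan "proposals"): MODP2048, SHA256, AES only.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256
# ESP / phase 2 (strongSwan "esp_proposals"): SHA256, AES-CBC; pfs-group is the phase 2 DH group.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048
# Replace IKEv1 aggressive mode with IKEv2.
/ip ipsec peer
set peer1 exchange-mode=ike2

# Verification after changing both sides: the SA list should fill, and the ipsec log
# topic should no longer show "no proposal" or "no acceptable DH group".
/system logging add topics=ipsec,!packet
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

Each phase is negotiated separately, so the pfSense Phase 1 list must overlap the profile (AES, SHA256, DH group 14 / MODP2048) and the pfSense Phase 2 list must overlap the proposal; fixing only one of the two leaves the other "no proposal" in the log.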
Thank you, kmansoft, for your answer. It is very competent!
One of my mistakes is that I had not deleted the default policy where there is no "Tunnel" on the "Action" tab.
The second is that I hadn't created phase 2 on pfSense.
Now I have two "Installed SAs", to and from the remote peer.
But there are no pings between the MikroTik and pfSense, nor between the LAN of pfSense (192.168.0.0/24) and the LAN of the MikroTik (192.168.10.0/24).
Here is the config; please tell me what is wrong or what is missing here. Please look!
/ip ipsec peer
add address=XX.XX.XX.XX/32 exchange-mode=aggressive name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024,modp768 enc-algorithm=aes-256,aes-128,3des nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-ctr,aes-128-gcm,3des
…
/ip address
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
add address=192.168.10.150 disabled=yes interface=ipip-tunnel_ipsec network=192.168.10.0
…
/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=192.168.10.0/24 src-address=192.168.0.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.0.0/24 log=yes log-prefix=-------- src-address=192.168.10.0/24
add action=accept chain=input comment=udp500_accept_231 dst-port=500 protocol=udp src-address=XX.XX.XX.XX
add action=drop chain=input dst-port=23 in-interface=pppoe-out1 log-prefix=drop_tcp_23 protocol=tcp
add action=drop chain=input dst-port=22 in-interface=pppoe-out1 log-prefix=drop_ssh protocol=tcp
add action=accept chain=input comment=ipsec-ah_accept_231 protocol=ipsec-ah src-address=XX.XX.XX.XX (public Mikrotik)
add action=accept chain=input comment=ipsec-esp_accept_231 protocol=ipsec-esp src-address=XX.XX.XX.XX
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall nat
add action=accept chain=srcnat comment=home_to_pfsense dst-address=192.168.0.0/24 log=yes log-prefix=home_to_pfsense dst
…
/ip ipsec identity
add generate-policy=port-override peer=peer1 secret=***********
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.0.0/24 src-address=192.168.10.0/24
add dst-address=192.168.0.0/24 src-address=192.168.10.0/24 template=yes
Looks like you're trying to set up an IPIP tunnel protected by IPSec.
add address=192.168.10.150 disabled=yes interface=ipip-tunnel_ipsec network=192.168.10.0
Why, then, is the IPIP interface's IP address set to "disabled"?
You will want to:
1 - Create your IPIP (I use GRE, almost the same thing) "tun" interface on the server, and assign 1) the public addresses of your server and of the Mikrotik's "real" Internet connection to the "outside" of that interface, and 2) private addresses "inside the IPIP"; these should be on the same subnet so they can connect directly.
I suppose pfSense's management interface will do / already did this for you; worth checking.
2 - On the Mikrotik, assign its "inside the IPIP" address to the IPIP interface.
And then:
3 - Based on (2), the Mikrotik will create a route for the subnet "inside" the IPIP tunnel.
4 - Finally, on the Mikrotik you'll want a routing rule to direct traffic "into" the IPIP tunnel based on some criteria; it sounds like you want that to be your pfSense's LAN addresses, and possibly a NAT rule on the server if needed (if you want the tunnel to reach further into the outside world).
My setup:
1 - The GRE interface on the server
45: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1426 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre 139.0.0.1 peer 178.0.0.1
inet 10.0.0.1 peer 10.0.0.2/32 scope global tun1
139.0.0.1 is the server’s public IP and 178.0.0.1 is the IP of the “real” Internet on the Mikrotik
10.0.0.1 is the IP of “inside the GRE” interface on the server and 10.0.0.2 is the IP of the Mikrotik side
2 - Mikrotik side needs the IP of “its end” of the GRE tunnel
/ip address print
1 10.0.0.2/24 10.0.0.0 gre-tunnel1
3 - The route for the GRE on the Mikrotik side, created automatically
/ip route print
3 ADC 10.0.0.0/24 10.0.0.2 gre-tunnel1 0
Even without (4), which can vary based on your needs, you should be able to ping the IPIP tunnel's "opposite side" using the "inside" addresses. If you can, it means the tunnel itself is working.
To use my setup as an example, I mean "ping 10.0.0.1" from the Mikrotik and "ping 10.0.0.2" from the server.
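The four steps above carried out on the MikroTik side with an IPIP interface (the thread's case) instead of kmansoft's GRE, as an added example that is not part of the original thread and not kmansoft's own setup. It assumes the same placeholder pair kmansoft used (178.0.0.1 for the MikroTik's public address, 139.0.0.1 for the pfSense/server side), a 10.0.0.0/30 subnet "inside" the IPIP with 10.0.0.1 on pfSense and 10.0.0.2 on the MikroTik, an existing IPsec peer named peer1, and that RouterOS names IP protocol 4 (IP-in-IP) "ipencap" in policy matchers; that keyword is an assumption, as are all the addresses.

```routeros
# Added example, not from the thread. All addresses are placeholders.

# Step 1 (MikroTik end of the "outside"): the IPIP interface runs between the two public addresses.
/interface ipip
add name=ipip-tunnel_ipsec local-address=178.0.0.1 remote-address=139.0.0.1 mtu=1400 clamp-tcp-mss=yes

# Step 2: the "inside the IPIP" address, on its own small subnet, NOT a LAN address such as 192.168.10.150.
/ip address
add address=10.0.0.2/30 interface=ipip-tunnel_ipsec comment="inside-the-IPIP, MikroTik end"

# Step 3 happens by itself: the /30 appears as a connected route on ipip-tunnel_ipsec.
/ip route print where dst-address=10.0.0.0/30

# Protect the IPIP packets with IPsec in transport mode: only IP protocol 4 between the two
# public addresses is encrypted, so IKE and everything else is untouched. pfSense needs the
# matching Phase 2 (transport mode, same two hosts, same protocol).
/ip ipsec policy
add peer=peer1 tunnel=no src-address=178.0.0.1/32 dst-address=139.0.0.1/32 protocol=ipencap action=encrypt level=require proposal=default comment="IPIP to pfSense"

# Step 4: send the pfSense LAN "into" the tunnel via the far end's inside address.
/ip route
add dst-address=192.168.0.0/24 gateway=10.0.0.1 comment="pfSense LAN via IPIP"

# Do not masquerade LAN-to-LAN traffic; this rule must sit above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.0.0/24 place-before=0

# Check order: first the tunnel itself (inside addresses), only then the LANs behind it.
/ping 10.0.0.1
/ping 192.168.0.1
```

If `/ping 10.0.0.1` fails while `/ip ipsec installed-sa print` shows SAs in both directions, the IPsec part is fine and the problem is the IPIP layer (endpoint addresses, the pfSense side's tunnel interface, or a filter rule dropping protocol 4); if the inside ping works but the LAN ping does not, look at the route and at the pfSense firewall rules on its IPIP interface.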
But isn't this interface intended for use with L2TP?
That is the reason why I disabled the L2TP interface; I created it when I tried to set up L2TP over IPsec.
I guess you're saying that you gave up on l2tp (which, by the way, works fine with IPSec, and Mikrotik has support for it)?
But then you didn't post all the relevant bits of your current configuration?
Have you only set up IPSec so far?
You can use a variety of technologies in combination with that: GRE, IPIP, L2TP.
Or you can set up Site-to-Site with IPSec alone (if Site-to-Site, as opposed to Host-to-Host, is your intent):
https://www.strongswan.org/testing/testresults/swanctl/net2net-psk/
But to connect the networks "on the outside" of your tunnel, you will need some additional routing rules (on both sides).
In the example at the link above these are created by "updown = /usr/local/libexec/ipsec/_updown iptables" in the strongSwan config.
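The "IPSec alone" (policy-based) site-to-site variant from the reply above, written for the MikroTik side as an added example that is not part of the original thread and not kmansoft's or strongSwan's configuration. On RouterOS there is no updown script: the policy with tunnel=yes selects the LAN-to-LAN traffic, and the NAT bypass and filter rules do the job the linked example leaves to _updown. It assumes the peer name peer1 and the two LANs from the posted config (192.168.10.0/24 behind the MikroTik, 192.168.0.0/24 behind pfSense) and the default proposal.

```routeros
# Added example, not from the thread. Peer and subnets are taken from the posted config as assumptions.

# Policy-based site-to-site: tunnel=yes, one policy per pair of LANs, no IPIP/GRE interface and no
# static route needed, because the policy grabs matching packets on their way out.
/ip ipsec policy
add peer=peer1 tunnel=yes src-address=192.168.10.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require proposal=default comment="LAN to pfSense LAN"

# NAT bypass: srcnat runs before the policy check, so a masquerade rule would rewrite the source
# address and the policy would never match. Place this above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.0.0/24 place-before=0 comment="no NAT into IPsec"

# Forwarding: accept NEW flows in both directions based on the IPsec policy match, not only
# established/related ones. Keep these above any fasttrack rule so fasttracked packets do not
# bypass the policy.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="from pfSense LAN via IPsec" place-before=0
add chain=forward action=accept ipsec-policy=out,ipsec comment="to pfSense LAN via IPsec" place-before=0

# The pfSense side is the mirror image: a Phase 2 of type "Tunnel IPv4" with local network
# 192.168.0.0/24 and remote network 192.168.10.0/24, plus an IPsec-tab firewall rule allowing it.

# Check: the policy should show "PH2 State: established" and counters should move on a LAN ping.
/ip ipsec policy print detail
/ip ipsec statistics print
```

The policy selectors on both ends must be exact mirrors (local/remote networks swapped); a narrower or wider subnet on one side produces an SA that is installed but matches nothing, which looks just like the "SAs installed, no pings" symptom described earlier in the thread.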
pfSense already has one IPsec connection with one remote peer. I need one more with another peer.
I would prefer L2TP but... when I configure an L2TP server on pfSense and the mobile clients configuration, I need to configure the second phase again.
Theoretically, MikroTik IPsec (as tunnel, not transport) works without new virtual interfaces, and traffic is directed into the tunnel according to policies. How it works, I don't know.
Only NAT and a few filter rules are needed.
I added the ipip-tunnel_ipsec interface with the address (IP → Addresses) 192.168.10.150 (any unused IP of the MikroTik internal LAN?); no pings from the MikroTik terminal to pfSense (or to the pfSense LAN net), and no pings from the pfSense command line to the MikroTik LAN PCs.