mikrotik ipsec and strongswan

I’m trying to set up IPsec between MikroTik and strongSwan. The server with strongSwan is behind one-to-one NAT. All that I get in the logs is:

12:16:16 ipsec,info initiate new phase 1 (Identity Protection): mikrotik_ip[500]<=>strongswan_ip[500] 
12:16:17 ipsec,info ISAKMP-SA established mikrotik_ip[4500]-strongswan_ip[4500] spi:61b688aed15cdf77:76b9804f6176c4bc 
12:16:17 ipsec,info ISAKMP-SA deleted mikrotik_ip[4500]-strongswan_ip[4500] spi:61b688aed15cdf77:76b9804f6176c4bc rekey:1

strongswan side:

Dec  5 12:17:26 srv2 ipsec[32066]: 10[NET] sending packet: from strongswan_private_ip[4500] to mikrotik_ip[4500] (76 bytes)
Dec  5 12:17:26 srv2 ipsec[32066]: 06[NET] received packet: from mikrotik_ip[4500] to strongswan_private_ip[4500] (92 bytes)
Dec  5 12:17:26 srv2 ipsec[32066]: 06[ENC] parsed INFORMATIONAL_V1 request 3391131250 [ HASH D ]
Dec  5 12:17:26 srv2 ipsec[32066]: 06[IKE] received DELETE for IKE_SA skynet[80]
Dec  5 12:17:26 srv2 ipsec[32066]: 06[IKE] deleting IKE_SA skynet[80] between strongswan_private_ip[strongswan_public_ip]...mikrotik_ip[mikrotik_ip]

ipsec.conf:

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn skynet
    dpdaction=clear
    dpddelay=120s
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    auto=start
    forceencaps=yes
    rekey=no
    type=tunnel
    keyexchange=ike
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    left=%defaultroute
    leftid=strongswan_public_ip
    leftsourceip=strongswan_public_ip
    leftprotoport=17/1701
    right=mikrotik_ip
    rightprotoport=17/%any

mikrotik:

/ip ipsec peer add address=strongswan_public_ip/32 enc-algorithm=aes-256,aes-128,3des lifetime=1h secret=key
/ip ipsec policy add dst-address=strongswan_public_ip/32 dst-port=1701 protocol=udp sa-dst-address=strongswan_public_ip sa-src-address=mikrotik_ip src-address=mikrotik_ip/32 \
    src-port=1701 tunnel=yes

I will be grateful for any help.
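The two configs above disagree on a couple of points that are easy to miss by eye. As an added example (not from this thread or either project), here is a small checker that parses the posted conn section and the RouterOS policy line and lists the things a practitioner would verify first: repeated keys, PFS versus a DH group in the ESP proposal, tunnel/transport mode on both sides, and the UDP/1701 selector. The inputs are constructed from the configs posted above, trimmed to the relevant keys.

```python
import re

# Constructed from the configs posted above, trimmed to the keys the checker looks at.
IPSEC_CONF = """
conn skynet
    authby=secret
    pfs=no
    auto=add
    auto=start
    type=tunnel
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    leftprotoport=17/1701
    right=mikrotik_ip
    rightprotoport=17/%any
"""
ROS_POLICY = ("/ip ipsec policy add dst-address=strongswan_public_ip/32 dst-port=1701 "
              "protocol=udp src-address=mikrotik_ip/32 src-port=1701 tunnel=yes")

def parse_conn(text, name):
    """Return {key: [values...]} for one conn section; repeated keys keep every value."""
    conn, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^\S", line):              # an unindented line starts a new section
            inside = line.strip() == f"conn {name}"
            continue
        if inside and "=" in line:
            k, v = line.strip().split("=", 1)
            conn.setdefault(k, []).append(v)
    return conn

def parse_ros(cmd):
    """Turn a RouterOS 'add key=value ...' line into a dict."""
    return dict(re.findall(r"(\S+?)=(\S+)", cmd))

def check(conn, pol):
    """Return human-readable findings about the two configs; empty means nothing to flag."""
    f = [f"duplicate key {k}={v}; only one value will be honoured"
         for k, v in conn.items() if len(v) > 1]
    esp = conn.get("phase2alg", conn.get("esp", [""]))[-1]
    if conn.get("pfs", [""])[-1] == "no" and re.search(r"modp\d+", esp):
        f.append("pfs=no but the ESP proposal carries a DH group; both peers must agree on PFS")
    sw_mode = conn.get("type", ["tunnel"])[-1]
    ros_mode = "tunnel" if pol.get("tunnel") == "yes" else "transport"
    if sw_mode != ros_mode:
        f.append(f"mode mismatch: strongSwan {sw_mode}, RouterOS {ros_mode}")
    proto, port = conn.get("leftprotoport", ["/"])[-1].split("/")
    if (proto == "17" and pol.get("protocol") != "udp") or port != pol.get("dst-port"):
        f.append("selector mismatch: leftprotoport vs RouterOS protocol/dst-port")
    return f

findings = check(parse_conn(IPSEC_CONF, "skynet"), parse_ros(ROS_POLICY))
```

Run as-is it reports the duplicated auto= key and the pfs=no / modp2048 disagreement; the mode and the UDP/1701 selector on the posted configs agree.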

MikroTik RoS version? strongSwan version?

Try to increase log verbosity on the strongSwan side (and then on the MT side) and report back.

RoS version is 6.40.5, strongSwan is 5.5.1.
mikrotik.log (2.92 KB)
strongswan.log (632 KB)

There are no timestamps on the strongSwan side.
I see Phase 1 won’t come up. I also see an L2TP connection starting on the MT. Are you trying to do L2TP over IPsec? strongSwan cannot handle L2TP directly; you need a separate daemon like xl2tpd.

I would try to use IKEv2, as it’s more robust in NAT scenarios. I’ve already tested IKEv2 between MT and strongSwan 5+ and it works perfectly.

Times are synchronized. I know; there is xl2tpd on the server and it works fine without IPsec, but the IPsec rule prevents establishing an L2TP connection without encryption. I will try IKEv2, thank you, maybe it will help.

I presume you specifically need (tunnel/encryption and) a virtual interface (L2TP); otherwise an IPsec/IKEv2 policy would be simpler.
Maybe you can bring up the IKEv2 tunnel first and then place L2TP over it (two steps, without the MT "encryption" checkbox auto-creating it), so you can debug each separately.

I’m not at the office now, but as soon as I can I will provide some config snippets, if you need them.

Yeah, please share your configs if you can. I already switched to IKEv2 and the IPsec exchange is established, but no traffic comes through after it, and I can’t work out why.

I would appreciate any help on that too.