Problems with Ikev2 to Lancom

Hi. Could someone help me please. I want to try a site-to-site connection between a RB760iGS with 7.3.1 and a Lancom router. The tunnel is created but no traffic.
Both sides have a public dynamic ip which is resolvable via dns.
The main parts of the config are:

/ip ipsec profile
add dh-group=modp2048 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=5h name=BINTEC_PROFILE prf-algorithm=sha256
/ip ipsec peer
add address=DNS_HOST1 exchange-mode=ike2 name=TO_BER profile=BINTEC_PROFILE send-initial-contact=yes
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h name=BINTEC_PROPOSAL pfs-group=modp2048
/ip ipsec identity
add auth-method=pre-shared-key disabled=no generate-policy=no my-id=user-fqdn:HOST1@DNS_HOST2 peer=TO_BER remote-id=user-fqdn:HOST2@DNS_HOST1
/ip ipsec policy
add action=encrypt disabled=no dst-address=172.16.10.64/26 dst-port=any ipsec-protocols=esp level=require peer=TO_BER proposal=BINTEC_PROPOSAL protocol=all sa-dst-address=xxx.xxx.xxx.xxx \
    sa-src-address=yyy.yyy.yyy.yyy src-address=172.16.5.0/26 src-port=any tunnel=yes

The entries of the firewall are:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="REMOTE SSH" dst-port=8686 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="Drop Invalid :"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1 log-prefix="Drop Wan : "
/ip firewall raw
add action=notrack chain=prerouting dst-address=172.16.5.0/26 src-address=172.16.10.64/26
add action=notrack chain=prerouting dst-address=172.16.10.64/26 src-address=172.16.5.0/26
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.10.64/26 src-address=172.16.5.0/26
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat ipsec-policy=out,none log-prefix=ppoe out-interface=pppoe-out1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=WAN-sfp1.3_VOIP

If I ping the local address of the MikroTik or vice versa, the counter in-state-mismatches increments.

In the log file I always see

 17:07:11 ipsec IPSEC: : <- ike2 request, exchange: INFORMATIONAL:30 xxx.xxx.xxx.xxx[4500] 91a62b14d12bbcd6:b7d13cdb6c855ea8
 17:07:11 ipsec,debug IPSEC: : ===== sending 112 bytes from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500]
 17:07:11 ipsec,debug IPSEC: : 1 times of 116 bytes message will be sent to xxx.xxx.xxx.xxx[4500]
 17:07:11 ipsec,debug IPSEC: : ===== received 80 bytes from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500]
 17:07:11 ipsec IPSEC: : -> ike2 reply, exchange: INFORMATIONAL:30 xxx.xxx.xxx.xxx[4500] 91a62b14d12bbcd6:b7d13cdb6c855ea8
 17:07:11 ipsec IPSEC: : payload seen: ENC (52 bytes)
 17:07:11 ipsec IPSEC: : processing payload: ENC
 17:07:11 ipsec,debug IPSEC: : => iv (size 0x10)
 17:07:11 ipsec,debug IPSEC: : 677d5ff3 7f43c984 c18da4a3 79e0dbdc
 17:07:11 ipsec,debug IPSEC: : decrypted packet
 17:07:11 ipsec IPSEC: : respond: info
 17:07:11 ipsec,debug IPSEC: : reply ignored

Is there any problem with my config?

Thanks for help
Andre
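A consistency check over an export like the one posted above, added here as an example (it is not part of the original post and not MikroTik code). It parses the `/ip ...` sections and `add ...` lines of a RouterOS export and checks three things a reviewer of this config would look at: that every encrypt policy has a srcnat accept (either for its selectors or via `ipsec-policy=out,ipsec`) ordered before the first masquerade rule, that raw notrack rules cover both directions of the policy's subnets, and that the input chain accepts UDP 500/4500 and ESP before the catch-all drop. The export text is a constructed, shortened excerpt of the one above with the placeholders kept.

```python
"""Consistency checks over a RouterOS export (added example, not the post's own code)."""
import shlex

# Constructed excerpt in the export format posted above; xxx/yyy placeholders kept.
SAMPLE_EXPORT = """\
/ip ipsec policy
add action=encrypt disabled=no dst-address=172.16.10.64/26 level=require peer=TO_BER proposal=BINTEC_PROPOSAL sa-dst-address=xxx.xxx.xxx.xxx \\
    sa-src-address=yyy.yyy.yyy.yyy src-address=172.16.5.0/26 tunnel=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
/ip firewall raw
add action=notrack chain=prerouting dst-address=172.16.5.0/26 src-address=172.16.10.64/26
add action=notrack chain=prerouting dst-address=172.16.10.64/26 src-address=172.16.5.0/26
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.10.64/26 src-address=172.16.5.0/26
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-out1
"""


def parse_export(text):
    """Return {section: [rule dict, ...]}; a trailing backslash continues a line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            # shlex keeps quoted values such as comment="defconf: ..." together
            rule = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            sections[current].append(rule)
    return sections


def encrypt_policies(sections):
    return [p for p in sections.get("/ip ipsec policy", [])
            if p.get("action") == "encrypt" and "src-address" in p and "dst-address" in p]


def check_nat_bypass(sections):
    """A LAN source that is masqueraded before policy matching no longer matches
    the policy selector, so an accept must precede the first masquerade rule."""
    nat = [r for r in sections.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    first_masq = next((i for i, r in enumerate(nat) if r.get("action") == "masquerade"), len(nat))
    findings = []
    for pol in encrypt_policies(sections):
        src, dst = pol["src-address"], pol["dst-address"]
        covered = any(r.get("action") == "accept" and (
            (r.get("src-address"), r.get("dst-address")) == (src, dst)
            or r.get("ipsec-policy") == "out,ipsec") for r in nat[:first_masq])
        if not covered:
            findings.append(f"policy {src} -> {dst} has no srcnat accept before the first masquerade rule")
    return findings


def check_notrack_symmetry(sections):
    """Notrack rules that bypass connection tracking must cover both directions,
    otherwise one half of each flow is tracked and the other is not."""
    notrack = {(r.get("src-address"), r.get("dst-address"))
               for r in sections.get("/ip firewall raw", []) if r.get("action") == "notrack"}
    findings = []
    for pol in encrypt_policies(sections):
        fwd = (pol["src-address"], pol["dst-address"])
        if (fwd in notrack) != (fwd[::-1] in notrack):
            findings.append(f"notrack covers only one direction of {fwd[0]} <-> {fwd[1]}")
    return findings


def check_input_allows_ike(sections):
    """IKE (UDP 500, NAT-T 4500) and ESP must be accepted before the input-chain drop."""
    inp = [r for r in sections.get("/ip firewall filter", []) if r.get("chain") == "input"]
    first_drop = next((i for i, r in enumerate(inp) if r.get("action") == "drop"), len(inp))
    before = [r for r in inp[:first_drop] if r.get("action") == "accept"]
    ports = {p for r in before if r.get("protocol") == "udp" for p in r.get("dst-port", "").split(",")}
    findings = []
    if not {"500", "4500"} <= ports:
        findings.append("input chain does not accept UDP 500 and 4500 before the drop rule")
    if not any(r.get("protocol") == "ipsec-esp" for r in before):
        findings.append("input chain does not accept ESP before the drop rule (needed without NAT-T)")
    return findings


def audit(text):
    """Run all checks; an empty list means nothing obvious is wrong in the export."""
    sections = parse_export(text)
    return check_nat_bypass(sections) + check_notrack_symmetry(sections) + check_input_allows_ike(sections)


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT) or "no findings")
```

The checks are ordering-aware because RouterOS evaluates srcnat and input rules top to bottom; a rule that exists but sits below a masquerade or drop does not help. The excerpt above passes all three, so a clean result from this script does not rule out the problem the thread is about; it only removes the usual firewall and NAT mistakes from the list of suspects.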

What does /ip ipsec active-peers print show? If it shows nothing under PH2-TOTAL as I suspect, the tunnel did not establish properly (Phase 2 negotiation has failed). If that is the case, take the complete log from the tunnel start - disable the peer, run /log print follow-only file=ipsec-start where topics~"ipsec", enable the peer, give it 30 seconds, stop the /log print … (using Ctrl-C), download the file ipsec-start.txt and see what complaints are in it (or post it again if you can't see the explanation in it).

If PH2-TOTAL shows Phase 2 to be established, it’s most likely an incompatibility between RouterOS and Lancom.

What are your reasons to use RouterOS 7 on a device for which RouterOS 6 is available?

Hi sindy thanks for your answer.
It shows

/ip/ipsec/active-peers> print 
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# ID                             STATE        UPTIME  PH2-TOTAL  REMOTE-ADDRESS
0 HOST2@DNS_HOST1  established  7m14s           1  xxx.xxx.xxx.xxx

/ip/ipsec/installed-sa> print 
Flags: H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
#    SPI         STATE   SRC-ADDRESS    DST-ADDRESS    AUTH-ALGORITHM  ENC-ALGORITHM  ENC-KEY-SIZE
0 HE 0xDA801DF   mature  xxx.xxx.xxx.xxx  yyy.yyy.yyy.yyy  sha256          aes-cbc                 256
1 HE 0xCA961866  mature  yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx  sha256          aes-cbc                 256

On the Lancom side I see the same entries. So then I guess some incompatibility between them.
There is no reason to use v7. I think I was too quick with the update and don't want to go back remotely.

Thanks for your help.
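The PH2-TOTAL check from sindy's reply, applied to the output Andre then posted, as an added example (written for this page, not by either participant and not MikroTik code). It parses the `print` table output of `/ip ipsec active-peers` and `/ip ipsec installed-sa` (the `Columns:` line names the fields, a row may carry a flags token such as `HE` before its values) and reports whether Phase 2 is up and whether a mature ESP SA exists in each direction. The sample output is the text from the thread with its placeholders; treating "one mature ESP SA per direction" as the sign of a healthy Phase 2 is my reading of that output, not a statement from the thread.

```python
"""Evaluate RouterOS `print` output for an IPsec peer (added example, not from the thread)."""

# Output as posted in the thread above; xxx/yyy are the poster's placeholders.
ACTIVE_PEERS = """\
/ip/ipsec/active-peers> print
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# ID                             STATE        UPTIME  PH2-TOTAL  REMOTE-ADDRESS
0 HOST2@DNS_HOST1  established  7m14s           1  xxx.xxx.xxx.xxx
"""

INSTALLED_SA = """\
/ip/ipsec/installed-sa> print
Flags: H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
#    SPI         STATE   SRC-ADDRESS    DST-ADDRESS    AUTH-ALGORITHM  ENC-ALGORITHM  ENC-KEY-SIZE
0 HE 0xDA801DF   mature  xxx.xxx.xxx.xxx  yyy.yyy.yyy.yyy  sha256          aes-cbc                 256
1 HE 0xCA961866  mature  yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx  sha256          aes-cbc                 256
"""


def parse_print_table(text):
    """Return one dict per row, keyed by the names on the Columns: line.
    Assumes whitespace-separated values (no comments with spaces); a row with
    one token more than there are columns carries a flags token first."""
    columns, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Flags:")) or line.endswith("print"):
            continue
        if line.startswith("Columns:"):
            columns = [c.strip() for c in line[len("Columns:"):].split(",")]
            continue
        tokens = line.split()
        if not columns or not tokens[0].isdigit():
            continue
        flags, values = "", tokens[1:]
        if len(values) == len(columns) + 1:
            flags, values = values[0], values[1:]
        if len(values) != len(columns):
            raise ValueError(f"cannot map row to columns: {line}")
        row = dict(zip(columns, values))
        row["#"], row["flags"] = int(tokens[0]), flags
        rows.append(row)
    return rows


def phase2_established(active_peers_text):
    """The check from the reply: a PH2-TOTAL of 0 means Phase 2 never came up."""
    return {r["ID"]: int(r["PH2-TOTAL"]) > 0 for r in parse_print_table(active_peers_text)}


def sa_pair_mature(installed_sa_text, local, remote):
    """Expect a mature ESP SA (flag E) outbound (local->remote) and inbound (remote->local)."""
    sas = parse_print_table(installed_sa_text)

    def have(src, dst):
        return any(r["SRC-ADDRESS"] == src and r["DST-ADDRESS"] == dst
                   and r["STATE"] == "mature" and "E" in r["flags"] for r in sas)

    return have(local, remote) and have(remote, local)


def diagnose(active_peers_text, installed_sa_text, local, remote):
    """Summarise the two outputs into one verdict."""
    ph2 = phase2_established(active_peers_text)
    if not ph2:
        return "no-active-peer"
    if not all(ph2.values()):
        return "phase2-failed"      # capture the log from tunnel start, as the reply suggests
    if not sa_pair_mature(installed_sa_text, local, remote):
        return "sa-missing"         # Phase 2 counted but no mature SA in both directions
    return "tunnel-up"              # SAs fine; look beyond IKE (policies, firewall, peer behaviour)


if __name__ == "__main__":
    print(diagnose(ACTIVE_PEERS, INSTALLED_SA, "yyy.yyy.yyy.yyy", "xxx.xxx.xxx.xxx"))
```

For the output posted in this thread the verdict is "tunnel-up": Phase 2 is established and both SAs are mature, which is why the reply moves on from IKE negotiation to an incompatibility between the two endpoints. The local address passed in is the one used as sa-src-address in the policy (yyy in the posted config).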