Hi everyone,
I have a weird issue with IPsec. But first, I guess it would be good to explain the scenario.
I have a remote branch office which connects to the Cloud through a MikroTik instance in AWS (CROUTER). The branch office has got a MikroTik RB4011iGS+RM (MKT).
So, MKT is connected to the internet through 2 fiber optic lines, for redundancy purposes. To connect those to the CROUTER, I have set up 2 IPsec tunnels, one per line; both end at CROUTER.
At this point, I have not yet found a way to have both tunnels active at the same time and let MKT manage which one to use. So I have only one of them active and, if the line fails, I quickly switch to the second one.
The process to accomplish this is to disable both the policies and the peer of the failing line, and enable those of the active line. I have also written a script to manage that automatically (which doesn’t work, but that’s for a different post).
All that said, it will probably be clear at this point that the policies set for both tunnels are basically the same, as follows:
— MKT —
model = RB4011iGS+
serial number = -------
/ip ipsec profile
add name=IPSecTunnel
/ip ipsec peer
add address=x.x.x.x local-address=y.y.y.y name=Tunnel2 profile=IPSecTunnel
add address=x.x.x.x disabled=yes local-address=z.z.z.z name=Tunnel1 profile=IPSecTunnel
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=blowfish pfs-group=none
/ip ipsec identity
add peer=Tunnel2 secret=******
add peer=Tunnel1 secret=******
/ip ipsec policy
add dst-address=172.31.0.0/16 peer=Tunnel2 src-address=192.168.41.0/24 tunnel=yes
add dst-address=192.168.0.0/16 peer=Tunnel2 src-address=192.168.41.0/24 tunnel=yes
add dst-address=172.31.0.0/16 peer=Tunnel2 src-address=10.20.14.0/24 tunnel=yes
add dst-address=192.168.0.0/16 peer=Tunnel2 src-address=10.20.14.0/24 tunnel=yes
add dst-address=172.31.0.0/16 peer=Tunnel2 src-address=172.30.100.0/24 tunnel=yes
add dst-address=192.168.0.0/16 peer=Tunnel2 src-address=172.30.100.0/24 tunnel=yes
add dst-address=192.168.0.0/16 peer=Tunnel2 src-address=10.20.59.0/24 tunnel=yes
add dst-address=172.31.0.0/16 peer=Tunnel2 src-address=10.20.59.0/24 tunnel=yes
add disabled=yes dst-address=172.31.0.0/16 peer=Tunnel1 src-address=192.168.41.0/24 tunnel=yes
add disabled=yes dst-address=192.168.0.0/16 peer=Tunnel1 src-address=192.168.41.0/24 tunnel=yes
add disabled=yes dst-address=172.31.0.0/16 peer=Tunnel1 src-address=10.20.14.0/24 tunnel=yes
add disabled=yes dst-address=192.168.0.0/16 peer=Tunnel1 src-address=10.20.14.0/24 tunnel=yes
add disabled=yes dst-address=172.31.0.0/16 peer=Tunnel1 src-address=172.30.100.0/24 tunnel=yes
add disabled=yes dst-address=192.168.0.0/16 peer=Tunnel1 src-address=172.30.100.0/24 tunnel=yes
add disabled=yes dst-address=172.31.0.0/16 peer=Tunnel1 src-address=10.20.59.0/24 tunnel=yes
add disabled=yes dst-address=192.168.0.0/16 peer=Tunnel1 src-address=10.20.59.0/24 tunnel=yes
— CROUTER —
/ip ipsec profile
add name=IPSecT
/ip ipsec peer
add address=y.y.y.y name=T2 profile=IPSecT
add address=z.z.z.z disabled=yes name=T1 profile=IPSecT
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=blowfish pfs-group=none
/ip ipsec identity
add peer=T1 secret=******
add peer=T2 secret=******
/ip ipsec policy
add disabled=yes dst-address=192.168.41.0/24 peer=T1 src-address=172.31.0.0/16 tunnel=yes
add disabled=yes dst-address=192.168.41.0/24 peer=T1 src-address=192.168.0.0/16 tunnel=yes
add disabled=yes dst-address=10.20.14.0/24 peer=T1 src-address=172.31.0.0/16 tunnel=yes
add disabled=yes dst-address=10.20.14.0/24 peer=T1 src-address=192.168.0.0/16 tunnel=yes
add disabled=yes dst-address=172.30.100.0/24 peer=T1 src-address=172.31.0.0/16 tunnel=yes
add disabled=yes dst-address=172.30.100.0/24 peer=T1 src-address=192.168.0.0/16 tunnel=yes
add disabled=yes dst-address=10.20.59.0/24 peer=T1 src-address=172.31.0.0/16 tunnel=yes
add disabled=yes dst-address=10.20.59.0/24 peer=T1 src-address=192.168.0.0/16 tunnel=yes
add dst-address=192.168.41.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=172.31.0.0/16 tunnel=yes
add dst-address=192.168.41.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=192.168.0.0/16 tunnel=yes
add dst-address=10.20.14.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=172.31.0.0/16 tunnel=yes
add dst-address=10.20.14.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=192.168.0.0/16 tunnel=yes
add dst-address=172.30.100.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=0.0.0.0 src-address=172.31.0.0/16 tunnel=yes
add dst-address=172.30.100.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=192.168.0.0/16 tunnel=yes
add dst-address=10.20.59.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=192.168.0.0/16 tunnel=yes
add dst-address=10.20.59.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=172.31.0.0/16 tunnel=yes
Ok, so far, so good. Both tunnels get established when required. The problem is the following:
— CROUTER —
-E X 0 Claro yes 172.31.0.0/16 192.168.41.0/24 255 (all) encrypt require
-E X 1 Claro yes 192.168.0.0/16 192.168.41.0/24 255 (all) encrypt require
-E X 2 Claro yes 172.31.0.0/16 10.20.14.0/24 255 (all) encrypt require
-E X 3 Claro yes 192.168.0.0/16 10.20.14.0/24 255 (all) encrypt require
-E X 4 Claro yes 172.31.0.0/16 172.30.100.0/24 255 (all) encrypt require
-E X 5 Claro yes 192.168.0.0/16 172.30.100.0/24 255 (all) encrypt require
-E X 6 Claro yes 172.31.0.0/16 10.20.59.0/24 255 (all) encrypt require
-E X 7 Claro yes 192.168.0.0/16 10.20.59.0/24 255 (all) encrypt require
-D A 8 Tigo yes 172.31.0.0/16 192.168.41.0/24 255 (all) encrypt require established
-D A 9 Tigo yes 192.168.0.0/16 192.168.41.0/24 255 (all) encrypt require established
-D A 10 Tigo yes 172.31.0.0/16 10.20.14.0/24 255 (all) encrypt require established
-D A 11 Tigo yes 192.168.0.0/16 10.20.14.0/24 255 (all) encrypt require established
-D A 12 Tigo yes 172.31.0.0/16 172.30.100.0/24 255 (all) encrypt require established
-D A 13 Tigo yes 192.168.0.0/16 172.30.100.0/24 255 (all) encrypt require established
-D I 14 Tigo yes 192.168.0.0/16 10.20.59.0/24 255 (all) encrypt require
-D A 15 Tigo yes 172.31.0.0/16 10.20.59.0/24 255 (all) encrypt require established
-D *T 16 ::/0 ::/0 255 (all) encrypt
Policy 14 is just marked as invalid instantly after enabling it. It is not that the connection fails. It’s more like CROUTER is calculating it as invalid, whatever the reason. But, which reason?
- Its replica in the other tunnel (policy 7) works perfectly when enabled.
- I have already tried altering the policy order.
- Of course I have rebooted both routers (and it is nothing I would like to repeat, as they are both in production).
- Triple-checked all parameters: policies, proposals, peers… down to the last drop.
It is just that CROUTER sets that policy as invalid. If you are curious, on the other side MKT sees that policy as valid but “no Phase 2”.
I have completely run out of ideas. Any help is more than welcome.
All the Best.
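An added troubleshooting helper (my own example, not code from the post or from RouterOS) that parses the two `/ip ipsec policy` exports and the `print` output shown above: it lists enabled selectors that are not mirrored (src/dst swapped) on the other router, duplicate enabled selectors on one router, and policies carrying the I (invalid) flag. The sample inputs are abbreviated, constructed copies of the post's data; the column layout of the `print` output is assumed to be the one shown in the post.

```python
import re
from collections import Counter

# Constructed samples: abbreviated copies of the exports and print output in the post.
MKT_EXPORT = """\
add dst-address=172.31.0.0/16 peer=Tunnel2 src-address=192.168.41.0/24 tunnel=yes
add dst-address=192.168.0.0/16 peer=Tunnel2 src-address=10.20.59.0/24 tunnel=yes
add disabled=yes dst-address=172.31.0.0/16 peer=Tunnel1 src-address=192.168.41.0/24 tunnel=yes
"""
CROUTER_EXPORT = """\
add dst-address=192.168.41.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=172.31.0.0/16 tunnel=yes
add dst-address=10.20.59.0/24 peer=T2 sa-dst-address=y.y.y.y sa-src-address=172.31.34.195 src-address=192.168.0.0/16 tunnel=yes
add disabled=yes dst-address=192.168.41.0/24 peer=T1 src-address=172.31.0.0/16 tunnel=yes
"""
PRINT_OUTPUT = """\
-D A 13 Tigo yes 192.168.0.0/16 172.30.100.0/24 255 (all) encrypt require established
-D I 14 Tigo yes 192.168.0.0/16 10.20.59.0/24 255 (all) encrypt require
"""

KV = re.compile(r"(\S+?)=(\S+)")  # key=value pairs of an 'add' line

def parse_export(text):
    """One dict per 'add ...' line, keyed by RouterOS attribute name."""
    return [dict(KV.findall(ln)) for ln in text.splitlines() if ln.startswith("add ")]

def enabled_selectors(policies):
    """(src-address, dst-address) pairs of policies that are not disabled."""
    return [(p["src-address"], p["dst-address"])
            for p in policies if p.get("disabled") != "yes"]

def unmirrored(local, remote):
    """Enabled selectors on local with no swapped (dst, src) counterpart on remote."""
    remote_sel = set(enabled_selectors(remote))
    return sorted({s for s in enabled_selectors(local) if (s[1], s[0]) not in remote_sel})

def duplicate_selectors(policies):
    """Enabled selectors that occur more than once on the same router."""
    return sorted(s for s, n in Counter(enabled_selectors(policies)).items() if n > 1)

def invalid_policies(print_text):
    """(number, src, dst) of print rows whose flag columns contain I (invalid)."""
    found = []
    for line in print_text.splitlines():
        tok = line.split()
        idx = next((i for i, t in enumerate(tok) if t.isdigit()), None)  # policy number
        if idx is not None and "I" in "".join(tok[:idx]):  # flags precede the number
            found.append((tok[idx], tok[idx + 3], tok[idx + 4]))  # peer, tunnel, src, dst follow
    return found

if __name__ == "__main__":
    mkt, cr = parse_export(MKT_EXPORT), parse_export(CROUTER_EXPORT)
    print("not mirrored:", unmirrored(mkt, cr), "duplicates:", duplicate_selectors(cr))
    print("invalid:", invalid_policies(PRINT_OUTPUT))
```

Run it against the full exports to confirm that every enabled selector on one side has its mirror on the other before looking elsewhere for the cause of the invalid flag.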