Quality of IPsec Implementation

Hi,

I’m having a little trouble with IPsec on ROS 3.6. I have set up
an L2TP-in-IPsec tunnel, which works when both ends are on a
static IP.

But I ran into following troubles:

ROS crashed or lost all connectivity after the SAs expired. (Sorry,
I had no one in place who could do more than press the reset button.)
I also had a crash when disabling a faulty configuration.

Is there some means of dead peer detection? Or some other way to speed up
the renegotiation after one end is rebooted?

Is it possible to have an IPsec road-warrior setup with MT clients?

MT ROS is somewhat my Swiss army knife for networking. But it is weak for
building VPNs:

PPTP is insecure,
L2TP over IPsec has issues,
and OpenVPN has missing features (and missing documentation).

Does anybody have some hints for getting the IPsec issues solved?

Thanks
Ekkehard

Thank you for the report about the expired SA; we are looking for ways to reproduce the same problem and will see what we can do.

PPTP is not insecure when encryption is used.
OpenVPN documentation is here:
http://wiki.mikrotik.com/wiki/OpenVPN

On PPTP security:

Can we agree that there is an ongoing debate on PPTP’s security?
I prefer to use it, but sometimes I’m required to use something else.

On OpenVPN:

The wiki documentation is a nice how-to,
but I think the reference documentation is still missing.
I think the options need to be thoroughly described, especially how
complete the implementation really is (e.g. OpenVPN over TCP/UDP).

What I am really missing is the ability to set up an OpenVPN connection
based wholly on certificates, to avoid the user having to enter the
password all the time. (On Windows clients you cannot store the password
in a separate file.)

Thanks
Ekkehard

Ekkehard,

Is it possible to get more information about the IPsec issues?

ROS crashed or lost all connectivity after the SAs expired. (Sorry,
I had no one in place who could do more than press the reset button.)
I also had a crash when disabling a faulty configuration.

I have tried different configurations to reproduce your problems, but I was not able to find any.
Please give us more details on how to reproduce this problem.

OpenVPN with UDP and certificates works very nicely, and fast too. It is relatively easy to set up on Windows and Linux distributions.

I think what you are experiencing is the same problem I have been having; see:
http://forum.mikrotik.com/t/ipsec-problem-bug/20204/1

for detailed instructions on how to reproduce the problem.
br
Hippo

Were you speaking of OpenVPN in general, or were you indicating that it works well for you in the MT versions?

I have what appears to be the same or at least very similar problem.

I have IPsec between three MikroTik RouterOS units. If one of the units reboots, the other units lose connectivity to the network behind the rebooted RouterOS.

The only way I can restore connectivity is to flush the installed SA table on the other two MikroTiks. The error “unknown SPI …” appears in the log of the units when this happens. It’s quite frustrating that RouterOS doesn’t detect this and renegotiate to get IPsec working between the units automatically after a reboot.

Dave
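An added example, not code from this thread or from MikroTik, that turns the symptom Dave and Ekkehard describe into something an operator can act on while waiting for a fix: after a peer reboots, the surviving routers keep sending ESP with SPIs the rebooted side no longer has, and the log fills with "unknown SPI" errors until the stale SAs are flushed or expire. The script below counts those errors per peer inside a sliding time window and reports which peers' SAs should be flushed. The log line format, the peer addresses, the SPI values and the thresholds are all constructed assumptions; the thread only quotes the fragment “unknown SPI …”, so check the wording on the version you run before pointing this at a real log.

```python
"""Flag IPsec peers whose SAs look stale, from RouterOS-style log lines.

Added example for the forum thread above (not MikroTik code). When a peer
reboots it forgets its SAs; the other side keeps using them and the
rebooted router logs "unknown SPI" for every ESP packet it receives.
Repeated errors from one peer inside a short window are the signal that
the installed SAs toward that peer need to be flushed so IKE renegotiates.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMED log format: "mon/dd HH:MM:SS topics message", with the error text
# "unknown SPI 0x...". Adjust the pattern to what your router actually prints.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) ipsec,error "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) unknown SPI (?P<spi>0x[0-9a-fA-F]+)"
)

# Constructed sample log: one peer (192.0.2.10) is clearly stuck on a stale
# SA, the other (198.51.100.7) produced a single, harmless stray packet.
SAMPLE_LOG = """\
jan/02 10:15:01 ipsec,error 192.0.2.10 unknown SPI 0x0a1b2c3d
jan/02 10:15:02 ipsec,error 192.0.2.10 unknown SPI 0x0a1b2c3d
jan/02 10:15:04 ipsec,error 192.0.2.10 unknown SPI 0x0a1b2c3d
jan/02 10:15:05 ipsec,info phase1 negotiation done 198.51.100.7
jan/02 10:15:09 ipsec,error 192.0.2.10 unknown SPI 0x0a1b2c3d
jan/02 10:16:40 ipsec,error 198.51.100.7 unknown SPI 0x7f000001
"""


def parse_unknown_spi(line):
    """Return (timestamp, peer, spi) for an unknown-SPI line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The log has no year; strptime defaults to 1900, which is fine for
    # computing differences between lines in the same log.
    ts = datetime.strptime(m["ts"], "%b/%d %H:%M:%S")
    return ts, m["peer"], m["spi"]


def find_stale_peers(log_text, threshold=3, window=timedelta(seconds=30)):
    """Map peer -> sorted list of SPIs for peers that produced at least
    `threshold` unknown-SPI errors within any `window`-long interval.

    A sliding window (rather than a plain total) keeps an occasional stray
    packet from triggering a flush while still catching a stuck peer fast.
    """
    recent = defaultdict(deque)   # peer -> timestamps still inside the window
    spis = defaultdict(set)       # peer -> SPIs seen in its error lines
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_unknown_spi(line)
        if parsed is None:
            continue
        ts, peer, spi = parsed
        q = recent[peer]
        q.append(ts)
        spis[peer].add(spi)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[peer] = sorted(spis[peer])
    return flagged


def flush_advice(flagged):
    """Operator-facing text for each flagged peer. Flushing the installed SA
    table is the workaround Dave describes in the thread; the CLI path below
    is the RouterOS command for that and should be checked against
    `/ip ipsec installed-sa` on the version in use."""
    lines = []
    for peer, spi_list in sorted(flagged.items()):
        lines.append(
            f"peer {peer}: stale SPI(s) {', '.join(spi_list)} -> "
            "run '/ip ipsec installed-sa flush' so IKE renegotiates"
        )
    return lines


if __name__ == "__main__":
    stale = find_stale_peers(SAMPLE_LOG)
    for advice in flush_advice(stale):
        print(advice)
```

Running it on the constructed log flags only 192.0.2.10, because 198.51.100.7 produced a single error and never reached the threshold inside the window; lowering `threshold` to 1 makes the script report both, which is the trade-off between reacting quickly and flushing SAs on every stray packet.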