RB850Gx2 IPSEC Kernel Failure

Has anyone been able to get the new RB850Gx2 working with an IPSEC tunnel? I get a kernel failure and the routers reboot at the end of phase 2 negotiation. I purchased two of these devices specifically because I was led to believe they would have hardware encryption and would be suitable for a site-to-site VPN at >100mbps.

I’ve tried two different brand new routers running both ROS 6.18 (the version the router ships with) and ROS 6.20 (the latest). I set them both up as NAT routers with a site-to-site IPSEC tunnel between them using SHA1/AES256 and an ethernet cable connecting ether1 on each device. In both cases the router gets through Phase 1 negotiation and then crashes/reboots towards the end of Phase 2:

KEYMAT computed.
call pk_sendupdate
encryption(aes-cbc)
hmac(sha1)
call pfkey_send_update_nat
** routers crash at this point **

Additionally I have tested a single RB850Gx2 connecting to a remote RB951G-2HnD over the internet. The RB850Gx2 did not crash immediately, but rather went into a strange hang state where you could not print anything in the “/ip ipsec” menu, and you could also not export the router settings. However, after rebooting, there was a message in the log stating that the kernel crashed.

It seems hard to believe IPSEC was not tested, and indeed in a different thread normis indicates that the router can do “550MBps with 1470 byte packets” using IPSEC, so perhaps it worked at one point?

Would love if someone else with the routers could test it or verify whether IPSEC is working for them. I’ve included scripts to set up the two routers.

Router 1:

Router 1 script for RB850Gx2

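# Router 1 (RB850Gx2) -- reconstructed from the forum paste.
# The lines that were split after "name=", "interface=", "comment=" and
# "lease-time=" are RouterOS export continuations whose trailing "\" was
# lost, and the curly quotes around "default configuration" are a paste
# artifact; both make "/import" fail, so they are rejoined / replaced with
# plain ASCII quotes here. No command or value is changed except where a
# comment says so.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
# ether2..ether5 form one switch group with ether2 as the master port.
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip neighbor discovery
# No neighbor-discovery announcements towards the peer-facing port.
set ether1-gateway discover=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local lease-time=10m name=default
/port
set 0 name=serial0
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
# 1.1.1.0/24 is the back-to-back test link (ether1 <-> ether1). It is a
# public range, not RFC 1918, so keep it to the lab cable.
add address=1.1.1.1/24 interface=ether1-gateway network=1.1.1.0
/ip dhcp-client
# Default-config DHCP client left on ether1-gateway; on the lab cable
# nothing answers it.
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# The router resolves for any source address. This export has no
# /ip firewall filter section, so nothing limits queries arriving on
# ether1-gateway; acceptable on the isolated test cable, but add an input
# rule for UDP/TCP 53 from that interface before using it on a real link.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall nat
# No action= given: RouterOS defaults to accept, so LAN<->LAN traffic is
# exempted from the masquerade rule below and enters the tunnel with its
# real source address. Order matters -- keep this above masquerade.
add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer
# Lab settings: PSK "test" is a placeholder to be replaced with a long
# random secret; DPD is off, so a dead peer is not detected; NAT-T is off
# because the two routers are directly cabled.
add address=1.1.1.2/32 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-256 nat-traversal=no secret=test
/ip ipsec policy
# The pasted export had sa-src-address=:: and sa-dst-address=:: (no SA
# endpoints set). Router 2's policy names its endpoints, so the mirrored
# values are set here for symmetry -- confirm against the working setup.
add dst-address=192.168.90.0/24 sa-dst-address=1.1.1.2 sa-src-address=1.1.1.1 src-address=192.168.88.0/24 tunnel=yes
/ip route
# Default route via the peer's ether1 address.
add distance=1 gateway=1.1.1.2
/ip upnp
set allow-disable-external-interface=no
/system logging
# Presumably the source of the KEYMAT / pfkey trace quoted above.
add topics=ipsec
/system routerboard settings
set cpu-frequency=533MHz
/tool mac-server
# MAC-telnet and MAC-winbox only on the LAN switch ports; ether1-gateway
# is intentionally not listed.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local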
add interface=ether5-slave-local

Router 2:

Router 2 script for RB850Gx2

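# Router 2 (RB850Gx2) -- reconstructed from the forum paste in the same
# way as Router 1: wrapped export continuations rejoined, curly quotes
# replaced with plain ASCII quotes so that "/import" parses the file.
# No command or value is changed; review notes are comments only.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
# ether2..ether5 form one switch group with ether2 as the master port.
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip pool
add name=dhcp ranges=192.168.90.10-192.168.90.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local name=default
/port
set 0 name=serial0
/system logging action
# Logging action referenced by index only; check "/system logging action
# print" before importing on another build to confirm which action is 2.
set 2 remember=yes
/ip address
add address=192.168.90.1/24 comment="default configuration" interface=ether2-master-local network=192.168.90.0
# 1.1.1.0/24 is the back-to-back test link; public range, lab cable only.
add address=1.1.1.2/24 interface=ether1-gateway network=1.1.1.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
# NOTE(review): dns-server is Router 1's LAN address (192.168.88.1), not
# this router's 192.168.90.1, so this LAN's name resolution depends on the
# tunnel being up. Looks copied over from Router 1's script -- confirm it
# is intended (same for the static DNS entry below).
add address=192.168.90.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.90.1 netmask=24
/ip dns
# Resolves for any source; no /ip firewall filter section exists in this
# export, so restrict port 53 on ether1-gateway before a real deployment.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall nat
# No action= given: RouterOS defaults to accept, so LAN<->LAN traffic
# bypasses the masquerade below and enters the tunnel un-NATed. Keep it
# above the masquerade rule.
add chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer
# PSK "test" is a lab placeholder -- replace with a long random secret.
# DPD off (dead peer not detected); NAT-T off because the link is direct.
add address=1.1.1.1/32 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-256 nat-traversal=no secret=test
/ip ipsec policy
# Tunnel-mode policy with explicit SA endpoints (this router 1.1.1.2,
# peer 1.1.1.1); Router 1's policy should mirror these.
add dst-address=192.168.88.0/24 sa-dst-address=1.1.1.1 sa-src-address=1.1.1.2 src-address=192.168.90.0/24 tunnel=yes
/ip route
# Default route via the peer's ether1 address.
add distance=1 gateway=1.1.1.1
/ip upnp
set allow-disable-external-interface=no
/snmp
# "public" is the well-known default community. Nothing in this export
# enables SNMP, but change the community before it is ever switched on.
set trap-community=public
/system identity
set name="MikroTik 2"
/system logging
# Presumably the source of the KEYMAT / pfkey trace quoted above.
add topics=ipsec
/system routerboard settings
set cpu-frequency=533MHz
/tool mac-server
# MAC-telnet and MAC-winbox only on the LAN switch ports; ether1-gateway
# is intentionally not listed.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local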

Mikrotik just released ROS 6.21.1 which seems to fix this issue. Yay!