[SOLVED] Bugfix version 6.38.7 and IPsec tunnel issue!

Hello

I’ve upgraded my devices from bugfix version 6.37.5 to the latest bugfix 6.38.7 and the IPsec tunnel does not work anymore.
I’ve tested this issue with 5/6 setups in different infrastructures, with multiple IPsec clients (Apple, Windows, etc.)

This is the log:

13:57:41 ipsec,info XAuth login succeeded for user: xxxx
13:57:41 ipsec,info acquired 10.255.255.19 address for Y.Y.Y.Y[65169] 
13:57:41 ipsec Ignored attribute INTERNAL_IP4_NBNS 
13:57:41 ipsec Ignored attribute INTERNAL_ADDRESS_EXPIRY 
13:57:41 ipsec Ignored attribute 28683 
13:57:43 ipsec respond new phase 2 negotiation: Z.Z.Z.Z[4500]<=>Y.Y.Y.Y[65169] 
13:57:43 ipsec searching for policy 
13:57:43 ipsec template lookup for selector: 192.168.5.0/24 <=> 10.255.255.19 
13:57:43 ipsec no template matches 
13:57:43 ipsec failed to get proposal for responder. 
13:57:43 ipsec,error Y.Y.Y.Y failed to pre-process ph2 packet. 
13:57:43 ipsec sendto Information notify. 
13:57:46 ipsec,error Y.Y.Y.Y peer sent packet for dead phase2 
13:57:49 ipsec,error Y.Y.Y.Y peer sent packet for dead phase2

and this is the config:

/ip ipsec mode-config
add address-pool=pool-VPN name=pool-VPN split-include=192.168.5.0/24 system-dns=no

/ip ipsec policy group
add name="VPN Users"

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h pfs-group=none

/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dpd-interval=10m dpd-maximum-failures=10 enc-algorithm=aes-256 generate-policy=port-override mode-config=pool-VPN passive=yes policy-template-group="VPN Users" secret=xxxxx

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.5.0/24 group="VPN Users" src-address=10.255.255.0/24 template=yes

/ip pool
add name=pool-VPN ranges=10.255.255.10-10.255.255.20

Downgrading to any of the old versions fixes the issue.

The changelog from the previous bugfix version to this one reports this:

*) ike1 - fixed crash on xauth message;
*) ike2 - allow multiple child SA traffic selectors on re-key;
*) ike2 - fixed last EAP authentication payload type;
*) ike2 - fixed policy release during SA negotiation;
*) ike2 - fixed RSA authentication without EAP;
*) ike2 - fixed situation when traffic selector prefix was parsed incorrectly;
*) ipsec - do not deduct policy src/dst address for tunnel policies;
*) ipsec - fixed generated policy priority;
*) ipsec - fixed peer "my-id" address reset;

Sure, this is due to a change in the ipsec policy handling, but how can I fix it?

Is this a bug?

Regards
Sim

Hello!
I will share here the reply from support:

You need to swap the src-address and dst-address parameters in your policy template.
Src-address should be the split network and dst-address should be the remote peers' dynamic address pool.

This tip solved my issue/bad configuration when upgrading from 6.37.x to 6.38.x (the bugfix version in my case).

My congratulations on the beautiful support!
I love Mikrotik :smiley:
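A simplified model of the template lookup that the log in the first post shows failing, added here as an example; it is not code from the thread or from MikroTik, and its matching rule (the template's src-address must cover the local side of the logged selector and its dst-address the remote peer's address, with no swapping) is an assumption drawn from the support reply. It is a quick way to check a set of templates against the selector a log line reports before changing a live router.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample input: the selector line from the thread's log and the two
# candidate templates, the original one and the one corrected as support advised.
LOG_LINE = "13:57:43 ipsec template lookup for selector: 192.168.5.0/24 <=> 10.255.255.19"
ORIGINAL_TEMPLATE = ("10.255.255.0/24", "192.168.5.0/24")   # src-address, dst-address
CORRECTED_TEMPLATE = ("192.168.5.0/24", "10.255.255.0/24")  # src and dst swapped

SELECTOR_RE = re.compile(r"template lookup for selector: (\S+) <=> (\S+)")

Net = ipaddress.IPv4Network


def parse_selector(line: str) -> Tuple[Net, Net]:
    """Extract the local <=> remote selector from a RouterOS ipsec log line.
    A bare host address (as the log prints the client's pool address) is a /32."""
    m = SELECTOR_RE.search(line)
    if not m:
        raise ValueError("not a template lookup line")
    return (ipaddress.ip_network(m.group(1), strict=False),
            ipaddress.ip_network(m.group(2), strict=False))


def template_matches(template: Tuple[str, str], selector: Tuple[Net, Net]) -> bool:
    """Assumed matching rule (simplified model, not RouterOS's actual code):
    src-address must contain the local side, dst-address the remote side."""
    src, dst = (ipaddress.ip_network(a, strict=False) for a in template)
    local, remote = selector
    return local.subnet_of(src) and remote.subnet_of(dst)


def lookup(templates: List[Tuple[str, str]], line: str) -> Optional[int]:
    """Index of the first template matching the logged selector,
    or None, which corresponds to the log's 'no template matches'."""
    selector = parse_selector(line)
    for index, template in enumerate(templates):
        if template_matches(template, selector):
            return index
    return None


if __name__ == "__main__":
    print("original template:", lookup([ORIGINAL_TEMPLATE], LOG_LINE))    # None
    print("corrected template:", lookup([CORRECTED_TEMPLATE], LOG_LINE))  # 0
```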