[SOLVED] IPSec issue - TCP doesn't work

Hi. Please help me with my road-warrior IPSec setup, which I'm trying to get working on my RB450G with the latest RouterOS:

[root@ewsd-gw] > ip ipsec peer p
Flags: X - disabled
 0   address=0.0.0.0/0 passive=yes port=500 auth-method=pre-shared-key-xauth secret="secret" generate-policy=port-strict policy-group=rw_group 
     exchange-mode=main mode-cfg=rw-pool send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1h lifebytes=0 
     dpd-interval=2m dpd-maximum-failures=5
[root@ewsd-gw] > ip ipsec pol p
Flags: T - template, X - disabled, D - dynamic, I - inactive 
 0 T  group=rw_group src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

 1  D src-address=192.168.0.142/32 src-port=any dst-address=192.168.0.0/20 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=REMOTE_IP 
      sa-dst-address=MIKROTIK_IP proposal=default priority=2
[root@ewsd-gw] > ip ipsec prop pr
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-256 lifetime=1h pfs-group=modp1024

The tunnel successfully comes up, and I can ping the remote side with 1500-byte (and larger) packets, but I cannot connect with TCP. Here is a tcpdump from the host behind the VPN gateway:

listening on br-lan, link-type EN10MB (Ethernet), capture size 65535 bytes
01:26:11.590496 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [S], seq 524269201, win 14600, options [mss 1460,sackOK,TS val 29928172 ecr 0,nop,wscale 7], length 0
01:26:11.590759 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [S.], seq 2142093018, ack 524269202, win 14480, options [mss 1460,sackOK,TS val 150335913 ecr 29928172,nop,wscale 2], length 0
01:26:11.607270 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [.], ack 1, win 115, options [nop,nop,TS val 29928193 ecr 150335913], length 0
01:26:11.716220 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150335926 ecr 29928193], length 26
01:26:11.935906 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150335948 ecr 29928193], length 26
01:26:12.375931 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150335992 ecr 29928193], length 26
01:26:13.255913 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336080 ecr 29928193], length 26
01:26:14.707601 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336225 ecr 29928193], length 26
01:26:14.925907 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336247 ecr 29928193], length 26
01:26:15.365927 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336291 ecr 29928193], length 26
01:26:16.245911 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336379 ecr 29928193], length 26
01:26:17.707658 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336525 ecr 29928193], length 26
01:26:17.925927 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336547 ecr 29928193], length 26
01:26:18.365902 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336591 ecr 29928193], length 26
01:26:19.245969 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336679 ecr 29928193], length 26
01:26:20.707686 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336825 ecr 29928193], length 26
01:26:20.925918 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336847 ecr 29928193], length 26
01:26:21.365919 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336891 ecr 29928193], length 26
01:26:22.245922 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336979 ecr 29928193], length 26
01:26:23.707679 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337125 ecr 29928193], length 26
01:26:23.925914 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337147 ecr 29928193], length 26
01:26:24.365968 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337191 ecr 29928193], length 26
01:26:25.245922 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337279 ecr 29928193], length 26
01:26:26.707616 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337425 ecr 29928193], length 26
01:26:26.925959 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337447 ecr 29928193], length 26
01:26:27.365919 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337491 ecr 29928193], length 26
01:26:28.245924 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337579 ecr 29928193], length 26
01:26:29.707692 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 368776824 ecr 150333675], length 26
01:26:29.925918 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337747 ecr 29928193], length 26
01:26:30.365917 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337791 ecr 29928193], length 26
01:26:31.245943 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150337879 ecr 29928193], length 26
01:26:32.108081 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [F.], seq 1, ack 1, win 115, options [nop,nop,TS val 29948696 ecr 150335913], length 0
01:26:32.108895 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [F.], seq 27, ack 2, win 3620, options [nop,nop,TS val 150337965 ecr 29948696], length 0
01:26:32.124372 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [R], seq 524269203, win 0, length 0

Tested clients: Linux 2.6.30, 3.8.13, 3.9.6 with both strongswan and racoon, the Android native IPSec client, and a Nokia E71 with the Nokia VPN client, all with the same result. All of those clients work perfectly with both Cisco and Linux/racoon/strongswan.

Thanks in advance.
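The capture above has a recognisable shape: the three-way handshake completes, then the server's first 26-byte segment (seq 1:27) is sent over and over while the client keeps acknowledging only 1, and the session finally dies with FIN/RST. Zero-length segments (SYN/ACK, bare ACK) and ICMP cross the tunnel, payload-bearing segments in one direction do not, which points at the return data path rather than at IKE or policy setup. The script below is an added example, not part of the original post: it parses tcpdump text lines of the form shown, checks that the handshake completed, and reports every data segment that was retransmitted at least `min_copies` times without the peer's ACK ever moving past it. `SAMPLE_CAPTURE` is a constructed, abbreviated copy of the capture in the post (handshake, five copies of the server segment, teardown); the regex and the function names are this example's own.

```python
"""Spot one-way data loss in a tcpdump text capture (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: abbreviated from the post's capture (handshake, five copies
# of the server's 26-byte segment, then the teardown).
SAMPLE_CAPTURE = """\
01:26:11.590496 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [S], seq 524269201, win 14600, options [mss 1460,sackOK,TS val 29928172 ecr 0,nop,wscale 7], length 0
01:26:11.590759 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [S.], seq 2142093018, ack 524269202, win 14480, options [mss 1460,sackOK,TS val 150335913 ecr 29928172,nop,wscale 2], length 0
01:26:11.607270 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [.], ack 1, win 115, options [nop,nop,TS val 29928193 ecr 150335913], length 0
01:26:11.716220 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150335926 ecr 29928193], length 26
01:26:11.935906 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150335948 ecr 29928193], length 26
01:26:12.375931 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150335992 ecr 29928193], length 26
01:26:13.255913 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336080 ecr 29928193], length 26
01:26:14.707601 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [P.], seq 1:27, ack 1, win 3620, options [nop,nop,TS val 150336225 ecr 29928193], length 26
01:26:32.108081 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [F.], seq 1, ack 1, win 115, options [nop,nop,TS val 29948696 ecr 150335913], length 0
01:26:32.108895 IP 192.168.2.254.22 > 192.168.0.142.46351: Flags [F.], seq 27, ack 2, win 3620, options [nop,nop,TS val 150337965 ecr 29948696], length 0
01:26:32.124372 IP 192.168.0.142.46351 > 192.168.2.254.22: Flags [R], seq 524269203, win 0, length 0
"""

# Matches the default tcpdump TCP one-line format: "seq" and "ack" are optional,
# "seq" may be a single number (SYN/RST) or a "start:end" range (data segment).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>\d+(?::\d+)?),)?(?: ack (?P<ack>\d+),)?"
    r" win \d+.*, length (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq = m.group("seq")
    seq_end = int(seq.split(":")[1]) if seq and ":" in seq else None
    return {
        "ts": m.group("ts"),
        "src": f'{m.group("src")}:{m.group("sport")}',
        "dst": f'{m.group("dst")}:{m.group("dport")}',
        "flags": m.group("flags"),
        "seq": seq,
        "seq_end": seq_end,          # end of the byte range for data segments
        "ack": int(m.group("ack")) if m.group("ack") else None,
        "len": int(m.group("len")),
    }


def analyze(capture_text, min_copies=3):
    """Report whether the handshake completed and which data segments stalled."""
    pkts = [p for p in map(parse_line, capture_text.splitlines()) if p]
    handshake = (
        len(pkts) >= 3
        and pkts[0]["flags"] == "S"
        and pkts[1]["flags"] == "S." and pkts[1]["src"] == pkts[0]["dst"]
        and pkts[2]["flags"] == "." and pkts[2]["src"] == pkts[0]["src"]
    )
    copies = Counter()            # (sender, receiver, seq range) -> times seen
    seq_end = {}                  # same key -> end of the byte range
    max_ack = defaultdict(int)    # sender -> highest relative ack it has sent
    for p in pkts:
        if p["len"] > 0:
            key = (p["src"], p["dst"], p["seq"])
            copies[key] += 1
            seq_end[key] = p["seq_end"]
        # tcpdump prints absolute numbers on SYN/SYN-ACK and relative ones
        # afterwards, so only post-handshake acks are comparable to seq ranges.
        if "S" not in p["flags"] and p["ack"] is not None:
            max_ack[p["src"]] = max(max_ack[p["src"]], p["ack"])
    stalled = []
    for (snd, rcv, seq), n in copies.items():
        # Retransmitted repeatedly and the receiver never acked past its end:
        # the payload is being lost somewhere between the two hosts.
        if n >= min_copies and max_ack[rcv] < seq_end[(snd, rcv, seq)]:
            stalled.append({"from": snd, "to": rcv, "seq": seq,
                            "copies": n, "peer_max_ack": max_ack[rcv]})
    return {"handshake_complete": handshake, "stalled": stalled}


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE)
    print("handshake complete:", report["handshake_complete"])
    for s in report["stalled"]:
        print(f'{s["from"]} -> {s["to"]} seq {s["seq"]} sent {s["copies"]}x, '
              f'peer acked only up to {s["peer_max_ack"]}')
```

Run it against a full `tcpdump -n` text capture (for example `analyze(open("cap.txt").read())`) to confirm the pattern before touching the IPsec configuration: a completed handshake plus stalled data in one direction means the SAs and policy are fine and the fault lies in how payload-carrying packets are forwarded, which is where firewall NAT order should be checked first.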

OK, answering myself. It was my fault: I had to insert NAT firewall rule (5):

5   chain=srcnat action=accept to-addresses=192.168.0.128/28 out-interface=wan2

6   chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=wan2

where 192.168.0.128/28 is my modecfg pool, but I hadn't, because I assumed that RouterOS does it automagically (as my client got a SYN/ACK without that firewall rule, the same as with ICMP).