[SOLVED] Wrong IPSec SA selection for traffic

RouterOS General
1

Hello,
I set up a S2S VPN between Stonegate and Mikrotik

LAN A1 10.160.1.0/24 ----> SG 83.206.1.10 oooooooo 41.188.22.44 MT <----- 192.168.193.0/24 LAN B1
LAN A2 172.20.0.0/23 |

Mikrotik has srcnat accept for both A1 and A2

Most things work fine, IKE and IPSEC negotiate well and I can see 4 installed SA on mikrotik side (and the SPI match with Stonegate side).
They are :
A1->B1
B1->A1
A2->B1
B1->A2

If I ping from A1 to B1, it’s OK.
but when I ping from A2 to B1, I see packet arriving through SA A2->B1 but the return packet goes through B1->A1 instead of B1->A2 (I can see that in byte counter) so it is rejected on A side.

If I clear all on both sides, I can ping B1 from A2 but then B1 from A1 does not work.

I tried to upgrade from v5.9 to v6.7 but the behavior is the same.
Bug ?

Thank you for any help

2

Please share your IPsec configuration.

3

Here is my config :
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128-cbc lifetime=8h name=“ipcop” pfs-group=modp1536
add enc-algorithms=3des lifetime=8h name=stonegate pfs-group=none

/ip ipsec peer
add address=83.206.1.10/32 enc-algorithm=3des secret=********************
[ cropped other mikrotik gateways with no problem]

/ip ipsec policy
add dst-address=172.20.0.0/23 proposal=stonegate sa-dst-address=83.206.1.10 sa-src-address=41.188.22.44 src-address=192.168.193.0/24 tunnel=yes
add dst-address=10.160.13.0/24 proposal=stonegate sa-dst-address=83.206.1.10 sa-src-address=41.188.22.44 src-address=192.168.193.0/24 tunnel=yes
[ cropped other policies with no problem]

/ip ipsec installed-sa print

12 E spi=0x4C08C0F src-address=83.206.1.10 dst-address=41.188.22.44
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key=“9ebfc3d95362c7f280a8a4c70f32fc6cda13d6b8”
enc-key=“26d138fa37a8b7292456d7d9edee0304d0c9df3985088fdc”
addtime=jan/02/1970 00:32:56 expires-in=4h31m9s add-lifetime=6h24m/8h
current-bytes=96695

16 E spi=0x5F35979 src-address=83.206.1.10 dst-address=41.188.22.44
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key=“97430e864eec05d40463dd4830999785a1e61cd1”
enc-key=“b915efaeec8e941338ed3df16e58dd876b27c1d221cc89ff”
addtime=jan/02/1970 04:02:59 expires-in=7h57m8s add-lifetime=6h24m/8h
current-bytes=500

29 E spi=0xAA142F84 src-address=41.188.22.44 dst-address=83.206.1.10
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key=“1077a4f949b0f085d7190ad023b13e71b0128f29”
enc-key=“b63cff955e3fdf139ce60e73e9f24ebd077cd59c5e7f7716”
addtime=jan/02/1970 00:32:56 expires-in=4h31m9s add-lifetime=6h24m/8h
current-bytes=6771

31 E spi=0x202ED5AC src-address=41.188.22.44 dst-address=83.206.1.10
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key=“30abe04300a1eb092cc1c7cf0dfe2fb63df665d3”
enc-key=“491782c863040a0339133ba5f07cf6ab8c1d58176a6882bd”
addtime=jan/02/1970 04:02:59 expires-in=7h57m8s add-lifetime=6h24m/8h
current-bytes=500and on stonegate side :

Screenshot

IKE SA is established and the SPI and subnets match

Don’t know where to look further, I don’t know mikrotik debugs yet.
Thanks again

4

A similar situation, if installed tunnel between Kerio and Mikrotik. If the year has not been answered, I think that fix those bugs that are understood by developers. If the situation is non-standard, developers do not respond. Bravo!

5

Hi,

I recently found the solution : on the Action tab of the IPSec Policy, set Level to ‘unique’ instead of ‘require’

Tell me if it works in your case, I will the set the topic to SOLVED

Cheers

6

Guy, I’ll hard drinking for your health for the next week. Honestly! Thank you, colleague! It works.

7

Happy to hear that !

To help you don’t get drunk, I’ll drink some beers too :wink:

I close the thread.