Test case EOIP+IPSEC or IPIP+IPSEC

Hi,

After the 6.30 firmware was released I decided to test the new EOIP+IPSEC encryption solution.
The test environment is the following:
Router A

  • firewall disabled
  • Ether1: 192.168.77.1/24 (direct cable to Router B / ether10)
  • Ether2: 192.168.1.1/24 (direct to my pc)
  • eoip-test1 tunnel: tunnel-id: 101, local=192.168.77.1, remote=192.168.77.2 (ipsec secret=disabled)
  • eoip-test1 IP: 192.168.100.1/24

Router B

  • firewall disabled
  • Ether10: 192.168.77.2/24 (direct cable to Router A / ether1)
  • Ether2: 192.168.2.1/24 (direct to another pc)
  • eoip-test1 tunnel: tunnel-id: 101, local=192.168.77.2, remote=192.168.77.1 (ipsec secret=disabled)
  • eoip-test1 IP: 192.168.100.2/24

These were the basics… direct connections and EOIP tunnels were working properly.

After setting the “ipsec secret” parameter to “asdfgh” on both routers… FAIL.
IPsec rules were created dynamically on both routers, but it seems not to be working.
I got this message in the log files: failed to pre-process ph2 packet

I tried the same with different firmwares from 6.30 to 6.30.2 and with different routers, without any success. I also tried the same solution with an IPIP tunnel, with the same results. :frowning:


Any idea? Is this new feature a working thing or should I forget it?

Ph2 fails if some of the phase2 parameters do not match on both routers.

Both routers are freshly installed with the new firmware and factory config.

Enable ipsec debug logs and see why exactly phase2 fails.



20:27:33 ipsec,debug,packet peer's single bundle:
20:27:33 ipsec,debug,packet (proto_id=ESP spisize=4 spi=09c8a7c2 spi_p=00000000 encmode=Transport reqid=0:0)
20:27:33 ipsec,debug,packet (trns_id=3DES encklen=0 authtype=hmac-sha1)
20:27:33 ipsec,debug,packet my single bundle:
20:27:33 ipsec,debug,packet (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
20:27:33 ipsec,debug,packet (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
20:27:33 ipsec,debug trns_id mismatched: my:AES-CBC peer:3DES
20:27:33 ipsec,debug not matched
20:27:33 ipsec,debug no suitable proposal found.

Lol… it seems that after a fresh install and factory reset on my two routers
the IPsec proposals differ. :smiley: RB750G and RB2011UAS-RM
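The mismatch the debug log exposes can be picked out mechanically. The following added Python example (not from the thread or from RouterOS) parses constructed log lines modelled on the ones above and reports which phase 2 proposal attributes differ between the two sides, ignoring SPIs, which legitimately differ:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the RouterOS "ipsec,debug,packet" lines quoted in the thread.
SAMPLE_LOG = """\
20:27:33 ipsec,debug,packet peer's single bundle:
20:27:33 ipsec,debug,packet (proto_id=ESP spisize=4 spi=09c8a7c2 spi_p=00000000 encmode=Transport reqid=0:0)
20:27:33 ipsec,debug,packet (trns_id=3DES encklen=0 authtype=hmac-sha1)
20:27:33 ipsec,debug,packet my single bundle:
20:27:33 ipsec,debug,packet (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
20:27:33 ipsec,debug,packet (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
"""

# Attributes that must agree for a phase 2 proposal to match. SPI values are
# chosen per side and legitimately differ, so they are deliberately not compared.
COMPARED = ("proto_id", "encmode", "trns_id", "encklen", "authtype")
# "peer's single bundle:" / "my single bundle:" (accepts straight or curly apostrophe)
SIDE_RE = re.compile(r"(peer|my)\S* single bundle:")
ATTR_RE = re.compile(r"(\w+)=([^\s()]+)")


def parse_bundles(log: str) -> Dict[str, Dict[str, str]]:
    """Collect the attribute=value pairs of each side's proposal bundle."""
    bundles: Dict[str, Dict[str, str]] = {}
    side = None
    for line in log.splitlines():
        m = SIDE_RE.search(line)
        if m:
            side = m.group(1)          # "peer" or "my"
            bundles[side] = {}
            continue
        if side and "ipsec,debug,packet (" in line:
            bundles[side].update(ATTR_RE.findall(line))
    return bundles


def find_mismatches(log: str) -> List[Tuple[str, str, str]]:
    """Return (attribute, mine, peer) for every compared attribute that differs."""
    b = parse_bundles(log)
    mine, peer = b.get("my", {}), b.get("peer", {})
    return [(k, mine.get(k, "?"), peer.get(k, "?"))
            for k in COMPARED if mine.get(k) != peer.get(k)]


if __name__ == "__main__":
    for attr, mine, peer in find_mismatches(SAMPLE_LOG):
        print(f"{attr} mismatched: my:{mine} peer:{peer}")
```

On the sample it reports the cipher (AES-CBC vs 3DES) and the key length (128 vs 0) as the two disagreeing attributes, which is exactly what the router's own "trns_id mismatched" line summarises.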

Thanks for the help, after fixing the proposal difference it works well.

In the latest ROS version the default proposal has aes-128-cbc and aes-256-cbc enabled.
If you have something different, then either you did a system reset on an older version (3des was the default on quite old versions), or you did not perform a system reset on one of the routers.