Two IKEv2 initiator peers behind same NAT can't connect simultaneously

Hi All,
The WAN network scheme is the following:
RESPONDER: CRS326-24G-2S+ (RoS 6.44.3) connected via two separate ISPs, public IP addresses (‘Public_IP0’, ‘Public_IP1’) assigned on RoS side, policy based routing is configured.
INITIATOR: hAPac (RoS 6.44.3) connected via 3G modem, private IP address assigned on RoS side, NAT is performed on cell provider side.

Pure IPSec IKEv2 tunnels are configured in the following way:
INITIATOR: has two separate ‘peers’ (‘Initiator_peer0’, ‘Initiator_peer1’) created (one will connect to ‘Public_IP0’, the second one to ‘Public_IP1’ respectively). Each ‘peer’ has its own ‘identity’ with a unique SSL certificate assigned and requests IP configuration via ‘Mod Config’.
RESPONDER: has a ‘::/0’ ‘wildcard’ ‘peer’ configured to listen for any incoming IPSec initiation on both ‘Public_IP0’ and ‘Public_IP1’. Two separate ‘Identities’ were created to authenticate connections from ‘Public_IP0’ and ‘Public_IP1’ using the corresponding SSL certs; also two separate ‘Mod Config’ configurations were created to provide each ‘peer’ with its own IP configuration from a separate subnet.

PROBLEM:
If only one of the two ‘peers’ is enabled on the INITIATOR side, the IKEv2 session starts properly, and both INITIATOR and RESPONDER get the appropriate SA and Policies negotiated.
If both ‘peers’ are enabled on the INITIATOR side, the IKEv2 session gets stuck in an endless loop: it successfully negotiates SA/Policy for ‘Initiator_peer0’, then starts to negotiate SA/Policy for ‘Initiator_peer1’ but kills the already negotiated SA/Policy for ‘Initiator_peer0’, and so on in a loop.

I suspect that the cell ISP NAT is the root of the issue, because the incoming initiations of both peers come from the same Cell_ISP_NAT_IP:PORT and RoS can’t distinguish them.

Could someone help me sort this issue out?

Detailed RoS config:

RESPONDER:

/ip firewall mangle
add action=mark-connection chain=input comment="MARK CONNECTIONS TO 'eth2-neo'" in-interface=eth1-neo new-connection-mark=conn-in-neo passthrough=no
add action=mark-connection chain=input comment="MARK CONNECTIONS TO 'pppoe0-osn'" in-interface=pppoe0-osn new-connection-mark=conn-in-osn passthrough=no
add action=mark-routing chain=output comment="MARK ROUTING FOR 'conn-in-neo'" connection-mark=conn-in-neo new-routing-mark=route-neo passthrough=no
add action=mark-routing chain=output comment="MARK ROUTING FOR 'conn-in-osn'" connection-mark=conn-in-osn new-routing-mark=route-osn passthrough=no
/ip route
add distance=1 gateway=91.192.XXX.ZZZ routing-mark=route-neo
add distance=1 gateway=172.20.XXX.VVV routing-mark=route-osn

/ip ipsec mode-config
add address=10.128.100.2 address-prefix-length=32 name=modcfg1-gre_interconnect-ua_bt_lsh0_neocom split-include=10.128.100.1/32 system-dns=no
add address=10.128.201.2 address-prefix-length=32 name=modcfg2-gre_interconnect-ua_bt_lsh0_osnova split-include=10.128.201.1/32 system-dns=no
/ip ipsec policy group
add name=group1-gre_interconnect
add name=group2-tmp
/ip ipsec profile
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=profile0-ike2
/ip ipsec peer
add exchange-mode=ike2 name=peer0-ikev2_wildcard_listener passive=yes profile=profile0-ike2 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=proposal0-ike2
/ip ipsec identity
add auth-method=rsa-signature certificate=cerberus-ipsec_ikev2_interconnect-server.crt generate-policy=port-strict match-by=certificate mode-config=\
    modcfg2-gre_interconnect-ua_bt_lsh0_osn peer=peer0-ikev2_wildcard_listener policy-template-group=group2-tmp remote-certificate=\
    ua_bt_lsh0_osn-cerberus-ipsec_ikev2_interconnect-client.crt
add auth-method=rsa-signature certificate=cerberus-ipsec_ikev2_interconnect-server.crt generate-policy=port-strict match-by=certificate mode-config=\
    modcfg1-gre_interconnect-ua_bt_lsh0_neo peer=peer0-ikev2_wildcard_listener policy-template-group=group1-gre_interconnect remote-certificate=\
    ua_bt_lsh0_neo-cerberus-ipsec_ikev2_interconnect-client.crt
/ip ipsec policy
add dst-address=10.128.100.0/24 group=group1-gre_interconnect proposal=proposal0-ike2 src-address=10.128.100.0/24 template=yes
add dst-address=10.128.201.0/24 group=group2-tmp proposal=proposal0-ike2 src-address=10.128.201.0/24 template=yes

INITIATOR:

/ip ipsec mode-config
add name=modcfg1-gre_interconnect-initiator responder=no
/ip ipsec policy group
add name=group0-gre_interconnect
add name=group1-tmp
/ip ipsec profile
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=profile0-ikev2
/ip ipsec peer
add address=195.60.XXX.VVV/32 exchange-mode=ike2 local-address=10.128.201.2 name=peer1-ikev2-ua_cn_lsh0_osn-client profile=profile0-ikev2
add address=91.192.XXX.ZZZ/32 disabled=yes exchange-mode=ike2 local-address=10.128.100.2 name=peer0-ikev2-ua_cn_lsh0_neo-client profile=profile0-ikev2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=proposal0-ikev2
/ip ipsec identity
add auth-method=rsa-signature certificate=ua_bt_lsh0_neo-cerberus-ipsec_ikev2_interconnect-client.crt generate-policy=port-strict mode-config=modcfg1-gre_interconnect-initiator \
    peer=peer0-ikev2-ua_cn_lsh0_neo-client policy-template-group=group0-gre_interconnect
add auth-method=rsa-signature certificate=ua_bt_lsh0_osn-cerberus-ipsec_ikev2_interconnect-client.crt generate-policy=port-strict mode-config=modcfg1-gre_interconnect-initiator \
    peer=peer1-ikev2-ua_cn_lsh0_osn-client policy-template-group=group1-tmp
/ip ipsec policy
add dst-address=10.128.100.0/24 group=group0-gre_interconnect proposal=proposal0-ikev2 src-address=10.128.100.0/24 template=yes
add dst-address=10.128.201.0/24 group=group1-tmp proposal=proposal0-ikev2 src-address=10.128.201.0/24 template=yes

RESPONDER LOG:

#Enabling  'Initiator_peer0'
2019-05-21T13:05:58.717603+00:00 172.16.99.1 ipsec,info new ike2 SA (R): 91.192.XXX.ZZZ[4500]-46.211.221.214[35444] spi:175528044582a16b:d7886486b66ae328
2019-05-21T13:06:00.089750+00:00 172.16.99.1 ipsec,info,account peer authorized: 91.192.XXX.ZZZ[4500]-46.211.221.214[35444] spi:175528044582a16b:d7886486b66ae328

#Enabling  'Initiator_peer1'
2019-05-21T13:07:18.967619+00:00 172.16.99.1 ipsec,info new ike2 SA (R): 195.60.XXX.VVV[4500]-46.211.221.214[35444] spi:294740c4baade4cf:f801cd42db95f948
2019-05-21T13:07:20.338663+00:00 172.16.99.1 ipsec,info,account peer authorized: 195.60.XXX.VVV[4500]-46.211.221.214[35444] spi:294740c4baade4cf:f801cd42db95f948
!!! 2019-05-21T13:07:20.339592+00:00 172.16.99.1 ipsec,info killing ike2 SA: 91.192.XXX.ZZZ[4500]-46.211.221.214[35444] spi:175528044582a16b:d7886486b66ae328

Set send-initial-contact to no everywhere. The meaning of this setting is counter-intuitive and this setting should solve your issue.
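
The pattern in the responder log above (a 'peer authorized' for one SPI, followed almost immediately by 'killing ike2 SA' for a different SPI from the same remote NAT address and port) can be found mechanically in a syslog export. This Python script is an added example, not part of the original thread; the sample log is constructed (documentation addresses, made-up SPIs and host name), and the function name and the 2-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the responder log quoted in the thread.
SAMPLE_LOG = """\
2019-05-21T13:05:58.717603+00:00 rtr1 ipsec,info new ike2 SA (R): 198.51.100.1[4500]-192.0.2.50[35444] spi:aaaaaaaaaaaaaaa1:bbbbbbbbbbbbbbb1
2019-05-21T13:06:00.089750+00:00 rtr1 ipsec,info,account peer authorized: 198.51.100.1[4500]-192.0.2.50[35444] spi:aaaaaaaaaaaaaaa1:bbbbbbbbbbbbbbb1
2019-05-21T13:07:18.967619+00:00 rtr1 ipsec,info new ike2 SA (R): 203.0.113.1[4500]-192.0.2.50[35444] spi:aaaaaaaaaaaaaaa2:bbbbbbbbbbbbbbb2
2019-05-21T13:07:20.338663+00:00 rtr1 ipsec,info,account peer authorized: 203.0.113.1[4500]-192.0.2.50[35444] spi:aaaaaaaaaaaaaaa2:bbbbbbbbbbbbbbb2
2019-05-21T13:07:20.339592+00:00 rtr1 ipsec,info killing ike2 SA: 198.51.100.1[4500]-192.0.2.50[35444] spi:aaaaaaaaaaaaaaa1:bbbbbbbbbbbbbbb1
2019-05-21T13:30:00.000000+00:00 rtr1 ipsec,info killing ike2 SA: 203.0.113.1[4500]-192.0.2.50[35444] spi:aaaaaaaaaaaaaaa2:bbbbbbbbbbbbbbb2
"""

# timestamp, host, topics, event, local[port]-remote[port], spi
LINE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+[+-]\d\d:\d\d) \S+ ipsec,\S+ "
    r"(?P<event>new ike2 SA \(R\)|peer authorized|killing ike2 SA): "
    r"(?P<local>[^\[\s]+)\[\d+\]-(?P<remote>[^\[\s]+\[\d+\]) "
    r"spi:(?P<spi>[0-9a-f:]+)")

def find_displaced_sas(log_text, window=timedelta(seconds=2)):
    """Report IKE SAs killed right after a different SA was authorized
    from the same remote address and port."""
    authorized = {}  # remote "ip[port]" -> (time, local address, spi)
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)  # search() tolerates prefixes such as "!!! "
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "peer authorized":
            authorized[m["remote"]] = (ts, m["local"], m["spi"])
        elif m["event"] == "killing ike2 SA":
            prev = authorized.get(m["remote"])
            # A kill of the SA that was itself authorized last is an
            # ordinary teardown, not a displacement.
            if prev and prev[2] != m["spi"] and ts - prev[0] <= window:
                findings.append({
                    "remote": m["remote"],
                    "killed_spi": m["spi"], "killed_local": m["local"],
                    "replaced_by_spi": prev[2], "replaced_by_local": prev[1],
                })
    return findings

if __name__ == "__main__":
    for f in find_displaced_sas(SAMPLE_LOG):
        print(f)
```

A finding whose `killed_local` and `replaced_by_local` differ while `remote` is identical matches the situation in this thread: two tunnels to different responder addresses arriving through one NAT mapping.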

Dear Sindy,
Thank you very much for such a prompt hint. It works like a charm!

Resolved.

The only credit to me is for the speed of reaction. The actual information comes from @emils’ response to a similar topic a few weeks ago.