Hi everyone, I have an old Mikrotik RB951G-2HnD that I have to manage for a few months to keep an IPSec connection active.
Currently the connection is already active and the Mikrotik is on firmware 6.25.
I would like to update the firmware to version 6.49.18 without interrupting the VPN (the system is remote and I could lose the connection and not be able to reach it immediately).
Is it possible that the IPSec connection could drop (for example, I know that the menus in the IPSec section will surely change going from 6.25 to 6.49.18)?
Obviously when you upgrade, the connection WILL drop since the device has to reboot.
And then it remains to be seen if nothing major has changed between 6.25 (!!?? That’s from January 2015 ??!!) and 6.49.18 with respect to IPSEC.
Do you have the possibility to add a second VPN next to IPSEC, as a fallback?
Which then brings the question … if this is only for a few months and it’s such a possible risk with the device being remote, why upgrade?
If it works, let it be.
FortiGate in office A and Mikrotik in office B.
The Mikrotik sets up the VPN to the FortiGate.
The VPN must be site-to-site because there are no PCs or servers in office B, only devices (machines) that must send data to the network of office A.
I was referring to a separate VPN towards that Tik. Doesn’t have to start on Fortigate, though.
You just need something to get back into that device in case the IPSEC tunnel goes wrong.
You mention you can provide access via public IP with Winbox directly on Mikrotik device. I wouldn’t do that for obvious reasons.
Something as simple as SSTP or L2TP, starting from your computer?
As for IPSEC differences between 6.25 and 6.49.18 … you got a minute?
Extracted all changelog info from the website, a bit of Excel magic, “et voila” …
Release Topic
6.49.1 *) snmp - fixed IPsec-SA byte and packet counter reporting;
6.49 *) ipsec - fixed memory leak when processing DHCP packets;
6.49 *) ipsec - improved SA update by SPI;
6.49 *) ipsec - improved system stability on CHR;
6.49 *) ipsec - improved system stability on MMIPS devices;
6.48.3 *) ipsec - fixed SA address parameter exporting;
6.48.1 *) ipsec - improved stability when processing IPv6 packets larger than interface MTU;
6.48 *) dhcp - fixed DHCP packet forwarding to IPsec policies;
6.48 *) ipsec - added SHA384 hash algorithm support for phase 1;
6.48 *) ipsec - do not kill connection when peer’s “name” or “comment” is changed;
6.48 *) ipsec - fixed client certificate usage when certificate is renewed with SCEP;
6.48 *) ipsec - fixed multiple warning message display for peers;
6.48 *) ipsec - inactivate peer’s policy on disconnect;
6.48 *) ipsec - refresh peer’s DNS only when phase 1 is down;
6.48 *) snmp - added information from IPsec “active-peers” menu to MIKROTIK-MIB;
6.47.1 *) ipsec - do not update peer endpoints for generated policy entries (introduced in v6.47);
6.47 *) dns - added support for exclusive dynamic DNS server usage from IPsec;
6.47 *) ipsec - added “split-dns” parameter support for mode configuration;
6.47 *) ipsec - added “use-responder-dns” parameter support;
6.47 *) ipsec - allow specifying two peers for a single policy for failover;
6.47 *) ipsec - control CRL validation with global “use-crl” setting;
6.47 *) ipsec - do full certificate validation for identities with explicit certificate;
6.47 *) ipsec - fixed minor spelling mistake in logs;
6.47 *) ipsec - improved IPsec service stability when receiving bogus packets;
6.47 *) ipsec - place dynamically created IPsec policies by L2TP client at the begining of the table;
6.47 *) l2tp - improved dynamically created IPsec configuration updating;
6.47 *) l2tp - use L2TP interface when adding dynamic IPsec peer;
6.46.5 *) ipsec - improved system stability when handling fragmented packets;
6.46.1 *) ipsec - improved system stability when processing decrypted packet on unregistered interface;
6.46 *) ipsec - added “error” topic for identity check failure logging messages;
6.46 *) ipsec - fixed DNS resolving when domain has only AAAA entries;
6.46 *) ipsec - fixed policy “sa-src-address” detection from “local-address” (introduced in v6.45);
6.45.5 *) ipsec - allow inline “passphrase” parameter when importing keys;
6.45.5 *) ipsec - fixed “eap-radius” authentication method (introduced in v6.45);
6.45.5 *) ipsec - fixed minor spelling mistakes in logs;
6.45.2 *) ipsec - added “connection-mark” parameter for mode-config initiator;
6.45.2 *) ipsec - allow peer argument only for “encrypt” policies (introduced in v6.45);
6.45.2 *) ipsec - fixed peer configuration migration from versions older than v6.43 (introduced in v6.45);
6.45.2 *) ipsec - improved stability for peer initialization (introduced in v6.45);
6.45.2 *) ipsec - show warning for policies with “unknown” peer;
6.45.1 *) ipsec - added dynamic comment field for “active-peers” menu inherited from identity;
6.45.1 *) ipsec - added “ph2-total” counter to “active-peers” menu;
6.45.1 *) ipsec - added support for RADIUS accounting for “eap-radius” and “pre-shared-key-xauth” authentication methods;
6.45.1 *) ipsec - added traffic statistics to “active-peers” menu;
6.45.1 *) ipsec - disallow setting “src-address” and “dst-address” for transport mode policies;
6.45.1 *) ipsec - do not allow adding identity to a dynamic peer;
6.45.1 *) ipsec - fixed policies becoming invalid after changing priority;
6.45.1 *) ipsec - general improvements in policy handling;
6.45.1 *) ipsec - properly drop already established tunnel when address change detected;
6.45.1 *) ipsec - renamed “remote-peers” to “active-peers”;
6.45.1 *) ipsec - renamed “rsa-signature” authentication method to “digital-signature”;
6.45.1 *) ipsec - replaced policy SA address parameters with peer setting;
6.45.1 *) ipsec - use tunnel name for dynamic IPsec peer name;
6.45.1 *) tunnel - removed “local-address” requirement when “ipsec-secret” is used;
6.44.3 *) ipsec - fixed freshly created identity not taken in action (introduced in v6.44);
6.44.3 *) ipsec - fixed possible configuration corruption after import (introduced in v6.44);
6.44.1 *) ipsec - allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44);
6.44.1 *) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
6.44.1 *) ipsec - use “remote-id=ignore” for dynamic L2TP configuration (introduced in v6.44);
6.44 !) ipsec - added new “identity” menu with common peer distinguishers;
6.44 !) ipsec - removed “main-l2tp” exchange-mode, it is the same as “main” exchange-mode;
6.44 !) ipsec - removed “users” menu, XAuth user configuration is now handled by “identity” menu;
6.44 *) ipsec - added account log message when user is successfully authenticated;
6.44 *) ipsec - added basic pre-shared-key strength checks;
6.44 *) ipsec - added new “remote-id” peer matcher;
6.44 *) ipsec - allow to specify single address instead of IP pool under “mode-config”;
6.44 *) ipsec - fixed active connection killing when changing peer configuration;
6.44 *) ipsec - fixed all policies not getting installed after startup (introduced in v6.43);
6.44 *) ipsec - fixed stability issues after changing peer configuration (introduced in v6.43);
6.44 *) ipsec - hide empty prefixes on “peer” menu;
6.44 *) ipsec - improved invalid policy handling when a valid policy is uninstalled;
6.44 *) ipsec - made dynamic “src-nat” rule more specific;
6.44 *) ipsec - made peers autosort themselves based on reachability status;
6.44 *) ipsec - moved “profile” menu outside “peer” menu;
6.44 *) ipsec - properly detect AES-NI extension as hardware AEAD;
6.44 *) ipsec - removed limitation that allowed only single “auth-method” with the same “exchange-mode” as responder;
6.44 *) ipsec - require write policy for key generation;
6.44 *) l2tp - fixed IPsec secret not being updated when “ipsec-secret” is changed under L2TP client configuration;
6.44 *) rb3011 - implemented multiple engine IPsec hardware acceleration support;
6.44 *) ssh - close active SSH connections before IPsec connections on shutdown;
6.44 *) tunnel - properly clear dynamic IPsec configuration when removing/disabling EoIP with DNS as “remote-address”;
6.43.11 *) ipsec - accept only valid path for “export-pub-key” parameter in “key” menu;
6.43.7 *) ipsec - fixed hw-aead (H) flag presence under Installed SAs on startup;
6.43.7 *) ipsec - improved stability when uninstalling multiple SAs at once;
6.43.7 *) ipsec - properly handle peer profiles on downgrade;
6.43.7 *) ipsec - properly update warnings under peer menu;
6.43.7 *) tunnel - made “ipsec-secret” parameter sensitive;
6.43.4 *) ipsec - allow multiple peers to the same address with different local-address (introduced in v6.43);
6.43.1 *) rb3011 - added IPsec hardware acceleration support;
6.43 *) ipsec - added “responder” parameter for “mode-config” to allow multiple initiator configurations;
6.43 *) ipsec - added “src-address-list” parameter for “mode-config” that generates dynamic “src-nat” rule;
6.43 *) ipsec - added warning messages for incorrect peer configuration;
6.43 *) ipsec - do not allow removal of “proposal” and “mode-config” entries that are in use;
6.43 *) ipsec - fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM;
6.43 *) ipsec - fixed AES-CTR and AES-GCM key size proposing as initiator;
6.43 *) ipsec - fixed “static-dns” value storing;
6.43 *) ipsec - improved invalid policy handling when a valid policy is uninstalled;
6.43 *) ipsec - improved reliability on generated policy addition when IKEv1 or IKEv2 used;
6.43 *) ipsec - improved stability when using IPsec with disabled route cache;
6.43 *) ipsec - install all DNS server addresses provided by “mode-config” server;
6.43 *) ipsec - separate phase1 proposal configuration from peer menu;
6.43 *) ipsec - use monotonic timer for SA lifetime check;
6.43 *) winbox - fixed “IP/IPsec/Peers” section sorting;
6.42.7 *) ipsec - fixed “sa-src-address” deduction from “src-address” in tunnel mode;
6.42.7 *) ipsec - improved invalid policy handling when a valid policy is uninstalled;
6.42.7 *) winbox - fixed warning presence for “IP/IPsec/Peers” menu;
6.42.4 *) ipsec - improved reliability on IPsec hardware encryption for RB1100Dx4;
6.42.2 *) ipsec - fixed policies becoming invalid if added after a disabled policy;
6.42.2 *) ipsec - improved reliability on IPsec hardware encryption for ARM devices except RB1100Dx4;
6.42 *) ipsec - fixed AES-CTR and AES-GCM support on RB1200;
6.42 *) ipsec - improved single tunnel hardware acceleration performance on MMIPS devices;
6.42 *) ipsec - properly detect interface for “mode-config” client IP address assignment;
6.41.3 *) winbox - removed “Enable” and “Disable” buttons from IPsec “mode-config” list;
6.41.1 *) ipsec - properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;
6.41 *) ipsec - added DH groups 19, 20 and 21 support for phase1 and phase2;
6.41 *) ipsec - allow to specify “remote-peer” address as DNS name;
6.41 *) ipsec - fixed incorrect esp proposal key size usage;
6.41 *) ipsec - fixed policy enable/disable;
6.41 *) ipsec - improved hardware accelerated IPSec performance on 750Gr3;
6.41 *) ipsec - improved reliability on certificate usage;
6.41 *) ipsec - renamed “firewall” argument to “notrack-chain” in peer configuration;
6.41 *) ipsec - skip invalid policies for phase2;
6.41 *) l2tp-server - fixed PPP services becoming unresponsive after changes on L2TP server with IPSec configuration;
6.41 *) winbox - added “notrack-chain” setting to IPSec peers;
6.41 *) winbox - do not show duplicate “Template” parameters for filter in IPSec policy list;
6.40.5 *) ipsec - fixed lost value for “remote-certificate” parameter after disable/enable;
6.40.4 *) ipsec - kill PH1 on “mode-config” address failure;
6.40.2 *) winbox - hide “level” and “tunnel” parameters for IPSec policy templates;
v6.40 *) ipsec - added “firewall=add-notrack” peer option (CLI only);
v6.40 *) ipsec - added information in console XML for “mode-config” menu;
v6.40 *) ipsec - added support for “key-id” peer identification type;
v6.40 *) ipsec - allow to specify chain in “firewall” peer option;
v6.40 *) ipsec - do not deduct “dst-address” from “sa-dst-address” for “/0” policies;
v6.40 *) ipsec - enabled modp2048 DH group by default;
v6.40 *) ipsec - fixed connections cleanup on policy or proposal modification;
v6.40 *) ipsec - optimized logging under IPSec topic;
v6.40 *) ipsec - removed policy priority;
v6.40 *) quickset - added special firewall exception rules for IPSec;
v6.40 *) winbox - make IPSec policies table an order list;
6.39.2 *) ipsec - fixed generated policy priority;
6.39.2 *) ipsec - fixed peer “my-id” address reset;
6.39.2 *) ipsec - renamed “remote-dynamic-address” to “dynamic-address”;
6.39 !) tile - fixed IPSec hardware acceleration out-of-order packet problem, significantly improved performance;
6.39 *) ipsec - added “last-seen” parameter to active connection list;
6.39 *) ipsec - allow mixing aead algorithms in proposal;
6.39 *) ipsec - better responder flag calculator for console;
6.39 *) ipsec - disallow AH+ESP combined policies ;
6.39 *) ipsec - do not loose “use-ipsec=yes” parameter after downgrade;
6.39 *) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
6.39 *) ipsec - fixed “/ip ipsec policy group export verbose”;
6.39 *) ipsec - fixed “mode-cfg” verbose export;
6.39 *) ipsec - fixed SA authentication flag;
6.39 *) ipsec - renamed “hw-authenc” flag to “hw-aead”;
6.39 *) ipsec - show hardware accelerated authenticated SAs;
6.39 *) ipsec - updated tilera classifier for UDP encapsulated ESP;
6.39 *) l2tp-server - added “use-ipsec=required” option;
6.39 *) l2tp-server - fixed upgrade to keep “use-ipsec=yes” in L2TP server;
6.39 *) tile - fixed IPSec crash (introduced in 6.39rc64);
6.39 *) winbox - allow to not specify certificate in IPSec peer settings;
6.39 *) winbox - fixed IPSec “mode-config” DNS settings;
6.39 *) winbox - fixed issue when working IPSec policies were shown as invalid;
6.39 *) winbox - properly show IPSec “installed-sa” “enc-algorithm” when it is aes-gcm;
6.39 *) winbox - show “A” flag for IPSec policies;
6.39 *) winbox - show “H” flag for IPSec installed SAs;
6.38.4 *) ipsec - deducted policy SA src/dst address from src/dst address;
6.38.4 *) ipsec - do not require “sa-dst-address” if “action=none” or “action=discard”;
6.38.4 *) ipsec - fixed SA address check in policy lookup;
6.38.4 *) ipsec - hide SA address for transport policies;
6.38.4 *) ipsec - keep policy in kernel even with bad proposal;
6.38.4 *) ipsec - kill ph2 on policy removal;
6.38.4 *) ipsec - updated/fixed Radius attributes;
6.38.4 *) l2tp-client - fixed IPSec policy generation after reboot;
6.38.4 *) l2tp-client - require working IPSec encryption if “use-ipsec=yes”;
6.38.1 *) ipsec - added ability to kill particular remote-peer;
6.38.1 *) ipsec - fixed flush speed and SAs on startup;
6.38.1 *) ipsec - fixed peer port export;
6.38.1 *) ipsec - port is used only for initiators;
6.38.1 *) winbox - added IPsec to radius services;
6.38.1 *) winbox - hide “nat-traversal” setting in IPsec peer if IKEv2 is selected;
6.38 !) ipsec - added IKEv1 xauth user authentication with RADIUS “/ip ipsec user settings set xauth-use-radius=yes”;
6.38 !) ipsec - added IKEv2 support;
6.38 !) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder;
6.38 !) ipsec - added support for unique policy generation;
6.38 !) ipsec - removed IKEv1 ah+esp support;
6.38 *) ipsec - added ability to specify static IP address at “send-dns” option;
6.38 *) ipsec - added ph2 accounting for each policy “/ip ipsec policy ph2-count”;
6.38 *) ipsec - allow to specify explicit split dns address;
6.38 *) ipsec - changed logging topic from error to debug when empty pfkey messages are received;
6.38 *) ipsec - do not auto-negotiate more SAs than needed;
6.38 *) ipsec - ensure generated policy refers to valid proposal;
6.38 *) ipsec - fixed camellia crypto algorithm module loading;
6.38 *) ipsec - fixed IPv6 remote prefix;
6.38 *) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
6.38 *) ipsec - fixed peer configuration my-id IPv4 address endianness;
6.38 *) ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
6.38 *) ipsec - load ipv6 related modules only when ipv6 package is enabled;
6.38 *) ipsec - make generated policies always as unique;
6.38 *) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
6.38 *) ipsec - optimized logging under ipsec topic;
6.38 *) ipsec - show active flag when policy has active SA;
6.38 *) ipsec - show SA “enc-key-size”;
6.38 *) ipsec - split “mode-config” and “send-dns” arguments;
6.38 *) radius - added IPSec service (cli only);
6.38 *) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;
6.38 *) winbox - moved ipsec peer “exchange-mode” to General tab;
6.37.2 *) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages;
6.37 *) ipsec - fixed crash with enabled fragmentation;
6.37 *) ipsec - fixed dynamic policy not deleted on disconnect for nat-t peers;
6.37 *) ipsec - fixed fragmentation use negotiation;
6.37 *) ipsec - fixed kernel crash when sha512 was used;
6.36.3 *) ipsec - don’t log authtype mismatch as critical;
6.36.3 *) ipsec - fixed xauth parameter printing in terminal;
6.36 *) ipsec - add dead ph2 detection exception for windows msgid noncompliance with rfc;
6.36 *) ipsec - added dead ph2 reply detection;
6.36 *) ipsec - don’t register temporary ph2 on dead list;
6.36 *) ipsec - fix initiator modecfg dynamic dns;
6.36 *) ipsec - fixed AH with SHA2;
6.36 *) ipsec - fixed checks before accessing ph1 nat options;
6.36 *) ipsec - fixed mode-config export;
6.36 *) ipsec - fixed route cache overflow when using ipsec with route cache disabled;
6.36 *) ipsec - fixed windows msgid check on x86 devices;
6.36 *) ipsec - show remote peer address in error messages when possible;
6.36 *) ipsec - store udp encapsulation type in proposal;
6.35.4 *) ipsec - fixed mode-config export;
6.35.4 *) ipsec - fixed route cache overflow when using ipsec with route cache disabled;
6.35 *) ipsec - always re-key ph1 because it was possible that ph1 without DPD would expire;
6.35 *) ipsec - better flush on proposal change;
6.35 *) ipsec - fixed crash on policy update;
6.35 *) ipsec - fixed fast ph2 SA addition;
6.35 *) ipsec - fixed larval SA refresh for display;
6.35 *) ipsec - fixed multiple consecutive dynamic policy flush;
6.34.4 *) ipsec - take into account ip protocol in kernel policy matcher;
6.34.2 *) ipsec - fix console peer aes enc algorithm display;
6.34.2 *) l2tp - ipsec peer & policy sometimes was not removed after l2tp interface disable;
6.34 *) ipsec - improved TCP performance on CCRs;
6.34 *) ipsec - allow my-id address specification in main mode;
6.34 *) ipsec - prioritize proposals;
6.34 *) ipsec - support multiple DH groups for phase 1;
6.34 *) ipsec - fix phase2 hmac-sha-256-128 truncation len from 96 to 128
6.34 *) ipsec - make sure that dynamic policy always has dynamic flag;
6.34 *) ipsec - fixed active SAs flushing;
6.34 *) ipsec - fixed kernel failure after underlying tunnel has been disabled/enabled;
6.34 *) tile - fix ipsec freeze after SA updates;
6.33 *) ipsec - force flow cache validation once in 1h;
6.33 *) ipsec - fix set on multiple policies which could result in adding non existent dynamic policies to the list;
6.33 *) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
6.33 *) ipsec - use local-address for phase 1 matching and initiation;
6.33 *) ipsec - fix replay window, was accidentally disabled since version 6.30;
6.32.2 *) ipsec - fixed kernel failure when packets were not ordered on first call;
6.32.2 *) ipsec - fix sockaddr buf size on id generation for ipv6 address;
6.32 *) ipsec - added compatibility option skip-peer-id-check;
6.32 *) ipsec - fix potential memory leak;
6.32 *) ipsec - use local-address for phase 1 matching and initiation;
6.32 *) ipsec - fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
6.30 *) ipsec - fail ph2 negitioation when initiator proposed key length
6.30 *) ipsec - increase replay window to 128;
6.30 have new property - ipsec-secret - for easy setup of ipsec
6.30 *) firewall - added ipsec-policy matcher to check wheather packet was/will be ipsec processed or not;
6.29 *) ipsec - allow to specify custom IP address for my_id parameter;
6.27 *) ipsec - fixed crash that happened in specific situation;
If it’s appropriately firewalled for public access (i.e. not using the ACL on the services but actually using input filters on the WAN links) then I’d say leave it as-is.
Your idea of opening up some kind of management on WAN would be a good fallback just in case IPSec doesn’t come up - but you still run the risk of the upgrade just not working. Bricked device? Config doesn’t convert? Who knows what may happen. Remote upgrades are usually bad ideas if there’s no chance of at least remote hands (are there staff at the site who could plug in a laptop on some kind of 4G or similar so you can remote in to have a look in case of issues?).
I would personally fall in the group of “if it works, let it be”: organise a nice fresh replacement that’s fully updated and configured as a drop-in replacement.
That would indeed be the ideal way of doing it.
Especially when seeing that HUGE list of changes only for IPSEC, chances are quite high (close to certain) that the upgrade will not go smoothly.
@kintho, you should also check the possibility of updating FortiOS to a suitable version. There have been just as many fixes, additions, and changes to IPSec as there have been in ROS over the same period. Any issues you run into with ROS could just as easily be caused by FortiOS.
To minimize compatibility issues, I recommend starting with a lab setup using the exact versions of RouterOS and FortiOS you plan to run in production. These days, it’s super easy to spin up a test environment with Mikrotik CHR and FortiGate-VM on your own PC using Hyper-V or whatever virtual machine platform you like best. When you’re done testing, just transfer the settings to the production test unit.
Setting up an OOB management VPN, like WireGuard, SSTP, or L2TP, is probably a wise idea. You might also use a separate LTE or 5G unit connected to the replacement device if it’s located far away and there’s no one tech-savvy on site, just in case you end up shooting yourself in the foot.
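Pulling together the advice given in this thread (input filters on the WAN link rather than the service ACL, Winbox not exposed on the public IP, and an SSTP fallback so the box stays reachable if IPsec does not come up after the upgrade), here is an added RouterOS 6.x configuration sketch; it is not from the thread, from MikroTik, or from the poster’s device. The WAN interface name ether1-wan, the LAN range 192.168.88.0/24, the 10.99.0.0/24 management pool, the certificate name sstp-cert and the admin address 203.0.113.10 are assumptions.

```routeros
# --- Weak approach named in the thread: only the service ACL ----------------
# Winbox still listens on the WAN address for the whole internet; the ACL is
# checked only after the service accepts the connection. Shown for contrast;
# it is overwritten further down. (203.0.113.10 is a constructed admin address.)
/ip service set winbox address=203.0.113.10/32

# --- Stronger approach: input filters on the WAN link -----------------------
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop
# IKE, NAT-T and ESP for the site-to-site tunnel to the FortiGate in office A
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input in-interface=ether1-wan protocol=ipsec-esp action=accept comment="ESP"
# Packets that arrived decrypted through the IPsec tunnel (the ipsec-policy
# matcher exists since 6.30, see the changelog above), so office A can manage the box
add chain=input ipsec-policy=in,ipsec action=accept comment="management via IPsec tunnel"
# Fallback management VPN on TCP/443 so the box stays reachable if IPsec does not come up
add chain=input in-interface=ether1-wan protocol=tcp dst-port=443 action=accept comment="SSTP fallback"
# LAN and the SSTP tunnel interface are "not WAN": management is allowed from there
add chain=input in-interface=!ether1-wan action=accept comment="LAN and VPN interfaces"
add chain=input action=drop comment="everything else from the WAN, Winbox included"

# --- SSTP fallback server (sstp-cert is assumed to exist under /certificate) --
/ip pool add name=mgmt-pool ranges=10.99.0.10-10.99.0.20
/ppp profile add name=mgmt-profile local-address=10.99.0.1 remote-address=mgmt-pool use-encryption=required
/ppp secret add name=mgmt-user password=CHANGE-ME service=sstp profile=mgmt-profile
/interface sstp-server server set enabled=yes port=443 certificate=sstp-cert authentication=mschap2 default-profile=mgmt-profile

# --- Still restrict the services themselves to LAN and the fallback pool ------
/ip service set winbox address=192.168.88.0/24,10.99.0.0/24
/ip service set ssh address=192.168.88.0/24,10.99.0.0/24
/ip service disable telnet
/ip service disable ftp
/ip service disable www
```

Apply the SSTP and filter rules before the upgrade, test the fallback login from outside, and only then reboot into the new version.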