datajerk
newbie
Topic Author
Posts: 36
Joined: Sun Aug 28, 2016 1:02 am

killing ikev2 with 2 ipsec/ikev2 peers

Sat Oct 19, 2019 8:38 pm

Hi,

I have the following config (Based on https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS) that works great:

/ip ipsec mode-config add connection-mark=nordvpnch name=nordvpnch responder=no
/ip ipsec policy group add name=nordvpnch
/ip ipsec profile add name=nordvpnch
/ip ipsec peer add address=ch78.nordvpn.com exchange-mode=ike2 name=nordvpnch profile=nordvpnch send-initial-contact=no
/ip ipsec proposal add enc-algorithms=aes-256-cbc name=nordvpnch pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=nordvpnch peer=nordvpnch policy-template-group=nordvpnch 
/ip ipsec policy add dst-address=0.0.0.0/0 group=nordvpnch proposal=nordvpnch src-address=0.0.0.0/0 template=yes

When I add a second connection to a different server, both connections work, and work as expected (traceroute, perf, etc...), however within minutes I get:

ipsec,info killing ike2 SA, from both (but not at the same time, they alternate about every 2 minutes).

I set the peer send-initial-contact=no, however there is no difference in behavior.

CCR1009/6.45.6

What did I miss? Thanks.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: killing ikev2 with 2 ipsec/ikev2 peers

Sat Oct 19, 2019 10:13 pm

You need a separate peer, mode-config and identity for every connection.
 
datajerk
newbie
Topic Author
Posts: 36
Joined: Sun Aug 28, 2016 1:02 am

Re: killing ikev2 with 2 ipsec/ikev2 peers

Sat Oct 19, 2019 10:28 pm

Hi, thanks for the quick reply.

You need a separate peer, mode-config and identity for every connection.

I believe I've done that. I should have provided both entries in the original post.

/ip ipsec mode-config add connection-mark=nordvpnus name=nordvpnus responder=no
/ip ipsec mode-config add connection-mark=nordvpnch name=nordvpnch responder=no
/ip ipsec policy group add name=nordvpnus
/ip ipsec policy group add name=nordvpnch
/ip ipsec profile add name=nordvpnus
/ip ipsec profile add name=nordvpnch
/ip ipsec peer add address=ch78.nordvpn.com exchange-mode=ike2 name=nordvpnch profile=nordvpnch send-initial-contact=no
/ip ipsec peer add address=us3685.nordvpn.com exchange-mode=ike2 name=nordvpnus profile=nordvpnus send-initial-contact=no
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=nordvpnus pfs-group=none
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=nordvpnch pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=nordvpnus peer=nordvpnus policy-template-group=nordvpnus
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=nordvpnch peer=nordvpnch policy-template-group=nordvpnch
/ip ipsec policy add dst-address=0.0.0.0/0 group=nordvpnus proposal=nordvpnus src-address=0.0.0.0/0 template=yes
/ip ipsec policy add dst-address=0.0.0.0/0 group=nordvpnch proposal=nordvpnch src-address=0.0.0.0/0 template=yes

Anything else I missed? Thanks.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: killing ikev2 with 2 ipsec/ikev2 peers

Sat Oct 19, 2019 11:47 pm

Use one profile, proposal, policy, policy group and profile for 1 up to 6 connections with NordVPN.

The only difference I see is that I state SHA1 in the proposal:
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=NordVPN pfs-group=none
And in profile:
add dh-group=modp3072,modp2048,modp1024 dpd-maximum-failures=2 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 lifetime=1d5m name=NordVPN
 
datajerk
newbie
Topic Author
Posts: 36
Joined: Sun Aug 28, 2016 1:02 am

Re: killing ikev2 with 2 ipsec/ikev2 peers

Tue Oct 22, 2019 2:47 am

Thank you, this is helpful.

I cleaned up and started over following your advice and did some monitoring and observing. I still have the same problem, and it is consistent.

I started with one peer/mode-config/identity and continued to add new peers/mode-configs/identities (p/m/i) up to 5. Any time I add a new p/m/i, communication appears to be stable, but then eventually intermittently fails, and the ike2 killing spree starts.

If I disable all identities and re-enable them at 10 second intervals, then all connections are stable. For 24 hours. I suspect this is related to the profile lifetime.

At any time if a connection needs to restart (profile lifetime, or a change to a config, etc...), the remaining connections fail to pass traffic, the last-seen gets up to 2 min, then another ike2 killing spree. This does not resolve itself. One restarting from the kill causes the other connections to no longer communicate, then they restart after 2 min (dpd-interval perhaps?), creating a never ending cascading failure.

Race condition somewhere?

To correct I have to disable all connections, then start up one at a time. Stable again. All connections work. Last-seen is always 30s or less when working.

Logs:

Only once:

Oct 21 12:04:00 router1.local ipsec,error got fatal error: INVALID_SYNTAX

These repeat until I end the madness:

Oct 21 12:04:00 router1.local ipsec,info killing ike2

150 (5x30) messages in 90 min (each connection cycles ~ every 3 min).

My hack right now is to monitor last-seen and if any connection >45s, then kill all the connections, and bring up 1 by 1.

Thanks again.
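The workaround described in the post above (watch last-seen, tear every connection down when one goes stale, then bring the identities back one at a time) can be scripted on the router itself. The following RouterOS script is an added example and is not the poster's own script. It assumes the identity and peer names used in this thread (nordvpnch, nordvpnus), that the `last-seen` value shown in the thread is readable per entry from `/ip ipsec active-peers` (an assumption about the property name), and that the script is installed as `ipsec-watchdog` and run from the scheduler every minute.

```routeros
# Added example, not from the original thread: IKEv2 watchdog that implements
# "if any connection last-seen > 45s, kill all, then bring up 1 by 1".
# Install with:
#   /system script add name=ipsec-watchdog source=<this script>
#   /system scheduler add name=ipsec-watchdog interval=1m on-event=ipsec-watchdog
:local threshold 45s
:local stale false

# 1. Scan active peers; "last-seen" is assumed to be a readable property here
:foreach p in=[/ip ipsec active-peers find] do={
    :local seen [/ip ipsec active-peers get $p last-seen]
    :if ($seen > $threshold) do={
        :log warning ("ipsec watchdog: peer " . [/ip ipsec active-peers get $p remote-address] . " last-seen " . $seen)
        :set stale true
    }
}

# 2. A peer that has disappeared entirely also counts as stale: compare the
#    number of active peers against the number of enabled identities
:local wanted [:len [/ip ipsec identity find disabled=no]]
:local active [:len [/ip ipsec active-peers find]]
:if ($active < $wanted) do={
    :log warning ("ipsec watchdog: only " . $active . " of " . $wanted . " peers active")
    :set stale true
}

# 3. Tear everything down and rebuild sequentially, 10 s apart, which is the
#    interval the thread reports as stable. Disabling identities drops the SAs
#    without touching the peer/policy objects.
:if ($stale) do={
    :log info "ipsec watchdog: restarting all IKEv2 connections one by one"
    /ip ipsec identity disable [find]
    :delay 5s
    :foreach id in=[/ip ipsec identity find] do={
        /ip ipsec identity enable $id
        :delay 10s
    }
}
```

With five identities a full restart takes about a minute, so keep the scheduler interval at or above that to avoid a second run starting while the first is still re-enabling identities.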
 
davis65536
just joined
Posts: 5
Joined: Mon Apr 01, 2019 8:02 pm

Re: killing ikev2 with 2 ipsec/ikev2 peers

Mon Sep 21, 2020 8:01 pm

Hi

I found your post because I was looking for an answer to the same problem. I eventually solved it by using one IP from a DNS lookup of the peer's hostname. I believe this is because RouterOS is looking up the DNS host name every time, and not looking it up once when creating the SA. I believe if you specify a single IP (and therefore host) you'll be able to maintain the SA.
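Pinning the peer to a single resolved address, as suggested above, can be done from a RouterOS script instead of by hand. This is an added example, not davis65536's configuration; it reuses the peer name `nordvpnch` and hostname `ch78.nordvpn.com` from this thread, and assumes that a peer address set to a single IP is displayed with a `/32` suffix (an assumption about RouterOS's string form of the value).

```routeros
# Added example, not from the original thread: resolve the VPN hostname once
# and pin the IKEv2 peer to that address so the SA is not re-keyed against a
# different server when the DNS answer rotates.
:local host "ch78.nordvpn.com"
:local peerName "nordvpnch"

# :resolve raises an error when DNS is unavailable; the on-error branch keeps
# the existing peer address rather than leaving the peer unset.
:do {
    :local addr [:resolve $host]
    :local current [:tostr [/ip ipsec peer get [find name=$peerName] address]]
    # Assumption: a pinned single-host address reads back as "a.b.c.d/32"
    :if ($current != ($addr . "/32")) do={
        /ip ipsec peer set [find name=$peerName] address=$addr
        :log info ("pinned peer " . $peerName . " to " . $addr . " (resolved from " . $host . ")")
    } else={
        :log debug ("peer " . $peerName . " already pinned to " . $addr)
    }
} on-error={
    :log warning ("could not resolve " . $host . "; keeping current address for " . $peerName)
}
```

Run it once by hand (or from a scheduler on boot) so the peer keeps the fixed address across reboots; unlike the original hostname configuration, the pinned address will not follow the provider's DNS if that server is retired, so the log line is worth watching.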
 
mercomputo
just joined
Posts: 1
Joined: Wed Sep 15, 2021 10:53 pm

Re: killing ikev2 with 2 ipsec/ikev2 peers

Fri Sep 17, 2021 10:58 pm

It seems that enabling support for MODP2048 can solve the issue:
"
AES-256-CBC and MODP2048
By default, the Windows Agile VPN Client only offers AES-128-CBC, AES-192-CBC, AES-256-CBC, 3DES, SHA-1,SHA-256, SHA-384 and MODP-1024.
By creating and setting the following registry key as a DWORD key, support for MODP2048 can be enabled, disabled or enforced.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
The values that can be used are 0, 1 or 2. The table tells you what the values mean.

value   meaning
0       (default) disable AES-256-CBC and MODP-2048
1       Enable AES-256-CBC and MODP-2048
2       Enforce the usage of AES-256-CBC and MODP-2048

By using the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet it is possible to use even more algorithms like AES-GCM and ECP DH groups (at least on Windows 10). The VPN connection may be added in the GUI or via "Add-VpnConnection" cmdlet.
"

https://wiki.strongswan.org/projects/st ... owsClients
