 
surajs
just joined
Topic Author
Posts: 4
Joined: Tue Dec 22, 2020 9:53 am

Regarding Aggressive mode ipsec not working for peer (0.0.0.0/0) on ros above 6.43.13

Tue Dec 22, 2020 11:54 am

Hi everyone. If anyone has come across the issue described below, I will need your guidance. Thank you in advance.

I am facing an issue with IPsec in aggressive mode on RouterOS versions above 6.43.13, hence I was not using any newer version of RouterOS. But I have recently purchased some new hardware, RB1100ahx4, which comes with factory default version 6.45.4, and I can't downgrade it.

I have tested both the latest stable (6.47.8) and long-term (6.46.8) versions, but IPsec is not getting established.

Network scenario -
IPsec server - RB1100ahx4 router with Internet leased line, static IP
IPsec client - OpenWrt router with 4G SIM, dynamic IP
I have this setup running on more than 3 RB1100ahx4 units, which have above 1000 IPsec clients, and it works properly up to ROS 6.43.13.

On RouterOS version 6.43.13 and below -
Aggressive mode IPsec is successfully established between the OpenWrt router with 4G SIM (dynamic public IP) and the RB1100ahx4 (static public IP).
My router RB1100ahx4 is behind NAT (firewall), hence I am using my-id type address, and it's working properly without issue.


On RouterOS versions above 6.43.13 -

1. Aggressive IPsec works only if the peer IP is fixed and the passive option is unchecked.
2. Aggressive IPsec doesn't work if the peer IP is 0.0.0.0/0. Also, we can't uncheck the passive mode; it gets checked automatically. Peer IP 0.0.0.0/0 works for version 6.43.13 and below.
I have also tested the my-id type settings auto and address for the peer IP, as suggested by support, but it did not work.


A support ticket is already open [SUP-34332], but I am not getting any proper resolution yet.

Attachments -
1. ipsec_config_aggr_mikrotik6.43.13.txt
2. ipsec_config_aggr_mikrotik6.47.8.txt
3. ipsec_config_aggr_openwrt.txt
4. mikrotik6.47.8_ipsec_aggr_peer_ip_fixed_successfull.rsc
5. mikrotik6.47.8_ipsec_aggr_peer_ip_0.0.0.0_failed.rsc
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Regarding Aggressive mode ipsec not working for peer (0.0.0.0/0) on ros above 6.43.13

Wed Dec 23, 2020 9:54 am

If you enable "ipsec" debug logging in both Mikrotik and OpenWRT, what does the log say?
 
surajs
just joined
Topic Author
Posts: 4
Joined: Tue Dec 22, 2020 9:53 am

Re: Regarding Aggressive mode ipsec not working for peer (0.0.0.0/0) on ros above 6.43.13  [SOLVED]

Thu Apr 29, 2021 9:41 am

Thank you for the support.

I have tested this in RouterOS 6.47.7 and 6.48.2. It's working now.

Now I am able to configure aggressive mode IPsec where one end has a dynamic IP address.

For the global IP on the WAN interface - IPsec is connecting with my old configuration untouched.

For the NATed IP on the WAN interface - I have configured right ID in phase 1 of the OpenWrt router and it's working fine.
