malas
just joined
Topic Author
Posts: 5
Joined: Tue Feb 16, 2021 7:54 am

EOIP over IPSEC tunnel connection is unstable

Wed Feb 17, 2021 3:40 am

Hi, everyone.

I'm trying to set up a site-to-site VPN with an EOIP over IPSEC tunnel between a CCR2004 and a CCR1009.

Just after rebooting both CCR devices, the EOIP over IPSEC tunnel connection works fine.
But after enabling and disabling the EOIP interface a few times, the tunnel doesn't work anymore.
It reports "<ip> parsing packet failed, possible cause: wrong password" and
"phase1 negotiation failed due to time up <ip> blahblah".
When I remove the ipsec-secret attribute on the EOIP interface, it works very well.
The GRE over IPSEC tunnel has the same problem.

It seems that the ipsec negotiation is unstable.

I'm asking for help.
[admin@site2] > /interface eoip print
Flags: X - disabled, R - running 
 0  R ;;; EOIP Tunnel Interface between HO and BO
      name="eoip-tunnel1-to-site1" mtu=auto actual-mtu=1458 l2mtu=65535 
      mac-address=<mac> arp=enabled arp-timeout=auto 
      loop-protect=default loop-protect-status=off 
      loop-protect-send-interval=5s loop-protect-disable-time=5m 
      local-address=<site2 static public ip> remote-address=<site1 static public ip> tunnel-id=100 
      keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no 
      ipsec-secret="<secret pwd>" allow-fast-path=no

[admin@site2] > /ip ipsec proposal print  
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m 
      pfs-group=modp1024 

[admin@site2] > /ip ipsec profile print 
Flags: * - default 
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128 
     dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey 
     nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5 

[admin@site1] > /interface eoip print
Flags: X - disabled, R - running 
 0    ;;; EOIP Tunnel Interface between HO and BO
      name="eoip-tunnel1-to-site2" mtu=auto actual-mtu=1458 l2mtu=65535 
      mac-address=<mac> arp=enabled arp-timeout=auto 
      loop-protect=default loop-protect-status=off 
      loop-protect-send-interval=5s loop-protect-disable-time=5m 
      local-address=<site1 static public ip> remote-address=<site2 static public ip> tunnel-id=100 
      keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no 
      ipsec-secret="<secret pwd>" allow-fast-path=no

[admin@site1] > /ip ipsec proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m 
      pfs-group=modp1024

[admin@site1] > /ip ipsec profile print 
Flags: * - default 
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128 
     dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey 
     nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
 
malas
just joined
Topic Author
Posts: 5
Joined: Tue Feb 16, 2021 7:54 am

Re: EOIP over IPSEC tunnel connection is unstable

Thu Feb 18, 2021 10:46 am

This is site1's ipsec debug log.
17:39:55 ipsec,debug ===== received 76 bytes from <site2 ip addr>[500] to <site1 ipaddr>[500] 
17:39:55 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c 557b31d3 
17:39:55 ipsec,debug,packet ace10aa2 9023620d 46558029 c21b6bd5 b9e5c8a5 3d75da9b 3a9c08b1 cfbbaf8d 
17:39:55 ipsec,debug,packet d059824d 1007300a 7d03da8d 
17:39:55 ipsec,debug,packet encryption(aes) 
17:39:55 ipsec,debug,packet IV was saved for next processing: 
17:39:55 ipsec,debug,packet cfbbaf8d d059824d 1007300a 7d03da8d 
17:39:55 ipsec,debug,packet encryption(aes) 
17:39:55 ipsec,debug,packet with key: 
17:39:55 ipsec,debug,packet 89c10f71 81f06938 366bbba8 d47965e9 
17:39:55 ipsec,debug,packet decrypted payload by IV: 
17:39:55 ipsec,debug,packet 3a516d71 385d2046 8e78cf4e f31ef1df 
17:39:55 ipsec,debug,packet decrypted payload, but not trimed. 
17:39:55 ipsec,debug,packet c6809192 2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 
17:39:55 ipsec,debug,packet 0ab77184 5e0e73f4 3fc7a2ac deb45f09 
17:39:55 ipsec,debug,packet padding len=10 
17:39:55 ipsec,debug,packet skip to trim padding. 
17:39:55 ipsec,debug,packet decrypted. 
17:39:55 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c c6809192 
17:39:55 ipsec,debug,packet 2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 0ab77184 
17:39:55 ipsec,debug,packet 5e0e73f4 3fc7a2ac deb45f09 
17:39:55 ipsec,debug begin. 
17:39:55 ipsec,debug seen nptype=5(id) len=37266 
17:39:55 ipsec invalid length of payload 
17:39:55 ipsec,error <site1 ip addr>parsing packet failed, possible cause: wrong password 
17:40:05 ipsec,debug 236 bytes from <site2 ip addr>[500] to <site1 ip addr>[500] 
17:40:05 ipsec,debug 1 times of 236 bytes message will be sent to <site1 ip addr>[500] 
17:40:05 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 04100200 00000000 000000ec 0a000084 
17:40:05 ipsec,debug,packet fd56343f c7531f4b 5972c0c6 4ba28e41 3cf3f904 3e5e32f7 c13f363c f432651f 
17:40:05 ipsec,debug,packet 49b44295 94ae1ea2 f160a8ab f1a1baf4 720ec81a 96e62e9b a09bc529 cb410577 
17:40:05 ipsec,debug,packet f7d9ce4a a412f3a4 558650a0 07af7716 e2e913ba 7d2d3824 1d530ffa 050563e8 
17:40:05 ipsec,debug,packet fb5c1ab1 b9a2d62e 1df10416 16f053d2 cf1bfc2f 3db65f1a 30582c71 ac653ca0 
17:40:05 ipsec,debug,packet 1400001c 9a52dd1f 2f6f3c09 ae96d4ab 3d94d9c3 3928a29e 958120c2 14000018 
17:40:05 ipsec,debug,packet 3cbda84e 85de0a7d 97f3cba3 5a7bc09c 3ecaedb1 00000018 e99e5e5c e9bdba64 
17:40:05 ipsec,debug,packet 8ef45600 43c0f3ef 75caa07a 
17:40:05 ipsec resent phase1 packet <site1 ip addr>[500]<=><site2 ip addr>[500] 18fb156d760d9cf9:6abfae2889b48f9d 
17:40:05 ipsec,debug ===== received 76 bytes from <site2 ip addr>[500] to <site1 ip addr>[500] 
17:40:05 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c 557b31d3 
17:40:05 ipsec,debug,packet ace10aa2 9023620d 46558029 c21b6bd5 b9e5c8a5 3d75da9b 3a9c08b1 cfbbaf8d 
17:40:05 ipsec,debug,packet d059824d 1007300a 7d03da8d 
17:40:05 ipsec,debug,packet encryption(aes) 
17:40:05 ipsec,debug,packet IV was saved for next processing: 
17:40:05 ipsec,debug,packet cfbbaf8d d059824d 1007300a 7d03da8d 
17:40:05 ipsec,debug,packet encryption(aes) 
17:40:05 ipsec,debug,packet with key: 
17:40:05 ipsec,debug,packet 89c10f71 81f06938 366bbba8 d47965e9 
17:40:05 ipsec,debug,packet decrypted payload by IV: 
17:40:05 ipsec,debug,packet 3a516d71 385d2046 8e78cf4e f31ef1df 
17:40:05 ipsec,debug,packet decrypted payload, but not trimed. 
17:40:05 ipsec,debug,packet c6809192 2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 
17:40:05 ipsec,debug,packet 0ab77184 5e0e73f4 3fc7a2ac deb45f09 
17:40:05 ipsec,debug,packet padding len=10 
17:40:05 ipsec,debug,packet skip to trim padding. 
17:40:05 ipsec,debug,packet decrypted. 
17:40:05 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c c6809192 
17:40:05 ipsec,debug,packet 2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 0ab77184 
17:40:05 ipsec,debug,packet 5e0e73f4 3fc7a2ac deb45f09 
17:40:05 ipsec,debug begin. 
17:40:05 ipsec,debug seen nptype=5(id) len=37266 
17:40:05 ipsec invalid length of payload 
17:40:05 ipsec,error <site2 ip addr> parsing packet failed, possible cause: wrong password 
17:40:05 ipsec,debug ===== received 76 bytes from <site2 ip addr>[500] to <site1 ip addr>[500] 
17:40:05 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c 557b31d3 
17:40:05 ipsec,debug,packet ace10aa2 9023620d 46558029 c21b6bd5 b9e5c8a5 3d75da9b 3a9c08b1 cfbbaf8d 
17:40:05 ipsec,debug,packet d059824d 1007300a 7d03da8d 
17:40:05 ipsec,debug,packet encryption(aes) 
17:40:05 ipsec,debug,packet IV was saved for next processing: 
17:40:05 ipsec,debug,packet cfbbaf8d d059824d 1007300a 7d03da8d 
17:40:05 ipsec,debug,packet encryption(aes) 
17:40:05 ipsec,debug,packet with key: 
17:40:05 ipsec,debug,packet 89c10f71 81f06938 366bbba8 d47965e9 
17:40:05 ipsec,debug,packet decrypted payload by IV: 
17:40:05 ipsec,debug,packet 3a516d71 385d2046 8e78cf4e f31ef1df 
17:40:05 ipsec,debug,packet decrypted payload, but not trimed. 
17:40:05 ipsec,debug,packet c6809192 2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 
17:40:05 ipsec,debug,packet 0ab77184 5e0e73f4 3fc7a2ac deb45f09 
17:40:05 ipsec,debug,packet padding len=10 
17:40:05 ipsec,debug,packet skip to trim padding. 
17:40:05 ipsec,debug,packet decrypted. 
17:40:05 ipsec,debug,packet 18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c c6809192 
17:40:05 ipsec,debug,packet 2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 0ab77184 
17:40:05 ipsec,debug,packet 5e0e73f4 3fc7a2ac deb45f09 
17:40:05 ipsec,debug begin. 
17:40:05 ipsec,debug seen nptype=5(id) len=37266 
17:40:05 ipsec invalid length of payload 
17:40:05 ipsec,error <site2 ip addr> parsing packet failed, possible cause: wrong password 
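The log above shows what the router actually checks before it prints "possible cause: wrong password": the 28-byte ISAKMP header is cleartext and parses cleanly (next payload 5 = ID, exchange type 2 = main mode, encryption flag set, length 0x4c = 76 bytes), but the first four bytes after decryption, c6 80 91 92, decode as a generic payload header with a non-zero RESERVED byte and a payload length of 0x9192 = 37266, which is exactly the "seen nptype=5(id) len=37266 / invalid length of payload" pair in the log. The example below is an added diagnostic parser, not code from the post or from RouterOS; it walks the IKEv1 payload chain over the "decrypted." dump copied from the log (the hex string and the well-formed reference message are constructed here, and the payload-name table is a subset of the ISAKMP payload types) so you can see why a decrypt with the wrong pre-shared key produces this particular error rather than a clean authentication failure.

```python
import struct

# ISAKMP header (RFC 2408): iSPI, rSPI, next payload, version, exchange type,
# flags, message ID, total length. Generic payload header: next, reserved, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
GENERIC_HDR = struct.Struct("!BBH")
FLAG_ENCRYPTION = 0x01

# Subset of ISAKMP next-payload type numbers, enough for phase 1 traffic.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH",
                 10: "NONCE", 11: "N", 13: "VID", 20: "NAT-D"}

# Constructed input: the "decrypted." hex dump from the site1 log above (17:39:55).
LOG_DECRYPTED_HEX = (
    "18fb156d 760d9cf9 6abfae28 89b48f9d 05100201 00000000 0000004c c6809192 "
    "2aa3fa16 46908c8c 015629b3 0b75a1c8 6dab5c84 729a76a7 e25d643a 0ab77184 "
    "5e0e73f4 3fc7a2ac deb45f09"
)


def hexdump_to_bytes(dump):
    """Turn the space-separated 32-bit words of a RouterOS packet dump into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def parse_header(data):
    """Decode the cleartext ISAKMP header; it is never encrypted, so it always parses."""
    ispi, rspi, np, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data, 0)
    return {"ispi": ispi.hex(), "rspi": rspi.hex(), "next_payload": np,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": xchg,
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "message_id": msgid, "length": length}


def check_payload_chain(data):
    """Walk the payload chain as an IKE daemon must before trusting any of it.
    Returns (ok, findings). With the wrong SKEYID (PSK mismatch) the first
    payload header after decryption is random bytes, so the length check fails."""
    findings = []
    hdr = parse_header(data)
    if hdr["length"] != len(data):
        findings.append(f"header length {hdr['length']} != datagram length {len(data)}")
    np, offset = hdr["next_payload"], ISAKMP_HDR.size
    while np != 0:
        if offset + GENERIC_HDR.size > len(data):
            findings.append(f"payload {np} at offset {offset}: truncated generic header")
            break
        nxt, reserved, plen = GENERIC_HDR.unpack_from(data, offset)
        name = PAYLOAD_NAMES.get(np, str(np))
        if reserved != 0:
            findings.append(f"payload {name}: RESERVED byte is 0x{reserved:02x}, must be 0")
        if plen < GENERIC_HDR.size or offset + plen > len(data):
            findings.append(f"payload {name}: length {plen} exceeds remaining "
                            f"{len(data) - offset} bytes")
            break
        offset += plen
        np = nxt
    return (not findings), findings


def diagnose(data):
    """One-line verdict in the spirit of the router's own error message."""
    ok, findings = check_payload_chain(data)
    if ok:
        return "payload chain is well-formed"
    cause = ("garbage after decryption, wrong pre-shared key on one side is the usual cause"
             if parse_header(data)["encrypted"] else "malformed cleartext message")
    return cause + ": " + "; ".join(findings)


def build_wellformed_id_message():
    """Constructed reference: same SPIs, one correct ID payload (ID_IPV4_ADDR, UDP/500)."""
    id_payload = GENERIC_HDR.pack(0, 0, 12) + struct.pack("!BBH4s", 1, 17, 500,
                                                          bytes([192, 0, 2, 1]))
    hdr = ISAKMP_HDR.pack(bytes.fromhex("18fb156d760d9cf9"), bytes.fromhex("6abfae2889b48f9d"),
                          5, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(id_payload))
    return hdr + id_payload


if __name__ == "__main__":
    pkt = hexdump_to_bytes(LOG_DECRYPTED_HEX)
    print(parse_header(pkt))
    print(diagnose(pkt))
    print(diagnose(build_wellformed_id_message()))
```

The takeaway for troubleshooting is that the header fields (SPIs, message ID, exchange type) all look sane in this log, so the peers agree on the SA and on phase 1 up to message 4; only the contents of the encrypted message 5/6 are unreadable. In IKEv1 main mode those messages are keyed from SKEYID, which is derived from the pre-shared key, so a secret mismatch is indistinguishable at this point from any other reason the two sides ended up with different keying state.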
 
erkexzcx
Member Candidate
Posts: 264
Joined: Mon Oct 07, 2019 11:42 pm

Re: EOIP over IPSEC tunnel connection is unstable

Tue Feb 23, 2021 10:18 am

Did you check this? viewtopic.php?f=23&t=169538 I've got it working perfectly fine.
