mweidner
Joined: Mon Oct 15, 2018 3:10 pm

Problem with IPsec, IKEv1, dynamic addresses

Mon Mar 23, 2020 9:06 pm

Hi all,

maybe I'm missing only one little thing, but I can't get this VPN up and running.

At the peer there is a really old VPN device that supports only a small subset of IPsec.
Additionally, it's behind a NAT device with dynamic addresses.

So I've set up a test environment to try it out.
Unfortunately I wasn't able to get it up and running.

The config on the MikroTik looks like this:
# mar/23/2020 19:01:02 by RouterOS 6.46.4
# software id =
#
#
#
/ip ipsec policy group
add name=dynamic-group
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 name=bossV7 proposal-check=exact
/ip ipsec peer
add comment=172.16.166.96/27 exchange-mode=aggressive local-address=212.99.205.48 name=dynamic passive=yes profile=bossV7 send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=dynamic-proposal pfs-group=modp1536
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:i.dont.know peer=dynamic policy-template-group=dynamic-group remote-id=fqdn:you.dont.know secret=testtesttest
/ip ipsec policy
add dst-address=172.16.166.96/27 group=dynamic-group proposal=dynamic-proposal src-address=10.150.0.0/16 template=yes
When I try to contact the MikroTik, I see that the device at the peer uses the correct settings.
But the MikroTik doesn't answer.

Instead I get this in the logs:
18:42:34 ipsec,info respond new phase 1 (Aggressive): 212.99.205.48[500]<=>109.40.240.78[18738]
18:42:34 ipsec,debug begin.
18:42:34 ipsec,debug seen nptype=1(sa) len=60
18:42:34 ipsec,debug seen nptype=4(ke) len=196
18:42:34 ipsec,debug seen nptype=10(nonce) len=20
18:42:34 ipsec,debug seen nptype=5(id) len=21
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug seen nptype=13(vid) len=12
18:42:34 ipsec,debug seen nptype=13(vid) len=20
18:42:34 ipsec,debug succeed.
18:42:34 ipsec,debug received payload of type ke
18:42:34 ipsec,debug received payload of type nonce
18:42:34 ipsec,debug received payload of type id
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received unknown Vendor ID
18:42:34 ipsec,debug 0048e227 0bea8395 ed778d34 3cc2a076
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received unknown Vendor ID
18:42:34 ipsec,debug 810fa565 f8ab1436 9105d706 fbd57279
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug received payload of type vid
18:42:34 ipsec,debug remote supports DPD
18:42:34 ipsec,debug total SA len=56
18:42:34 ipsec,debug 00000001 00000001 00000030 00010001 00000028 00010000 80010007 800e0100
18:42:34 ipsec,debug 80020002 80030001 80040005 800b0001 000c0004 00015180
18:42:34 ipsec,debug begin.
18:42:34 ipsec,debug seen nptype=2(prop) len=48
18:42:34 ipsec,debug succeed.
18:42:34 ipsec,debug proposal #0 len=48
18:42:34 ipsec,debug begin.
18:42:34 ipsec,debug seen nptype=3(trns) len=40
18:42:34 ipsec,debug succeed.
18:42:34 ipsec,debug transform #0 len=40
18:42:34 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
18:42:34 ipsec,debug,packet encryption(aes)
18:42:34 ipsec,debug type=Key Length, flag=0x8000, lorv=256
18:42:34 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
18:42:34 ipsec,debug hash(sha1)
18:42:34 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
18:42:34 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
18:42:34 ipsec,debug dh(modp1536)
18:42:34 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
18:42:34 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
18:42:34 ipsec,debug pair 0:
18:42:34 ipsec,debug  0x80c9970: next=(nil) tnext=(nil)
18:42:34 ipsec,debug proposal #0: 1 transform
18:42:34 ipsec,debug -checking with pre-shared key auth-
18:42:34 ipsec,debug prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1
18:42:34 ipsec,debug trns#=0, trns-id=IKE
18:42:34 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
18:42:34 ipsec,debug type=Key Length, flag=0x8000, lorv=256
18:42:34 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
18:42:34 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key
18:42:34 ipsec,debug type=Group Description, flag=0x8000, lorv=1536-bit MODP group
18:42:34 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
18:42:34 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
18:42:34 ipsec,debug -compare proposal #1: Local:Peer
18:42:34 ipsec,debug (lifetime = 86400:86400)
18:42:34 ipsec,debug (lifebyte = 0:0)
18:42:34 ipsec,debug enctype = AES-CBC:AES-CBC
18:42:34 ipsec,debug (encklen = 256:256)
18:42:34 ipsec,debug hashtype = SHA:SHA
18:42:34 ipsec,debug authmethod = pre-shared key:pre-shared key
18:42:34 ipsec,debug dh_group = 1536-bit MODP group:1536-bit MODP group
18:42:34 ipsec,error no identity suits proposal
18:42:34 ipsec,error 109.40.240.78 failed to get valid proposal.
18:42:34 ipsec,error 109.40.240.78 failed to pre-process ph1 packet (side: 1, status 1).
18:42:34 ipsec,error 109.40.240.78 phase1 negotiation failed.
Is there anybody out there who can help me?

Thanks,
Mathias
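The SA payload hex in the debug log above can be decoded by hand to confirm exactly what the peer proposed. The following Python is an added example, not part of the original post: it parses that dump (ISAKMP SA header, proposal header, transform header, then RFC 2408 data attributes) and checks the result against the profile from the config. Attribute and value names follow the IKEv1 IANA registry; sha1 and the 86400 s lifetime are assumed to be the RouterOS profile defaults, which the log's compare lines confirm.

```python
import struct

# Constructed input: the ISAKMP SA payload hex copied from the ipsec,debug lines in the post.
SA_HEX = (
    "00000001 00000001 00000030 00010001 00000028 00010000 80010007 800e0100 "
    "80020002 80030001 80040005 800b0001 000c0004 00015180"
)

# Attribute type and value numbers per the IKEv1 (RFC 2409) IANA registry.
ATTR_TYPES = {1: "enc", 2: "hash", 3: "auth", 4: "dh_group",
              11: "life_type", 12: "life_duration", 14: "key_length"}
VALUE_NAMES = {
    "enc": {5: "3des", 7: "aes-cbc"},
    "hash": {1: "md5", 2: "sha1", 4: "sha256"},
    "auth": {1: "pre-shared-key", 3: "rsa-signature"},
    "dh_group": {2: "modp1024", 5: "modp1536", 14: "modp2048"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}

def parse_attributes(data):
    """Decode ISAKMP data attributes: basic (bit 15 set, value inline) or TLV (length + value)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:
            value = val_or_len                      # basic attribute: 16-bit value
        else:
            value = int.from_bytes(data[off:off + val_or_len], "big")  # TLV attribute
            off += val_or_len
        name = ATTR_TYPES.get(af_type & 0x7FFF, f"attr{af_type & 0x7FFF}")
        attrs[name] = VALUE_NAMES.get(name, {}).get(value, value)
    return attrs

def parse_sa_payload(hexdump):
    """Walk SA -> proposal -> transform(s) and return the decoded transform attributes."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    doi, situation = struct.unpack_from("!II", data, 0)
    # Proposal header: next, reserved, length, proposal#, protocol-id, spi-size, #transforms
    _, _, _plen, _pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, 8)
    off, transforms = 16 + spi_size, []
    for _ in range(ntrans):
        # Transform header: next, reserved, length, transform#, transform-id, reserved
        _, _, tlen, _tnum, _tid, _ = struct.unpack_from("!BBHBBH", data, off)
        transforms.append(parse_attributes(data[off + 8:off + tlen]))
        off += tlen
    return {"doi": doi, "situation": situation, "protocol": proto, "transforms": transforms}

def mismatches(attrs, profile):
    """Return the profile keys the peer's transform does not satisfy (empty list = match)."""
    return [k for k, v in profile.items() if attrs.get(k) != v]

# Profile from the post's config (aes-256, modp1536); sha1 and 86400 s assumed as RouterOS defaults.
MIKROTIK_PROFILE = {"enc": "aes-cbc", "key_length": 256, "hash": "sha1", "dh_group": "modp1536",
                    "auth": "pre-shared-key", "life_duration": 86400}
```

An empty mismatch list agrees with the log: the proposal compare succeeds line by line, and the failure is raised afterwards by identity selection ("no identity suits proposal"), not by the cipher suite.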