
 
mikruser
Member
Topic Author
Posts: 373
Joined: Wed Jan 16, 2013 6:28 pm

6.38/6.39 kill ipsec

Wed Jan 11, 2017 12:47 pm

Hello,

After upgrading to 6.38, the IPsec tunnel doesn't work.

I downgraded to 6.37.3 and the tunnel works again.
Last edited by mikruser on Fri Apr 28, 2017 10:35 pm, edited 1 time in total.
do not ask me why it is necessary.
 
uldis
MikroTik Support
Posts: 3424
Joined: Mon May 31, 2004 2:55 pm

Re: 6.38 kill ipsec

Wed Jan 11, 2017 12:49 pm

Please make a support output file and send it to support@mikrotik.com so we can see your configuration and reproduce this problem.
 
futsker
just joined
Posts: 10
Joined: Tue Jan 17, 2017 1:41 pm

Re: 6.38 kill ipsec

Tue Jan 17, 2017 1:56 pm

The same actual problem. IPsec tunnels stop working after upgrading to 6.38, 6.38.1, 6.39.x.
Downgrading to 6.37.3 restores the IPsec tunnels.

Any solutions?
 
mrz
MikroTik Support
Posts: 5893
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: 6.38 kill ipsec

Tue Jan 17, 2017 4:11 pm

Contact support with attached supout file. It is almost impossible to guess what ipsec config you have and what might not work.
 
mikruser
Member
Topic Author
Posts: 373
Joined: Wed Jan 16, 2013 6:28 pm

Re: 6.38 kill ipsec

Tue Jan 17, 2017 4:28 pm

> It is almost impossible to guess what ipsec config you have and what might not work.
I have a config that has worked for many years on any version before 6.38.
It is incredible that MikroTik releases such a bugged version.
This is absolutely unacceptable for enterprise.
do not ask me why it is necessary.
 
futsker
just joined
Posts: 10
Joined: Tue Jan 17, 2017 1:41 pm

Re: 6.38 kill ipsec

Tue Jan 17, 2017 5:01 pm

Can't make supout.rif.
When progress reaches 15%, the router reboots. No files are created in the filesystem.

os version: 6.37.4
hw version: RouterBOARD 3011UiAS, firmware ipq8060, 3.35
 
acruhl
Member
Posts: 359
Joined: Fri Jul 03, 2015 7:22 pm

Re: 6.38 kill ipsec

Sat Jan 21, 2017 3:43 pm

I'm also having this problem.

Interestingly, ipsec for IPv6 between the same 2 routers works fine.

I sent a supout.rif file to MikroTik support. Hopefully they can fix it quickly since it was working fine before.
Stuff.
 
flexo
just joined
Posts: 1
Joined: Fri Jan 27, 2017 4:23 pm
Location: Germany

Re: 6.38 kill ipsec

Fri Jan 27, 2017 4:44 pm

I have the same problem after upgrading from 6.38 to 6.38.1.
The tunnel works for a few hours.
/system resource print shows 100% CPU usage after 4 hours
/ip ipsec peers print: no output
/ip ipsec installed-sa print: no output
After a router reboot it works again.
 
mikruser
Member
Topic Author
Posts: 373
Joined: Wed Jan 16, 2013 6:28 pm

Re: 6.38 kill ipsec

Fri Apr 28, 2017 10:34 pm

6.39 also has this issue and kills IPsec.

Why do MikroTik developers release bugged versions?????
do not ask me why it is necessary.
 
junior013
just joined
Posts: 3
Joined: Thu Jun 08, 2017 10:42 am

Re: 6.38/6.39 kill ipsec

Sat Sep 02, 2017 12:59 pm

I don't remember when it started, but with version 6.40.3 I still have this problem. Load randomly rises over 80-90% (on a 16-core CCR, where normal load is 2-3%) and communication over IPsec tunnels stops. All other functions, like routing between local Ethernet ports, work well; IPsec connections seem established, but there is no communication over them.
After reboot it works, sometimes for a day, sometimes for a month.
 
Illuru
just joined
Posts: 2
Joined: Fri Nov 02, 2018 2:30 pm

Re: 6.38/6.39 kill ipsec

Thu Nov 22, 2018 2:10 pm

Hello,
I have the same issue. Two devices, both 6.43.4. HEX S and RB3011.
# nov/22/2018 13:04:06 by RouterOS 6.43.4
# software id = 52XB-TREB
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxxxxxx
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp4096,modp2048 enc-algorithm=\
aes-256,aes-192,aes-128 hash-algorithm=sha256 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=MyProposal \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.5.101-192.168.5.254
add name=static_pool ranges=192.168.5.1-192.168.5.100
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=12.34.56.122/30 interface=sw1-e1-WAN network=12.34.56.120
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward connection-state=established,related
add action=accept chain=input in-interface=bridge1
add action=accept chain=input comment=ipsec-ike-natt dst-port=4500 protocol=\
udp
add action=accept chain=forward comment=\
"Test: Regel zum Surfen, Hausnetz, tcp" in-interface=bridge1 protocol=tcp \
src-address=192.168.5.0/24
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=forward comment=vpn01 dst-address=192.168.5.0/24 \
in-interface=sw1-e1-WAN ipsec-policy=in,ipsec src-address=192.168.2.0/24
add action=accept chain=forward comment="Regel zum Surfen, vpn!" \
in-interface=bridge1 protocol=tcp src-address=192.168.89.0/24
add action=accept chain=forward comment=ipsec-ike-natt dst-port=4500 \
in-interface=sw1-e1-WAN protocol=udp
add action=accept chain=forward comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment=test connection-state="" protocol=\
ipsec-esp
add action=accept chain=forward comment=test connection-state="" protocol=\
ipsec-esp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=53 in-interface=bridge1 protocol=tcp
add action=accept chain=forward comment="Portforwarding pptp!" dst-port=1723 \
protocol=tcp
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=forward dst-address=192.168.5.111
add action=accept chain=input dst-address=192.168.5.111
add action=drop chain=forward comment="Regel zum Surfen"
add action=drop chain=input log=yes log-prefix="Drop Input"
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes \
ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes \
ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=192.168.2.0/24 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
src-address=192.168.2.0/24
add action=accept chain=srcnat disabled=yes dst-address-list=192.168.2.0/24 \
out-interface=sw1-e1-WAN src-address-list=192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=sw1-e1-WAN
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.5.0/24 \
src-address=192.168.2.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.5.0/24 src-address=\
192.168.2.0/24
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
192.168.5.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec peer
add address=65.43.21.132/32 comment=vpn01 exchange-mode=ike2 secret=\
"geheim"
/ip ipsec policy
set 0 disabled=yes
add comment=vpn01 dst-address=192.168.2.0/24 proposal=MyProposal \
sa-dst-address=65.43.21.132 sa-src-address=12.34.56.122 src-address=\
192.168.5.0/24 tunnel=yes
/ip route
add distance=1 gateway=12.34.56.121
add comment=vpn01 distance=1 dst-address=192.168.2.0/24 gateway=bridge1
add comment=vpn01 distance=1 dst-address=192.168.5.0/24 gateway=bridge1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.5.0/24,192.168.89.0/24
set ssh address=192.168.5.0/24,192.168.2.0/24
set api disabled=yes
set winbox address=192.168.5.0/24,192.168.2.0/24
set api-ssl disabled=yes
Something is wrong.
Thanks in advance
