Sitron
newbie
Topic Author
Posts: 37
Joined: Wed Jul 29, 2009 11:49 pm
Location: Arendal, Norway

IPv6 and IPSec: Established, but no traffic

Wed Jun 07, 2017 7:39 pm

I have two MikroTiks with IPv6 and IPv4. IPsec with IPv4 works great, but I cannot get IPv6 to work - that is, the IPsec is established, but when I try to send data from one end to the other, the traffic is dropped somewhere (but not at the firewall).

Site 1:
/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder 

 1     ;;; IPv6
       address=2001:4610:a:xxxx::2ca7/128 local-address=2001:466f:f000:39::xxxx:da88 auth-method=rsa-key key=GW remote-key=Knes generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

/ip ipsec policy print    
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=group1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 2  A  ;;; IPv6
       src-address=2001:4663:xxxx::/64 src-port=any dst-address=2001:464b:xxxx::/64 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2001:466f:f000:39::xxxx:da88 sa-dst-address=2001:4610:a:xxxx::2ca7 proposal=default priority=0 ph2-count=1 

/ip ipsec remote-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              REMOTE-ADDRESS                  REMOTE-DYNAMIC-ADDRESS          UPTIME              
 0 R                       established        2001:4610:a:xxxx::2ca7                                            14m13s

Site 2:
/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder 
 1     ;;; IPv6
       address=2001:466f:f000:39::xxxx:da88/128 local-address=2001:4610:a:xxxx::2ca7 auth-method=rsa-key key=Knes remote-key=GW generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

/ip ipsec policy print    
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=group1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

 2  A  ;;; IPv6
       src-address=2001:464b:xxxx::/64 src-port=any dst-address=2001:4663:xxxx::/64 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2001:4610:a:xxxx::2ca7 sa-dst-address=2001:466f:f000:39::xxxx:da88 proposal=default priority=0 ph2-count=1 

/ip ipsec remote-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              REMOTE-ADDRESS                   REMOTE-DYNAMIC-ADDRESS                   UPTIME              
 0                         established        2001:466f:f000:39::xxxx:da88                                                 19m39s

The IPsec is established, but when I try to connect/ping from 2001:4663:xxxx::/64 to 2001:464b:xxxx::/64 or vice versa, I see an ESP packet leave one router, but I do not see a reply. What is wrong?
 
operat0r
newbie
Posts: 32
Joined: Mon May 29, 2017 9:18 pm

Re: IPv6 and IPSec: Established, but no traffic

Thu Jun 08, 2017 2:39 pm

Are you able to ping IPv6 addresses at all? (ipv6.google.com)
Panagiotis Botos
Networking Engineer
 
Sitron
newbie
Topic Author
Posts: 37
Joined: Wed Jul 29, 2009 11:49 pm
Location: Arendal, Norway

Re: IPv6 and IPSec: Established, but no traffic

Mon Jun 12, 2017 8:02 am

> Are you able to ping ipv6 addresses at all ? (ipv6.google.com)

Yes, IPv6 works from both sites. My only issue is that the sites cannot communicate with each other via IPv6. If I remove the configuration for the IPsec tunnel, the sites can communicate over IPv6.
 
Sitron
newbie
Topic Author
Posts: 37
Joined: Wed Jul 29, 2009 11:49 pm
Location: Arendal, Norway

Re: IPv6 and IPSec: Established, but no traffic

Mon Jun 12, 2017 11:00 pm

I have run "Packet Sniffer" on both sides, streaming to a Linux box running trafr, and I discovered the following:
- All IPv6 packets from the MikroTik on Site 1 to the MikroTik on Site 2 are seen on both sides: isakmp, icmpv6, ssh and so on.
- All IPv6 ESP or IPv6 AH packets are sent from my MikroTik on Site 1, but are never seen on the MikroTik on Site 2. The same goes for those packets sent from Site 2: they are never seen on Site 1.
- I have tried disabling the firewall and making the firewall "accept all". It did not help.
- I do not have this problem over IPv4.

I really do not understand why this is happening. Could it be something with MTU? Could my ISP be blocking some IPsec traffic?
 
idlemind
Forum Guru
Posts: 1147
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPv6 and IPSec: Established, but no traffic

Fri Jun 16, 2017 5:30 am

> I have run "Packet Sniffer" on both sides, streaming to a Linux-box running trafr, and I discovered the following:
> - All IPv6 packets from Mikrotik on Site1 to Mikrotik on Site2 are seen on both sides. isakmp, icmpv6, ssh and so on.
> - All IPv6 ESP or IPv6 AH packets are sent from my Mikrotik on Site1, but never seen on the Mikrotik on Site2. The same is for those packets sent from Site2, they are never seen on Site1.
> - I have tried to disable the firewall, and made the firewall "accept all". Did not help.
> - I do not have this problem over IPv4.
>
> I really do not understand why this is happening? Could it be something with MTU? Could my ISP be blocking some IPSec traffic?

It could be MTU; as long as you're accepting ICMP and they are set up to send it out when the MTU is too large, you shouldn't have a problem though. It could be your firewall rules. It also could be the Interwebs between you and them, with someone blocking that traffic.

Just to be certain, you are going WAN IPv6 address to WAN IPv6 address, correct? If not, then you may need forward rules for UDP:500 and the protocol ESP. Technically I was able to get a VPN up with UDP:500 and session established and session related over IPv6, but that was just my experience. Do you have a config we can look at?
 
Sitron
newbie
Topic Author
Posts: 37
Joined: Wed Jul 29, 2009 11:49 pm
Location: Arendal, Norway

Re: IPv6 and IPSec: Established, but no traffic

Fri Jun 16, 2017 7:27 pm

> > I have run "Packet Sniffer" on both sides, streaming to a Linux-box running trafr, and I discovered the following:
> > - All IPv6 packets from Mikrotik on Site1 to Mikrotik on Site2 are seen on both sides. isakmp, icmpv6, ssh and so on.
> > - All IPv6 ESP or IPv6 AH packets are sent from my Mikrotik on Site1, but never seen on the Mikrotik on Site2. The same is for those packets sent from Site2, they are never seen on Site1.
> > - I have tried to disable the firewall, and made the firewall "accept all". Did not help.
> > - I do not have this problem over IPv4.
> >
> > I really do not understand why this is happening? Could it be something with MTU? Could my ISP be blocking some IPSec traffic?
>
> It could be MTU, as long as you're accepting ICMP and they are setup to send it out when MTU is too large you shouldn't have a problem though. It could be your firewall rules. It also could be the Interwebs between you and them with someone blocking that traffic.
>
> Just to be certain, you are going WAN IPv6 address to WAN IPv6 address correct? If not then you may need forward rules for UDP:500 and the protocol ESP. Technically I was able to get a VPN up with UDP:500 and session established and session related over IPv6 but that was just my experience. Do you have a config we can look at?

I did some more testing, by sending both AH and ESP packets (IPv6) from the routers to a third party. The packets from one of the sites (with ISP1) arrived correctly, but the packets from site 2 (with ISP2) did not arrive at all. Then I sent the same packets from the third party to my routers, and they arrived correctly at ISP1, but not at ISP2. So it seems like the one ISP is blocking IP protocols 50 and 51 over IPv6, but not IPv4 :-/
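The comparison Sitron did by hand in the two posts above (a Packet Sniffer capture on each router, then the same ESP/AH test against a third party) can be scripted once the captures are reduced to per-packet summaries. The following Python is an added example, not code from this thread or from MikroTik: the addresses use documentation prefixes and the packet lists are constructed sample data, and it assumes the sniffer output has already been turned into (src, dst, protocol, port) records. The key check is the one the thread relies on: IKE on UDP/500 arrives (so the SA gets established), while IP protocol 50 (ESP) and 51 (AH) leave one router and never reach the other, and only for one address family.

```python
"""Differential analysis of two captures: one taken on the sending router,
one on the receiving router. Reports flows that leave one end but never
arrive at the other, and flags the case where IKE (UDP/500) is delivered
but the IPsec payload protocols ESP (50) and AH (51) are not.
All addresses and packet lists here are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

ESP, AH, TCP, UDP, ICMPV6 = 50, 51, 6, 17, 58
IKE_PORT = 500
PROTO_NAMES = {ESP: "ESP", AH: "AH", TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6"}


@dataclass(frozen=True)
class Flow:
    """One direction of a flow as a sniffer summarises it.
    dport only applies to TCP/UDP; ESP, AH and ICMPv6 carry no port."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

    @property
    def family(self) -> int:
        return ip_address(self.src).version

    def label(self) -> str:
        name = PROTO_NAMES.get(self.proto, f"proto {self.proto}")
        port = f"/{self.dport}" if self.dport is not None else ""
        return f"IPv{self.family} {name}{port}"


def missing_at_receiver(sent: List[Flow], received: List[Flow]) -> Dict[Flow, int]:
    """Flows present in the sender-side capture but absent from the receiver-side
    capture, with the number of packets that went missing."""
    arrived = set(received)
    return {f: n for f, n in Counter(sent).items() if f not in arrived}


def ipsec_payload_filtered(sent: List[Flow], received: List[Flow]) -> Dict[int, List[str]]:
    """Per address family in which IKE was delivered: the IPsec payload protocols
    (ESP/AH) that were sent but never arrived. An empty list means that family is
    fine. Families where IKE itself never arrived are left out, because then the
    SA would not be established and a protocol 50/51 filter is not the explanation."""
    lost = missing_at_receiver(sent, received)
    arrived = set(received)
    result: Dict[int, List[str]] = {}
    for fam in sorted({f.family for f in sent}):
        ike_arrived = any(f.family == fam and f.proto == UDP and f.dport == IKE_PORT
                          for f in arrived)
        lost_payload = sorted({PROTO_NAMES[f.proto] for f in lost
                               if f.family == fam and f.proto in (ESP, AH)})
        if ike_arrived:
            result[fam] = lost_payload
    return result


def report(sent: List[Flow], received: List[Flow]) -> str:
    """Human-readable summary of the comparison."""
    lines = []
    for flow, n in sorted(missing_at_receiver(sent, received).items(),
                          key=lambda kv: kv[0].label()):
        lines.append(f"{flow.label()} {flow.src} -> {flow.dst}: {n} sent, none received")
    for fam, lost in ipsec_payload_filtered(sent, received).items():
        if lost:
            lines.append(f"IPv{fam}: IKE (UDP/500) passes but {', '.join(lost)} never arrive: "
                         "IPsec payload protocols are dropped in the path, not on this router")
        else:
            lines.append(f"IPv{fam}: IKE and ESP/AH both delivered")
    return "\n".join(lines)


# Constructed sample captures (documentation prefixes, not the thread's addresses).
S1_V6, S2_V6 = "2001:db8:1::1", "2001:db8:2::1"
S1_V4, S2_V4 = "192.0.2.1", "198.51.100.1"

SITE1_SENT = (
    [Flow(S1_V6, S2_V6, UDP, IKE_PORT)] * 4      # IKE over IPv6
    + [Flow(S1_V6, S2_V6, ESP)] * 12             # IPv6 ESP
    + [Flow(S1_V6, S2_V6, AH)] * 2               # IPv6 AH
    + [Flow(S1_V6, S2_V6, ICMPV6)] * 3           # ping6 between the routers
    + [Flow(S1_V6, S2_V6, TCP, 22)] * 6          # ssh between the routers
    + [Flow(S1_V4, S2_V4, UDP, IKE_PORT)] * 4    # IKE over IPv4
    + [Flow(S1_V4, S2_V4, ESP)] * 12             # IPv4 ESP
)
# What the sniffer on site 2 saw: everything except the IPv6 ESP and AH packets.
SITE2_RECEIVED = [p for p in SITE1_SENT if not (p.family == 6 and p.proto in (ESP, AH))]

if __name__ == "__main__":
    print(report(SITE1_SENT, SITE2_RECEIVED))
```

Run it against captures taken in both directions (site 1 to site 2 and site 2 to site 1) and against a third party, as Sitron did: a family that shows IKE delivered and ESP/AH missing in only one direction or only via one ISP narrows the filter down to that provider's path.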
 
idlemind
Forum Guru
Posts: 1147
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPv6 and IPSec: Established, but no traffic

Fri Jun 16, 2017 7:40 pm

Good times! It's important to remember that while a lot of people have turned up IPv6, in places it hasn't been tested very much. An example: I found a bug with RADIUS attributes for IPv6 addressing not being sent from some ASA code versions, well after Cisco thought they had it all sorted out. Someone else beat me to it, but the bug was only reported in 2017, several years after it was announced and supposed to be working.

TL;DR: IPv6 is awesome, it can be very very useful. Don't be afraid to talk to other networks and their engineers. It is totally possible you're the first person hitting a misconfiguration.

A work-around:

Run an SSTP tunnel between the two endpoints. I think at this point it is TCP only and wouldn't offer great performance, but you'd have an encrypted tunnel between the two devices. You could layer GRE under it if you need multicast (I don't think SSTP supports multicast; I could be wrong). That said, tunnel in a tunnel vs IPsec transport mode with GRE underneath sucks.

You could configure both with routing set up to prefer the IPsec transport mode with GRE the minute the ISP fixes their crap. You can verify with traceroute for the IPs assigned to the IPsec tunnel (GRE underneath). Unless you were planning to operate with IPsec only.
 
enzain
just joined
Posts: 22
Joined: Wed Jan 17, 2018 9:15 pm

Re: IPv6 and IPSec: Established, but no traffic

Fri Apr 05, 2019 10:16 pm

Hi all!

I have the same case.

I set up an IPsec tunnel over IPv6 addresses.

I see SAs, but the byte counters are 0.

In the policy I have required encryption for all protocols.

Maybe I am wrong in the protocol and need to set some other value, not 255?
