IKEv2 with mode-config address on wrong interface

eworm · Mon Jan 22, 2018 4:24 pm

Hello everybody,

I have a number of Mikrotik devices connected via IPSEC/IKEv2. This works just fine in general, but looks like I have a wired issue with NAT. First devices behind NAT connects without any issues. If I connect a second device behind the same NAT the connection is established, but mode-config address is assigned to a wrong (random?) interface:

[admin@milkrotik] > / ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.1.1.1/24        10.1.1.0        br-intern
 1   192.168.1.1/24     192.168.1.0     br-guest
 2 D 10.1.2.18/24       10.1.2.0        en
 3 D 172.31.255.250/24  172.31.255.0    wl-intern
[admin@mikrotik] > / ip route print where dst-address=0.0.0.0/0 dynamic
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.1.2.1                  1

As you can see the default gateway is available via interface "en". The mode-config address (172.31.255.250/24) is assigned to "wl-intern" (which does not have any other addresses but is bridged to "br-intern"), though. Anything I can do to fix this? Or can anybody confirm this is an issue in RouterOS?

emils · Tue Jan 23, 2018 10:18 am

Please send supout.rif file to support@mikrotik.com and I will look into it.

eworm · Tue Jan 23, 2018 1:59 pm

Please send supout.rif file to support@mikrotik.com and I will look into it.

I opened Ticket#2018012322003459.

eworm · Fri Feb 16, 2018 11:48 pm

Fixed in 6.42rc28 with

*) ipsec - properly detect interface for "mode-config" client IP address assignment;

Thanks a lot, Mikrotik!

UpRunTech · Fri Feb 21, 2020 3:05 am

I am testing some roadwarrior setups with mode-config sending an IP for the remote end to use. At the remote end though the IP address is then assigned to a 'random' interface without rhyme or reason. How can I tell IPSEC to take the assigned address and bind it to whatever interface I need it to go to?

For example, in testing this I manually assigned 192.168.99.2 to a GRE interface and when I joined the VPN IPSEC decided to dynamically bind 192.168.99.2 (sent by the remote mode-config) to VLAN200 (one of my other interfaces). So the address list has 192.168.99.2 on GRE *and* VLAN200. This seems broken!? Using Long Term 6.45.8.

eworm · Fri Feb 21, 2020 10:07 am

You have the same address inside and outside the GRE tunnel?
Looks like your havoc originates there.

Anyway, this issue is resolved, please one a new topic with details on your topic.

UpRunTech · Fri Feb 21, 2020 12:11 pm

You have the same address inside and outside the GRE tunnel?
Looks like your havoc originates there.

Anyway, this issue is resolved, please one a new topic with details on your topic.

Well 2 problems, but getting back to the interface issue, seeing as you can assign which interface gets the address, how does the router make a good choice? Today it decided one of my VLAN interfaces would do.

IKEv2 with mode-config address on wrong interface [SOLVED]

IKEv2 with mode-config address on wrong interface

Re: IKEv2 with mode-config address on wrong interface

Re: IKEv2 with mode-config address on wrong interface

Re: IKEv2 with mode-config address on wrong interface [SOLVED]

Re: IKEv2 with mode-config address on wrong interface

Re: IKEv2 with mode-config address on wrong interface

Re: IKEv2 with mode-config address on wrong interface

Who is online