RouterOS <- IPIP Tunnel -> Cisco IOS

lz1dsb · Thu Feb 22, 2018 12:31 am

I have been struggling for the past couple of days with a reletively simple setup. It didn't work, so I have decided to emulate it in GNS3. Sure enough I've got the same result like in the real network. So here's the situation
1. A Cisco router behind a NAT device
2. A Mikrotik router (emulated with CHR image version 6.39.2) which has a public IP configured directly on it's WAN interface
3. Both routers are configured with an IPIP tunnel between them. Topology attached
4. NAT is not an issue as I could see the IPsec signalling packets back and forth. I could also see not only udp port 500 but also udp port 4500 being opened on the NAT router - which means the NAT-T mechanism works. Which is also evident in the logs (attached).
5. So far what I could see is that initial Phase1 succeeds.
6. But when it comes to negotiate Phase 2 the signalling brakes. On the Mikroting oruter I could see in the debugs:
22:04:12 ipsec policy not found
22:04:12 ipsec failed to get proposal for responder.
22:04:12 ipsec,error 213.149.143.84 failed to pre-process ph2 packet.

From "debug crypto isakmp" on the Cisco Router:
*Feb 21 22:14:22.833: ISAKMP: (1070):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1

(the clocks of the routers are off course not synchronized as this is a test setup in a virtual GNS3 topology)

The question is... why this happens. I do believe I have matching IPsec configs:
1. Mikrotik router:

/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-256-cbc,aes-128-cbc name=dup-001-router-1
/ip ipsec peer
add address=213.149.143.84/32 comment=dup-001-router-1 enc-algorithm=aes-256 hash-algorithm=md5 secret=<PSK>
/ip ipsec policy
add comment=dup-001-router-1 dst-address=213.149.143.84/32 proposal=dup-001-router-1 protocol=ipsec-esp src-address=77.70.67.28/32

2. Cisco IOS router:

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <PSK> address 77.70.67.28
crypto isakmp profile grg13vpn-boyan
   keyring default
   match identity address 77.70.67.28 255.255.255.255
crypto ipsec transform-set ipip-boyan esp-aes esp-md5-hmac
 mode transport
crypto ipsec profile ipip-boyan-profile
 set transform-set ipip-boyan
 set isakmp-profile grg13vpn-boyan

Any ideas?

lz1dsb · Mon Feb 26, 2018 11:24 pm

So after changing both sides to tunnel mode, I've found the following into the RouterOS debug:

20:01:20 ipsec,debug proposal #1: 1 transform
20:01:20 ipsec,debug got the local address from ID payload 77.70.67.28[0] prefixlen=32 ul_proto=4
20:01:20 ipsec,debug got the peer address from ID payload 192.168.0.101[0] prefixlen=32 ul_proto=4
20:01:20 ipsec,debug updating policy address because of NAT in transport mode
20:01:20 ipsec,debug new peer address 213.149.143.84[0]
20:01:20 ipsec searching for policy
20:01:20 ipsec policy not found
20:01:20 ipsec failed to get proposal for responder.
20:01:20 ipsec,error 213.149.143.84 failed to pre-process ph2 packet.

Interestingly enough, I have an IPsec policy for 213.149.143.84

[admin@boyan] > ip ipsec export
# feb/26/2018 21:20:12 by RouterOS 6.39.2
# software id =
#
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=dup-001-router-1
/ip ipsec peer
add address=213.149.143.84/32 comment=dup-001-router-1 enc-algorithm=3des hash-algorithm=md5 secret=\
    B0yanE1n4X1aB
/ip ipsec policy
add comment=dup-001-router-1 dst-address=213.149.143.84/32 proposal=dup-001-router-1 protocol=ipsec-esp \

[admin@boyan] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1     ;;; dup-001-router-1
       src-address=77.70.67.28/32 src-port=any dst-address=213.149.143.84/32 dst-port=any
       protocol=ipsec-esp action=encrypt level=require ipsec-protocols=esp tunnel=no
       proposal=dup-001-router-1 priority=0 ph2-count=0

I wonder why after Phase1 suceeds, encryption and hashing algorighms are negotiated, the policy fails because it does not find the ip address when it's there? What am I missing?

lz1dsb · Fri Mar 02, 2018 5:02 pm

I tried to change the policy on the RouterOS like this:
/ip ipsec policy
add comment=dup-001-router-1 dst-address=192.168.0.0/24 proposal=dup-001-router-1 protocol=ipsec-esp sa-dst-address=213.149.143.84 sa-src-address=77.70.67.28 src-address=77.70.67.28/32 tunnel=yes

but still int he ipsec debugs in RouterOS I see:

14:58:31 ipsec,debug got the local address from ID payload 77.70.67.28[0] prefixlen=32 ul_proto=4
14:58:31 ipsec,debug got the peer address from ID payload 192.168.0.104[0] prefixlen=32 ul_proto=4
14:58:31 ipsec searching for policy
14:58:31 ipsec policy not found
14:58:31 ipsec failed to get proposal for responder.

My understanding is that when I use tunnel mode I need to specify the private subnet behind the NAT. And that's what I do, 192.168.0.0/24 is the subnet behind the remote NAT and it's the network the Cisco IOS router initiates the IPsec from.
The RouterOS has the public IP address directly configured on it's interface so that's why I have it also specified as a src-address.
I'm still clueless what exactly I'm missing...

pe1chl · Fri Mar 02, 2018 6:16 pm

This is always extremely tricky to get right... I hope to check again later this weekend, on first sight I see no errors.

pe1chl · Fri Mar 02, 2018 7:59 pm

I checked in my older attempts to make GRE/IPsec work over NAT, and I see that I never got IPsec transport over NAT to work.
I'm not even sure it is possible.
As a workaround I used GRE over IPsec tunnel, and it worked. But you tried that already.
It is correct that you need to specify the local address for the tunnel endpoints, that is the address behind the NAT.

I see this error in your MikroTik config:
/ip ipsec policy
protocol=ipsec-esp
This should be protocol=4, the protocol you want to transport (IPIP)

lz1dsb · Tue Mar 06, 2018 9:16 am

I checked in my older attempts to make GRE/IPsec work over NAT, and I see that I never got IPsec transport over NAT to work.
I'm not even sure it is possible.
As a workaround I used GRE over IPsec tunnel, and it worked. But you tried that already.
It is correct that you need to specify the local address for the tunnel endpoints, that is the address behind the NAT.

I see this error in your MikroTik config:
/ip ipsec policy
protocol=ipsec-esp
This should be protocol=4, the protocol you want to transport (IPIP)

Thank you for your comment pe1chl.
Indeed you're right. I'll check it in the GNS3 topology I'm experimenting with. But I wonder, I might have to tunde my Cisco IOS configs a little bit as well...
I'll post my results once I test it.

Regards,
Boyan

tippenring · Tue Mar 06, 2018 6:54 pm

No protocol chosen means that the responder rejected all offered IPSec proposals.

You have PFS configured on the Cisco (group 2), but I don't see it on the MT. Try adding

pfs-group=modp1024

to the dup-001-router-1 policy.

tippenring · Tue Mar 06, 2018 6:56 pm

No protocol chosen means that the responder rejected all offered IPSec proposals.

You have PFS configured on the Cisco (group 2), but I don't see it on the MT. Try adding
Code: Select all
pfs-group=modp1024
to the dup-001-router-1 policy.

Correction. Not PFS. It's the phase 1 DH group that mismatches I believe.

RouterOS <- IPIP Tunnel -> Cisco IOS

RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Re: RouterOS <- IPIP Tunnel -> Cisco IOS

Who is online