Community discussions

 
ilja
newbie
Topic Author
Posts: 49
Joined: Thu Feb 22, 2018 1:15 pm

IPSec Strongswan configuration fails

Thu Mar 15, 2018 8:56 am

Hey all.

I am trying to connect RouterOS to a VPN server, but it keeps giving me the error 'failed to get proposal for policy'.
I have a VPN server vpn.opt.example.co.rw which is set up and working. I have a bunch of Raspberry Pis which are connected to that VPN server and work totally fine.

I know and can see all the working configurations between the VPN server (running on a Linux machine) and any of the connected Raspberry Pis (Linux machines), which are:
VPN server (running strongSwan U5.4.0/K3.16.0-4-amd64):
cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
 charondebug="ike 1, knl 1, cfg 1"

conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev2
 authby=secret
 dpdaction=clear
 dpddelay=10

conn mp_iap
 left=%defaultroute
 right=%any
 leftsubnet=10.0.0.0/8,172.30.0.0/16
 rightsourceip=10.10.0.0/16
 leftfirewall=yes
 auto=add
 dpdaction=clear
 dpddelay=20s
 forceencaps=yes
 compress=yes

conn iap-4-001
 rightsourceip=10.10.4.1
 rightid=iap-4-001@example.co.rw
 also=mp_iap

conn iap-4-107
 rightsourceip=10.10.4.107
 rightid=iap-4-107@example.co.rw
 also=mp_iap

cat ipsec.secrets
 iap-4-001@example.co.rw : PSK WOOdexample
 iap-4-107@example.co.rw : PSK WOOdexample
From Raspberry Pi iap-4-001 (running strongSwan U5.3.3/K4.9.35-v7+):
cat ipsec.conf
 # ipsec.conf - strongSwan IPsec configuration file

# basic configuration files
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        authby=secret
        dpdaction=restart
        dpddelay=10

conn office
        left=%defaultroute
        leftid=iap-4-001@example.co.rw
        leftfirewall=yes
        leftsourceip=%config
        right=vpn.ops.example.co.rw
        rightsubnet=10.0.0.0/8
        auto=add

cat ipsec.secrets
 : PSK WOOdexample

These two machines' connection works perfectly. But when I try to configure RouterOS like:
[admin@MikroTik-gitaraga-router] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1 T   group=M src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=MeshPower VPN 
       template=yes 

 2  XI  src-address=0.0.0.0/0 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all 
       action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 
       sa-dst-address=46.101.50.333 proposal=MeshPower VPN ph2-count=0 
[admin@MikroTik-gitaraga-router] > /ip ipsec policy group print
Flags: * - default 
 #   NAME                                                                                              
 0 * default                                                                                           
 1   M                                                                                                 
[admin@MikroTik-gitaraga-router] > /ip ipsec peer print         
Flags: X - disabled, D - dynamic, R - responder 
 0     address=vpn.ops.example.co.rw auth-method=pre-shared-key secret="WOOdexample" 
       generate-policy=no policy-template-group=M exchange-mode=ike2 send-initial-contact=yes 
       my-id=key-id:iap-4-107@example.co.rw hash-algorithm=sha1 enc-algorithm=3des 
       dh-group=modp1536 lifetime=1d dpd-interval=2m 
[admin@MikroTik-gitaraga-router] > /ip ipsec proposal print
Flags: X - disabled, * - default 
 0 X* name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc 
      lifetime=1m pfs-group=none 

 1    name="MeshPower VPN" auth-algorithms=sha1 enc-algorithms=3des lifetime=1m pfs-group=modp1536
Checking the RouterOS log file, it shows me the error:
"failed to get proposal for policy"
Please see the full log as a picture here: https://ibb.co/fu1E4c

I was very hesitant about which encryption algorithms to choose when configuring RouterOS, but I found some default values in the strongSwan docs: https://wiki.strongswan.org/projects/st ... onnSection

Can anyone please help me set up strongSwan on RouterOS?
 
ilja
newbie
Topic Author
Posts: 49
Joined: Thu Feb 22, 2018 1:15 pm

Re: IPSec Strongswan configuration fails

Thu Mar 15, 2018 2:55 pm

Any experts in IPSec?
 
ilja
newbie
Topic Author
Posts: 49
Joined: Thu Feb 22, 2018 1:15 pm

Re: IPSec Strongswan configuration fails

Fri Mar 16, 2018 8:07 am

Anyone please? :?
 
ilja
newbie
Topic Author
Posts: 49
Joined: Thu Feb 22, 2018 1:15 pm

Re: IPSec Strongswan configuration fails

Mon Mar 19, 2018 3:18 pm

Please?
 
ilja
newbie
Topic Author
Posts: 49
Joined: Thu Feb 22, 2018 1:15 pm

Re: IPSec Strongswan configuration fails

Sat Mar 24, 2018 10:17 am

---abandoned due to inactivity---
 
emikrotik
Frequent Visitor
Posts: 71
Joined: Fri Jun 19, 2015 9:30 am

Re: IPSec Strongswan configuration fails

Tue Mar 27, 2018 7:26 am

Hi,

I had the same issue; I believe phase 2 doesn't rekey the SPI. I was not able to come up with a solution.
 
vilpalu
just joined
Posts: 13
Joined: Mon Feb 12, 2018 1:04 pm

Re: IPSec Strongswan configuration fails

Tue Mar 27, 2018 10:18 am

I think you forgot to choose the encryption methods in ipsec.conf:
ike=3des-sha1-modp1536!
esp=aes256-sha1

Also change the auth mode if you want to use PSK:
rightauth=psk
leftauth=psk

In the MikroTik config I think you must specify the source addresses rather than 0.0.0.0/0, because the router may tunnel the tunnel's own traffic.
 
dasiu
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: IPSec Strongswan configuration fails

Tue Mar 27, 2018 2:09 pm

ilja,

1. On the policy list you can have actual "policies" and just "templates", which are not working policies, just "bases" for dynamically creating policies that match the other end's policies.
2. Your only "policy" (which is not a template) is disabled.
3. Your IPsec peer has "generate-policy" set to "no".

You should either set "generate policy" to yes (port-strict usually) or enable/create the policy that will match exactly the policy configured on Strongswan.
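The following is an added example written for this page (my code, not the thread's, MikroTik's or strongSwan's). It serves two passages: the original question of which transforms the RouterOS peer and proposal above can agree on with a strongSwan ike=/esp= line, and dasiu's three points about templates, the disabled policy and generate-policy=no. The sample data is transcribed from the /ip ipsec print output in the first post and from the ike=/esp= lines suggested in vilpalu's reply; the 600-second lifetime threshold and the my-id=user-fqdn: suggestion are my assumptions, and the IKEv2 matching rule is applied strictly (strongSwan ignores the DH transform type for the CHILD_SA created inside IKE_AUTH, but a later rekey does need the group).

```python
"""Added example (not from this thread, MikroTik or strongSwan): compare the IKE/ESP
transforms a RouterOS peer+proposal offers with a strongSwan ike=/esp= line, and lint
the RouterOS policy list for the template/disabled/generate-policy=no conditions."""
import re
from itertools import product

INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}

def norm_enc(name):
    """'aes-256-cbc' (RouterOS proposal), 'aes-256' (RouterOS peer) and 'aes256'
    (strongSwan) all map to 'aes256cbc'; CBC is the default mode on both sides."""
    n = re.sub(r"gcm\d*$", "gcm", name.lower().replace("-", ""))
    return n + "cbc" if re.fullmatch(r"(aes|camellia)\d+", n) else n

def parse_strongswan(spec):
    """ike=/esp= value ('3des-sha1-modp1536!', 'aes256-sha1,aes128-sha256-modp2048')
    -> list of proposals as enc/integ/dh sets. No dh token in esp= means no PFS.
    The trailing '!' (strict: refuse anything else) does not change the sets."""
    proposals = []
    for prop in spec.rstrip("!").lower().split(","):
        p = {"enc": set(), "integ": set(), "dh": set()}
        for tok in prop.split("-"):
            kind = ("dh" if re.match(r"modp|ecp|curve|x25519|x448", tok)
                    else "integ" if tok in INTEG else "enc")
            p[kind].add(norm_enc(tok) if kind == "enc" else tok)
        proposals.append(p)
    return proposals

def routeros_ike(peer):
    """Transforms a /ip ipsec peer entry offers for the IKE SA."""
    return {"enc": {norm_enc(x) for x in peer["enc-algorithm"].split(",")},
            "integ": set(peer["hash-algorithm"].split(",")),
            "dh": set(peer["dh-group"].split(","))}

def routeros_esp(proposal):
    """Transforms a /ip ipsec proposal entry offers for the CHILD SA;
    pfs-group=none means no DH transform is sent."""
    pfs = proposal["pfs-group"]
    return {"enc": {norm_enc(x) for x in proposal["enc-algorithms"].split(",")},
            "integ": set(proposal["auth-algorithms"].split(",")),
            "dh": set() if pfs == "none" else {pfs}}

def common_transforms(ros, sswan):
    """IKEv2 (RFC 7296, 3.3): the responder must pick one algorithm for every transform
    type in a proposal, so a mismatch in any single type gives NO_PROPOSAL_CHOSEN.
    Returns agreeable (enc, integ, dh) triples; dh is '-' when no side sends a group.
    Applied strictly here; strongSwan skips the DH type for the IKE_AUTH child SA."""
    agreed = set()
    for p in sswan:
        dh = ros["dh"] & p["dh"] if (ros["dh"] or p["dh"]) else {"-"}
        agreed |= set(product(sorted(ros["enc"] & p["enc"]),
                              sorted(ros["integ"] & p["integ"]), sorted(dh)))
    return agreed

def seconds(duration):
    """RouterOS duration ('1m', '1d', '1h30m') -> seconds."""
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return sum(int(n) * unit[u] for n, u in re.findall(r"(\d+)([smhd])", duration))

def lint(policies, peer, proposals):
    """dasiu's three points, plus the short SA lifetime and the ID-type mismatch
    visible in the print output. Flags: T template, X disabled, I invalid."""
    findings, usable = [], 0
    for pol in policies:
        if "T" in pol["flags"]:
            continue  # template: only a base for dynamically generated policies
        for flag, word in (("X", "disabled"), ("I", "marked invalid")):
            if flag in pol["flags"]:
                findings.append(f"policy {pol['id']} is {word}")
        usable += not any(f in pol["flags"] for f in "XI")
    if usable == 0 and peer["generate-policy"] == "no":
        findings.append("no enabled non-template policy and generate-policy=no: "
                        "nothing will ever request a CHILD_SA")
    for p in proposals:  # assumption: anything under 10 minutes is a misconfiguration
        if "X" not in p["flags"] and seconds(p["lifetime"]) < 600:
            findings.append(f"proposal {p['name']!r} rekeys every {seconds(p['lifetime'])}s")
    # strongSwan parses rightid=user@host as an RFC822/user-FQDN identity and compares
    # the ID type too; RouterOS key-id: sends ID_KEY_ID. Assumption: the RouterOS
    # build in use accepts my-id=user-fqdn:... as the matching type.
    if peer["my-id"].startswith("key-id:") and "@" in peer["my-id"]:
        findings.append("my-id sends ID_KEY_ID for an e-mail style identity; "
                        "use my-id=user-fqdn:... so the type matches rightid")
    return findings

# Transcribed from the /ip ipsec peer, proposal and policy print output in the thread.
PEER = {"generate-policy": "no", "hash-algorithm": "sha1", "enc-algorithm": "3des",
        "dh-group": "modp1536", "my-id": "key-id:iap-4-107@example.co.rw"}
PROPOSALS = [
    {"flags": "X*", "name": "default", "auth-algorithms": "sha1", "lifetime": "1m",
     "enc-algorithms": "aes-256-cbc,aes-192-cbc,aes-128-cbc", "pfs-group": "none"},
    {"flags": "", "name": "MeshPower VPN", "auth-algorithms": "sha1", "lifetime": "1m",
     "enc-algorithms": "3des", "pfs-group": "modp1536"}]
POLICIES = [{"id": 0, "flags": "TX*", "proposal": "default"},
            {"id": 1, "flags": "T", "proposal": "MeshPower VPN"},
            {"id": 2, "flags": "XI", "proposal": "MeshPower VPN"}]
# The ike=/esp= lines suggested in vilpalu's reply.
IKE_SUGGESTED, ESP_SUGGESTED = "3des-sha1-modp1536!", "aes256-sha1"

def report():
    """Agreed IKE and ESP transforms plus the policy findings for the thread's config."""
    return {"ike": common_transforms(routeros_ike(PEER), parse_strongswan(IKE_SUGGESTED)),
            "esp": common_transforms(routeros_esp(PROPOSALS[1]), parse_strongswan(ESP_SUGGESTED)),
            "findings": lint(POLICIES, PEER, PROPOSALS)}
```

Calling report() on the thread's values returns a single agreeable IKE triple (3des, sha1, modp1536), an empty ESP set because the RouterOS proposal only offers 3DES with PFS modp1536 while the suggested esp= line offers AES-256 without a group, and five findings: policy 2 disabled, policy 2 invalid, no usable policy with generate-policy=no, a 60-second rekey on the "MeshPower VPN" proposal, and the key-id/RFC822 identity type mismatch. Swapping either side so the transform sets overlap, enabling (or generating) a policy, and aligning the identity type are the three independent changes the checker is asking for.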
