n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 2:41 pm

Hi there,
I am trying to establish a site-to-site tunnel with a MikroTik CCR1009 as the central unit and a component from another reseller as the decentralized unit.
If I configure phase1 to sha1, everything works fine! But if I change the settings to sha256 for phase1, I get the following output in the MikroTik log:

No suitable proposal found.
10.20.13.xxx failed to get vaild proposal
....

Any ideas what's wrong here? If I use sha1 in phase1, I can use sha256 in phase2 and that works, but not in phase1.
Thanks!
Kind regards
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 2:46 pm

You need to set sha256 for phase1 on both ends, not just on CCR.
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 2:57 pm

Yes,
that's what I have done, but it is still not working.
I am currently trying it again, but it won't work. If I change the settings for phase1 on both devices to sha1/aes128/dh1024, everything works great, and then I can use sha256/aes256/dh4096 for phase2.

But phase1 does not work.
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 3:03 pm

Enable ipsec debug logs; there you should be able to see what exactly the remote peer is expecting.
Also, which RouterOS version are you running?
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 3:25 pm

Hi,
I am currently running 6.43rc4 on the CCR.
Instead, I tried it with another vendor's router as the decentralized device, and the same thing happens. So there must be something wrong with my CCR.

I added a screenshot from the ipsec logs.
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 3:29 pm

If you are using winbox, then there is a bug in the RC version that does not set phase1 correctly. Use the terminal to change the settings.
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 3:44 pm

Thanks for your really, really quick help!
That fixed my issue. Any idea how I can fix that to continue working with winbox?

Thanks!
Kind regards
 
mrz
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 3:46 pm

That requires a software fix, which we intend to fix in future versions.
You can downgrade to 6.42 current if you intend to use winbox.
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec PH-1 did not working with sha256

Mon Jul 23, 2018 4:05 pm

That's a great idea. Security vulnerabilities are also fixed in the stable branch, right?
Could I simply downgrade the same way as I upgrade?

Thanks
