
IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 2:41 pm
by n4p
Hi there,
I am trying to establish a site-to-site tunnel with a MikroTik CCR1009 as the central unit and a device from another vendor as the remote unit.
If I configure phase 1 to sha1, everything works fine! But if I change the phase 1 settings to sha256, I get the following output in the MikroTik log:

No suitable proposal found.
10.20.13.xxx failed to get vaild proposal
....

Any ideas what's wrong here? If I use sha1 in phase 1 I can use sha256 in phase 2 and that works, but not in phase 1.
Thanks!
Kind regards

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 2:46 pm
by mrz
You need to set sha256 for phase 1 on both ends, not just on the CCR.

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 2:57 pm
by n4p
Yes,
that's what I have done, but it still isn't working.
I am currently trying it again, but it won't work. If I change the phase 1 settings on both devices to sha1/aes128/dh1024, everything works great, and then I can use sha256/aes256/dh4096 for phase 2.

But phase 1 does not work.

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 3:03 pm
by mrz
Enable IPsec debug logs; there you should be able to see what exactly the remote peer is expecting.
Also, which RouterOS version are you running?

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 3:25 pm
by n4p
Hi,
I am currently running 6.43rc4 on the CCR.
I also tried it with another vendor's router as the remote device, and the same thing happens, so there must be something wrong with my CCR.

I added a screenshot from the IPsec logs.

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 3:29 pm
by mrz
If you are using WinBox, then there is a bug in the RC version that does not set phase 1 correctly. Use the terminal to change the settings.
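The terminal-side workaround mrz describes, together with the IPsec logging he suggested earlier, as an added example that is not from the thread. It assumes RouterOS 6.43, where phase 1 parameters live under /ip ipsec profile (on 6.42 and earlier the same hash-algorithm, enc-algorithm and dh-group keys are set directly on /ip ipsec peer); "site-b" is a placeholder name.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.43 (phase 1 settings
# in /ip ipsec profile); on 6.42 and earlier set the same keys on /ip ipsec peer.

# Log IKE negotiation only (not every packet) so a proposal mismatch is readable
/system logging add topics=ipsec,!packet action=memory

# Phase 1: the working sha1/aes128/dh1024 set from the thread, with the hash
# raised to sha256. Both ends must carry exactly this combination.
/ip ipsec profile add name=site-b hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=modp1024
# ...then reference it with profile=site-b on the matching /ip ipsec peer entry.

# Phase 2 proposal as used in the thread (sha256/aes256/dh4096)
/ip ipsec proposal add name=site-b auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp4096

# Verify what the router actually stored before blaming the remote end;
# this is the check that exposes a GUI that silently kept the old phase 1 values
/ip ipsec profile print detail where name=site-b
/ip ipsec proposal print detail where name=site-b

# After the next rekey, a remaining mismatch appears as the "proposal" lines
# quoted in the first post
/log print where message~"proposal"
```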

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 3:44 pm
by n4p
Thanks for your really, really quick help!
That fixed my issue. Any idea how I can fix that to continue working with WinBox?

Thanks!
Kind regards

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 3:46 pm
by mrz
That requires a software fix, which we intend to include in future versions.
You can downgrade to 6.42 current if you intend to use WinBox.

Re: IPSec PH-1 does not work with sha256

Posted: Mon Jul 23, 2018 4:05 pm
by n4p
That's a great idea. Are security vulnerabilities also fixed in the stable branch?
Could I simply downgrade the same way as upgrading?

Thanks