Farseer
just joined
Topic Author
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

IPSec VPN tunnels not working when upgraded to 6.45.1

Sat Jul 06, 2019 3:23 pm

Hi,

So I have 1 HO, and 2 branches and previously these devices were on 6.43.12 and connected from the individual branch to the HO via IPSec VPN. Had almost no issues for a long time but with occasional hiccups. Today I upgraded all the devices to 6.45.1.

Here is what I did and what happened :

1) Upgraded firmware from 6.43.12 to 6.45.1
2) Disabled the scheduler object that ran a script to resolve DDNS names and fill the resulting IP addresses into SA-SRC-ADDRESS and SA-DST-ADDRESS
3) Tunnels stayed open for a bit but then dropped.
4) All IPSec windows showed the peer column as "unknown" in all policies (HO and Branches). I went into each policy object and just applied to get it to update, and the unknown changed to the DDNS name of the relevant peer.
5) HO Router IPSec shows "no phase2" for both policies
6) Branch Routers IPSec shows either "no phase2" or "msg1 sent"
7) checking branch routers IPSec Policy Status tab shows SA Src. Address as 0.0.0.0. HO router shows the same in SA Src. Address 0.0.0.0.
8) Logs show "failed to pre-process ph2 packet" or "peer sent packet for dead phase2" on all routers.

I am sure there is no issue with the firmware, but I think with the way they changed the IPSec, something is misconfigured. Any idea what is missing?
 
Farseer
just joined
Topic Author
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Sat Jul 06, 2019 4:18 pm

Alright so I managed to get it to work. I was basically playing around with the settings and found that :

1) 0.0.0.0 on SA SRC address is not an issue, if phase2 connects the tunnel will work.
2) I went into IPSec > Peers and set Local Address first to the IP of the router on that end of the tunnel, and then secondly to the public IP of that branch/office. After that, kill all the connections in Active Peers and flush the SAs. Then go back and set Peers > Local Address to blank and disabled. Worked out for me.
 
ingdaka
Member
Posts: 336
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Sat Jul 06, 2019 9:07 pm

That is a security feature that was developed since 6.44! You need to set both Remote and Local Peer IP! Before there was just remote peer IP!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE | MTCWE | RIPE NCC Certified Professional
 
voljka
just joined
Posts: 17
Joined: Tue Oct 27, 2009 4:34 pm

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Thu Aug 08, 2019 12:33 pm

That is a security feature that was developed since 6.44! You need to set both Remote and Local Peer IP! Before there was just remote peer IP!
Thanks for this comment, it saved me. Can you point me to the exact release note where this feature was introduced? I'm unable to find it...
 
Krusty
Frequent Visitor
Posts: 72
Joined: Fri May 02, 2008 11:14 pm

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Tue Nov 12, 2019 9:30 am

I'd like to see the release note for this too. This was a hella long nightmare to search for!
 
sindy
Forum Guru
Posts: 5083
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Tue Nov 12, 2019 2:36 pm

That is a security feature that was developed since 6.44! You need to set both Remote and Local Peer IP! Before there was just remote peer IP!
I cannot confirm this to be the case in 6.45.7. Here, you can still have no local-address set on peer and it works anyway. Maybe it was an unintentional change somewhere between 6.43.whatever and 6.45.1?

Other than that, officially (i.e. according to the documentation), sa-src-address and sa-dst-address of the policy, which used to be configurable, became read-only properties, and once the peer property of the policy gets set, both the sa-xxx-address are really dynamically inherited from the peer's ones. But the configuration auto-conversion does not automatically do the reverse matching and assign peer value to policies based on sa-src-address and sa-dst-address.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
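An added example, not posted by anyone in this thread, of what the HO side of one branch tunnel looks like on RouterOS 6.45.x once the policy is bound to a peer (so the now read-only sa-src-address/sa-dst-address are inherited) and the peer carries a local-address, followed by the kill-connections / flush step described above. All addresses, the DDNS name and the secret are placeholders.

```routeros
# Added example (not from this thread): HO side of a single branch tunnel on
# RouterOS 6.45.x. 203.0.113.10, the 10.x LANs, branch1.example.ddns and the
# secret are placeholders, not values from the thread.
#
# Pre-6.44 style that no longer applies: sa-src-address / sa-dst-address are
# read-only on the policy, so a scheduler script writing resolved DDNS
# addresses into them has nothing left to set. Bind the policy to a peer
# instead and let the SA addresses be inherited from it.

/ip ipsec profile
add name=branch-profile hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=8h dpd-interval=30s dpd-maximum-failures=3

/ip ipsec proposal
add name=branch-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

# Peer: the remote side is referenced by its DDNS name; local-address pins
# the HO router's own public IP, which is the setting the thread found it
# needed after the upgrade instead of the 0.0.0.0 shown in the Status tab.
/ip ipsec peer
add name=branch1 address=branch1.example.ddns local-address=203.0.113.10 \
    exchange-mode=main profile=branch-profile

/ip ipsec identity
add peer=branch1 auth-method=pre-shared-key secret=PLACEHOLDER_PSK

# Policy: peer= replaces the old sa-src-address/sa-dst-address fields.
/ip ipsec policy
add peer=branch1 tunnel=yes src-address=10.0.0.0/24 dst-address=10.1.0.0/24 \
    proposal=branch-proposal action=encrypt level=require

# Reset stale phase 1/2 state after the change (the step the topic author
# performed from the Active Peers window and the SA list).
/ip ipsec active-peers kill-connections
/ip ipsec installed-sa flush

# Checks: phase 1 should be established, the policy's ph2-state should read
# "established", and the log should no longer show "failed to pre-process
# ph2 packet" or "peer sent packet for dead phase2".
/ip ipsec active-peers print
/ip ipsec policy print detail where peer=branch1
/log print where topics~"ipsec"
```

The branch routers mirror this with their own public IP in local-address, the HO's DDNS name in address, and src/dst-address swapped.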
