Farseer
just joined
Topic Author
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

IPSec VPN tunnels not working when upgraded to 6.45.1

Sat Jul 06, 2019 3:23 pm

Hi,

So I have 1 HO, and 2 branches and previously these devices were on 6.43.12 and connected from the individual branch to the HO via IPSec VPN. Had almost no issues for a long time but with occasional hiccups. Today I upgraded all the devices to 6.45.1.

Here is what I did and what happened:

1) Upgraded firmware from 6.43.12 to 6.45.1
2) Disabled the scheduler object that ran a script to resolve DDNS names and fill the resulting IP addresses into SA-SRC-ADDRESS and SA-DST-ADDRESS
3) Tunnels stayed open for a bit but then dropped.
4) All IPSec windows showed the peer column as "unknown" in all policies (HO and Branches). I went into each policy object and just clicked Apply to get it to update, and the "unknown" changed to the DDNS name of the relevant peer.
5) HO Router IPSec shows "no phase2" for both policies
6) Branch Routers IPSec shows either "no phase2" or "msg1 sent"
7) Checking the branch routers' IPSec Policy Status tab shows SA Src. Address as 0.0.0.0. The HO router shows the same, SA Src. Address 0.0.0.0.
8) Logs show "failed to pre-process ph2 packet" or "peer sent packet for dead phase2" on all routers.

I am sure there is no issue with the firmware, but I think with the way they changed the IPSec, something is misconfigured. Any idea what is missing?
 
Farseer
just joined
Topic Author
Posts: 17
Joined: Sat Feb 09, 2019 11:25 pm

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Sat Jul 06, 2019 4:18 pm

Alright, so I managed to get it to work. I was basically playing around with the settings and found that:

1) 0.0.0.0 as SA Src. Address is not an issue; if phase 2 connects, the tunnel will work.
2) I went into IPSec > Peers and set Local Address first to the IP of the router on that end of the tunnel, and then to the public IP of that branch/office. After that, kill all the connections in Active Peers and flush the SAs. Then go back and set Peers > Local Address to blank and disabled. Worked out for me.
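The workaround described in the post above, written out as RouterOS 6.45 CLI commands. This is an added example, not configuration posted by anyone in the thread or shipped by MikroTik; the peer name "ho", the DDNS name ho.example.net and the address 192.0.2.1 are placeholders for the branch router's existing peer object, the HO's dynamic DNS name and the branch's public WAN address.

```routeros
# Added example (not from the thread). Placeholders:
#   ho              = name of the existing /ip ipsec peer object for the head office
#   ho.example.net  = head office DDNS name (assumption: peer address is a DNS name)
#   192.0.2.1       = this branch router's public WAN address

# 1. Pin the peer to this router's own address so IKE negotiates from the
#    expected local address (the setting the thread says 6.44+ needs filled in)
/ip ipsec peer set [find name="ho"] address=ho.example.net local-address=192.0.2.1

# 2. Tear down the stale IKE sessions and installed SAs so that phase 1 and
#    phase 2 are renegotiated with the new local address
/ip ipsec active-peers kill-connections
/ip ipsec installed-sa flush

# 3. Verify: the policy's phase-2 state should no longer read "no phase2",
#    and the Peer column should show the configured peer instead of "unknown"
/ip ipsec active-peers print
/ip ipsec policy print detail
/log print where topics~"ipsec"
```

Running the same three steps on the HO side with its own public address as local-address mirrors what the post describes for both ends. If the tunnel only comes up while local-address is set and drops again after it is cleared, that is the symptom of the peer needing both addresses that the next reply in the thread points to.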
 
ingdaka
Member Candidate
Posts: 136
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Sat Jul 06, 2019 9:07 pm

That is a security feature that was developed since 6.44! You need to set both Remote and Local Peer IP! Before there was just remote peer IP!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
voljka
just joined
Posts: 17
Joined: Tue Oct 27, 2009 4:34 pm

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Thu Aug 08, 2019 12:33 pm

That is a security feature that was developed since 6.44! You need to set both Remote and Local Peer IP! Before there was just remote peer IP!
Thanks for this comment, it saved me. Can you point me to the exact release note where this feature was introduced? I'm unable to find it...
