just joined
Topic Author
Posts: 1
Joined: Mon Aug 12, 2019 5:12 pm

basic ipsec server config

Mon Aug 12, 2019 5:35 pm


I'm trying to set up a basic IPsec responder with my MikroTik, running on v6.45.3.
The MikroTik router is the responder, and the initiators will be Linux PCs with strongSwan. They have to get a dynamic address from the responder.

First, I set up an ip pool:
/ip pool
add name=23-2 ranges=
then a mode config:
/ip ipsec mode-config
add address-pool=23-1 name=cfg1 system-dns=no
then a peer and an identity
/ip ipsec peer
add address= exchange-mode=ike2 local-address= name=test2 passive=yes
/ip ipsec identity
add mode-config=cfg1 peer=test2 remote-id=fqdn:testttt secret=blablabla
and my policy:
/ip ipsec policy
add dst-address= peer=test2 sa-dst-address= sa-src-address= src-address= tunnel=yes
my remote client is now able to connect to my mikrotik, but it does not get an ip from the pool:
[admin@MikroTik] > /ip ipsec active-peers print 
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
 0 R  testttt              established        9s

On the client side, I get a TS_UNACCEPTABLE error:
charon: 10[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built

What could be wrong? Isn't this the way to configure an IPsec server?


Forum Guru
Posts: 3774
Joined: Mon Dec 04, 2017 9:19 pm

Re: basic ipsec server config

Sun Aug 18, 2019 7:31 pm

TS is Traffic Selector. The (src-address,dst-address[,protocol[,src-port,dst-port]]) tuple (which is the Traffic Selector itself) of a policy at one peer must match the (dst-address,src-address[,protocol[,dst-port,src-port]]) tuple of the policy at the other peer. If they don't match exactly, no SA is created for the matching traffic.

With mode-config which assigns an address, it is necessary that one policy be auto-generated for each subnet specified in the split-include list of the mode-config to which the identity at the responder side refers, with that subnet as src-address at the responder side and dst-address at the initiator side, and with the address assigned to the initiator by the responder as the dst-address on the responder side and src-address at the initiator side. But for this to happen, the policy-generate parameter of that identity must be set to port-strict or port-override. If no split-include list is given, by default it means So if strongSwan gets a mode-config with an IP address and no split-include, it creates a policy with dst-address= and src-address set to the address it got assigned, but the MikroTik doesn't create a corresponding policy and phase 2 fails.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
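A constructed Python model of the traffic-selector mirror rule and the per-split-include policy generation described in the reply above. This is an added example, not code from the thread, RouterOS or strongSwan; the addresses, the full-range remote selector proposed by the initiator, and all function names are assumptions.

```python
from ipaddress import ip_network
from typing import List, NamedTuple

# Constructed model of the IKEv2 traffic-selector (TS) check the reply describes:
# a CHILD_SA is built only when one end's (src,dst) is the mirror of the other's (dst,src).
class Policy(NamedTuple):
    src: str          # this end's local selector (src-address in RouterOS terms)
    dst: str          # this end's remote selector (dst-address)
    proto: str = "all"

def ts_mirrors(local: Policy, remote: Policy) -> bool:
    """Exact mirror match of the two ends' selectors, as the reply requires."""
    return (ip_network(local.src) == ip_network(remote.dst)
            and ip_network(local.dst) == ip_network(remote.src)
            and local.proto == remote.proto)

def responder_generated(split_include: List[str], assigned_ip: str) -> List[Policy]:
    """Policies a responder auto-generates from mode-config when policy generation
    is enabled: one per split-include subnet, dst = the address assigned to the initiator."""
    return [Policy(src=subnet, dst=f"{assigned_ip}/32") for subnet in split_include]

def child_sa_built(responder_policies: List[Policy], initiator: Policy) -> bool:
    """True if any responder policy mirrors the initiator's proposed TS."""
    return any(ts_mirrors(r, initiator) for r in responder_policies)

# --- Constructed scenario (addresses are examples, not taken from the thread) ---
ASSIGNED = "10.23.0.5"            # address handed out from the mode-config pool
# Assumed: an initiator that got an address but no split-include proposes "everything"
initiator_no_split = Policy(src=f"{ASSIGNED}/32", dst="0.0.0.0/0")
# Responder with no generated policy: only a hand-written one for its LAN
manual_only = [Policy(src="192.0.2.0/24", dst=f"{ASSIGNED}/32")]

def broken_case() -> bool:
    # No responder policy mirrors (ASSIGNED/32 -> 0.0.0.0/0): TS_UNACCEPTABLE
    return child_sa_built(manual_only, initiator_no_split)

def fixed_case() -> bool:
    # Responder: split-include=192.0.2.0/24 with policy generation on, so a policy
    # (src=192.0.2.0/24, dst=ASSIGNED/32) exists; initiator proposes its mirror.
    generated = responder_generated(["192.0.2.0/24"], ASSIGNED)
    initiator = Policy(src=f"{ASSIGNED}/32", dst="192.0.2.0/24")
    return child_sa_built(generated, initiator)

if __name__ == "__main__":
    print("no split-include, manual policy only:", broken_case())
    print("split-include + generated policy:   ", fixed_case())
```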
