ijk987
Posts: 1
Joined: Sun Aug 11, 2019 3:00 pm

IPSec connection to CentOS

Thu Aug 15, 2019 6:07 pm

Greetings! Could you help me, please, with the following problem...

I'm trying to connect a Mikrotik RB2011iL-RM with RouterOS 6.45.2 to CentOS 7 with Libreswan 3.25. CentOS has a public static IP address, and Mikrotik a public dynamic one. Authentication is based on x.509 certificates issued by a private CA.

CentOS configuration:

conn hub-spoke
    left=1.1.1.1
    leftcert=hub
    leftid=%fromcert
    leftrsasigkey=%cert
    right=%any
    rightcert=spoke
    rightid=%fromcert
    rightrsasigkey=%cert
    ikev2=insist
    ike=aes256-sha512;ecp_521
    esp=aes256-sha512;ecp_521
    type=transport
    authby=rsasig
    auto=start

RouterOS configuration:

ip ipsec profile add name="profile1" dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512
ip ipsec peer add name="peer1" address=1.1.1.1 exchange-mode=ike2 profile=profile1 send-initial-contact=yes
ip ipsec proposal add name="proposal1" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=ecp521
ip ipsec policy group add name="group1"
ip ipsec policy add dst-address=1.1.1.1 group=group1 proposal=proposal1 protocol=all template=yes
ip ipsec identity add auth-method=digital-signature generate-policy=port-override peer=peer1 policy-template-group=group1 certificate=spoke.cer remote-certificate=hub.cer match-by=certificate

The problem is that the connection is not established.

In active peers I see the following:
0 N message-1-sent 24s 1 1.1.1.1
And this is the log:
21:30:19 ipsec ike2 starting for: 1.1.1.1
21:30:19 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
21:30:19 ipsec,debug => (size 0x1c)
21:30:19 ipsec,debug 0000001c 00004005 38c668e0 8b5a6c52 e383aab1 5bdd778e d2a08712
21:30:19 ipsec adding notify: NAT_DETECTION_SOURCE_IP
21:30:19 ipsec,debug => (size 0x1c)
21:30:19 ipsec,debug 0000001c 00004004 26fff464 e83a0cd5 71ec2546 f2968059 329cc905
21:30:19 ipsec adding payload: NONCE
21:30:19 ipsec,debug => (size 0x1c)
21:30:19 ipsec,debug 0000001c 447e2269 8cb92dc1 6c01ecab bfd8832f 8f4805b4 7378cb36
21:30:19 ipsec adding payload: KE
21:30:19 ipsec,debug => (size 0x8c)
21:30:19 ipsec,debug 0000008c 00150000 00012278 f1f6f125 40e855ad 82d158f4 6a6cba54 f95bf6da
21:30:19 ipsec,debug 64a07b99 f08d9520 c98a9093 81cfa68b 97b7831a 915b7b9b 85662cb5 32a41385
21:30:19 ipsec,debug 46ef42ce 2e1de697 9eba007e eced7341 a2578f11 53e8f03f b03a669d 4c4c248f
21:30:19 ipsec,debug cd6db75e 86efafbb 144c3b78 5d652602 99d3e55a 4a327e75 8da1af2f 1a1d6d26
21:30:19 ipsec,debug 818c25f4 849b396a 4d8ab376
21:30:19 ipsec adding payload: SA
21:30:19 ipsec,debug => (size 0x30)
21:30:19 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000007
21:30:19 ipsec,debug 03000008 0300000e 00000008 04000015
21:30:19 ipsec <- ike2 request, exchange: SA_INIT:0 1.1.1.1[4500]
21:30:19 ipsec,debug ===== sending 300 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:19 ipsec,debug 1 times of 304 bytes message will be sent to 1.1.1.1[4500]
21:30:19 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 332
21:30:19 ipsec,debug ===== received 341 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
21:30:19 ipsec -> ike2 reply, exchange: SA_INIT:0 1.1.1.1[4500]
21:30:19 ipsec ike2 initialize recv
21:30:19 ipsec payload seen: SA (48 bytes)
21:30:19 ipsec payload seen: KE (140 bytes)
21:30:19 ipsec payload seen: NONCE (36 bytes)
21:30:19 ipsec payload seen: NOTIFY (8 bytes)
21:30:19 ipsec payload seen: NOTIFY (28 bytes)
21:30:19 ipsec payload seen: NOTIFY (28 bytes)
21:30:19 ipsec payload seen: CERTREQ (25 bytes)
21:30:19 ipsec processing payload: NONCE
21:30:19 ipsec processing payload: SA
21:30:19 ipsec IKE Protocol: IKE
21:30:19 ipsec  proposal #1
21:30:19 ipsec   enc: aes256-cbc
21:30:19 ipsec   prf: hmac-sha512
21:30:19 ipsec   auth: sha512
21:30:19 ipsec   dh: ecp521
21:30:19 ipsec matched proposal:
21:30:19 ipsec  proposal #1
21:30:19 ipsec   enc: aes256-cbc
21:30:19 ipsec   prf: hmac-sha512
21:30:19 ipsec   auth: sha512
21:30:19 ipsec   dh: ecp521
21:30:19 ipsec processing payload: KE
21:30:19 firewall,info input: in:ether1-gateway out:(unknown 0), src-mac cc:e1:7f:00:d4:a6, proto UDP, 1.1.1.1:4500->2.2.2.2:4500, len 373
21:30:19 ipsec,debug => shared secret (size 0x42)
21:30:19 ipsec,debug 0058c765 b6b640d8 5e1df40d caa7de61 ec1576cf fb2f1bea 927bc329 1b25ee8a
21:30:19 ipsec,debug 4e73c0c9 de4149c8 5f2634ac f6004e9c 0e12a339 62b5bc0e 04ba1a59 9ff09c6e
21:30:19 ipsec,debug 882b
21:30:19 ipsec,debug => skeyseed (size 0x40)
21:30:19 ipsec,debug d8120129 5d3b92a1 0d6cd502 bf35419b 6391c88f 699be36f 5b929527 7f7d93f7
21:30:19 ipsec,debug b0c3b230 ad30367f ddf050df 3d7a8ffa 287e6aa7 1ae0d41b be918ebb 8b182fc4
21:30:19 ipsec,debug => keymat (size 0x40)
21:30:19 ipsec,debug fc52252e 56ed11a5 45f9a691 f88173ba b288b17c 477811f3 5a7eb666 e2c0d4cb
21:30:19 ipsec,debug 8baf3b94 af451971 6ed61a34 12fc6b64 3e40a279 3c6bfc93 f963491c e91249e3
21:30:19 ipsec,debug => SK_ai (size 0x40)
21:30:19 ipsec,debug c65a9c53 8002d363 9110a0c8 cad97808 79a87832 9274ab09 ab853e65 452d6695
21:30:19 ipsec,debug 2bd5d7e5 088ba631 515b8937 f790c89c c25a3919 d877940d bac86057 fcbcf4d9
21:30:19 ipsec,debug => SK_ar (size 0x40)
21:30:19 ipsec,debug c09c2bad da4d0158 d627b871 e0d9147f e30d01f7 2eed4740 c8c1d14b a03f9639
21:30:19 ipsec,debug 40834fc0 e92bc4ab c22fc9da 3f092aaa 2f572a6a 5e3ecb25 b05d11b5 3a847844
21:30:19 ipsec,debug => SK_ei (size 0x20)
21:30:19 ipsec,debug 91837f8c 21d1dc18 5363e1de 20bd6003 0567a2cd 965c6d1c d949a8aa 43c15d6d
21:30:19 ipsec,debug => SK_er (size 0x20)
21:30:19 ipsec,debug adab20bc dfdcd3c6 c746debc 02004d93 3d44ea7b f693026f a8852258 35a8c419
21:30:19 ipsec,debug => SK_pi (size 0x40)
21:30:19 ipsec,debug 60d97d84 fb3929b7 5902541b 68e3af0c c6140516 cb45a2ab 10385400 e979b053
21:30:19 ipsec,debug 92f61e08 4162513b 688fb0f5 40e406c9 0065917c f7b664d9 de20c2e1 da9e2840
21:30:19 ipsec,debug => SK_pr (size 0x40)
21:30:19 ipsec,debug 5fb4f1a8 cfec07ff 4b8daf17 f421af34 eed97d4d b9e5252e 580b5883 38b271c1
21:30:19 ipsec,debug eb297ec9 9d22b683 c59c1191 6ea9ba68 ab0b6d73 13c8ad71 e5a01be8 aad35e59
21:30:19 ipsec,info new ike2 SA (I): 2.2.2.2[4500]-1.1.1.1[4500] spi:2091f7c8b508d8ca:e85f9f5e641aadde
21:30:19 ipsec processing payloads: NOTIFY
21:30:19 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
21:30:19 ipsec   notify: NAT_DETECTION_SOURCE_IP
21:30:19 ipsec   notify: NAT_DETECTION_DESTINATION_IP
21:30:19 ipsec (NAT-T) REMOTE
21:30:19 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[4500]
21:30:19 ipsec init child
21:30:19 ipsec init child continue
21:30:19 ipsec offering proto: 3
21:30:19 ipsec  proposal #1
21:30:19 ipsec   enc: aes256-cbc
21:30:19 ipsec   auth: sha512
21:30:19 ipsec my ID (DER DN): test
21:30:19 ipsec adding payload: ID_I
21:30:19 ipsec,debug => (size 0x19)
21:30:19 ipsec,debug 00000019 09000000 300f310d 300b0603 5504030c 04746573 74
21:30:19 ipsec processing payload: NONCE
21:30:19 ipsec,debug => auth nonce (size 0x20)
21:30:19 ipsec,debug 6cfc8544 926dbdf4 60ca4b94 65825274 742a214f 6b8698f8 888432c4 0cb48d50
21:30:19 ipsec,debug => SK_p (size 0x40)
21:30:19 ipsec,debug 60d97d84 fb3929b7 5902541b 68e3af0c c6140516 cb45a2ab 10385400 e979b053
21:30:19 ipsec,debug 92f61e08 4162513b 688fb0f5 40e406c9 0065917c f7b664d9 de20c2e1 da9e2840
21:30:19 ipsec,debug => idhash (size 0x40)
21:30:19 ipsec,debug 0416abdf 3a0948c7 3160ecae 03789f8a 149b1b4d 2ef73979 5ec9ea36 ee55088d
21:30:19 ipsec,debug 19bb9324 a394cd36 dfde7283 79714417 f2f066a2 7e107ec4 bdb9b663 bd20f782
21:30:21 ipsec,debug => my auth (first 0x100 of 0x200)
21:30:21 ipsec,debug 1639b694 92f6ac50 34f846af e98a0f44 7f8fe883 40f2f17b c3a246bb cc95cb76
21:30:21 ipsec,debug 9afb4ba8 0fa506c4 07923ab4 19085802 25e646a4 f8b656d1 6f20dfec b0634bfe
21:30:21 ipsec,debug fef57d48 b31479d3 de607b4c c08d644b e34e15d3 ff79df22 6e84bc03 ceed7190
21:30:21 ipsec,debug b0ee1e5d 10c68833 bf275773 0f6da096 6dfac039 e6c906f8 869a81c8 ca3d1c85
21:30:21 ipsec,debug e4b1e60b cf9a25c5 32a985b1 96a9dd93 31048e63 d30c8301 a759a3e2 046821a1
21:30:21 ipsec,debug e42218f8 ccffdf87 12295aec 8922c1f0 bb564a8f 64145938 f89d6ed9 96628b48
21:30:21 ipsec,debug 59b470cb a1f11be8 0b1532d9 28b38637 43d4a52d a0dab0bc c03829e0 ee494269
21:30:21 ipsec,debug 6ee78c2c 0d836a8a 4dfb3a86 a0c3e031 6c159673 abd06fd7 91fb6bc5 333c5bdc
21:30:21 ipsec adding payload: AUTH
21:30:21 ipsec,debug => (first 0x100 of 0x208)
21:30:21 ipsec,debug 00000208 01000000 1639b694 92f6ac50 34f846af e98a0f44 7f8fe883 40f2f17b
21:30:21 ipsec,debug c3a246bb cc95cb76 9afb4ba8 0fa506c4 07923ab4 19085802 25e646a4 f8b656d1
21:30:21 ipsec,debug 6f20dfec b0634bfe fef57d48 b31479d3 de607b4c c08d644b e34e15d3 ff79df22
21:30:21 ipsec,debug 6e84bc03 ceed7190 b0ee1e5d 10c68833 bf275773 0f6da096 6dfac039 e6c906f8
21:30:21 ipsec,debug 869a81c8 ca3d1c85 e4b1e60b cf9a25c5 32a985b1 96a9dd93 31048e63 d30c8301
21:30:21 ipsec,debug a759a3e2 046821a1 e42218f8 ccffdf87 12295aec 8922c1f0 bb564a8f 64145938
21:30:21 ipsec,debug f89d6ed9 96628b48 59b470cb a1f11be8 0b1532d9 28b38637 43d4a52d a0dab0bc
21:30:21 ipsec,debug c03829e0 ee494269 6ee78c2c 0d836a8a 4dfb3a86 a0c3e031 6c159673 abd06fd7
21:30:21 ipsec cert: test
21:30:21 ipsec adding payload: CERT
21:30:21 ipsec,debug => (first 0x100 of 0x536)
21:30:21 ipsec,debug 00000536 04308205 2d308203 15a00302 01020210 240aedba 09b967cc bc43f261
21:30:21 ipsec,debug c9d672ec 300d0609 2a864886 f70d0101 0d050030 15311330 11060355 04030c0a
21:30:21 ipsec,debug 50726976 61746520 4341301e 170d3139 30383033 31343137 33385a17 0d323030
21:30:21 ipsec,debug 38303231 34313733 385a300f 310d300b 06035504 030c0474 65737430 82022230
21:30:21 ipsec,debug 0d06092a 864886f7 0d010101 05000382 020f0030 82020a02 82020100 a6ca611d
21:30:21 ipsec,debug c17aec0b f79a4b6d 524ee6e3 e18a67a9 cbf38beb 63e43936 6d4f1c70 f171947e
21:30:21 ipsec,debug 53d627c5 6dceccd3 94af70ad 2e5b1782 8ffe5d8d f6323749 b364ee4e d3adab45
21:30:21 ipsec,debug ab79c9c6 47c4afbd f303a0ea c06f97e2 4caf43f9 ffe93125 042bdf7c 0a794160
21:30:21 ipsec adding notify: INITIAL_CONTACT
21:30:21 ipsec,debug => (size 0x8)
21:30:21 ipsec,debug 00000008 00004000
21:30:21 ipsec adding payload: SA
21:30:21 ipsec,debug => (size 0x2c)
21:30:21 ipsec,debug 0000002c 00000028 01030403 07df2198 0300000c 0100000c 800e0100 03000008
21:30:21 ipsec,debug 0300000e 00000008 05000000
21:30:21 ipsec initiator selector: 2.2.2.2
21:30:21 ipsec adding payload: TS_I
21:30:21 ipsec,debug => (size 0x18)
21:30:21 ipsec,debug 00000018 01000000 07000010 0000ffff 6dcbc951 6dcbc951
21:30:21 ipsec responder selector: 1.1.1.1
21:30:21 ipsec adding payload: TS_R
21:30:21 ipsec,debug => (size 0x18)
21:30:21 ipsec,debug 00000018 01000000 07000010 0000ffff b9cdd296 b9cdd296
21:30:21 ipsec adding notify: USE_TRANSPORT_MODE
21:30:21 ipsec,debug => (size 0x8)
21:30:21 ipsec,debug 00000008 00004007
21:30:21 ipsec <- ike2 request, exchange: AUTH:1 1.1.1.1[4500]
21:30:21 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:21 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
21:30:21 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 2272
21:30:24 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
21:30:24 ipsec,debug 1 times of 1 bytes message will be sent to 1.1.1.1[4500]
21:30:24 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 29
21:30:26 ipsec retransmit
21:30:26 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:26 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
21:30:26 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 2272
21:30:31 ipsec retransmit
21:30:31 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:31 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
21:30:31 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 2272
On CentOS I logged all incoming UDP datagrams, and there were no 2272-byte datagrams, only 332- and 373-byte ones!
So it looks like Mikrotik sends the datagrams, but they don't reach CentOS. But at the same time, when I use another CentOS instance
instead of Mikrotik, everything works: the connection is established, and it's established regardless of ESP encapsulation (i.e. both when using UDP 500 and UDP 4500, and when using UDP 500 and ESP). Another interesting fact: when CentOS is located in the LAN segment, everything works too!

I also tried another "clean" (after reset) Mikrotik RB2011iL router, but the result was the same.

And one more observation: Mikrotik is using UDP 4500 even with the "nat-traversal=no" profile option.
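The sizes in the post line up exactly: RouterOS reports a 2240-byte IKE_AUTH message, the firewall log shows a 2272-byte datagram, and 2240 + 4 (the non-ESP marker used on UDP/4500) + 28 (IPv4 + UDP headers) = 2272. The same arithmetic gives 332 for the 300-byte IKE_SA_INIT request. That makes the symptom a size question: the small exchange arrives, the large one (above a 1500-byte MTU and therefore IP-fragmented on the wire) does not, even though the responder's IKE_SA_INIT reply advertised IKEV2_FRAGMENTATION_SUPPORTED. The script below is an added example, not code from the post or from MikroTik. It reads RouterOS ipsec/firewall log lines of the shape shown above, pairs each IKEv2 request with its on-wire datagram length and any reply, and reports exchanges that would need IP fragmentation or were retransmitted without an answer. The 28-byte IPv4/UDP overhead, the 4-byte marker and the 1500-byte MTU are assumptions; the embedded log excerpt is constructed from lines in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_UDP_OVERHEAD = 28   # assumption: 20-byte IPv4 header without options + 8-byte UDP header
NON_ESP_MARKER = 4       # assumption: 4 zero bytes before IKE when sent on UDP/4500
DEFAULT_MTU = 1500       # assumption: typical Ethernet path MTU

# Constructed excerpt: a subset of the RouterOS log lines quoted in the post.
SAMPLE_LOG = """\
21:30:19 ipsec <- ike2 request, exchange: SA_INIT:0 1.1.1.1[4500]
21:30:19 ipsec,debug ===== sending 300 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:19 ipsec,debug 1 times of 304 bytes message will be sent to 1.1.1.1[4500]
21:30:19 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 332
21:30:19 ipsec,debug ===== received 341 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
21:30:19 ipsec -> ike2 reply, exchange: SA_INIT:0 1.1.1.1[4500]
21:30:19 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
21:30:21 ipsec <- ike2 request, exchange: AUTH:1 1.1.1.1[4500]
21:30:21 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:21 ipsec,debug 1 times of 2244 bytes message will be sent to 1.1.1.1[4500]
21:30:21 firewall,info output: in:(unknown 0) out:ether1-gateway, proto UDP, 2.2.2.2:4500->1.1.1.1:4500, len 2272
21:30:26 ipsec retransmit
21:30:26 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
21:30:31 ipsec retransmit
21:30:31 ipsec,debug ===== sending 2240 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
"""


@dataclass
class Exchange:
    name: str                        # SA_INIT, AUTH, ...
    ike_len: Optional[int] = None    # IKE message bytes from "===== sending"
    ip_len: Optional[int] = None     # datagram length from the firewall "len" field
    sends: int = 0                   # first transmission plus retransmits
    reply_received: bool = False


_RE_REQ = re.compile(r"<- ike2 request, exchange: (\w+):\d+")
_RE_XFER = re.compile(r"===== (sending|received) (\d+) bytes")
_RE_FW = re.compile(r"firewall,info output:.*proto UDP.*len (\d+)\s*$")


def expected_ip_len(ike_len: int) -> int:
    """On-wire IPv4 datagram size for an IKE message carried on UDP/4500."""
    return ike_len + NON_ESP_MARKER + IPV4_UDP_OVERHEAD


def parse_exchanges(log: str) -> Tuple[List[Exchange], bool]:
    """Group log lines by IKEv2 request; also note whether the peer advertised fragmentation."""
    exchanges: List[Exchange] = []
    peer_frag = False
    awaiting_fw = False  # next firewall output line belongs to the current request
    for line in log.splitlines():
        m = _RE_REQ.search(line)
        if m:
            exchanges.append(Exchange(name=m.group(1)))
            awaiting_fw = False
            continue
        m = _RE_XFER.search(line)
        if m and exchanges:
            cur = exchanges[-1]
            if m.group(1) == "sending":
                cur.sends += 1
                if cur.ike_len is None:
                    cur.ike_len = int(m.group(2))
                    awaiting_fw = True
            else:
                cur.reply_received = True
            continue
        m = _RE_FW.search(line)
        if m and awaiting_fw:
            exchanges[-1].ip_len = int(m.group(1))
            awaiting_fw = False
            continue
        if "notify: IKEV2_FRAGMENTATION_SUPPORTED" in line:
            peer_frag = True
    return exchanges, peer_frag


def assess(exchanges: List[Exchange], peer_frag: bool, mtu: int = DEFAULT_MTU) -> List[str]:
    """Return human-readable findings: size mismatches, oversize datagrams, unanswered requests."""
    findings: List[str] = []
    oversize = False
    for ex in exchanges:
        if ex.ike_len is None:
            continue
        expected = expected_ip_len(ex.ike_len)
        wire = ex.ip_len if ex.ip_len is not None else expected
        if ex.ip_len is not None and ex.ip_len != expected:
            findings.append(f"{ex.name}: firewall len {ex.ip_len} != expected {expected}")
        if wire > mtu:
            oversize = True
            findings.append(f"{ex.name}: {wire}-byte datagram exceeds MTU {mtu}; IP fragmentation required")
        if not ex.reply_received and ex.sends > 1:
            findings.append(f"{ex.name}: sent {ex.sends} times, no reply")
    if peer_frag and oversize:
        findings.append("peer advertised IKEV2_FRAGMENTATION_SUPPORTED, but the oversize request went out as one IKE message")
    return findings


if __name__ == "__main__":
    exs, frag = parse_exchanges(SAMPLE_LOG)
    for f in assess(exs, frag):
        print(f)
```

Run against the excerpt, the script reports IKE_AUTH as a 2272-byte datagram above the MTU, sent three times without a reply, while IKE_SA_INIT fits and is answered. The next check on the CentOS side would be a packet capture on the public interface filtered for IP fragments from the router's address, to see whether the fragments reach the host or are dropped upstream.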
