David1234
Forum Guru
Topic Author
Posts: 1271
Joined: Sun Sep 18, 2011 7:00 pm

IPSEC with Oracle cloud - understand the setting

Sun Aug 18, 2019 5:04 pm

Hello,
I'm trying to set up a VPN to Oracle cloud,
but I just can't seem to understand the settings I need to do in the Mikrotik.
This is what Oracle is using on their side:
ISAKMP Protocol version 1
Exchange type: Main mode
Authentication method: pre-shared-keys
Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
Diffie-Hellman group: group 5, group 2, group 1
IKE session key lifetime: 28800 seconds (8 hours)
IPSec protocol: ESP, tunnel-mode
Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
Authentication algorithm: HMAC-SHA1-96
IPSec session key lifetime: 3600 seconds (1 hour)
Perfect Forward Secrecy (PFS): enabled, group 5
Where do I use all these settings?

If I remember correctly,
phase 1 is the peer,
phase 2 is the proposal?

This is what I have in Mikrotik:
/ip ipsec proposal
set [ find default=yes ] lifetime=1h pfs-group=modp1536
/ip ipsec peer
add address=RemotePublicIP/32 dh-group=modp1536,modp1024,modp768 enc-algorithm=aes-256,aes-192,aes-128,blowfish,des lifetime=8h secret=*************************

In Mikrotik I can see I get "Remote peer" but not Installed SAs,
and I also get the error "failed to pre-process ph2 packet."
On the cloud side I see IPSec is down.

Thanks,
 
sindy
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC with Oracle cloud - understand the setting

Sun Aug 18, 2019 6:01 pm

Phase 1:
Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc, Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96), Diffie-Hellman group: group 5, group 2, group 1, IKE session key lifetime: 28800 seconds (8 hours)
=> /ip ipsec profile add name=oracle enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 dh-group=modp1536 lifetime=8h
(see e.g. this link for translation of DH group numbers to actual cryptographic methods used and the recommendation on (not) using them)

ISAKMP Protocol version 1, Exchange type: Main mode => /ip ipsec peer add name=oracle exchange-mode=main address=ip.of.oracle.peer profile=oracle

Authentication method: pre-shared-keys => /ip ipsec identity add peer=oracle auth-method=pre-shared-key secret=the-preshared-key

Phase 2:
Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc, Authentication algorithm: HMAC-SHA1-96, IPSec session key lifetime: 3600 seconds (1 hour), Perfect Forward Secrecy (PFS): enabled, group 5 => /ip ipsec proposal add lifetime=1h enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc auth-algorithms=sha1 pfs-group=modp1536
IPSec protocol: ESP, tunnel-mode => /ip ipsec policy add ipsec-protocols=esp tunnel=yes peer=oracle sa-dst-address=ip.of.oracle.peer sa-src-address=0.0.0.0 src-address=some.local.sub.net/netmask dst-address=some.remote.sub.net/netmask level=unique [some other details (protocol, port)]

You may need several policies depending on how many disjunct subnets on each side you need to connect.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
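The mapping sindy lays out above is mechanical enough to script. What follows is an added example, not code from this thread or from MikroTik: it parses a provider parameter sheet in the format David pasted, splits it into phase 1 (everything before the "IPSec protocol" line) and phase 2, intersects each phase with a local configuration the way IKE settles on one transform, and renders the matching `/ip ipsec profile` and `/ip ipsec proposal` lines. The DH group numbers are the IANA IKE group numbers (1 = modp768, 2 = modp1024, 5 = modp1536, 14 = modp2048). The `LOCAL_P1`/`LOCAL_P2` values, the `oracle` name, the preference orders and the weak-group warning are assumptions of the example; the RouterOS spelling (phase 1 ciphers without `-cbc`, a single `hash-algorithm`, one `pfs-group`) follows sindy's lines.

```python
"""Added example: map a cloud provider's IPsec parameter sheet (the list David pasted)
onto RouterOS phase 1 / phase 2 settings and check what a local configuration can agree on."""
import re
from dataclasses import dataclass

# IANA IKE DH group number -> RouterOS dh-group / pfs-group name.
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
WEAK_DH = {"modp768", "modp1024"}                 # 768/1024-bit MODP: not recommended any more
# Provider spelling -> RouterOS spelling for integrity algorithms.
HASH_NAME = {"sha-384": "sha384", "sha-256": "sha256", "sha1": "sha1", "hmac-sha1-96": "sha1"}
# Preference order used when more than one option is common to both sides (assumed).
ENC_PREF = ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc"]
AUTH_PREF = ["sha384", "sha256", "sha1"]
DH_PREF = ["modp2048", "modp1536", "modp1024", "modp768"]

# Constructed input: the sheet from the first post, verbatim.
ORACLE_SHEET = """\
Exchange type: Main mode
Authentication method: pre-shared-keys
Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
Diffie-Hellman group: group 5, group 2, group 1
IKE session key lifetime: 28800 seconds (8 hours)
IPSec protocol: ESP, tunnel-mode
Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
Authentication algorithm: HMAC-SHA1-96
IPSec session key lifetime: 3600 seconds (1 hour)
Perfect Forward Secrecy (PFS): enabled, group 5
"""

@dataclass(frozen=True)
class Phase:
    enc: frozenset      # cipher names as the RouterOS proposal spells them (aes-256-cbc ...)
    auth: frozenset     # sha1 / sha256 / sha384
    dh: frozenset       # dh-group (phase 1) or pfs-group (phase 2)
    lifetime_s: int

def parse_sheet(text):
    """Everything before the 'IPSec protocol' line describes IKE (phase 1), the rest ESP (phase 2)."""
    raw = [{"enc": set(), "auth": set(), "dh": set(), "lt": 0} for _ in range(2)]
    cur = 0
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        key, val = key.lower(), re.sub(r"\(.*?\)", "", val).lower()   # drop "(also called ...)"
        if key.startswith("ipsec protocol"):
            cur = 1
        d = raw[cur]
        if key.startswith("encryption"):
            d["enc"] |= {v.strip() for v in val.split(",")}
        elif key.startswith("authentication algorithm"):
            d["auth"] |= {HASH_NAME[v.strip()] for v in val.split(",")}
        elif key.startswith(("diffie-hellman", "perfect forward")):
            d["dh"] |= {DH_GROUP[int(g)] for g in re.findall(r"group\s+(\d+)", val)}
        elif "lifetime" in key:
            d["lt"] = int(re.search(r"(\d+)\s*seconds", val).group(1))
    return tuple(Phase(frozenset(d["enc"]), frozenset(d["auth"]), frozenset(d["dh"]), d["lt"])
                 for d in raw)

def pick(pref, common):
    """Strongest option (by preference order) present in `common`, or None."""
    return next((x for x in pref if x in common), None)

def negotiate(remote, local):
    """Intersect what the remote accepts with what we offer and pick the strongest common option,
    the way IKE settles on one transform. problems == [] means the phase can come up."""
    chosen = {"enc": pick(ENC_PREF, remote.enc & local.enc),
              "auth": pick(AUTH_PREF, remote.auth & local.auth),
              "dh": pick(DH_PREF, remote.dh & local.dh)}
    labels = {"enc": "encryption algorithm", "auth": "authentication algorithm", "dh": "DH/PFS group"}
    problems = [f"no common {labels[k]}" for k, v in chosen.items() if v is None]
    warnings = []
    if chosen["dh"] in WEAK_DH:
        warnings.append(f"{chosen['dh']} is a weak group; pick a stronger one if the provider lists it")
    if remote.lifetime_s != local.lifetime_s:
        warnings.append(f"lifetimes differ ({remote.lifetime_s}s vs {local.lifetime_s}s); IKEv1 does not "
                        "negotiate them, so keep both sides equal to avoid one side rekeying early")
    return {**chosen, "problems": problems, "warnings": warnings}

# Assumed local side, following sindy's answer: one profile for phase 1, one proposal for phase 2.
LOCAL_P1 = Phase(frozenset(ENC_PREF), frozenset({"sha256"}), frozenset({"modp1536"}), 8 * 3600)
LOCAL_P2 = Phase(frozenset(ENC_PREF), frozenset({"sha1"}), frozenset({"modp1536"}), 3600)

def routeros_lines(p1, p2, name="oracle"):
    """Spell the local phases as RouterOS 6 commands: the phase 1 profile names ciphers without the
    -cbc suffix and takes a single hash-algorithm; the phase 2 proposal takes lists and one pfs-group."""
    def lt(s):
        return f"{s // 3600}h" if s % 3600 == 0 else f"{s}s"
    def csv(pref, values):
        return ",".join(x for x in pref if x in values)
    return [
        f"/ip ipsec profile add name={name} enc-algorithm={csv(ENC_PREF, p1.enc).replace('-cbc', '')} "
        f"hash-algorithm={pick(AUTH_PREF, p1.auth)} dh-group={csv(DH_PREF, p1.dh)} lifetime={lt(p1.lifetime_s)}",
        f"/ip ipsec proposal add name={name} enc-algorithms={csv(ENC_PREF, p2.enc)} "
        f"auth-algorithms={csv(AUTH_PREF, p2.auth)} pfs-group={pick(DH_PREF, p2.dh)} lifetime={lt(p2.lifetime_s)}",
    ]

if __name__ == "__main__":
    remote_p1, remote_p2 = parse_sheet(ORACLE_SHEET)
    for label, r, l in (("phase 1", remote_p1, LOCAL_P1), ("phase 2", remote_p2, LOCAL_P2)):
        print(label, negotiate(r, l))
    print("\n".join(routeros_lines(LOCAL_P1, LOCAL_P2)))
```

Running it against the sheet from the first post reports no problems for either phase and prints the two lines sindy gave; swapping the local `pfs-group` for a group the provider does not list is reported as "no common DH/PFS group", which is the kind of mismatch that shows up on the router only as a failed phase 2.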
David1234
Forum Guru
Topic Author
Posts: 1271
Joined: Sun Sep 18, 2011 7:00 pm

Re: IPSEC with Oracle cloud - understand the setting

Tue Aug 20, 2019 11:32 am

I managed to make it work
using what you wrote and some "playing around".

Now I can see the IPSEC is up on both sides (Mikrotik and Oracle cloud),
but I don't have a ping to the server.
How and where can I check what the problem is?

I asked the same thing in Oracle and am waiting for an answer, but I want to be ready and see everything is OK on the Mikrotik side.

** When I traceroute to the remote network it doesn't seem to get there and I get a reply from another computer on the network:
/tool traceroute 172.100.58.100
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1                                  100%    2 timeout
 2 10.232.56.9                        0%    2  44.9ms      40    35.1    44.9
 3 10.139.203.242                     0%    2  56.8ms    68.5    56.8    80.1
 4 10.140.9.130                       0%    2  34.8ms    38.2    34.8    41.5
 5 10.140.9.133                       0%    2  46.3ms    42.2      38    46.3
 6 10.140.9.141                       0%    2  41.5ms    40.7    39.8    41.5
 7 10.140.23.37                       0%    2  82.3ms    80.2      78    82.3
 8 10.140.23.2                        0%    2  79.5ms    61.6    43.7    79.5
 9 10.140.19.17                       0%    2  39.9ms      39      38    39.9
10 10.139.0.42                        0%    2  39.8ms    39.7    39.5    39.8
11 31.168.255.226                     0%    2  39.9ms    50.1    39.9    60.2
12 31.168.255.225                     0%    2  43.4ms    41.6    39.8    43.4
13 62.219.189.214                     0%    2  56.5ms    48.3      40    56.5
14 212.179.124.85                     0%    2  91.8ms    91.7    91.6    91.8
15 212.179.124.38                     0%    2 103.8ms    96.3    88.7   103.8
16 212.179.161.218                    0%    2 105.7ms   100.3    94.9   105.7
17 46.33.89.237                       0%    2 102.2ms   105.1   102.2     108
18 89.149.180.226                     0%    2  99.9ms    99.9    99.9    99.9
19 130.117.15.149                     0%    1 107.8ms   107.8   107.8   107.8
20 130.117.0.1                        0%    1    98ms      98      98      98
21 154.54.58.234                      0%    1 142.3ms   142.3   142.3   142.3
22 66.28.4.197                        0%    1 177.3ms   177.3   177.3   177.3

Maybe I missed something in the config of the ipsec? Something about routing this subnet using IPSEC?

Thanks,
Last edited by David1234 on Tue Aug 20, 2019 12:19 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC with Oracle cloud - understand the setting

Tue Aug 20, 2019 12:08 pm

If the policy (or policies) are marked as Active at Mikrotik side, the phase 2 negotiation was successful. So the next things to check would be that at Mikrotik side you don't NAT connections towards the destination subnet at Oracle side to the WAN IP, that a firewall at Oracle side doesn't drop pings from the Mikrotik subnet, and that the source address of the pings matches the src-address of the policy.
 
David1234
Forum Guru
Topic Author
Posts: 1271
Joined: Sun Sep 18, 2011 7:00 pm

Re: IPSEC with Oracle cloud - understand the setting

Tue Aug 20, 2019 12:38 pm

1. I don't NAT the IPSEC:
 /ip firewall nat
add action=masquerade chain=srcnat dst-address-list=!172.100.58.0/24
2. I have disabled the firewall on the Oracle side to be sure.
3. My computer is 10.0.0.188/24 and the policy is:
add disabled=yes dst-address=172.100.0.0/16 sa-dst-address=Oracle.ip \
    sa-src-address=0.0.0.0 src-address=10.0.0.0/24 tunnel=yes

 
sindy
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC with Oracle cloud - understand the setting

Tue Aug 20, 2019 12:44 pm

In the masquerade rule, use dst-address instead of dst-address-list, I doubt 172.../24 is the name of the list?
 
David1234
Forum Guru
Topic Author
Posts: 1271
Joined: Sun Sep 18, 2011 7:00 pm

Re: IPSEC with Oracle cloud - understand the setting

Tue Aug 20, 2019 1:02 pm

:shock: :shock: :shock: :shock: :shock: :shock:
my mistake
now it's working

Thanks !
 
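The one-word difference sindy spotted (`dst-address-list` instead of `dst-address`) is worth seeing mechanically, because the rule looked right at a glance. The following is an added example, not code from the thread or from MikroTik. It models the order RouterOS applies to outbound traffic, srcnat before the IPsec policy lookup, and implements just the two matchers from the thread: `dst-address` compares against a prefix, while `dst-address-list` looks a name up in `/ip firewall address-list`, and a name that was never defined is simply an empty list, so `!<name>` matches every packet and everything gets masqueraded. The WAN address `203.0.113.10` is a constructed placeholder, the packet addresses come from David's posts, and the policy posted with `disabled=yes` is assumed enabled (as it must be for the tunnel to be up).

```python
"""Added example: why the masquerade rule in David's post broke the tunnel.
Models RouterOS ordering for outbound traffic: srcnat runs before the IPsec policy lookup,
so a packet that gets masqueraded no longer matches a policy whose src-address is the LAN."""
import ipaddress as ipa

WAN_IP = "203.0.113.10"          # constructed placeholder for the router's public address

# The policy from the thread (posted with disabled=yes; assumed enabled here, as it must be).
POLICIES = [{"src-address": "10.0.0.0/24", "dst-address": "172.100.0.0/16",
             "tunnel": "yes", "disabled": "no"}]

def parse_rule(line):
    """'add action=masquerade chain=srcnat dst-address=!172.100.58.0/24' -> dict of matchers."""
    toks = line.split()
    if not toks or toks[0] != "add":
        raise ValueError("expected an 'add ...' line")
    return dict(t.split("=", 1) for t in toks[1:])

def _negated(value):
    """'!x' -> (True, 'x'); 'x' -> (False, 'x')."""
    return (True, value[1:]) if value.startswith("!") else (False, value)

def nat_matches(rule, dst, address_lists):
    """The two matchers from the thread. dst-address compares against a prefix.
    dst-address-list looks a *name* up in /ip firewall address-list; a name that was never
    defined is just an empty list, so '!<name>' is true for every packet."""
    dst = ipa.ip_address(dst)
    if "dst-address" in rule:
        neg, prefix = _negated(rule["dst-address"])
        if (dst in ipa.ip_network(prefix, strict=False)) == neg:
            return False
    if "dst-address-list" in rule:
        neg, name = _negated(rule["dst-address-list"])
        in_list = any(dst in ipa.ip_network(p, strict=False) for p in address_lists.get(name, []))
        if in_list == neg:
            return False
    return True

def apply_srcnat(pkt, rules, address_lists, wan_ip):
    """First matching srcnat rule wins; masquerade rewrites the source to the WAN address."""
    for rule in rules:
        if rule.get("chain") == "srcnat" and nat_matches(rule, pkt["dst"], address_lists):
            if rule.get("action") == "masquerade":
                return {**pkt, "src": wan_ip}
            return pkt
    return pkt

def policy_for(pkt, policies):
    """First enabled policy whose selector covers the (post-NAT) packet; None means plaintext routing."""
    src, dst = ipa.ip_address(pkt["src"]), ipa.ip_address(pkt["dst"])
    for pol in policies:
        if pol.get("disabled") == "yes":
            continue
        if src in ipa.ip_network(pol["src-address"]) and dst in ipa.ip_network(pol["dst-address"]):
            return pol
    return None

def outbound(pkt, nat_rules, policies, address_lists, wan_ip=WAN_IP):
    """Source address after NAT and whether an IPsec policy still claims the packet."""
    after = apply_srcnat(pkt, nat_rules, address_lists, wan_ip)
    return {"src": after["src"], "tunnel": policy_for(after, policies) is not None}

if __name__ == "__main__":
    pkt = {"src": "10.0.0.188", "dst": "172.100.58.100"}
    for text in ("add action=masquerade chain=srcnat dst-address-list=!172.100.58.0/24",
                 "add action=masquerade chain=srcnat dst-address=!172.100.58.0/24"):
        print(text, "->", outbound(pkt, [parse_rule(text)], POLICIES, {}))
```

With the posted rule the ping leaves with the WAN address as source and no policy matches, which is exactly the symptom in the thread: tunnel up, no traffic through it. With `dst-address=!172.100.58.0/24` the LAN source is preserved and the policy claims the packet; an address list works too, but only if the list is actually defined.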
mlonigro
just joined
Posts: 4
Joined: Mon Dec 09, 2019 7:26 pm

Re: IPSEC with Oracle cloud - understand the setting

Mon Dec 09, 2019 11:17 pm

What about tunnel redundancy? Is it possible to make this type of configuration? Oracle Cloud IPSEC gives you 2 endpoints (AWS style) for a routed VPN, not a policy IPSEC VPN.
 
mlonigro
just joined
Posts: 4
Joined: Mon Dec 09, 2019 7:26 pm

Re: IPSEC with Oracle cloud - understand the setting

Fri Dec 13, 2019 8:35 pm

Anyone? I found this example to connect to AWS:

https://kkc.github.io/2018/03/14/AWS-VP ... uterBoard/

Maybe I can follow this procedure to connect to Oracle Cloud. Instead of using a VTI interface (like libreswan, not supported by RouterOS), this example uses an IP alias on the WAN interface. Does it work?

Routed IPSEC is required for any major cloud provider, so it's strange to me that I can't find a standard procedure.

Thank you!
 
sindy
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC with Oracle cloud - understand the setting

Sat Dec 14, 2019 11:53 pm

The AWS suggestion is an awful (and clever) workaround to the absence of IPsec VTI in RouterOS. The IP addresses they use in the example could be attached to any interface, not just the WAN one, and it would work the same way. The whole thing is that the BGP traffic towards each of these two addresses is handled by a matching policy at Mikrotik side which is only associated to one of the peers, and thus emerges from the corresponding VTI at cloud side. However, lots of changes have been done in IPsec handling since 6.36. So now in 6.45.7, if you have two policies with exactly the same traffic selector and thus only one of them may be active at a time, and the peer to which the active one of them is attached becomes unreachable, the other policy doesn't become active automatically and you have to push the change by disabling the one attached to the dead peer. Plus an inactive policy does not negotiate the traffic selector with the peer, so while both peers are up, the cloud side may prefer the one with which RouterOS did not negotiate the traffic selector, so the traffic will not arrive (or will arrive but won't be accepted at RouterOS side because it didn't come through the proper SA; I can't test this case without a VTI on the remote side).

So in any case, to provide an automatic failover, you'll need a periodically scheduled script checking the state of the preferred peer and enabling both policies (the one for the payload and the one for the BGP) only on the peer which should be used.
 
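The scheduled script sindy describes is, at its core, a small controller with three constraints that follow from his explanation: two policies with the same traffic selector must never both be enabled, the losing peer's policies have to be disabled before the other peer's are enabled (otherwise the new ones would never negotiate), and the script should not flap between peers while the one in use is still up. The following is an added example, not code from the thread or from MikroTik, and it is written in Python rather than RouterOS script so the decision logic can be run and tested on its own. Peer reachability is passed in as a dictionary; how it is detected (for instance from `/ip ipsec active-peers` or a ping across the tunnel) is left to the caller. The policy comments, peer names and selectors are constructed, and the emitted `/ip ipsec policy set [find comment=...] disabled=...` commands are what such a scheduler would issue.

```python
"""Added example: the failover controller a periodically scheduled script has to implement
when two RouterOS IPsec peers carry policies with identical traffic selectors."""
from dataclasses import dataclass

@dataclass
class Policy:
    comment: str    # RouterOS comment the script uses to address the policy
    peer: str       # name of the /ip ipsec peer the policy is attached to
    selector: str   # "src->dst" traffic selector (payload selector is identical on both peers)
    enabled: bool

def sample_policies():
    """Constructed state: peer 'a' carries the traffic, peer 'b' is the standby. One payload
    policy and one BGP policy per peer, as in the AWS-style setup discussed above."""
    return [
        Policy("oracle-a-payload", "a", "10.0.0.0/24->172.100.0.0/16", True),
        Policy("oracle-a-bgp", "a", "169.254.10.1/32->169.254.10.2/32", True),
        Policy("oracle-b-payload", "b", "10.0.0.0/24->172.100.0.0/16", False),
        Policy("oracle-b-bgp", "b", "169.254.20.1/32->169.254.20.2/32", False),
    ]

def current_peer(policies):
    """Peer whose policies are enabled, or None if the state is empty or inconsistent."""
    enabled = {p.peer for p in policies if p.enabled}
    return next(iter(enabled)) if len(enabled) == 1 else None

def choose_peer(preferred, current, peers_up):
    """Preferred peer when reachable; otherwise stay where we are while that peer is up
    (no flapping); otherwise any reachable peer; otherwise leave things as they are."""
    if peers_up.get(preferred):
        return preferred
    if current and peers_up.get(current):
        return current
    return next((peer for peer, up in peers_up.items() if up), current)

def failover(policies, preferred, peers_up):
    """Move all policies to the chosen peer and return the RouterOS commands that do it.
    Mutates `policies` so that repeated calls (one per scheduler run) are idempotent."""
    target = choose_peer(preferred, current_peer(policies), peers_up)
    cmds = []
    if target is None:
        return cmds
    # 1. Disable the losing peer's policies first: with identical selectors only one policy
    #    can be active, so enabling the new ones first would leave them unable to negotiate.
    for p in policies:
        if p.peer != target and p.enabled:
            p.enabled = False
            cmds.append(f'/ip ipsec policy set [find comment="{p.comment}"] disabled=yes')
    # 2. Then enable payload and BGP policies on the peer that should carry the traffic.
    for p in policies:
        if p.peer == target and not p.enabled:
            p.enabled = True
            cmds.append(f'/ip ipsec policy set [find comment="{p.comment}"] disabled=no')
    # Invariant check: every traffic selector enabled at most once.
    seen = set()
    for p in policies:
        if p.enabled:
            if p.selector in seen:
                raise RuntimeError(f"two active policies for selector {p.selector}")
            seen.add(p.selector)
    return cmds

if __name__ == "__main__":
    pols = sample_policies()
    for step, up in (("both up", {"a": True, "b": True}),
                     ("a down", {"a": False, "b": True}),
                     ("a back", {"a": True, "b": True})):
        print(step, failover(pols, "a", up) or "(nothing to do)")
```

Each scheduler run calls `failover` once with fresh reachability data; when nothing changed it returns no commands, when the preferred peer dies it disables that peer's two policies and then enables the standby's, and when the preferred peer returns it moves back in the same order.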
mlonigro
just joined
Posts: 4
Joined: Mon Dec 09, 2019 7:26 pm

Re: IPSEC with Oracle cloud - understand the setting

Mon Dec 16, 2019 4:10 pm

Thanks Sindy, you gave me valuable information. I'll make some tests very soon and tell you how it works.

Hope the VTI support comes up very soon.

Regards
 
sindy
Forum Guru
Posts: 4218
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC with Oracle cloud - understand the setting

Mon Dec 16, 2019 7:27 pm

Hope the VTI support comes up very soon.
I'll be pleasantly surprised if it does. In my understanding, it is not easy to conform to the IPsec RFC when using a VTI, as the RFC requires that incoming traffic matching a mirrored traffic selector of any policy with action=encrypt must be only accepted if it comes through an SA bound to that policy, whereas the traffic selector underlying the VTI may be basically any:any->any:any (or, better to say, has to be if you want it not to interfere with the "normal way" of routing). So even if the implementors decide to put the RFC conformance aside while using a VTI, they have to do that selectively, i.e. adjust the behaviour depending on the mode ("vanilla IPsec" vs. VTI).
 
mlonigro
just joined
Posts: 4
Joined: Mon Dec 09, 2019 7:26 pm

Re: IPSEC with Oracle cloud - understand the setting

Tue Jan 14, 2020 8:29 pm

The proposed solution mentioned above did not work. I had to implement it with policy ipsec and create a failover script between the tunnels. Personally, I don't like the failover to be implemented with a script and I think there should be a solution to this type of connectivity in the Mikrotik roadmap. I do not know if it is an RFC problem as you indicate, sindy, but currently there are many cloud providers that need traffic selectors of the type 0.0.0.0/0 - 0.0.0.0/0.

Thank you for the help!
