zrelieskim

ESP Sequence number errors on ipsec tunnel

Sat Nov 30, 2019 1:32 pm

Hi,

I am trying to create a LAN-to-LAN connection between a Fritz!Box 7430 router and a 951G-2HnD RouterBOARD.

The initial connection is not a problem; both routers see it as established and accepted. The problem is that data does not flow in one direction, Mikrotik -> Fritz!Box.
The SA data counters increase as they should, but the packets are never received on the remote side. After doing a packet capture I suspect the problem is the
sequence numbers of the ESP protocol.

The Fritz!Box drops every ESP packet, stating that the sequence number is off by 1.

Below is the Wireshark export of the two packets (Mikrotik ping response and Fritz!Box error). The initiating command was sent from the Fritz!Box: ping <mikrotik_local_ip> -l 100

No.     Time           Source                Destination           Protocol Length Info
    152 16.551186      <mikrotik_ip>          <fritzbox_ip>        ESP      214    ESP (SPI=0x0f612fe7)

Frame 152: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: JuniperN_3b:95:44 (44:f4:77:3b:95:44), Dst: AvmAudio_4d:bf:da (7c:ff:4d:4d:bf:da)
Internet Protocol Version 4, Src: <mikrotik_ip>, Dst: <fritzbox_ip>
Encapsulating Security Payload
    ESP SPI: 0x0f612fe7 (258027495)
    ESP Sequence: 1

No.     Time           Source                Destination           Protocol Length Info
    153 16.551281      <fritzbox_ip>        <mikrotik_ip>          ICMP     70     Destination unreachable (Communication administratively filtered)

Frame 153: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: AvmAudio_4d:bf:da (7c:ff:4d:4d:bf:da), Dst: JuniperN_3b:95:44 (44:f4:77:3b:95:44)
Internet Protocol Version 4, Src: <fritzbox_ip>, Dst: <mikrotik_ip>
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 13 (Communication administratively filtered)
    Checksum: 0xbda9 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: <mikrotik_ip>, Dst: <fritzbox_ip>
    Encapsulating Security Payload
        ESP SPI: 0x0f612fe7 (258027495)
        ESP Sequence: 1
        [Expected SN: 2]
            [Expert Info (Warning/Sequence): Wrong Sequence Number for SPI 0f612fe7 - 1 repeated]
                [Wrong Sequence Number for SPI 0f612fe7 - 1 repeated]
                [Severity level: Warning]
                [Group: Sequence]
        [Previous Frame: 152]

Does anyone have any clue what the problem could be here?
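As an added illustration that is not part of the original post, the Python below models the RFC 4303 anti-replay check a receiving ESP peer applies to the SPI and sequence-number fields shown in the capture above; the packets are constructed from the header values of frame 152, and the class, function and verdict strings are this example's own, not the Fritz!Box's or RouterOS's implementation.

```python
import struct

# ESP header: 32-bit SPI followed by 32-bit Sequence Number, network byte order (RFC 4303 section 2)
ESP_HDR = struct.Struct("!II")


def parse_esp_header(payload: bytes):
    """Return (spi, seq) from the first 8 bytes of an ESP packet (the outer IPv4 payload)."""
    if len(payload) < ESP_HDR.size:
        raise ValueError("ESP packet shorter than the 8-byte header")
    return ESP_HDR.unpack_from(payload, 0)


class AntiReplayWindow:
    """Sliding anti-replay window for one inbound SA, in the style of RFC 4303 section 3.4.3.

    Simplification (assumption of this example): the window is updated as soon as a sequence
    number is checked; a real receiver only marks the slot after the ICV has verified.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means seq (top - i) has already been received

    def check(self, seq: int) -> str:
        if seq == 0:
            return "reject: seq 0 is never valid"   # first packet on a fresh SA must carry seq 1
        if seq > self.top:                          # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:                       # left of the window: too old, always dropped
            return f"reject: seq {seq} is below the window (expected > {self.top - self.size})"
        if self.bitmap & (1 << diff):               # inside the window but already seen: a replay
            return f"reject: seq {seq} repeated, expected {self.top + 1}"
        self.bitmap |= 1 << diff
        return "accept"


def simulate(packets):
    """Feed constructed ESP packets through one window per SPI; return (spi, seq, verdict) per packet."""
    windows, verdicts = {}, []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        verdicts.append((spi, seq, windows.setdefault(spi, AntiReplayWindow()).check(seq)))
    return verdicts


# Constructed sample: the SPI/seq header of frame 152 plus dummy ciphertext, sent twice, then seq 2.
FRAME_152 = bytes.fromhex("0f612fe7" "00000001") + b"\x00" * 16
SAMPLE = [FRAME_152, FRAME_152, bytes.fromhex("0f612fe7" "00000002") + b"\x00" * 16]
```

Running `simulate(SAMPLE)` accepts the first packet, rejects the second as "seq 1 repeated, expected 2" (the same condition Wireshark flags in frame 153) and accepts seq 2; a receiver that has already consumed seq 1 on this SPI will never take a second seq 1.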
