Support for IKEv2 Fragmentation (RFC 7383)

Posted: Thu Jul 16, 2020 11:19 am
by achenor
There are a few threads with people saying that they cannot establish an IPsec VPN connection no matter what, including me (see the last posts here). After doing a bit of debugging of the traffic, I found that the problem is IP fragmentation. More specifically, the first IKE_AUTH response is a UDP packet >1500 bytes (most likely it contains the server's certificate) and gets fragmented in two, but I only get the last fragment. As a result, RouterOS can't reassemble the packet and keeps resending the authentication request until the max retries is reached, then restarts the process (about every 24 seconds).

Wireshark log on a successful connection:
107 3.248516    <mt_public_ip>  <vpn_server_ip> ISAKMP  458 IKE_AUTH MID=01 Initiator Request
114 3.330866    <vpn_server_ip> <mt_public_ip>  IPv4    1514    Fragmented IP protocol (proto=UDP 17, off=0, ID=69b3) [Reassembled in #115]
115 3.331053    <vpn_server_ip> <mt_public_ip>  IKE_AUTH MID=01 Responder Response
Wireshark log on a failed connection attempt:
31  3.934743    <mt_public_ip>  <vpn_server_ip> ISAKMP  522 IKE_AUTH MID=01 Initiator Request
32  4.059967    <vpn_server_ip> <mt_public_ip>  IPv4    1506    Fragmented IP protocol (proto=UDP 17, off=1480, ID=36c7)
39  8.930363    <mt_public_ip>  <vpn_server_ip> ISAKMP  522 IKE_AUTH MID=01 Initiator Request
40  9.054702    <vpn_server_ip> <mt_public_ip>  IPv4    1506    Fragmented IP protocol (proto=UDP 17, off=1480, ID=38d1)

My conclusion is that the UDP fragment gets dropped by my ISP, since the same MikroTik router with the same configuration is able to establish a connection on another internet provider. Then the question is why my other devices connected to the same MikroTik (laptop, phone, etc.) are able to establish an IKEv2 connection through my ISP. The only difference that I see in the logs is an additional payload sent in the IKE_SA_INIT request named "IKEV2_FRAGMENTATION_SUPPORTED", which is an add-on to the protocol to solve exactly this issue with IP fragmentation (RFC 7383).

Wireshark log on a successful connection from my laptop:
81  4.689065    <laptop_private_ip>  <vpn_server_ip> ISAKMP  558 IKE_AUTH MID=01 Initiator Request
82  4.823807    <vpn_server_ip> <laptop_private_ip>  ISAKMP  1282    IKE_AUTH MID=01 Responder Response (fragment 1/3)
83  4.823810    <vpn_server_ip> <laptop_private_ip>  ISAKMP  1282    IKE_AUTH MID=01 Responder Response (fragment 2/3)
84  4.823811    <vpn_server_ip> <laptop_private_ip>  ISAKMP  658 IKE_AUTH MID=01 Responder Response (fragment 3/3)

Does RouterOS support this IKEv2 Fragmentation extension? If so, how do I enable it? And if not, is it anywhere on the roadmap?
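The difference the captures above show (IP-level fragments of one 1500+ byte UDP datagram versus several self-contained IKE messages marked "fragment n/3") can be checked directly on the IKE bytes. The following is an added example, not code from the original post or from RouterOS: it walks the IKEv2 payload chain of a message, reports whether the peer advertised IKEV2_FRAGMENTATION_SUPPORTED (Notify type 16430) in IKE_SA_INIT, and reads the fragment number/total from an Encrypted Fragment (SKF, payload type 53) payload. The sample messages are constructed in the code, not captured traffic, and the SA/KE/Nonce bodies are placeholder bytes.

```python
import struct

EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY, PAYLOAD_SKF = 33, 34, 40, 41, 53
NOTIFY_FRAGMENTATION_SUPPORTED = 16430  # RFC 7383 section 2.4, carried in IKE_SA_INIT

def parse_ike(msg):
    """Return (exchange_type, [(payload_type, body), ...]) for one IKEv2 message."""
    if len(msg) < 28:
        raise ValueError("truncated IKE header")
    next_type, version, exch, _flags, _mid, length = struct.unpack("!BBBBII", msg[16:28])
    if version >> 4 != 2 or length != len(msg):
        raise ValueError("not IKEv2 or header length does not match datagram")
    payloads, off = [], 28
    while next_type != 0:  # walk the Next Payload chain until the terminator
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past end of message")
        nxt, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((next_type, msg[off + 4:off + plen]))
        next_type, off = nxt, off + plen
    return exch, payloads

def fragmentation_status(msg):
    """Report whether the peer advertised RFC 7383 and whether this message is a fragment."""
    exch, payloads = parse_ike(msg)
    status = {"exchange": EXCHANGES.get(exch, exch), "advertised": False, "fragment": None}
    for ptype, body in payloads:
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:  # Protocol ID, SPI Size, Notify Type
            if struct.unpack("!BBH", body[:4])[2] == NOTIFY_FRAGMENTATION_SUPPORTED:
                status["advertised"] = True
        elif ptype == PAYLOAD_SKF and len(body) >= 4:  # Encrypted Fragment payload
            status["fragment"] = struct.unpack("!HH", body[:4])  # (number, total)
    return status

def build_ike(exch, payloads):
    """Assemble a constructed IKEv2 message (initiator SPI only, message ID 0)."""
    chain = [ptype for ptype, _ in payloads] + [0]
    body = b"".join(struct.pack("!BBH", nxt, 0, 4 + len(pb)) + pb
                    for (_, pb), nxt in zip(payloads, chain[1:]))
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), chain[0], 0x20, exch, 0x08, 0, 28 + len(body))
    return hdr + body

# Constructed sample messages (not captured traffic): the Notify carries no SPI and no data.
FRAG_NOTIFY = struct.pack("!BBH", 0, 0, NOTIFY_FRAGMENTATION_SUPPORTED)
SA_INIT_WITH_FRAG = build_ike(34, [(PAYLOAD_SA, bytes(8)), (PAYLOAD_KE, bytes(8)),
                                   (PAYLOAD_NONCE, b"\xaa" * 16), (PAYLOAD_NOTIFY, FRAG_NOTIFY)])
SA_INIT_WITHOUT_FRAG = build_ike(34, [(PAYLOAD_SA, bytes(8)), (PAYLOAD_NONCE, b"\xaa" * 16)])
AUTH_FRAGMENT_2_OF_3 = build_ike(35, [(PAYLOAD_SKF, struct.pack("!HH", 2, 3) + b"\xcc" * 32)])
```

Feeding the bytes of a real IKE_SA_INIT (the UDP payload of the capture) to fragmentation_status shows whether each side advertised the extension; if either side does not, the large IKE_AUTH response will fall back to IP fragmentation.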

Re: Support for IKEv2 Fragmentation (RFC 7383)

Posted: Tue Jul 28, 2020 3:02 am
by xornetsl
+1 for this issue!
I have the same problem. One of the uplinks of a particular IPsec endpoint has an IP-fragments filter enabled, and I use a certificate authorization scheme that just doesn't work there =(
strongSwan and other black-box vendors have a kind of "fragmentation=yes" option that can split long IKE messages according to the MTU of the outgoing interface. Are there any plans to implement this feature in ROS?

Re: Support for IKEv2 Fragmentation (RFC 7383)

Posted: Sat Oct 03, 2020 5:14 am
by Institor
Same issue. Disgusting multiple NAT on satellite internet access, error 809 on Windows clients (IKEv2 + RSA certificates)...
Can't change provider, and experiments with MTU on client interfaces are very dangerous/impossible (they are 1500 km away with sat access, so... :)) and I doubt it will help.
We can only hope that the feature will be in ROS7, I think.

Re: Support for IKEv2 Fragmentation (RFC 7383)

Posted: Sat Oct 03, 2020 11:35 am
by sindy
In the meantime, use EC certificates rather than RSA ones. They fit into a single packet. Currently they are not supported by SCEP, though.

Re: Support for IKEv2 Fragmentation (RFC 7383)

Posted: Thu Oct 15, 2020 7:59 pm
by Institor
Some progress...
Release 6.48beta48
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);