Zoolander06
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jan 03, 2019 5:26 pm

Dynamic IPSec policy isn't created

Mon Oct 12, 2020 12:04 pm

Hello,

I am trying to establish an IPsec tunnel between an RB4011 and my laptop using the Shrew IPsec client.
Everything seems fine, Shrew says that the tunnel is established, but I can't ping the router.
So I looked at the log and saw a phase 2 failure due to a missing matching policy. I checked, and there was obviously a problem, because no dynamic policy was created even though there was an active peer.

Here is my IPsec configuration on the RB:
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.99
add name=pool-vpn ranges=172.16.100.1-172.16.100.20

/ip firewall address-list
add address=172.16.100.1-172.16.100.20 list=VPN

/ip ipsec mode-config
set [ find default=yes ] src-address-list=VPN
add address-pool=pool-vpn address-prefix-length=32 name=vpn split-include=192.168.2.0/24 system-dns=no

/ip ipsec policy group
add name=vpn

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn

/ip ipsec peer
add exchange-mode=aggressive name=vpn passive=yes profile=vpn send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h name=vpn pfs-group=modp2048

/ip ipsec identity
add generate-policy=port-strict mode-config=vpn peer=vpn policy-template-group=vpn secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes

What did I miss?

Joris
 
sindy
Forum Guru
Posts: 5918
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dynamic IPSec policy isn't created

Tue Oct 13, 2020 4:37 pm

I cannot see anything wrong in your configuration (except that I've read somewhere that aggressive mode is not considered secure any more, but I'm no crypto expert, and it's off-topic anyway), so the only issue I can imagine is a bug associated with IKE(v1)'s policy negotiation (or specifically with aggressive mode), or a mismatch between the proposed lists of transforms for phase 2 (/ip ipsec proposal).

Mikrotik's log should show you enough info if you:
  • terminate the Shrew connection
  • set /system logging add topics=ipsec,!packet
  • run /log print follow-only file=ipsec-start where topics~"ipsec"
  • start the Shrew connection and wait until it reaches a stable state (which takes less than a second if I remember correctly)
  • break the /log print ...
  • download the file ipsec-start.txt and start studying it.
Do you have any specific reason to use Shrew rather than the Windows embedded VPN client in IKEv2 mode?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jan 03, 2019 5:26 pm

Re: Dynamic IPSec policy isn't created

Fri Oct 16, 2020 7:25 pm

Thanks for your answer, I will try to log this way.

And I will try to use the embedded IKEv2 client, which I didn't know was a thing :/

That's why I was using Shrew...

Joris
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jan 03, 2019 5:26 pm

Re: Dynamic IPSec policy isn't created

Mon Oct 19, 2020 5:49 pm

Hello,

So I tried the embedded IKEv2 client, but, correct me if I'm wrong, it needs either a certificate or a login/password.
In ROS I use a PSK (and don't want to use certificates), so it can't work...
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jan 03, 2019 5:26 pm

Re: Dynamic IPSec policy isn't created

Mon Oct 19, 2020 6:26 pm

So, with the logs, I found the problem!

This line was wrong:

/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes

The correct one is:

/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=0.0.0.0/0 template=yes

I'm not sure I understand why, but I'm happy with that...

Joris
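Why widening the template's src-address fixes it: RouterOS only generates a dynamic policy from a template when the traffic selectors negotiated in phase 2 (quick mode) fit inside the template in both directions, i.e. the template's src-address must contain the subnet the peer wants to reach behind the router, and its dst-address must contain the peer's own address. The model below is an added example, not code from the thread or from MikroTik; it assumes (since the thread does not quote the log) that the Shrew client proposed 0.0.0.0/0 as its remote selector rather than the split-include subnet, which is the one input for which the original template fails and the corrected one succeeds. The client address 172.16.100.5 is constructed from the pool-vpn range in the posted config.

```python
"""Model of RouterOS IPsec policy-template matching against the traffic
selectors negotiated in IKEv1 phase 2 (quick mode).

Added example for the thread above; not MikroTik code.  The matching rule
(negotiated selectors must be contained in the template in both directions)
follows the RouterOS manual; the client-side selector 0.0.0.0/0 below is an
ASSUMPTION about what the Shrew client proposed, not something quoted in the
thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PolicyTemplate:
    group: str
    src_address: str  # router (local) side the template permits
    dst_address: str  # peer (remote) side the template permits


def subnet_of(inner: str, outer: str) -> bool:
    """True if `inner` lies entirely inside `outer` (same address family)."""
    i = ipaddress.ip_network(inner, strict=False)
    o = ipaddress.ip_network(outer, strict=False)
    return i.version == o.version and i.subnet_of(o)


def template_matches(tpl: PolicyTemplate, local: str, remote: str) -> bool:
    """Both negotiated selectors must fit inside the template.

    `local`  = subnet behind the router the peer asks to reach
               (checked against the template's src-address)
    `remote` = the peer's own selector, here its mode-config address
               (checked against the template's dst-address)
    """
    return subnet_of(local, tpl.src_address) and subnet_of(remote, tpl.dst_address)


def select_template(templates: Iterable[PolicyTemplate], group: str,
                    local: str, remote: str) -> Optional[PolicyTemplate]:
    """First template in the identity's policy-template-group that matches."""
    for tpl in templates:
        if tpl.group == group and template_matches(tpl, local, remote):
            return tpl
    return None  # RouterOS logs a phase 2 failure: no matching policy


# The two templates from the thread (group=vpn, template=yes).
ORIGINAL = PolicyTemplate("vpn", "192.168.2.0/24", "172.16.100.0/24")
CORRECTED = PolicyTemplate("vpn", "0.0.0.0/0", "172.16.100.0/24")


def scenario() -> dict:
    """Constructed scenario: one client, two possible remote selectors.

    Returns, per selector the client might propose, whether each template
    would let a dynamic policy be created.
    """
    client = "172.16.100.5/32"  # constructed: an address from pool-vpn
    proposals = {
        "split_subnet": "192.168.2.0/24",  # client honours split-include
        "everything": "0.0.0.0/0",         # ASSUMED Shrew behaviour
    }
    results = {}
    for name, wants in proposals.items():
        results[name] = {
            "original": select_template([ORIGINAL], "vpn", wants, client) is not None,
            "corrected": select_template([CORRECTED], "vpn", wants, client) is not None,
        }
    return results


if __name__ == "__main__":
    for selector, outcome in scenario().items():
        print(f"client proposes {selector:12s} -> "
              f"original template: {outcome['original']}, "
              f"corrected template: {outcome['corrected']}")
```

The caveat that goes with the fix: a template with src-address=0.0.0.0/0 accepts any destination the client proposes, so the dynamic policy can tunnel traffic to anything the router can forward to, not just 192.168.2.0/24. The address list VPN in the posted config is the right place to keep that in check with firewall filter rules, since the policy template no longer limits it.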
