Hello,
I'm trying to get IPsec connections from dynamic IP Adresses to work, but I have some issues with that.
First of all I can't get it to succesfully establish Phase One if the Identety for the peer with Address 0.0.0.0/0 has any local ID or Remote ID then auto set.
The Log says:
22:14:42 ipsec,error 192.168.88.2 failed to get valid proposal.
22:14:42 ipsec,error 192.168.88.2 failed to pre-process ph1 packet (side: 1, statu
s 1).
22:14:42 ipsec,error 192.168.88.2 phase1 negotiation failed.
As soon as i set the Address in the Peer it straight works without any changes on the Identity.
However if i set the Local and Remote ID on auto it works.
The second issue i have, is that i have many peers that come from a dynamic IP and for every of those i would need different policies.
Is there any Way to identify a peer by it's ID instead of using the address.
Before Mikrotik i used a Bintec router and that one allways used the remote id to identify the peer.
As far as i understood it with Mikrotik I can only have one peer with no address and therefore also only one profile but multiple Identetys for that peer then.
That would also mean i can't assign different policies then.
Is there any way to get multiple peers with dynamic IP addresses to work?
Re: IPsec dynamic IP address
You should learn how to write your questions in a more organized way. Code formatting is also a thing (useful for displaying a logs).
If you want different policies for specific clients, then you should properly setup remote-id matching as well as specific mode configs and policies. I've done similar thing here with 3rd router.
Since you cannot match who is who by IP, try to find other ways to match users. Like some other IDs or certificates. Up to you here. :)
As I've mentioned, you should create a separate mode config, policy and identity for each peer you would need a specific settings. For everything else, where "static IP of ipsec/ike" does not matter, you can use ip pool for automatic IPs assignment for IPSEC clients.
If you want different policies for specific clients, then you should properly setup remote-id matching as well as specific mode configs and policies. I've done similar thing here with 3rd router.
Since you cannot match who is who by IP, try to find other ways to match users. Like some other IDs or certificates. Up to you here. :)
As I've mentioned, you should create a separate mode config, policy and identity for each peer you would need a specific settings. For everything else, where "static IP of ipsec/ike" does not matter, you can use ip pool for automatic IPs assignment for IPSEC clients.
-
-
mauricekleinaetherus
just joined
- Posts: 3
- Joined:
Re: IPsec dynamic IP address
Thank you for your reply.
My main problem is also, that i can't match the identities by the remote id.
If i configure an identity with a local or a remote id that isn't auto the phase one won't establish.
Here the example configuration:
Site A with static IP 192.168.88.1:
/ip ipsec peer
/ip ipsec identity
Site B with dynamic IP:
/ip ipsec peer
/ip ipsec identity
With this configuration i get the following error on Site A (Static IP)
When i change both IDs in Site A identity to auto (the default value) it works:
/ip ipsec identity
Is that a bug or why does it behave like that?
I've read the Mikrotik IPsec wiki multiple times now but couldn't find anything about that behaviour.
Becuase i worked with many Bintec devices before i know that it's possible to identify the peers by ID even when it's coming from an dynamic IP but i can't set it up that way on the Mikrotik.
My main problem is also, that i can't match the identities by the remote id.
If i configure an identity with a local or a remote id that isn't auto the phase one won't establish.
Here the example configuration:
Site A with static IP 192.168.88.1:
/ip ipsec peer
Code: Select all
name="peer1" passive=yes profile=AES256-SHA256-DH14
exchange-mode=aggressive send-initial-contact=yes
Code: Select all
peer=peer1 auth-method=pre-shared-key my-id=fqdn:88.1 remote-id=fqdn:88.2
secret="test" generate-policy=no
/ip ipsec peer
Code: Select all
name="peer1" address=192.168.88.1/32 profile=AES256-SHA256-DH14
exchange-mode=aggressive send-initial-contact=yes
Code: Select all
peer=peer1 auth-method=pre-shared-key my-id=fqdn:88.2 remote-id=fqdn:88.1
secret="test" generate-policy=no
Code: Select all
23:42:56 ipsec,error no identity suits proposal
23:42:56 ipsec,error 192.168.88.2 failed to get valid proposal.
23:42:56 ipsec,error 192.168.88.2 failed to pre-process ph1 packet (side: 1, statu
s 1).
23:42:56 ipsec,error 192.168.88.2 phase1 negotiation failed.
/ip ipsec identity
Code: Select all
peer=peer1 auth-method=pre-shared-key secret="test" generate-policy=no
I've read the Mikrotik IPsec wiki multiple times now but couldn't find anything about that behaviour.
Becuase i worked with many Bintec devices before i know that it's possible to identify the peers by ID even when it's coming from an dynamic IP but i can't set it up that way on the Mikrotik.
Re: IPsec dynamic IP address
Just a shot into the darkness: I know that my-id and remote-id work normally in combination with pre-shared key authentication, but I've never used aggresive mode of IKE(v1), and I've never used just digits and dots as fqdn-type ID, so maybe some formal check fails. So try, one by one, whether adding a letter to the beginning and end of each id (such as a88.1a and b88.2b) and/or changing exchange-mode to main would help.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.