mauricekleinaetherus
just joined
Topic Author
Posts: 3
Joined: Sat Dec 26, 2020 4:47 pm

IPsec dynamic IP address

Tue Dec 29, 2020 10:24 pm

Hello,

I'm trying to get IPsec connections from dynamic IP addresses to work, but I have some issues with that.
First of all, I can't successfully establish Phase One if the Identity for the peer with Address 0.0.0.0/0 has any Local ID or Remote ID set to anything other than auto.
The Log says:
22:14:42 ipsec,error 192.168.88.2 failed to get valid proposal.
22:14:42 ipsec,error 192.168.88.2 failed to pre-process ph1 packet (side: 1, status 1).
22:14:42 ipsec,error 192.168.88.2 phase1 negotiation failed.

As soon as I set the Address in the Peer, it works straight away without any changes to the Identity.

However, if I set the Local and Remote ID to auto, it works.

The second issue I have is that I have many peers that come from a dynamic IP, and for each of those I would need different policies.
Is there any way to identify a peer by its ID instead of using the address?
Before MikroTik I used a Bintec router, and that one always used the remote ID to identify the peer.
As far as I understood it, with MikroTik I can only have one peer with no address and therefore also only one profile, but multiple Identities for that peer.
That would also mean I can't assign different policies.
Is there any way to get multiple peers with dynamic IP addresses to work?
 
erkexzcx
Member Candidate
Posts: 151
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPsec dynamic IP address

Wed Dec 30, 2020 1:05 pm

You should learn how to write your questions in a more organized way. Code formatting is also a thing (useful for displaying logs).

If you want different policies for specific clients, then you should properly set up remote-id matching as well as specific mode configs and policies. I've done a similar thing here with a 3rd router.

Since you cannot match who is who by IP, try to find other ways to match users. Like some other IDs or certificates. Up to you here. :)

As I've mentioned, you should create a separate mode config, policy and identity for each peer that needs specific settings. For everything else, where the "static IP of ipsec/ike" does not matter, you can use an IP pool for automatic IP assignment to IPsec clients.
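The layout described above, as an added example that is not configuration posted in this thread: one passive peer with no address accepts every dynamic site, each site gets its own identity selected by the ID it sends, and each identity is bound to its own policy template group so a site can only bring up policies for the subnets it is allowed. Aggressive mode is kept because in IKEv1 main mode with pre-shared keys the responder has to pick the secret before it can see the initiator's ID, so ID-based matching of dynamic PSK peers relies on aggressive mode (IKEv2, exchange-mode=ike2, avoids that); the site names, 10.x subnets, the address 192.0.2.1 and the secret strings are assumed placeholders.

```routeros
# Added example, not from the thread. Hub side (static IP): one responder-only
# peer with no address accepts all dynamic sites; sites are told apart by the
# ID they send, and each identity may only instantiate its own policy templates.
# Placeholders: site names, 10.x subnets, 192.0.2.1 and the PSK strings.
/ip ipsec profile
add name=AES256-SHA256-DH14 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal
add name=site-prop enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec policy group
add name=siteB
add name=siteC
/ip ipsec peer
add name=dyn-peers passive=yes exchange-mode=aggressive profile=AES256-SHA256-DH14
# One identity per site: match-by=remote-id selects the identity (and so the PSK)
# from the ID the initiator sends; port-strict only accepts traffic selectors
# that fit a template in that identity's group.
/ip ipsec identity
add peer=dyn-peers auth-method=pre-shared-key match-by=remote-id my-id=fqdn:hub.example.net remote-id=fqdn:siteb.example.net secret="SITEB_PSK_PLACEHOLDER" generate-policy=port-strict policy-template-group=siteB
add peer=dyn-peers auth-method=pre-shared-key match-by=remote-id my-id=fqdn:hub.example.net remote-id=fqdn:sitec.example.net secret="SITEC_PSK_PLACEHOLDER" generate-policy=port-strict policy-template-group=siteC
/ip ipsec policy
add group=siteB template=yes src-address=10.0.0.0/24 dst-address=10.2.0.0/24 proposal=site-prop
add group=siteC template=yes src-address=10.0.0.0/24 dst-address=10.3.0.0/24 proposal=site-prop

# Spoke side (site B, dynamic IP), with the same profile and proposal defined
# as on the hub; 192.0.2.1 stands in for the hub's public address.
/ip ipsec peer
add name=hub address=192.0.2.1/32 exchange-mode=aggressive profile=AES256-SHA256-DH14
/ip ipsec identity
add peer=hub auth-method=pre-shared-key my-id=fqdn:siteb.example.net remote-id=fqdn:hub.example.net secret="SITEB_PSK_PLACEHOLDER" generate-policy=no
/ip ipsec policy
add peer=hub tunnel=yes src-address=10.2.0.0/24 dst-address=10.0.0.0/24 proposal=site-prop
```

With generate-policy=port-strict the hub only generates a policy when the proposed selectors fit a template in the matched identity's group, so a site whose ID matched still cannot negotiate traffic for another site's subnet.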
 
mauricekleinaetherus
just joined
Topic Author
Posts: 3
Joined: Sat Dec 26, 2020 4:47 pm

Re: IPsec dynamic IP address

Sat Jan 02, 2021 11:54 pm

Thank you for your reply.

My main problem is also that I can't match the identities by the remote ID.
If I configure an identity with a local or remote ID that isn't auto, phase one won't establish.

Here is the example configuration:

Site A with static IP 192.168.88.1:

/ip ipsec peer
add name="peer1" passive=yes profile=AES256-SHA256-DH14 exchange-mode=aggressive send-initial-contact=yes
/ip ipsec identity
add peer=peer1 auth-method=pre-shared-key my-id=fqdn:88.1 remote-id=fqdn:88.2 secret="test" generate-policy=no
Site B with dynamic IP:

/ip ipsec peer
add name="peer1" address=192.168.88.1/32 profile=AES256-SHA256-DH14 exchange-mode=aggressive send-initial-contact=yes
/ip ipsec identity
add peer=peer1 auth-method=pre-shared-key my-id=fqdn:88.2 remote-id=fqdn:88.1 secret="test" generate-policy=no
With this configuration I get the following error on Site A (static IP):
23:42:56 ipsec,error no identity suits proposal 
23:42:56 ipsec,error 192.168.88.2 failed to get valid proposal. 
23:42:56 ipsec,error 192.168.88.2 failed to pre-process ph1 packet (side: 1, status 1).
23:42:56 ipsec,error 192.168.88.2 phase1 negotiation failed.
When i change both IDs in Site A identity to auto (the default value) it works:

/ip ipsec identity
add peer=peer1 auth-method=pre-shared-key secret="test" generate-policy=no
Is that a bug, or why does it behave like that?
I've read the MikroTik IPsec wiki multiple times now but couldn't find anything about that behaviour.
Because I worked with many Bintec devices before, I know that it's possible to identify the peers by ID even when they're coming from a dynamic IP, but I can't set it up that way on the MikroTik.
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec dynamic IP address

Tue Jan 12, 2021 9:35 am

Just a shot into the darkness: I know that my-id and remote-id work normally in combination with pre-shared key authentication, but I've never used aggressive mode of IKE(v1), and I've never used just digits and dots as an fqdn-type ID, so maybe some formal check fails. So try, one by one, whether adding a letter to the beginning and end of each ID (such as a88.1a and b88.2b) and/or changing exchange-mode to main would help.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
