MikroTik

Hi,

today I discovered a strange behaviour between a linux client using strongSwan and an RB1100AHx4.

One of our customers is using the MikroTik as IPSec concentrator, were many IPSec connections were terminated and routed from the MikroTik into the customers network. While analyzing another Problem on the linux machine i stumbled about the following:

The linux machine (running strongSwan) has an established IPSec connection and traffic is exchanged trough IPSec. To analyze the traffic which is sent using IPSec I created a rule to forward all decapsulated IPSec traffic to NFLOG. Like described in the strongsSwan Wiki (https://wiki.strongswan.org/projects/st ... rafficDump).

While analyzing the traffic (captured with tcpdump and forwarded to a machine running wireshark) I saw some packets were missing in the protocol which uses the IPSec connection. After starting another tcpdump on the interface which is used to establish the VPN connection. I can see that the missing packets were arriving on this interface.

Our customer is using IPSec, IKEv2 and Mode Conf.
The linux machines define a "virtual IP address" which matches the Mode Config defined on the MikroTik Router. The Virtual IP-Adresses were used in the customers network to route the Packets to the MikroTik (IPSec concentrator)

The RB1100 has an established IPSec connection, a ChildSA is created and a dynamic policy exists which defines that all data moves from 10.0.0.0/8 to the Virtual IP has to be encrypted.

BUT I can see there are some packages which doesn't follow this policy. I can see data Data from a host 10.x.y.z arriving on interface on the linux machine which should have been sent over IPSec.

Unfortunately I'm not allowed to shared the configuration or a supout.rif of the MikroTik Router because of an NDA.

Does anyone have an idea, or have seen a similar behaviour?

Kind regards

I faced wrong IPSEC behavior in 7.1b4. Packets route wrong way, in my case it was IPSEC tunnel where packets should not be routed to. Support looked at dumps and told it’s working, no packets routed wrong. I believe my eyes, not support, when I see tcpdump’ed traffic at the end of the tunnel, at strongswan server. I may assume something broken in core. Many weeks they don’t offer any solution, you may ask why I use beta, but they sold me device which supports only beta. I don’t know if it is your case or not, or you use more stable firmware, but your problem may be similar to mine.

What is the share (percentage) of packets missed by the policy? Is fasttracking disabled?

The Router is running some of the latest ROS6.4x stable release, which exactly I don't know. I have currently no access to the device.

@sindy
It depends on how much packets are transmitted per seconds. Further investigation showed that repeatedly every 10 seconds a packet is arrives on the interface which is not IPSec encapsulated. I think repeating every 10 seconds is the remarkable point.

The running protocol causes very low traffic (arround 20 captured packets in wireshark per minute) only when some events occur there is more traffic, but usally not more then 100 packets per minute.

I think fasttrack is not running on the device. At least there is no Firewall Rule defined with action=fasttrack-connection. Just a statefull firewall configuration with arround 40 rules.

The capture on the interface shows 2 to 5 ESP entries, and the one which should have been IPSec encapsultated. And I can only see packets coming from network to the linux machiche.
(10.x.y.z src-address) and as target the "virtual ip" (mode conf)