guk
just joined
Topic Author
Posts: 19
Joined: Mon May 25, 2009 3:34 pm

IPsec IKEv2 to Cisco ASA

Tue May 18, 2021 11:36 pm

Hello,

Looks like an IPsec IKEv2 bug in RouterOS.

I have set up an IPsec IKEv2 tunnel from a MikroTik to a Cisco ASA, but get packet loss after a short time.
The log files show me:

Initial request 10.12.xxx.yyy > 10.29.aaa.bb (Cisco ASA to MikroTik)

May 17 20:45:50 ipsec processing payload: TS_I
May 17 20:45:50 ipsec 10.12.xxx.yyy
May 17 20:45:50 ipsec 10.12.0.0/16
May 17 20:45:50 ipsec processing payload: TS_R
May 17 20:45:50 ipsec 10.29.aaa.bb
May 17 20:45:50 ipsec 10.29.0.0/16
May 17 20:45:50 ipsec canditate selectors: 10.29.aaa.bb <=> 10.12.xxx.yyy
May 17 20:45:50 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.xxx.yyy
May 17 20:45:50 ipsec canditate selectors: 10.29.aaa.bb <=> 10.12.0.0/16
May 17 20:45:50 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 20:45:50 ipsec searching for policy for selector: 10.29.aaa.bb <=> 10.12.xxx.yyy
May 17 20:45:50 ipsec recorded wild match: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 20:45:50 ipsec updated selector: 10.29.aaa.bb <=> 10.12.0.0/16
May 17 20:45:50 ipsec IPsec-SA established: CISCO-IP[500]->MIKROTIK-IP[500] spi=0xd860bfb
May 17 20:45:50 ipsec IPsec-SA established: MIKROTIK-IP[500]->CISCO-IP[500] spi=0x26e99e7d


Initial request 10.29.aaa.bb > 10.20.6.201 (MikroTik to Cisco ASA)

May 17 20:45:57 ipsec initiator selector: 10.29.0.0/16
May 17 20:45:57 ipsec adding payload: TS_I
May 17 20:45:57 ipsec responder selector: 10.20.0.0/16
May 17 20:45:57 ipsec adding payload: TS_R
May 17 20:45:57 ipsec processing payload: TS_I
May 17 20:45:57 ipsec 10.29.0.0/16
May 17 20:45:57 ipsec processing payload: TS_R
May 17 20:45:57 ipsec 10.20.0.0/16
May 17 20:45:57 ipsec my vs peer's selectors:
May 17 20:45:57 ipsec 10.29.0.0/16 vs 10.29.0.0/16
May 17 20:45:57 ipsec 10.20.0.0/16 vs 10.20.0.0/16
May 17 20:45:57 ipsec IPsec-SA established: CISCO-IP[500]->MIKROTIK-IP[500] spi=0x3b1ac0a
May 17 20:45:57 ipsec IPsec-SA established: MIKROTIK-IP[500]->CISCO-IP[500] spi=0x3756b15d

Initial request 10.12.vvv.www > 10.29.ccc.dd (Cisco ASA to MikroTik)

May 17 21:04:25 ipsec processing payload: TS_I
May 17 21:04:25 ipsec 10.12.vvv.www
May 17 21:04:25 ipsec 10.12.0.0/16
May 17 21:04:25 ipsec processing payload: TS_R
May 17 21:04:25 ipsec 10.29.ccc.dd
May 17 21:04:25 ipsec 10.29.0.0/16
May 17 21:04:25 ipsec canditate selectors: 10.29.ccc.dd <=> 10.12.vvv.www
May 17 21:04:25 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.vvv.www
May 17 21:04:25 ipsec canditate selectors: 10.29.ccc.dd <=> 10.12.0.0/16
May 17 21:04:25 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 21:04:25 ipsec searching for policy for selector: 10.29.ccc.dd <=> 10.12.vvv.www
May 17 21:04:25 ipsec recorded wild match: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 21:04:25 ipsec updated selector: 10.29.ccc.dd <=> 10.12.0.0/16
May 17 21:04:25 ipsec initiator selector: 10.12.0.0/16
May 17 21:04:25 ipsec adding payload: TS_I
May 17 21:04:25 ipsec responder selector: 10.29.ccc.dd
May 17 21:04:25 ipsec adding payload: TS_R
May 17 21:04:25 ipsec IPsec-SA established: CISCO-IP[500]->MIKROTIK-IP[500] spi=0xa63194d
May 17 21:04:25 ipsec IPsec-SA established: MIKROTIK-IP[500]->CISCO-IP[500] spi=0x4dcceb7c


If Cisco starts an SA, it is IP to /16 net.
If MikroTik starts an SA, it is /16 net to /16 net.

So I get 2 * 2 SAs:
for "10.29.aaa.bb <=> 10.12.0.0/16"
and "10.29.ccc.dd <=> 10.12.0.0/16"

When 10.12.xxx.yyy sends a ping to 10.29.aaa.bb it goes through the correct SA,
but the return packet goes through the later-added, wrong SA.

It sends the ping via 0xd860bfb and gets the response via 0x4dcceb7c, and the ASA drops this:


Cisco log: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= xxxxxxxxx, sequence number= yyyy)
from MIKROTIK-IP (user= MIKROTIK-IP) to CISCO-IP.
The decapsulated inner packet doesn't match the negotiated policy in the SA.
The packet specifies its destination as 10.12.xxx.yyy, its source as 10.29.aaa.bb, and its protocol as icmp.
The SA specifies its local proxy as 10.12.0.0/255.255.0.0/ip/0 and its remote_proxy as 10.29.ccc.dd/255.255.255.255/ip/0.

The IPsec policies are all defined as /16 and as unique.

With IKEv1 all works OK.
 
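The mismatch the post describes can be reproduced in a small model. The following is an added example, not code from the thread, from RouterOS or from Cisco: it builds the three child SAs seen in the logs (MikroTik-to-ASA SPIs), sends the ICMP reply through a lookup that picks the newest SA under the /16 <=> /16 policy versus one that honours each SA's narrowed selectors, and runs the result through the receiver-side check that %ASA-4-402116 reports. The host addresses are illustrative stand-ins for the masked aaa.bb / ccc.dd / xxx.yyy values, and the "newest SA under the policy" lookup is an assumption made to explain the symptom, not a claim about how RouterOS actually selects SAs.

```python
"""Added example (not from the thread, RouterOS or Cisco): models the IKEv2
child-SA selector mismatch described in the post.

Two narrowed child SAs hang off one 10.29.0.0/16 <-> 10.12.0.0/16 policy after
the ASA initiates with host-specific traffic selectors.  A sender that picks an
SA by policy (newest first) instead of by the SA's own negotiated selectors puts
the reply into the wrong SA; the receiver checks every decapsulated packet
against that SA's selectors and drops it (the %ASA-4-402116 case).
Host addresses below are illustrative stand-ins for the masked ones in the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChildSA:
    spi_out: int          # SPI on packets this end (MikroTik) sends to the ASA
    local: IPv4Network    # negotiated selector for the MikroTik side
    remote: IPv4Network   # negotiated selector for the ASA side
    seq: int              # creation order; larger means negotiated later

    def covers(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.local and ip_address(dst) in self.remote


HOST_A = "10.29.1.10"   # stands in for 10.29.aaa.bb
HOST_B = "10.29.2.20"   # stands in for 10.29.ccc.dd
HOST_X = "10.12.3.30"   # stands in for 10.12.xxx.yyy

# Constructed SAD mirroring the three SA pairs in the logs (MikroTik -> ASA SPIs).
SAD: List[ChildSA] = [
    ChildSA(0x26E99E7D, ip_network(f"{HOST_A}/32"), ip_network("10.12.0.0/16"), seq=1),  # ASA-initiated, narrowed
    ChildSA(0x3756B15D, ip_network("10.29.0.0/16"), ip_network("10.20.0.0/16"), seq=2),  # MikroTik-initiated
    ChildSA(0x4DCCEB7C, ip_network(f"{HOST_B}/32"), ip_network("10.12.0.0/16"), seq=3),  # ASA-initiated, later
]

POLICY = (ip_network("10.29.0.0/16"), ip_network("10.12.0.0/16"))


def select_by_policy_newest(sad: List[ChildSA], policy=POLICY) -> Optional[ChildSA]:
    """Assumed faulty lookup: every SA whose selectors fall inside the /16<->/16
    policy is a candidate and the newest one wins, ignoring narrowed selectors."""
    local_net, remote_net = policy
    candidates = [sa for sa in sad
                  if sa.local.subnet_of(local_net) and sa.remote.subnet_of(remote_net)]
    return max(candidates, key=lambda sa: sa.seq, default=None)


def select_by_selector(sad: List[ChildSA], src: str, dst: str) -> Optional[ChildSA]:
    """Correct lookup: only SAs whose negotiated selectors contain the packet
    qualify; the most specific one is preferred."""
    candidates = [sa for sa in sad if sa.covers(src, dst)]
    return max(candidates, key=lambda sa: (sa.local.prefixlen, sa.remote.prefixlen), default=None)


def proxy_to_network(proxy: str) -> IPv4Network:
    """Parse the 'addr/mask/proto/port' proxy notation from the ASA message."""
    addr, mask = proxy.split("/")[:2]
    return ip_network(f"{addr}/{mask}", strict=False)


def asa_inbound_check(sa: ChildSA, inner_src: str, inner_dst: str) -> Tuple[str, str]:
    """Receiver-side check on a decapsulated ESP packet. From the ASA's view,
    sa.local is its remote proxy and sa.remote is its local proxy."""
    if sa.covers(inner_src, inner_dst):
        return "accept", f"spi=0x{sa.spi_out:x} ok"
    return "drop", (f"spi=0x{sa.spi_out:x}: inner {inner_src}->{inner_dst} outside "
                    f"remote_proxy {sa.local} / local_proxy {sa.remote}")


def reply_path(sad: List[ChildSA], src: str, dst: str, selector_aware: bool) -> Tuple[str, str]:
    """Send the ICMP reply via the chosen lookup and run the receiver's check."""
    sa = select_by_selector(sad, src, dst) if selector_aware else select_by_policy_newest(sad)
    if sa is None:
        return "drop", "no SA"
    return asa_inbound_check(sa, src, dst)


if __name__ == "__main__":
    # The ping 10.12.xxx.yyy -> 10.29.aaa.bb arrived on the first SA; now the reply.
    print(reply_path(SAD, HOST_A, HOST_X, selector_aware=False))  # dropped: wrong SA
    print(reply_path(SAD, HOST_A, HOST_X, selector_aware=True))   # accepted
    print(proxy_to_network("10.12.0.0/255.255.0.0/ip/0"))
```

The practical check this suggests: on the MikroTik, compare the SA the reply actually leaves on (`/ip ipsec installed-sa print` shows SPIs) against the selectors of that SA; if the inner addresses are outside them, the peer will drop exactly as the 402116 message states, and the decision to pin the traffic to one SA per host pair versus one per policy is what has to be settled on both ends.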
RiFF
newbie
Posts: 35
Joined: Sun Apr 29, 2018 9:35 pm

Re: IPsec IKEv2 to Cisco ASA

Thu May 20, 2021 10:31 am

What RouterOS version and ASA image do you have? I have some IKEv2 site-to-site tunnels between MikroTik (6.48.2) / ASA ver 9.12(3)12 and I don't see any problems with packet loss.
 
guk
just joined
Topic Author
Posts: 19
Joined: Mon May 25, 2009 3:34 pm

Re: IPsec IKEv2 to Cisco ASA

Thu May 20, 2021 3:55 pm

ROS 6.47.9.
The ASA is at a customer; I don't know, but it should be a current version.

Packet loss starts when a second SA on the same policy is initiated,
so a random ping from another address can cause the tunnel to stop working.
As long as just one IP to another is active, it is OK.
As long as MikroTik sends the first packet, all is OK.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: IPsec IKEv2 to Cisco ASA

Wed Dec 15, 2021 11:36 am

> The ASA is at a customer; I don't know, but it should be a current version.
Here you have the answer: viewtopic.php?t=117345#p579708
With more than one policy, only one SA is used, which gives communication only on one encryption domain / prefix selector while the others do not work. Level=unique solves the problem.
