Hello,
Looks like an IPsec IKE2 bug @ ROS.
I have set up an IPsec IKE2 tunnel from a MikroTik to a Cisco ASA, but got packet loss after a short time.
The log files show me:
Initial Request 10.12.xxx.yyy > 10.29.aaa.bb (cisco asa 2 mikrotik)
May 17 20:45:50 ipsec processing payload: TS_I
May 17 20:45:50 ipsec 10.12.xxx.yyy
May 17 20:45:50 ipsec 10.12.0.0/16
May 17 20:45:50 ipsec processing payload: TS_R
May 17 20:45:50 ipsec 10.29.aaa.bb
May 17 20:45:50 ipsec 10.29.0.0/16
May 17 20:45:50 ipsec canditate selectors: 10.29.aaa.bb <=> 10.12.xxx.yyy
May 17 20:45:50 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.xxx.yyy
May 17 20:45:50 ipsec canditate selectors: 10.29.aaa.bb <=> 10.12.0.0/16
May 17 20:45:50 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 20:45:50 ipsec searching for policy for selector: 10.29.aaa.bb <=> 10.12.xxx.yyy
May 17 20:45:50 ipsec recorded wild match: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 20:45:50 ipsec updated selector: 10.29.aaa.bb <=> 10.12.0.0/16
May 17 20:45:50 ipsec IPsec-SA established: CISCO-IP[500]->MIKROTIK-IP[500] spi=0xd860bfb
May 17 20:45:50 ipsec IPsec-SA established: MIKROTIK-IP[500]->CISCO-IP[500] spi=0x26e99e7d
Initial Request 10.29.aaa.bb > 10.20.6.201 (mikrotik 2 cisco asa)
May 17 20:45:57 ipsec initiator selector: 10.29.0.0/16
May 17 20:45:57 ipsec adding payload: TS_I
May 17 20:45:57 ipsec responder selector: 10.20.0.0/16
May 17 20:45:57 ipsec adding payload: TS_R
May 17 20:45:57 ipsec processing payload: TS_I
May 17 20:45:57 ipsec 10.29.0.0/16
May 17 20:45:57 ipsec processing payload: TS_R
May 17 20:45:57 ipsec 10.20.0.0/16
May 17 20:45:57 ipsec my vs peer's selectors:
May 17 20:45:57 ipsec 10.29.0.0/16 vs 10.29.0.0/16
May 17 20:45:57 ipsec 10.20.0.0/16 vs 10.20.0.0/16
May 17 20:45:57 ipsec IPsec-SA established: CISCO-IP[500]->MIKROTIK-IP[500] spi=0x3b1ac0a
May 17 20:45:57 ipsec IPsec-SA established: MIKROTIK-IP[500]->CISCO-IP[500] spi=0x3756b15d
Initial Request 10.12.vvv.www > 10.29.ccc.dd (cisco asa 2 mikrotik)
May 17 21:04:25 ipsec processing payload: TS_I
May 17 21:04:25 ipsec 10.12.vvv.www
May 17 21:04:25 ipsec 10.12.0.0/16
May 17 21:04:25 ipsec processing payload: TS_R
May 17 21:04:25 ipsec 10.29.ccc.dd
May 17 21:04:25 ipsec 10.29.0.0/16
May 17 21:04:25 ipsec canditate selectors: 10.29.ccc.dd <=> 10.12.vvv.www
May 17 21:04:25 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.vvv.www
May 17 21:04:25 ipsec canditate selectors: 10.29.ccc.dd <=> 10.12.0.0/16
May 17 21:04:25 ipsec canditate selectors: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 21:04:25 ipsec searching for policy for selector: 10.29.ccc.dd <=> 10.12.vvv.www
May 17 21:04:25 ipsec recorded wild match: 10.29.0.0/16 <=> 10.12.0.0/16
May 17 21:04:25 ipsec updated selector: 10.29.ccc.dd <=> 10.12.0.0/16
May 17 21:04:25 ipsec initiator selector: 10.12.0.0/16
May 17 21:04:25 ipsec adding payload: TS_I
May 17 21:04:25 ipsec responder selector: 10.29.ccc.dd
May 17 21:04:25 ipsec adding payload: TS_R
May 17 21:04:25 ipsec IPsec-SA established: CISCO-IP[500]->MIKROTIK-IP[500] spi=0xa63194d
May 17 21:04:25 ipsec IPsec-SA established: MIKROTIK-IP[500]->CISCO-IP[500] spi=0x4dcceb7c
If Cisco starts an SA, there will be IP to /16 net.
If MikroTik starts an SA, there will be /16 net to /16 net.
So I get 2 * 2 SAs
for "10.29.aaa.bb <=> 10.12.0.0/16"
and "10.29.ccc.dd <=> 10.12.0.0/16".
When 10.12.xxx.yyy sends a ping to 10.29.aaa.bb it goes through the correct SA,
but the return packet goes through the later added wrong SA.
It sends the ping via 0xd860bfb and gets the response via 0x4dcceb7c, and the ASA drops this:
ciscolog: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= xxxxxxxxx, sequence number= yyyy)
from MIKROTIK-IP (user= MIKROTIK-IP) to CISCO-IP.
The decapsulated inner packet doesn't match the negotiated policy in the SA.
The packet specifies its destination as 10.12.xxx.yyy, its source as 10.29.aaa.bb, and its protocol as icmp.
The SA specifies its local proxy as 10.12.0.0/255.255.0.0/ip/0 and its remote_proxy as 10.29.ccc.dd/255.255.255.255/ip/0.
The IPsec policies are all defined as /16 and as unique.
With IKE1 all works OK.
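To make the failure mode in the post concrete, here is a constructed model of the SA database the log describes and of the two lookups involved: the sender's choice of outbound SA and the receiver's check that the decrypted inner packet lies within the SA's negotiated selector (the check behind the quoted %ASA-4-402116 message). This is example code added here, not RouterOS or ASA code. The selector shapes, policies and SPIs come from the post; the host addresses the post masks (10.12.xxx.yyy, 10.29.aaa.bb, 10.29.ccc.dd) are replaced by the constructed values 10.12.1.10, 10.29.1.20 and 10.29.1.30, and the "most recently installed SA under the matching policy" strategy is a model of the behaviour the post reports, not a documented algorithm.

```python
"""Constructed model of the SA-selection problem described in the post above.

Not RouterOS or ASA code. Selector shapes, policies and SPIs are taken from
the post; the host addresses the post masks (10.12.xxx.yyy, 10.29.aaa.bb,
10.29.ccc.dd) are replaced by the constructed values 10.12.1.10, 10.29.1.20
and 10.29.1.30.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Selector:
    """Traffic selector pair seen from the MikroTik side: local <=> remote."""
    local: str
    remote: str

    def matches(self, src: str, dst: str) -> bool:
        """True if a packet from src to dst lies inside this selector."""
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))


@dataclass(frozen=True)
class ChildSA:
    spi_in: int         # SPI on ESP packets arriving at the MikroTik
    spi_out: int        # SPI on ESP packets the MikroTik sends
    selector: Selector  # narrowed selector actually negotiated for this SA
    policy: Selector    # /16 <=> /16 policy the SA was installed under


POLICY_12 = Selector("10.29.0.0/16", "10.12.0.0/16")
POLICY_20 = Selector("10.29.0.0/16", "10.20.0.0/16")

# SA database in installation order, as the post's log shows: two
# Cisco-initiated SAs narrowed to host <=> /16 under the same /16 policy,
# and one MikroTik-initiated SA with /16 <=> /16 (constructed host addresses).
SAD: List[ChildSA] = [
    ChildSA(0x0d860bfb, 0x26e99e7d, Selector("10.29.1.20/32", "10.12.0.0/16"), POLICY_12),
    ChildSA(0x03b1ac0a, 0x3756b15d, Selector("10.29.0.0/16", "10.20.0.0/16"), POLICY_20),
    ChildSA(0x0a63194d, 0x4dcceb7c, Selector("10.29.1.30/32", "10.12.0.0/16"), POLICY_12),
]

Strategy = Callable[[List[ChildSA], str, str], Optional[ChildSA]]


def select_by_policy(sad: List[ChildSA], src: str, dst: str) -> Optional[ChildSA]:
    """Outbound lookup that matches the packet against the /16 policies and
    uses the most recently installed SA under that policy. Models the
    behaviour the post reports; not a documented RouterOS algorithm."""
    hits = [sa for sa in sad if sa.policy.matches(src, dst)]
    return hits[-1] if hits else None


def select_by_selector(sad: List[ChildSA], src: str, dst: str) -> Optional[ChildSA]:
    """Outbound lookup that requires the packet to fall inside the SA's own
    narrowed selector, so each SA only carries the traffic it negotiated."""
    hits = [sa for sa in sad if sa.selector.matches(src, dst)]
    return hits[-1] if hits else None


def peer_accepts(sa: ChildSA, src: str, dst: str) -> bool:
    """The receiving peer's inbound check: after decryption the inner packet
    must lie within the SA's negotiated selector, otherwise it is dropped
    (the condition reported by %ASA-4-402116 in the post)."""
    return sa.selector.matches(src, dst)


def simulate_reply(strategy: Strategy, src: str = "10.29.1.20",
                   dst: str = "10.12.1.10") -> Tuple[Optional[int], bool]:
    """Send the ICMP reply from the MikroTik side using the given lookup
    strategy; return (outbound SPI used, whether the peer accepted it)."""
    sa = strategy(SAD, src, dst)
    if sa is None:
        return None, False
    return sa.spi_out, peer_accepts(sa, src, dst)


def overlapping_policies(sad: List[ChildSA]) -> List[Selector]:
    """Diagnostic: policies carrying more than one SA with differing narrowed
    selectors. Traffic matching such a policy can be sent on an SA whose
    selector does not cover it, which the peer will then drop."""
    seen: Dict[Selector, Set[Selector]] = {}
    for sa in sad:
        seen.setdefault(sa.policy, set()).add(sa.selector)
    return [pol for pol, sels in seen.items() if len(sels) > 1]


if __name__ == "__main__":
    for name, strategy in (("policy lookup", select_by_policy),
                           ("selector lookup", select_by_selector)):
        spi, ok = simulate_reply(strategy)
        print(f"{name}: reply sent with SPI {spi:#x}, "
              f"{'accepted' if ok else 'dropped'} by peer")
    print("policies with conflicting SAs:", overlapping_policies(SAD))
```

Run as a script, the policy-level lookup reproduces the post's symptom: the reply to 10.12.1.10 leaves on SPI 0x4dcceb7c, whose negotiated selector is 10.29.1.30/32 <=> 10.12.0.0/16, and the peer's inbound check rejects it; the per-selector lookup picks SPI 0x26e99e7d and the reply is accepted. `overlapping_policies` is the check a defender would want in a log or SAD review: a single /16 policy with several differently narrowed SAs is exactly the state that produces these drops.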