eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

On IPsec tunnel termination, existing stream impacted

Sat Jun 12, 2021 3:23 pm

Hi All,

Could you help me figure out why, when I disconnect my IPsec tunnel, I have existing connections to the internet that no longer receive traffic?

Network diagram enclosed.

Scenario / use case:
1- a user on the PC is having a Skype call or following a webinar with someone on the internet (or any other real-time type of traffic that makes the issue very visible)
2- the mikrotik creates an IPsec tunnel towards the remote LAN (in this scenario the mikrotik is the VPN client)
3- the IPsec tunnel terminates
4- the webinar/Skype call freezes (and the mikrotik firewall reports plenty of packets discarded)

It seems that once the IPsec tunnel terminates, existing connections that have nothing to do with that tunnel get impacted.

Could you please help me troubleshoot this error?

I have srcnat rules for both outgoing traffic towards the internet and traffic for the remote lan via IPsec.
No matter the order of those rules, I still get this behavior.

Kind Regards
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: On IPsec tunnel termination, existing stream impacted

Sat Jun 12, 2021 5:29 pm

There is no way to troubleshoot that without configuration included.
However, I would recommend that, instead of using a direct IPsec tunnel, you use a GRE or IPIP tunnel with IPsec encryption between the two LAN networks.
That will solve many problems, including the workarounds you need for NAT etc.
Just create such an interface on each end, set an IP address on each end (e.g. 192.168.0.1/30 and 192.168.0.2/30) and set a static route for 192.168.x.0/24 with gateway set to the tunnel IP of the remote end.
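A minimal RouterOS configuration for the GRE-over-IPsec interface described above, added here as an example; it is not pe1chl's or MikroTik's own snippet. The public endpoint addresses (203.0.113.10 locally, 198.51.100.20 remote), the remote LAN 192.168.2.0/24 and the shared secret are assumed values, and the remote router gets the mirror image of the same configuration.

```routeros
# Added example (not from the thread). Assumed values: 203.0.113.10 is this
# router's public address, 198.51.100.20 the remote router, 192.168.2.0/24 the
# remote LAN and the secret a placeholder; replace all of them.
# Setting ipsec-secret makes RouterOS create the IPsec peer, identity and a policy
# covering only protocol-47 (GRE) traffic between the two public addresses.
/interface gre
add name=gre-remote local-address=203.0.113.10 remote-address=198.51.100.20 \
    ipsec-secret="CHANGE-ME-long-random-secret"

# point-to-point addressing on the tunnel: 192.168.0.1/30 here, 192.168.0.2/30 on the far end
/ip address
add address=192.168.0.1/30 interface=gre-remote

# route the remote LAN via the far end's tunnel address (no NAT needed for this traffic)
/ip route
add dst-address=192.168.2.0/24 gateway=192.168.0.2

# Only needed if the input chain drops by default: let IKE, ESP and GRE from the
# peer in. The GRE rule matches only packets that arrived inside the IPsec SA,
# so cleartext GRE from anyone else is still dropped.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=198.51.100.20 \
    comment="IKE from GRE peer"
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.20 \
    comment="ESP from GRE peer"
add chain=input action=accept protocol=gre src-address=198.51.100.20 ipsec-policy=in,ipsec \
    comment="GRE from peer, only after IPsec decryption"
```

The filter rules are appended at the end of the input chain, so on a router that already ends the chain with a drop rule they need `place-before=` pointing at that drop rule to take effect. After the tunnel is up, `/ip ipsec policy print` shows the dynamically created policy, which is what keeps it from touching the 192.168.x.x connections in the connection tracking table.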
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Sun Jun 13, 2021 5:47 pm

Hi pe1chl,

thanks for your response,

I understand your alternative to build a GRE tunnel (or IPIP). It could be easier indeed.
I attempted exploring this first, but I'm not sure this is applicable: I don't control the remote gateway and it expects an IPsec connection (authentication in the form of IKEv1 PSK + XAUTH).
When setting up a GRE, I cannot find anywhere to define what DH group to use, or the encryption algorithm to use (DES, AES ...).

On a side note, I should add that my interest is for my lan to access the remote lan, not vice-versa.
In other words, I'm not after a 2-sided site2site setup, but rather a 1-sided one: to give the hosts behind my router access to the remote subnet.
But it's a marginal comment just to ensure the proper context is set: even if we establish a 2-sided site2site setup, then I would be able to restrict flows with firewall rules.

Unless you have other views, it seems I'm stuck with the current setup I have: in /IP IPSec, to define the connection parameters for Mikrotik to act as a VPN IPSec client.


Here below is my relevant configuration in the srcnat:
/ip firewall address-list add address=192.168.1.0/24 comment="Local subnet" list=subnetLocal
/ip firewall address-list add address=192.168.2.0/24 comment="Remote subnet" list=subnetRemote

/ip firewall nat
# local LAN -> remote LAN is translated to the address assigned by the VPN server
add action=src-nat chain=srcnat comment="nat local lan to remote lan" dst-address-list=subnetRemote src-address-list=subnetLocal to-addresses=192.168.2.201
# ipsec-policy=out,none: only packets that will NOT be IPsec-encrypted are masqueraded
add action=masquerade chain=srcnat comment="NAT to WAN1" ipsec-policy=out,none out-interface="WAN1(ETH)"
As you guessed, 192.168.2.201 is the static IP the mikrotik router receives when establishing the VPN connection.

Is there some advice you could share to troubleshoot this situation?

Thanks
Last edited by eguun on Sun Jun 13, 2021 6:04 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: On IPsec tunnel termination, existing stream impacted  [SOLVED]

Sun Jun 13, 2021 6:03 pm

You could try to replace masquerade with src-nat and the external address that is on wan1. Hopefully it is static.
This can sometimes fix problems, sometimes it can introduce new problems.
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Sun Jun 13, 2021 6:07 pm

Thanks, I will give it a try.

I explored the GRE setup a bit further, and it seems I have nowhere to set up the DH group to use or the encryption algorithm (DES, 3DES, AES ...).
I edited my post, but you already answered.

By any chance, do you know if this is configurable?
If yes, where do I do it? It doesn't seem to be documented here: https://wiki.mikrotik.com/wiki/Manual:Interface/Gre
If no, what settings are used by default for DH and encryption?

Thanks
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Sun Jun 13, 2021 6:12 pm

In the meantime, I experimented with changing from src-nat to masquerade and hardcoding the IP; it doesn't change the behavior unfortunately: I'm still getting packets dropped from an internet stream when IPsec disconnects from the remote lan.

doesn't work
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Sun Jun 13, 2021 6:34 pm

I experimented further:

- I disabled srcnat, except the one for masquerading the lan to the internet.
- With the mikrotik router, I established an IPsec connection to the remote lan.
- (no traffic could go through from my lan since the srcnat rule was disabled)
- When disconnecting the IPsec tunnel, again the same behavior occurred: packets dropped from an internet stream when IPsec disconnects from the remote lan.

Conclusion:
since all nat was disabled and still the error occurs, I'm not sure this issue is with the nat.
What other areas could cause this issue and be worth troubleshooting?

Thanks
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: On IPsec tunnel termination, existing stream impacted

Sun Jun 13, 2021 8:08 pm

When you cannot control what the remote end does, you cannot simply switch to GRE tunneling. You need cooperation from the other end.
To control the settings of the encryption parameters, you need to set up the IPsec manually instead of by setting it in the GRE interface.
You can look at what is created dynamically in IPsec when you set IPsec in the GRE interface, then unset that and create the same IPsec settings manually.
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Mon Jun 14, 2021 9:33 am

Thanks pe1chl,

I'm not sure the effort invested in moving away from NAT to GRE is the solution to my issue at hand:
If I disable all my nat (except the nat to internet), then I still face this issue detailed in the first post.
So I'm doubtful that the nat itself is the cause of this misbehavior.
You can look at what is created dynamically in IPsec when you set IPsec in the GRE interface, then unset that and create the same IPsec settings manually.
-> that I have done: currently (and before the first post) the router has all IPsec parameters defined in /IP IPsec.
Following your advice, I have kept my IPsec settings and added a GRE interface to match the remote lan subnet. And it seems to pick up the traffic (i.e. both TX and RX counters increment when traffic flows). So all good there.
But as described above, this still doesn't fix my issue: even with all nat disabled, I still get that issue: packets dropped from an internet stream when IPsec disconnects from the remote lan.

Is there any other area I could troubleshoot?
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: On IPsec tunnel termination, existing stream impacted

Mon Jun 14, 2021 10:45 am

I have no idea why that would happen.
Issues that could occur:
- a quite wide IPsec policy is active and when it terminates it disturbs the connection tracking (that should not occur with GRE/IPsec, as the policy covers only protocol-47 traffic between the 2 public IP addresses, nothing related to 192.168.x.x)
- a masquerade rule will clear all active sessions when it thinks the public IP connection has changed. src-nat will not do that. That is why I recommended src-nat.
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Mon Jun 14, 2021 11:07 am

Thanks pe1chl,

I will work and test around these 2 areas: policies and GRE.

Maybe worth mentioning: my router is NATed behind another gateway that owns the public IP.
So when I replaced masquerade with srcnat, the static IP I wrote was a private IP address.
Do you think this could play a role?

Thanks
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Mon Jun 14, 2021 2:33 pm

Update:
I have experimented further, disabling all ipsec policies and all nat, and the issue disappeared when I replaced the masquerade nat with srcnat.
I kept masquerade replaced with srcnat and re-enabled all that I had disabled, and the issue seems gone.

So in short: your first advice to replace masquerade with srcnat seems to work ... and I don't know why it didn't work when I tried it yesterday.
Many thanks pe1chl

I'm now further testing this new setup ... keeping my fingers crossed that it works in the long run.

@pe1chl: you mentioned that replacing masquerade with srcnat could bring some other issues. What type of other issues do you have in mind?
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: On IPsec tunnel termination, existing stream impacted

Mon Jun 14, 2021 7:24 pm

The issue is that when the public IP changes, there would have to be a script to change the src-nat rule and delete all the connections.
Masquerade does this automatically.
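The two points pe1chl makes in this thread (an explicit src-nat rule instead of masquerade so that an IPsec policy going away does not flush unrelated connections, and a script that takes over the one job masquerade did automatically when the WAN address changes) in one RouterOS configuration, added here as an example and not taken from the thread or from MikroTik. The interface name WAN1(ETH) and the rule comment "NAT to WAN1" come from eguun's posted configuration; the address 192.0.2.10 is a constructed placeholder for whatever address sits on WAN1, and the script assumes WAN1 carries exactly one IP address.

```routeros
# Added example (not from the thread). 192.0.2.10 is a constructed placeholder
# for the address on WAN1(ETH); the script below keeps it in sync.
# Explicit src-nat instead of masquerade: ipsec-policy=out,none still keeps
# traffic that is about to be IPsec-encrypted out of this rule.
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to WAN1" ipsec-policy=out,none \
    out-interface="WAN1(ETH)" to-addresses=192.0.2.10

# Watcher script: compare the address currently on WAN1(ETH) with the address
# the src-nat rule uses. Only when they differ, rewrite the rule and drop the
# tracked connections that still reply to the old address. Assumes a single
# address on WAN1(ETH); with several, pick the right one in the find.
/system script
add name=wan1-srcnat-sync policy=read,write,test source={
    :local addr [/ip address get [find interface="WAN1(ETH)" !disabled] address]
    # strip the "/prefix-length" part, e.g. "192.0.2.10/24" -> "192.0.2.10"
    :local ip [:pick $addr 0 [:find $addr "/"]]
    :local rule [/ip firewall nat find comment="NAT to WAN1"]
    :local cur [/ip firewall nat get $rule to-addresses]
    :if ($ip != $cur) do={
        :log info ("WAN1 address changed from " . $cur . " to " . $ip . ", updating src-nat")
        /ip firewall nat set $rule to-addresses=$ip
        # connections translated to the old address can never complete; remove
        # them so clients re-establish through the new address
        /ip firewall connection remove [find reply-dst-address~("^" . $cur . ":")]
    }
}

# run the check every 30 seconds; nothing happens while the address is unchanged
/system scheduler
add name=wan1-srcnat-sync interval=30s on-event=wan1-srcnat-sync
```

The difference from masquerade is what triggers the flush: masquerade clears connections whenever it believes the interface address changed, which in this thread was also happening when the IPsec policy went away, whereas the script only acts on a real change of the address on WAN1. A quick check after the tunnel drops is `/ip firewall connection print where reply-dst-address~"^192.0.2.10:"`; the internet streams should still be listed.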
 
eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

Re: On IPsec tunnel termination, existing stream impacted

Mon Jun 14, 2021 8:27 pm

Thanks pe1chl,

Yes, I understand, it makes sense that one has to maintain this hardcoded parameter.
But on the connection-killing part, is this really important, or would these connections eventually die out?

Cheers
