cdjb
just joined
Topic Author
Posts: 4
Joined: Tue Jul 27, 2021 7:13 pm

ipsec issue Firmware 6.45+

Tue Aug 03, 2021 12:20 pm

We have upgraded our MikroTik (Roadwarrior setup?) from 6.44.5/6 to the latest long-term version 6.47.10. This didn't work even when the peer was set.

To find out where the issue occurred I've downgraded to the first version that uses peer in /ip ipsec policy.

I've added the peer correctly I think.
6.44.5
/ip ipsec policy
add dst-address=0.0.0.0/0 level=unique sa-dst-address=<strongswan-internet-ip> \
sa-src-address=0.0.0.0 src-address=172.26.28.56/29 tunnel=yes
add dst-address=172.26.0.0/16 level=unique sa-dst-address=<strongswan-internet-ip> \
sa-src-address=0.0.0.0 src-address=172.26.30.56/29 tunnel=yes

6.45.9
/ip ipsec policy
add action=none dst-address=172.26.28.0/22 src-address=172.26.28.0/22
add dst-address=0.0.0.0/0 level=unique peer=peer1 sa-dst-address=\
<strongswan-internet-ip> sa-src-address=0.0.0.0 src-address=172.26.28.56/29 tunnel=\
yes
add dst-address=172.26.0.0/16 level=unique peer=peer1 sa-dst-address=\
<strongswan-internet-ip> sa-src-address=0.0.0.0 src-address=172.26.30.56/29 tunnel=\
yes

To me the configuration looks fine.

When using firmware version 6.44.5 the ipsec connection is set up correctly.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
profile_1
/ip ipsec peer
add address=<strongswan-internet-ip>/32 exchange-mode=ike2 name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 lifetime=1h pfs-group=none
/ip ipsec identity
add auth-method=rsa-signature certificate=<my-cert> \
generate-policy=port-strict peer=peer1 remote-id=ignore
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=172.26.28.0/22 src-address=172.26.28.0/22
add dst-address=0.0.0.0/0 level=unique sa-dst-address=<strongswan-internet-ip> \
sa-src-address=0.0.0.0 src-address=172.26.28.56/29 tunnel=yes
add dst-address=172.26.0.0/16 level=unique sa-dst-address=<strongswan-internet-ip> \
sa-src-address=0.0.0.0 src-address=172.26.30.56/29 tunnel=yes

strongswan log
Aug 2 16:52:04 strongswan ipsec[508]: 05[NET] received packet: from <hex-behind-nat-internet-ip>[4500] to <strongswan-internet-ip>[4500] (240 bytes)
Aug 2 16:52:04 strongswan ipsec[508]: 05[ENC] parsed CREATE_CHILD_SA response 45 [ No TSi TSr SA ]
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] selecting proposal:
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] proposal matches
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] selecting traffic selectors for us:
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] selecting traffic selectors for other:
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] config: 172.26.28.56/29, received: 172.26.28.56/29 => match: 172.26.28.56/29
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] config: 172.26.30.56/29, received: 172.26.28.56/29 => no match
Aug 2 16:52:04 strongswan ipsec[508]: 05[IKE] CHILD_SA mikrotik-hex{100420} established with SPIs caf85ecb_i 081e4c00_o and TS 0.0.0.0/0 === 172.26.28.56/29
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] proposing traffic selectors for us:
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] 0.0.0.0/0
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] proposing traffic selectors for other:
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] 172.26.28.56/29
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] 172.26.30.56/29
Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug 2 16:52:04 strongswan ipsec[508]: 05[IKE] establishing CHILD_SA mikrotik-hex{100421} reqid 1432
Aug 2 16:52:04 strongswan ipsec[508]: 05[ENC] generating CREATE_CHILD_SA request 46 [ SA No TSi TSr ]
Aug 2 16:52:04 strongswan ipsec[508]: 05[NET] sending packet: from <strongswan-internet-ip>[4500] to <hex-behind-nat-internet-ip>[4500] (224 bytes)

6.45.9 doesn't set up the connection correctly
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
profile_1
/ip ipsec peer
add address=<strongswan-internet-ip>/32 exchange-mode=ike2 name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 lifetime=1h pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=<my-cert> \
generate-policy=port-strict peer=peer1 remote-id=ignore
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=172.26.28.0/22 src-address=172.26.28.0/22
add dst-address=0.0.0.0/0 level=unique peer=peer1 sa-dst-address=\
<strongswan-internet-ip> sa-src-address=0.0.0.0 src-address=172.26.28.56/29 tunnel=\
yes
add dst-address=172.26.0.0/16 level=unique peer=peer1 sa-dst-address=\
<strongswan-internet-ip> sa-src-address=0.0.0.0 src-address=172.26.30.56/29 tunnel=\
yes

strongswan log
Aug 2 13:20:26 strongswan ipsec[508]: 06[NET] received packet: from <hex-behind-nat-internet-ip>[4500] to <strongswan-internet-ip>[4500] (416 bytes)
Aug 2 13:20:26 strongswan ipsec[508]: 06[ENC] parsed CREATE_CHILD_SA request 63 [ No SA TSi TSr ]
Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] looking for a child config for 0.0.0.0/0 === 172.26.28.56/29
Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] proposing traffic selectors for us:
Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] 0.0.0.0/0
Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] proposing traffic selectors for other:
Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] <hex-behind-nat-internet-ip>/32
Aug 2 13:20:26 strongswan ipsec[508]: 06[IKE] traffic selectors 0.0.0.0/0 === 172.26.28.56/29 unacceptable
Aug 2 13:20:26 strongswan ipsec[508]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 2 13:20:26 strongswan ipsec[508]: 06[ENC] generating CREATE_CHILD_SA response 63 [ N(TS_UNACCEPT) ]
Aug 2 13:20:26 strongswan ipsec[508]: 06[NET] sending packet: from <strongswan-internet-ip>[4500] to <hex-behind-nat-internet-ip>[4500] (80 bytes)

Is this a bug or is it a "misconfiguration"?
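The two strongSwan captures above differ in one place: in the 6.44.5 log strongSwan narrows the selector the hEX sent (172.26.28.56/29) against the two configured rightsubnets and finds a match, while in the 6.45.9 log it offers the peer's own public /32 as the "other" selector, finds no overlap and answers N(TS_UNACCEPT). The script below is an added example, not code from this thread, from RouterOS or from strongSwan. It models the IKEv2 traffic-selector narrowing that strongSwan logs as "selecting traffic selectors for us/other" (RFC 7296 section 2.9) and runs a small triage over log lines; the log lines are constructed to mirror the two captures, and 203.0.113.7 is a documentation-range placeholder for the NATed hEX public address.

```python
"""IKEv2 traffic-selector (TS) narrowing check plus strongSwan log triage.

Added example, not code from the forum thread or from strongSwan/RouterOS.
A configured selector and a received selector match only if one contains the
other; the CHILD_SA is accepted only when both sides keep at least one match.
"""
import ipaddress
import re

# Constructed log excerpts mirroring the thread's two captures. 203.0.113.7 is a
# documentation-range placeholder for the NATed hEX public address.
LOG_6_44 = [
    "Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] proposing traffic selectors for us:",
    "Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] 0.0.0.0/0",
    "Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] proposing traffic selectors for other:",
    "Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] 172.26.28.56/29",
    "Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] 172.26.30.56/29",
    "Aug 2 16:52:04 strongswan ipsec[508]: 05[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ",
]
LOG_6_45 = [
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] looking for a child config for 0.0.0.0/0 === 172.26.28.56/29",
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] proposing traffic selectors for us:",
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] 0.0.0.0/0",
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] proposing traffic selectors for other:",
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[CFG] 203.0.113.7/32",
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[IKE] traffic selectors 0.0.0.0/0 === 172.26.28.56/29 unacceptable",
    "Aug 2 13:20:26 strongswan ipsec[508]: 06[ENC] generating CREATE_CHILD_SA response 63 [ N(TS_UNACCEPT) ]",
]


def narrow(configured: str, received: str):
    """Intersection of two CIDR selectors, or None when neither contains the other."""
    c = ipaddress.ip_network(configured, strict=False)
    r = ipaddress.ip_network(received, strict=False)
    if c.version != r.version:
        return None
    if c.subnet_of(r):
        return str(c)
    if r.subnet_of(c):
        return str(r)
    return None


def select_ts(configured, received):
    """Narrowed selectors for one side (what strongSwan logs as '=> match')."""
    matches = []
    for c in configured:
        for r in received:
            m = narrow(c, r)
            if m and m not in matches:
                matches.append(m)
    return matches


def child_sa_acceptable(us_cfg, us_rx, other_cfg, other_rx):
    """Return (accepted, narrowed_us, narrowed_other); accepted == no TS_UNACCEPTABLE."""
    us = select_ts(us_cfg, us_rx)
    other = select_ts(other_cfg, other_rx)
    return bool(us) and bool(other), us, other


PROPOSE_RE = re.compile(r"proposing traffic selectors for (us|other):")
CIDR_RE = re.compile(r"\]\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*$")
UNACCEPT_RE = re.compile(r"traffic selectors (\S+) === (\S+) unacceptable")


def triage(lines):
    """Collect the selectors strongSwan proposed per side and any rejected TS pair."""
    proposed = {"us": [], "other": []}
    unacceptable = None
    side = None
    for line in lines:
        m = PROPOSE_RE.search(line)
        if m:
            side = m.group(1)
            continue
        m = CIDR_RE.search(line)
        if m and side:
            proposed[side].append(m.group(1))
            continue
        side = None  # any other line ends the current selector list
        m = UNACCEPT_RE.search(line)
        if m:
            unacceptable = (m.group(1), m.group(2))
    return {"proposed": proposed, "unacceptable": unacceptable}


if __name__ == "__main__":
    for name, log in (("6.44.5", LOG_6_44), ("6.45.9", LOG_6_45)):
        t = triage(log)
        print(name, "proposed:", t["proposed"], "rejected:", t["unacceptable"])
        # Replay the narrowing: in both captures the hEX sent 0.0.0.0/0 === 172.26.28.56/29
        ok, us, other = child_sa_acceptable(
            t["proposed"]["us"], ["0.0.0.0/0"],
            t["proposed"]["other"], ["172.26.28.56/29"])
        print(name, "accepted:", ok, "us:", us, "other:", other)
```

Running it on the 6.45.9 lines reproduces the rejection: the only remote selector strongSwan offered was the peer address itself, which no /29 from the hEX can be narrowed against. That points at the strongSwan side's config selection for this peer (which conn, and therefore which rightsubnet, it matched for the identity presented by the router) as the first thing to verify when TS_UNACCEPT shows up, before touching proposals or DH groups, which the log shows already agree.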
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ipsec issue Firmware 6.45+

Tue Aug 03, 2021 12:31 pm

I'm not sure if it is the reason in this case but it is always a bit risky to make large version jumps in case some feature you use has received a lot of rework.
The configuration may get incorrectly converted. As you already noted, IPsec has changed a lot, some config has moved and some things are now done differently.
I converted routers one major version at a time and it went fine, although some dummy names appeared in the config that I manually changed to match the related items (e.g. peer names in identities).
Maybe some detail went wrong in your case.
 
zobelhelas
just joined
Posts: 3
Joined: Sat Jan 20, 2018 3:52 pm

Re: ipsec issue Firmware 6.45+

Wed Aug 04, 2021 5:05 pm

pe1chl wrote:
I'm not sure if it is the reason in this case but it is always a bit risky to make large version jumps in case some feature you use has received a lot of rework.
The configuration may get incorrectly converted. As you already noted, IPsec has changed a lot, some config has moved and some things are now done differently.
I converted routers one major version at a time and it went fine, although some dummy names appeared in the config that I manually changed to match the related items (e.g. peer names in identities).
Maybe some detail went wrong in your case.

Well, but I even see the same issue as described on a completely factory-reset router with the newest firmware. IPSEC worked for me up to 6.44, but once I upgrade the firmware to 6.45 or above and afterwards factory reset the config and then configure e.g. a hEX as road warrior, IPSEC connections from a hEX to a strongSwan remote do not work and give exactly the error messages as described above.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ipsec issue Firmware 6.45+

Wed Aug 04, 2021 5:54 pm

Ok I have an IPsec tunnel between a RB2011 running 6.48.3 and a Linux system running Strongswan so it should be possible to get it working.
Maybe you need to set the policies in strongswan (I did that, but it is a long time ago, I don't know if it was because of an issue).
Or check if the proposals and policies strongswan is using are in fact configured in the MikroTik (e.g. sha256, aes-256). Defaults could be lower.
 
cdjb
just joined
Topic Author
Posts: 4
Joined: Tue Jul 27, 2021 7:13 pm

Re: ipsec issue Firmware 6.45+

Wed Aug 04, 2021 7:22 pm

pe1chl wrote:
Ok I have an IPsec tunnel between a RB2011 running 6.48.3 and a Linux system running Strongswan so it should be possible to get it working.
Maybe you need to set the policies in strongswan (I did that, but it is a long time ago, I don't know if it was because of an issue).
Or check if the proposals and policies strongswan is using are in fact configured in the MikroTik (e.g. sha256, aes-256). Defaults could be lower.

Is your RB2011 NATed when it connects to the internet?

This is our ipsec configuration. Can you please compare it to yours?

conn %mikrotik-hex
left=<strongswan-internet-ip>
leftcert=<uour_cert>
leftsubnet=0.0.0.0/0
right=%any
keyexchange=ikev2
ike=aes256-sha256-modp2048!
esp=aes256-sha256!
auto=add

conn mikrotik-hex8
also=%mikrotik-hex
rightid="CN=<our_cn>"
rightsubnet=172.26.28.56/29,172.26.30.56/29

As mentioned before, we didn't have any issues when using firmware 6.44.* and also older firmware versions, we also have used 6.43.8, 6.40.4, 6.43.12 with the current strongswan configuration.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: ipsec issue Firmware 6.45+

Wed Aug 04, 2021 7:31 pm

In my case I use ikev1, psk, and no NAT.
 
cdjb
just joined
Topic Author
Posts: 4
Joined: Tue Jul 27, 2021 7:13 pm

Re: ipsec issue Firmware 6.45+

Tue Aug 10, 2021 2:26 pm

I've just tested the latest long-term, stable, testing and development releases.
None of them solved the issue.
