burkon
newbie
Topic Author
Posts: 39
Joined: Tue Sep 12, 2006 2:57 pm
Location: DE

Quality of IPSec Implementation

Thu Mar 27, 2008 10:56 am

Hi,

I'm having a little trouble with IPSec on ROS 3.6. I have set up
an L2TP in IPSec tunnel, which works when both ends are on a
static IP.

But I ran into the following troubles:

ROS crashed or lost all connectivity after SAs expired. (Sorry
had no one in place who could do more than press the reset button)
Had a crash too when disabling a faulty configuration.

Is there some means of dead peer detection? Or some other way to make
the renegotiation speed up after one end is rebooted?

Is it possible to have an IPsec road warrior setup with MT clients?

MT ROS is somewhat my swiss army knife for networking. But it is weak for
building VPNs.

PPTP is unsecure
L2TP over IPSec has issues
and Openvpn has missing features (and missing docu)

Has anybody some hints to get the IPSec issues solved?

Thanks
Ekkehard
 
sergejs
MikroTik Support
Posts: 6630
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Quality of IPSec Implementation

Mon Mar 31, 2008 12:34 pm

Thank you for the report about the expired SA. We are looking for ways to reproduce the same problem and see what we can do.

PPTP is not insecure, when encryption is used.
OpenVPN documentation is here,
http://wiki.mikrotik.com/wiki/OpenVPN
 
burkon
newbie
Topic Author
Posts: 39
Joined: Tue Sep 12, 2006 2:57 pm
Location: DE

Re: Quality of IPSec Implementation

Mon Apr 07, 2008 12:57 pm

On PPTP security:

Can we agree that there is an ongoing debate on PPTP's security?
I prefer to use it. But sometimes I'm required to use something else.

On OpenVPN:

The Wiki docu is a nice Howto.
But I think the reference documentation is still missing.
I think the options need to be thoroughly described especially how
far the implementation really is done (e.g. OpenVPN over TCP/UDP).

What I am really missing is the ability to set up an OpenVPN connection
based wholly on certificates to prevent issues with the
user having to enter the password all the time. (On Windows clients
you cannot store the password in a separate file.)

Thanks
Ekkehard
 
sergejs
MikroTik Support
Posts: 6630
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Quality of IPSec Implementation

Mon Apr 07, 2008 4:12 pm

Ekkehard,

Is it possible to get more information about the IPSec issues?

> ROS crashed or lost all connectivity after SAs expired. (Sorry
> had no one in place who could do more than press the reset button)
> Had a crash too when disabling a faulty configuration.

I have tried different configurations to reproduce your problems, but I was not able to find any problems.
Please give us more details on how it is possible to reproduce this problem.
 
jp
Long time Member
Posts: 603
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine

Re: Quality of IPSec Implementation

Tue Apr 08, 2008 12:48 am

OpenVPN with UDP and certificates works very nicely, and fast too. It is relatively easy to set up in windows/linux distributions.
 
hippo
just joined
Posts: 24
Joined: Wed Mar 26, 2008 2:12 pm

Re: Quality of IPSec Implementation

Tue Apr 08, 2008 1:26 pm

I think what you are experiencing is the same problem that I have been having. For detailed instructions on how to reproduce the problem, see:
http://forum.mikrotik.com/viewtopic.php?f=2&t=22975
br
Hippo
 
rabbtux
newbie
Posts: 49
Joined: Mon Dec 11, 2006 7:19 pm

Re: Quality of IPSec Implementation

Sat Apr 12, 2008 5:56 pm

> OpenVPN with UDP and certificates works very nicely, and fast too. It is relatively easy to set up in windows/linux distributions.

Were you speaking of OpenVPN in general, or were you indicating that this works well for you in the MT versions?
 
dsovereen
Frequent Visitor
Posts: 53
Joined: Fri Oct 22, 2004 7:54 pm
Location: Michigan, USA

Re: Quality of IPSec Implementation

Mon Apr 14, 2008 6:03 pm

I have what appears to be the same or at least very similar problem.

I have IPSec between three Mikrotik RouterOS units. If one of the units reboots, the other units will lose connectivity to the network behind the rebooted RouterOS.

The only way I can restore connectivity is to flush the installed SA table on the other two Mikrotiks. The error "unknown SPI ..." appears in the log of the units when this happens. It's quite frustrating that RouterOS doesn't detect this and renegotiate to get IPSec working between the units automatically after a reboot.

Dave
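
The symptom reported above, repeated "unknown SPI" log entries after one end reboots, can be watched for on a central syslog host. The following is an added example, not code from the thread or from MikroTik: it flags router/peer pairs that log the error several times within a short window. The log line layout, router names and addresses are constructed assumptions, since the thread quotes only the words "unknown SPI ...".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (constructed, not a documented RouterOS format):
#   <ISO time> <router> <topics> unknown SPI <hex> from <peer IPv4>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<router>\S+)\s+.*?unknown SPI\s+0x[0-9a-fA-F]+"
    r".*?(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample input; addresses are from the documentation range.
SAMPLE_LOG = """\
2008-04-14T18:00:02 router-a ipsec,info phase2 established with 192.0.2.20
2008-04-14T18:03:01 router-a ipsec,error unknown SPI 0x0a1b2c3d from 192.0.2.10
2008-04-14T18:03:11 router-a ipsec,error unknown SPI 0x0a1b2c3d from 192.0.2.10
2008-04-14T18:03:15 router-b ipsec,error unknown SPI 0x55667788 from 192.0.2.10
2008-04-14T18:03:21 router-a ipsec,error unknown SPI 0x0a1b2c3d from 192.0.2.10
2008-04-14T18:20:00 router-b ipsec,error unknown SPI 0x55667788 from 192.0.2.10
""".splitlines()


def stale_sa_peers(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {(router, peer): time of first alert} for every pair that logged
    'unknown SPI' at least `threshold` times within `window`.

    A burst like that suggests the two ends no longer agree on installed SAs,
    for example because one of them rebooted and lost its SA table.
    """
    recent = defaultdict(deque)  # (router, peer) -> timestamps inside window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        key = (m["router"], m["peer"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts
```

A flagged pair is a candidate for the manual fix described in the post above, flushing the installed SA table so the tunnel renegotiates.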
