rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

IPsec and Freeswan

Wed Mar 08, 2006 4:23 pm

Can anyone help me with how to configure an IPsec tunnel between MikroTik and FreeS/WAN IPsec?
 
Tonda
Member Candidate
Posts: 164
Joined: Thu Jun 30, 2005 12:59 pm

Wed Mar 08, 2006 5:11 pm

Have you tried looking in the manual? There is an example: http://www.mikrotik.com/docs/ros/2.9/ip/ipsec
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Wed Mar 08, 2006 5:13 pm

Yes, I did; there is no info about FreeS/WAN. To work with FreeS/WAN I need to define a secure key, and there is no place to do it on MikroTik.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Mar 08, 2006 5:16 pm

http://www.mikrotik.com/docs/ros/2.9/ip ... t#5.44.8.4
"MikroTik Router and Linux FreeS/WAN"

is that not what you are looking for?
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Wed Mar 08, 2006 11:38 pm

No, it is not working :(
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Mar 09, 2006 8:37 pm

So, post your configs for each side along with the ISAKMP and IPsec logs.

Regards

Andrew
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Fri Mar 10, 2006 5:34 pm

Yes, I would be very thankful if you can help me. Here it is:

Linux Debian side:
-----------------------------------------

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# basic configuration
config setup
        forwardcontrol=yes
        interfaces="ipsec0=eth0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        klipsdebug=none
        uniqueids=yes
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig

conn orakor_zv
        authby=secret
        auto=start
        compress=no
        left=11.87.214.163
        leftid=@11.87.214.163
        leftnexthop=11.87.214.161
        leftsubnet=131.0.0.0/24
        pfs=no
        right=11.87.217.30
        rightid=@11.87.217.30
        rightnexthop=11.87.208.19
        rightsubnet=192.168.1.0/24



And MikroTik side:
-----------------------------------------


[admin@MikroTik] ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - invalid
 0   src-address=192.168.1.0/24:any dst-address=131.0.0.0/24:any protocol=all action=encrypt level=require
     ipsec-protocols=esp tunnel=yes sa-src-address=11.87.217.30 sa-dst-address=11.87.214.163 proposal=test1
     manual-sa=none dont-fragment=clear
[admin@MikroTik] ip ipsec> peer print
Flags: X - disabled
 0   address=11.87.214.163/32:500 secret="test1" generate-policy=yes exchange-mode=main send-initial-contact=yes
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
[admin@MikroTik] ip ipsec> proposal print
Flags: X - disabled
 0   name="test1" auth-algorithms=md5 enc-algorithms=3des lifetime=0s lifebytes=0 pfs-group=modp1024
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Fri Mar 10, 2006 6:07 pm

Sorry, I forgot to write how this configuration is working.

When I try to ping each other, I can see on MikroTik:

IPsec counters:
------------------
Out Accepted: increasing
Out Dropped: increasing
Out Encrypted: 0
In Accepted: increasing
In Dropped: 0
In Decrypted: 0
ISAKMP Out Accepted: increasing
ISAKMP In Accepted: increasing

In the log file I can see:
--------------------------
ipsec info: ipsec packet discarded: src=192.168.1.7 dst=131.0.0.200
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sun Mar 12, 2006 10:38 am

You're authenticating using a shared secret. At the MT end this is defined as 'test1', but I don't see this set up at the Debian end.

I'm pretty sure that you need to drop the @ from the ID strings at the Debian end.

generate-policy=yes is only used for dynamic IPsec connections. As you know the connecting IP address, change this to =no.

I would suggest that you re-check the FreeS/WAN documentation, as I don't see any IPsec proposal in your connection setup, i.e. something that refers to MD5 or 3DES, unless these values are all defaults.

Turn on ISAKMP debugging on the MT and post the connection log.

Regards

Andrew
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Sun Mar 12, 2006 5:58 pm

"Turn on ISAKMP debugging on the MT and post the connection log."
How could IPsec debugging be switched on?
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon Mar 13, 2006 3:39 pm

system logging> add topics=ike action=memory
Regards

Andrew
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Wed Mar 15, 2006 3:55 pm

Here is my log information:

On MikroTik:
------------------
When I start a ping to the other side of the tunnel I get the following messages:

21:43:21 ipsec,ike,info queuing SA request, phase 1 with peer 11.87.214.163 will be established first
21:43:21 ipsec,ike,info initiating phase 1, starting mode Identity Protection (local 11.87.208.78:500) (remote unknown)
21:43:21 ipsec,info ipsec packet discarded: src=192.168.1.7 dst=131.0.0.200
21:43:22 ipsec,info ipsec packet discarded: src=192.168.1.7 dst=131.0.0.200
21:43:23 ipsec,info ipsec packet discarded: src=192.168.1.7 dst=131.0.0.200
21:43:52 ipsec,ike,info dequeuing SA request to 80.87.214.163, phase 1 wait timed out


On the Debian side I can see following messages in the log:
----------------------------------------------------------------------
Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: responding to Main Mode
Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: no acceptable Oakley Transform
Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: sending notification NO_PROPOSAL_CHOSEN to 11.87.208.78:500
Mar 15 10:59:07 proxy pluto[22383]: ERROR: asynchronous network error report on eth0 for message to 11.87.208.78 port 500, complainant 11.87.208.78: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Wed Mar 15, 2006 4:36 pm

The Debian log says it all:
peer requested 86400 seconds which exceeds our limit 28800 seconds
So the Debian machine complains that MikroTik wants to use an encryption key for a longer time than the Debian config allows as a maximum, and the connection is denied.

So, you either have to lower the peer lifetime in MikroTik from 1 day (the default; that's the 86400 seconds in the error log) to something below 28800 seconds (8 hours), or configure the lifetime on the Debian side to accept a lifetime of 1 day (which is the default in MikroTik).

I'd suggest lowering to 8 hours (or below) on the RouterOS side.

Best regards,
Christian Meis
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Wed Mar 15, 2006 5:31 pm

I have changed the time limit on the MikroTik side and now I can see:

On the MikroTik log, the same as before.

On Debian Log:
---------------------

Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #300: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #300: starting keying attempt 76 of an unlimited number
Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #311: initiating Main Mode to replace #300
Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #311: ERROR: asynchronous network error report on eth0 for message to 11.87.208.78 port 500, complainant 11.87.208.78: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 12:40:42 proxy last message repeated 2 times
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Thu Mar 16, 2006 6:17 pm

Well, the log alone doesn't help further anymore. Sounds like your encryption settings on both sides are not compatible...

Best regards,
Christian Meis
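The two failures in this thread are visible in the pluto log alone: first a Phase 1 transform rejected because the MikroTik peer's lifetime=1d (86400 s) exceeded the 28800 s limit pluto reported (8 hours is the documented maximum for FreeS/WAN's ikelifetime), then, after the lifetime was changed, Main Mode retries that were never answered and ICMP port-unreachable reports for UDP/500. The Python below is an added example, not code from the thread, MikroTik or FreeS/WAN: it models the responder-side Phase 1 check as the log describes it (all attributes must match, and a requested lifetime above the responder's limit is refused) and triages the pluto lines posted above. The attribute names, the algorithm set assumed on the FreeS/WAN side, and the regex-to-finding table are assumptions chosen to match the posted log text; the sample log lines are copied from the thread.

```python
"""Added example: model of the IKEv1 Phase 1 check that rejected the MikroTik
proposal in this thread, plus a triage of the posted pluto log lines.
Assumptions: attribute names and the lifetime rule are taken from the log text,
not from either vendor's source code."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase1Proposal:
    """One ISAKMP/Oakley transform: what a side offers, or the most it accepts."""
    enc: str         # e.g. "3des"
    hash: str        # e.g. "md5"
    dh_group: str    # e.g. "modp1024"
    auth: str        # "psk" or "rsasig"
    lifetime_s: int  # ISAKMP SA lifetime in seconds


def check_phase1(initiator: Phase1Proposal, responder: Phase1Proposal) -> Optional[str]:
    """Return None when the responder would accept the initiator's transform,
    otherwise a rejection reason worded like pluto's log message."""
    for attr in ("enc", "hash", "dh_group", "auth"):
        theirs, mine = getattr(initiator, attr), getattr(responder, attr)
        if theirs != mine:
            return f"{attr} mismatch: peer offered {theirs}, we require {mine}"
    if initiator.lifetime_s > responder.lifetime_s:
        return (f"peer requested {initiator.lifetime_s} seconds which exceeds "
                f"our limit {responder.lifetime_s} seconds")
    return None


# Values from the thread: the MikroTik peer (3des/md5/modp1024, lifetime=1d) and
# the 28800 s limit pluto reported. The FreeS/WAN algorithm set is assumed to
# equal MikroTik's, since the log complained only about the lifetime.
MIKROTIK_PEER = Phase1Proposal("3des", "md5", "modp1024", "psk", 86400)
FREESWAN_LIMIT = Phase1Proposal("3des", "md5", "modp1024", "psk", 28800)
MIKROTIK_PEER_FIXED = Phase1Proposal("3des", "md5", "modp1024", "psk", 28800)

# Pluto log triage table (assumed mapping): regex -> short finding. It covers
# only the messages seen in this thread, not pluto's full message catalogue.
PLUTO_PATTERNS = [
    (r"exceeds our limit (\d+) seconds", "phase 1 lifetime above responder limit"),
    (r"no acceptable Oakley Transform", "no phase 1 transform matched"),
    (r"sending notification NO_PROPOSAL_CHOSEN", "responder rejected all proposals"),
    (r"max number of retransmissions \(\d+\) reached STATE_MAIN_I1",
     "no answer to first Main Mode message"),
    (r"ICMP type 3 code 3", "peer sent port unreachable for UDP/500"),
]


def triage_pluto_log(lines: List[str]) -> List[str]:
    """Map each recognised pluto line to a finding, de-duplicated in order of
    first appearance; lines matching no pattern are ignored."""
    findings: List[str] = []
    for line in lines:
        for pattern, meaning in PLUTO_PATTERNS:
            if re.search(pattern, line) and meaning not in findings:
                findings.append(meaning)
                break
    return findings


# Log lines copied from the thread: the first attempt, then the attempt made
# after the MikroTik lifetime had been lowered.
FIRST_ATTEMPT = [
    'Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: responding to Main Mode',
    'Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)',
    'Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: no acceptable Oakley Transform',
    'Mar 15 10:59:07 proxy pluto[22383]: "orakor_zv" #274: sending notification NO_PROPOSAL_CHOSEN to 11.87.208.78:500',
    'Mar 15 10:59:07 proxy pluto[22383]: ERROR: asynchronous network error report on eth0 for message to 11.87.208.78 port 500, complainant 11.87.208.78: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]',
]
SECOND_ATTEMPT = [
    'Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #300: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message',
    'Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #300: starting keying attempt 76 of an unlimited number',
    'Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #311: initiating Main Mode to replace #300',
    'Mar 15 12:40:12 proxy pluto[22383]: "orakor_zv" #311: ERROR: asynchronous network error report on eth0 for message to 11.87.208.78 port 500, complainant 11.87.208.78: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]',
    'Mar 15 12:40:42 proxy last message repeated 2 times',
]

if __name__ == "__main__":
    print("lifetime=1d :", check_phase1(MIKROTIK_PEER, FREESWAN_LIMIT))
    print("lifetime=8h :", check_phase1(MIKROTIK_PEER_FIXED, FREESWAN_LIMIT))
    print("first attempt :", triage_pluto_log(FIRST_ATTEMPT))
    print("second attempt:", triage_pluto_log(SECOND_ATTEMPT))
```

The triage of the second attempt shows why the log alone stops helping at that point: pluto is now the initiator, its first Main Mode message gets no IKE reply at all, and the only response is an ICMP port-unreachable for UDP/500 from the MikroTik address, so the next thing to check is whether the MikroTik side is actually receiving and answering on UDP/500 (the ike logging topic added earlier will show that), rather than the transform attributes, which were never compared in that exchange. On the RouterOS side the knob that caused the first failure is the lifetime parameter of the peer entry shown in the peer print output above; on the FreeS/WAN side the matching conn parameter is ikelifetime.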
