
IPSEC - one way SPI SA not installed

Posted: Mon Feb 10, 2014 11:34 pm
by morph
I'm trying to create an IPsec VPN tunnel between a Mikrotik and a Cisco router.
It seems that the SPI SA in the direction Mikrotik -> Cisco is installed fine, but the
SPI SA in the direction Cisco -> Mikrotik is not installed (there is no addtime).

[admin@MikroTik] /ip ipsec installed-sa>> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x382B108 src-address=192.168.10.200 dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="adc4c7acfdbf86e3a9750c0e0a81f569"
enc-key="d3e54e4f122fc8920e651aec4157afd887b
addtime=feb/10/2014 22:12:58 expires-in=27m5
current-bytes=60

1 E spi=0xF778A1E src-address=190.X.X.X dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="448e14a463e062902f5d70507b1dbbcb"
enc-key="74309e284428767f831c42f833544d147b7
add-lifetime=24m/30m
[admin@MikroTik] /ip ipsec installed-sa>>

Does anyone know what can cause this and how to fix it?

Regards.

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 12:12 am
by efaden
> I'm trying to create an IPsec VPN tunnel between a Mikrotik and a Cisco router.
> It seems that the SPI SA in the direction Mikrotik -> Cisco is installed fine, but the
> SPI SA in the direction Cisco -> Mikrotik is not installed (there is no addtime).
>
> [admin@MikroTik] /ip ipsec installed-sa>> print
> Flags: A - AH, E - ESP, P - pfs
> 0 E spi=0x382B108 src-address=192.168.10.200 dst
> auth-algorithm=md5 enc-algorithm=3des replay
> auth-key="adc4c7acfdbf86e3a9750c0e0a81f569"
> enc-key="d3e54e4f122fc8920e651aec4157afd887b
> addtime=feb/10/2014 22:12:58 expires-in=27m5
> current-bytes=60
>
> 1 E spi=0xF778A1E src-address=190.X.X.X dst
> auth-algorithm=md5 enc-algorithm=3des replay
> auth-key="448e14a463e062902f5d70507b1dbbcb"
> enc-key="74309e284428767f831c42f833544d147b7
> add-lifetime=24m/30m
> [admin@MikroTik] /ip ipsec installed-sa>>
>
> Does anyone know what can cause this and how to fix it?
>
> Regards.
Need to see the export and the settings from the Cisco. Could be a wide variety of stuff. Any errors? Did you try turning on ipsec debugging to the log and seeing if there are errors?

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 12:26 am
by morph
Hi efaden,
These are the settings on the cisco:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TS esp-3des esp-md5-hmac 
!
crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS 
 match address VPN1-TRAFFIC
!
!
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn 

ip access-list extended VPN1-TRAFFIC
 permit ip 10.32.0.0 0.0.255.255 192.168.10.0 0.0.0.255
There are no errors in the logs.

Regards.

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 12:29 am
by morph
I'm getting the same problem when trying to connect the Mikrotik to a pfSense firewall.
On the Cisco and pfSense sides there are no errors displayed.
The only problem I see is that the SA is not installed on the Mikrotik.

Regards.

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 12:30 am
by efaden
Post your export. Did you try turning on debugging?

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 12:45 am
by morph
> Post your export. Did you try turning on debugging?

Hi Efaden,
When you say export, are you looking for the IPsec configuration?
/ip firewall nat
add chain=srcnat dst-address=10.32.0.0/16 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
    out-interface=ether1-gateway
add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
/ip ipsec peer
add address=190.X.X.X/32 enc-algorithm=3des hash-algorithm=md5 secret=\
    PASSWORD send-initial-contact=no
/ip ipsec policy
add dst-address=10.32.0.0/16 sa-dst-address=190.X.X.X sa-src-address=\
    0.0.0.0 src-address=192.168.10.0/24 tunnel=yes
I tried turning on debugging, but I didn't see anything that looked suspicious in the log window.

Regards.

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 1:08 am
by ditonet
> sa-src-address=0.0.0.0
SA-Src-Address should be set to your public (WAN) IP, and this NAT rule is not necessary:
add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
BTW, you didn't post your 'IPSec/Proposal' settings.

HTH,

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 1:14 am
by morph
> sa-src-address=0.0.0.0
> SA-Src-Address should be set to your public (WAN) IP, and this NAT rule is not necessary:
> add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
> BTW, you didn't post your 'IPSec/Proposal' settings.
>
> HTH,

I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 as the source.

Here is the proposal setting:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 1:43 am
by ditonet
> I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 as the source.
It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.

Regards,

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 1:54 am
by efaden
> I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 as the source.
> It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.
>
> Regards,

That's what I do...

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 9:01 am
by morph
> I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 as the source.
> It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.
>
> Regards,

The 3G stick gets a private address from the provider that is then NATed to a public address.

I tried connecting the Mikrotik through a LAN cable to my home router. With the above setup (sa-src-address=0.0.0.0) the IPsec did work. So the Mikrotik was behind NAT (my OpenWRT router) and IPsec formed with sa-src-address=0.0.0.0.

As a test I also tried connecting the Mikrotik to a pfSense box and also got the problem with the SA (using the USB stick and also when using a LAN cable behind my home router).

Re: IPSEC - one way SPI SA not installed

Posted: Tue Feb 11, 2014 2:21 pm
by efaden
> I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 as the source.
> It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.
>
> Regards,
>
> The 3G stick gets a private address from the provider that is then NATed to a public address.
>
> I tried connecting the Mikrotik through a LAN cable to my home router. With the above setup (sa-src-address=0.0.0.0) the IPsec did work. So the Mikrotik was behind NAT (my OpenWRT router) and IPsec formed with sa-src-address=0.0.0.0.
>
> As a test I also tried connecting the Mikrotik to a pfSense box and also got the problem with the SA (using the USB stick and also when using a LAN cable behind my home router).

I think you need to script the IP into the SA. Never tried this setup though.
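The scripted approach that ditonet and efaden point to, reading the address the router currently holds on its WAN interface and writing it into the policy's sa-src-address, as an added RouterOS script written for this page (it is not code from the thread or from MikroTik). It assumes the 3G interface is named ppp-out1 and that the peer is the address the thread masks as 190.X.X.X; both are placeholders to replace.

```routeros
# Added example, not from the thread: keep the IPsec policy's sa-src-address
# equal to the address the router currently holds on its WAN interface.
# Assumptions (not stated in the thread): the 3G interface is "ppp-out1" and
# the Cisco peer is the address the thread masks as 190.X.X.X. Replace both.
:local wanIf "ppp-out1"
:local peer "190.X.X.X"

# Locate the address entry bound to the WAN interface. A PPP/3G interface
# normally gets exactly one dynamic address; :pick 0 keeps this safe if
# several exist. Stop quietly if the link is down and there is none.
:local ids [/ip address find interface=$wanIf]
:if ([:len $ids] = 0) do={
    :log warning ("ipsec-wan-sync: no address on " . $wanIf . ", skipping")
    :error "no WAN address"
}

# Entries look like "10.20.30.40/32"; drop the prefix length and convert to
# the ip type so it compares cleanly with the policy's sa-src-address.
:local cidr [/ip address get [:pick $ids 0] address]
:local wanIp [:toip [:pick $cidr 0 [:find $cidr "/"]]]

# Update every policy that points at this peer and still carries a stale
# sa-src-address (0.0.0.0 from the thread, or a previous lease).
:local changed false
:foreach p in=[/ip ipsec policy find sa-dst-address=$peer] do={
    :if ([/ip ipsec policy get $p sa-src-address] != $wanIp) do={
        :log info ("ipsec-wan-sync: sa-src-address -> " . $wanIp . " for peer " . $peer)
        /ip ipsec policy set $p sa-src-address=$wanIp
        :set changed true
    }
}

# Only when something changed: flush the installed SAs so IKE renegotiates
# with the new local address instead of waiting for the old SAs to expire.
:if ($changed) do={
    /ip ipsec installed-sa flush
}
```

Save it under /system script and run it from /system scheduler at a short interval (every minute is fine; it only writes when the address differs), so a new 3G lease is picked up without manual intervention. Note that on a carrier that hands out a private address, as morph describes, the value written is that private address: sa-src-address is the router's own address, and getting the packets through the carrier's NAT is then the job of NAT traversal rather than of this script. The script also leaves the Cisco side alone; there, the wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is what lets a peer with a changing address connect at all, which means that shared secret is the only thing authenticating the peer, and the thread's 3des/md5 proposal stays as posted even though both are legacy algorithms.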