LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

IPSec

Thu Jun 11, 2015 4:28 pm

Good morning!

I faced a problem today while configuring an IPsec VPN for one of our providers.

They sent me a document with the configuration I would need to set up to have encrypted communication with them, since they are a finance company.

I will put here the configuration they sent me, with example addresses, and after that what I have done trying to get this working.

Data sent by company

Rule/ACL for Edge Internet Equipment
Source           Destination      Destination (description)   Protocol/Port
100.100.100.101  200.200.200.200                              ISAKMP UDP 500
100.100.100.101  200.200.200.200                              ESP 50
200.200.200.200  100.100.100.101                              ISAKMP UDP 500
200.200.200.200  100.100.100.101                              ESP 50

Rule/ACL Crypto Domain – VPN Phase 2
192.168.1.32/27  300.300.300.0/24  Finance Services IP

Phase 1
encryption algorithm: AES
hash algorithm: SHA
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

Phase 2
Mode: ESP
Transform-set: esp-aes esp-sha-hmac
Diffie-Hellman group: #2
Security association lifetime: 4608000 kilobytes/3600 seconds

Preshared Key: XXXXX

What I did

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc,aes-256-ctr

/ip ipsec peer
add address=200.200.200.200/32 comment=Finance enc-algorithm=aes-256 hash-algorithm=sha256 secret=XXXXX

/ip ipsec policy
add dst-address=300.300.300.0/24 sa-dst-address=200.200.200.200 sa-src-address=100.100.100.101 src-address=192.168.1.32/27 tunnel=yes

/ip ipsec remote-peers print
 0 local-address=200.195.161.50 remote-address=177.54.222.7 state=message-1-sent side=initiator

/ip firewall nat
add chain=srcnat action=accept comment=Finance dst-address=300.300.300.0/24 src-address=192.168.1.32/27

/ip address
add address=192.168.1.33/27 interface=ether6-lan network=192.168.1.32
add address=100.100.100.101/29 interface=ether8-inet network=100.100.100.100

My Log
10:24:37 ipsec,debug,packet ===
10:24:37 ipsec,debug initiate new phase 1 negotiation: 100.100.100.101[500]<=>200.200.200.200[500]
10:24:37 ipsec,debug begin Identity Protection mode.
10:24:37 ipsec,debug,packet new cookie:
10:24:37 ipsec,debug,packet 143f933a772bcb12
10:24:37 ipsec,debug,packet add payload of len 56, next type 13
10:24:37 ipsec,debug,packet add payload of len 16, next type 13
10:24:37 ipsec,debug,packet add payload of len 16, next type 0
10:24:37 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
10:24:37 ipsec,debug,packet sockname 100.100.100.101[500]
10:24:37 ipsec,debug,packet send packet from 100.100.100.101[500]
10:24:37 ipsec,debug,packet send packet to 200.200.200.200[500]
10:24:37 ipsec,debug,packet src4 100.100.100.101[500]
10:24:37 ipsec,debug,packet dst4 200.200.200.200[500]
10:24:37 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
10:24:37 ipsec,debug,packet 143f933a 772bcb12 00000000 00000000 01100200 00000000 00000080 0d00003c
10:24:37 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
10:24:37 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
10:24:37 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
10:24:37 ipsec,debug,packet resend phase1 packet 143f933a772bcb12:0000000000000000
10:24:47 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
10:24:47 ipsec,debug,packet sockname 100.100.100.101[500]
10:24:47 ipsec,debug,packet send packet from 100.100.100.101[500]
10:24:47 ipsec,debug,packet send packet to 200.200.200.200[500]
10:24:47 ipsec,debug,packet src4 100.100.100.101[500]
10:24:47 ipsec,debug,packet dst4 200.200.200.200[500]
10:24:47 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
10:24:47 ipsec,debug,packet 143f933a 772bcb12 00000000 00000000 01100200 00000000 00000080 0d00003c
10:24:47 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
10:24:47 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
10:24:47 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
10:24:47 ipsec,debug,packet resend phase1 packet 143f933a772bcb12:0000000000000000
 
Nollitik
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: IPSec

Thu Jun 11, 2015 9:05 pm

Looks like you're having problems completing IPsec phase 1, so it can't go on to phase 2. I take it you're doing a site-to-site.
 
LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: IPSec

Thu Jun 11, 2015 9:14 pm

> Looks like you're having problems completing IPsec phase 1, so it can't go on to phase 2. I take it you're doing a site-to-site.

That is what I think too, but I don't see what I need to change.
 
Nollitik
Member Candidate
Posts: 257
Joined: Tue Dec 07, 2010 8:16 am

Re: IPSec

Fri Jun 12, 2015 6:30 am

Please look at the site to site section here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
 
LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: IPSec

Fri Jun 12, 2015 4:17 pm

> Please look at the site to site section here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
>
> [admin@MikroTik] /ip ipsec proposal> print
> Flags: X - disabled
> 0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

Hi!

I've tried that, but I still get the same thing. I flagged other boxes to meet the requirements that the provider sent me.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: IPSec

Fri Jun 12, 2015 9:27 pm

Are you sure they are looking for 256 bits for SHA and AES for phase 1? SHA1 and AES128 are the more likely options they are wanting/needing.
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: IPSec

Fri Jun 12, 2015 9:29 pm

You may want to verify what level of AES and SHA they are expecting.

They simply list AES for the encryption algorithm and SHA for the hash; however, in your peer config you have aes-256 and sha256 specified. I suspect this is where phase 1 is failing.
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: IPSec

Sun Jun 14, 2015 3:19 pm

I assume the other side is using Cisco gear, judging by the syntax.

If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up.
 
LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: IPSec

Mon Jun 15, 2015 3:22 pm

> I assume the other side is using Cisco gear, judging by the syntax.
>
> If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up.

I think something has changed. There is a "succeeded" log entry. I suppose that is for phase 1.

How can I test phase 2 and the entire connection (if phase 1 is OK)? I've tried (I didn't know if this is the correct way) to ping 300.300.300.1 using source address 192.168.1.33.

The log entry is below, but remote-peers is still the same:
ip ipsec remote-peers print
 0 local-address=XXX.XXX.XXX.XXX remote-address=XXX.XXX.XXX.XXX state=message-1-sent side=initiator
09:12:45 system,info ipsec policy changed by admin
09:12:47 ipsec,debug 10.254.13.253[500] used as isakmp port (fd=18)
09:12:47 ipsec,debug 10.26.4.253[500] used as isakmp port (fd=19)
09:12:47 ipsec,debug 10.25.13.254[500] used as isakmp port (fd=20)
09:12:47 ipsec,debug 100.100.100.101[500] used as isakmp port (fd=21)
09:12:47 ipsec,debug 192.168.69.1[500] used as isakmp port (fd=22)
09:12:47 ipsec,debug 10.255.13.255[500] used as isakmp port (fd=23)
09:12:47 ipsec,debug 10.1.13.2[500] used as isakmp port (fd=24)
09:12:47 ipsec,debug 10.2.13.2[500] used as isakmp port (fd=25)
09:12:47 ipsec,debug 192.168.1.33[500] used as isakmp port (fd=26)
09:12:47 ipsec,debug 172.20.1.13[500] used as isakmp port (fd=27)
09:12:47 ipsec,debug,packet ===
09:12:47 system,info ipsec peer changed by admin
09:12:47 ipsec,debug initiate new phase 1 negotiation: 100.100.100.101[500]<=>200.200.200.200[500]
09:12:47 ipsec,debug begin Identity Protection mode.
09:12:47 ipsec,debug,packet new cookie:
09:12:47 ipsec,debug,packet ec976a92ad6fe18e
09:12:47 ipsec,debug,packet add payload of len 56, next type 13
09:12:47 ipsec,debug,packet add payload of len 16, next type 13
09:12:47 ipsec,debug,packet add payload of len 16, next type 0
09:12:47 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
09:12:47 ipsec,debug,packet sockname 100.100.100.101[500]
09:12:47 ipsec,debug,packet send packet from 100.100.100.101[500]
09:12:47 ipsec,debug,packet send packet to 200.200.200.200[500]
09:12:47 ipsec,debug,packet src4 100.100.100.101[500]
09:12:47 ipsec,debug,packet dst4 200.200.200.200[500]
09:12:47 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
09:12:47 ipsec,debug,packet ec976a92 ad6fe18e 00000000 00000000 01100200 00000000 00000080 0d00003c
09:12:47 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
09:12:47 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 80040002 0d000014 12f5f28c
09:12:47 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
09:12:47 ipsec,debug,packet resend phase1 packet ec976a92ad6fe18e:0000000000000000
09:12:47 ipsec,debug,packet ==========
09:12:47 ipsec,debug,packet 100 bytes message received from 200.200.200.200[500] to 100.100.100.101[500]
09:12:47 ipsec,debug,packet ec976a92 ad6fe18e 230e4c76 f7ae233e 0b100500 00000000 00000064 00000048
09:12:47 ipsec,debug,packet 00000001 0100000e 0d00003c 00000001 00000001 0000004c 00007fcf 08bb3b44
09:12:47 ipsec,debug,packet 01000000 00000000 00000000 00000000 2835d408 cf7f0000 02000000 00000000
09:12:47 ipsec,debug,packet e5c100c0
09:12:47 ipsec,debug,packet receive Information.
09:12:47 ipsec,debug,packet begin.
09:12:47 ipsec,debug,packet seen nptype=11(notify)
09:12:47 ipsec,debug,packet succeed.
09:12:47 ipsec,debug delete phase1 handle.
09:12:57 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
09:12:57 ipsec,debug,packet sockname 100.100.100.101[500]
09:12:57 ipsec,debug,packet send packet from 100.100.100.101[500]
09:12:57 ipsec,debug,packet send packet to 200.200.200.200[500]
09:12:57 ipsec,debug,packet src4 100.100.100.101[500]
09:12:57 ipsec,debug,packet dst4 200.200.200.200[500]
09:12:57 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
09:12:57 ipsec,debug,packet ec976a92 ad6fe18e 00000000 00000000 01100200 00000000 00000080 0d00003c
09:12:57 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
09:12:57 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 80040002 0d000014 12f5f28c
09:12:57 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
09:12:57 ipsec,debug,packet resend phase1 packet ec976a92ad6fe18e:0000000000000000
09:13:07 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
09:13:07 ipsec,debug,packet sockname 100.100.100.101[500]
09:13:07 ipsec,debug,packet send packet from 100.100.100.101[500]
09:13:07 ipsec,debug,packet send packet to 200.200.200.200[500]
09:13:07 ipsec,debug,packet src4 100.100.100.101[500]
09:13:07 ipsec,debug,packet dst4 200.200.200.200[500]
09:13:07 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
09:13:07 ipsec,debug,packet ec976a92 ad6fe18e 00000000 00000000 01100200 00000000 00000080 0d00003c
09:13:07 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
09:13:07 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 80040002 0d000014 12f5f28c
09:13:07 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
09:13:07 ipsec,debug,packet resend phase1 packet ec976a92ad6fe18e:0000000000000000
09:13:17 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
09:13:17 ipsec,debug,packet sockname 100.100.100.101[500]
09:13:17 ipsec,debug,packet send packet from 100.100.100.101[500]
09:13:17 ipsec,debug,packet send packet to 200.200.200.200[500]
09:13:17 ipsec,debug,packet src4 100.100.100.101[500]
09:13:17 ipsec,debug,packet dst4 200.200.200.200[500]
09:13:17 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
09:13:17 ipsec,debug,packet ec976a92 ad6fe18e 00000000 00000000 01100200 00000000 00000080 0d00003c
09:13:17 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
09:13:17 ipsec,debug,packet 00015180 80010007 800e0080 80030001 80020002 80040002 0d000014 12f5f28c
09:13:17 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
09:13:17 ipsec,debug,packet resend phase1 packet ec976a92ad6fe18e:0000000000000000
09:13:20 system,info ipsec peer changed by admin
09:13:22 ipsec,debug,packet an undead schedule has been deleted.
09:13:22 ipsec,debug unbind ::ffff:10.254.13.253
09:13:22 ipsec,debug unbind ::ffff:10.26.4.253
09:13:22 ipsec,debug unbind ::ffff:10.25.13.254
09:13:22 ipsec,debug unbind ::ffff:100.100.100.101
09:13:22 ipsec,debug unbind ::ffff:192.168.69.1
09:13:22 ipsec,debug unbind ::ffff:10.255.13.255
09:13:22 ipsec,debug unbind ::ffff:10.1.13.2
09:13:22 ipsec,debug unbind ::ffff:10.2.13.2
09:13:22 ipsec,debug unbind ::ffff:192.168.1.33
09:13:22 ipsec,debug unbind ::ffff:172.20.1.13
09:13:22 system,info ipsec policy changed by admin
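The hex dumps in the two logs above can be decoded rather than read as a wall of numbers. What follows is an added example, not code from the original post or from MikroTik: a minimal Python decoder for the ISAKMP header, the phase 1 SA payload and the Notification payload, with the first-attempt packet from the Jun 11 log, the second-attempt packet and the peer's 100-byte reply from the Jun 15 log embedded as sample input. Run on those bytes it shows that the Jun 11 packet offered AES-CBC with a 256-bit key and SHA2-256 (what Feklar and rmmccann suspected), that the Jun 15 packet offers AES-128 and SHA1, and that the 100-byte reply is an Informational exchange carrying notification type 14, NO-PROPOSAL-CHOSEN: the responder still rejected the proposal, so the "succeed." line in the log is the packet parser succeeding on that notification, not phase 1 completing. The VENDOR_PHASE1 mapping of the vendor's bare "AES" and "SHA" to AES-128 and SHA1 is an assumption taken from the replies in this thread, not something the vendor document states.

```python
"""Decode the IKEv1/ISAKMP packets pasted in the log excerpts above.

Added example; not code from the original post or from MikroTik. It implements
only what is needed to read a main-mode message 1 carrying one proposal with one
transform (RFC 2408 section 3, RFC 2409 appendix A) and an Informational reply
carrying a Notification payload.
"""
import struct

# Hex dumps copied from the log lines above (first attempt on Jun 11, second
# attempt and the peer's 100-byte reply on Jun 15). Whitespace is stripped.
MSG1_FIRST_ATTEMPT = """
143f933a 772bcb12 00000000 00000000 01100200 00000000 00000080 0d00003c
00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""
MSG1_SECOND_ATTEMPT = """
ec976a92 ad6fe18e 00000000 00000000 01100200 00000000 00000080 0d00003c
00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
00015180 80010007 800e0080 80030001 80020002 80040002 0d000014 12f5f28c
457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""
PEER_REPLY = """
ec976a92 ad6fe18e 230e4c76 f7ae233e 0b100500 00000000 00000064 00000048
00000001 0100000e 0d00003c 00000001 00000001 0000004c 00007fcf 08bb3b44
01000000 00000000 00000000 00000000 2835d408 cf7f0000 02000000 00000000
e5c100c0
"""

# Registry values from RFC 2408 / RFC 2409 / RFC 3706 (only the ones needed here).
EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick mode"}
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group", 11: "life_type", 12: "lifetime_s", 14: "key_length"}
ENC = {5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "pre-shared key", 3: "RSA signature"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 24: "AUTHENTICATION-FAILED"}
VENDOR_ID = {"afcad71368a1f1c96b8696fc77570100": "DPD (RFC 3706)",
             "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity"}

# Phase 1 settings from the vendor document. "AES" and "SHA" with no size given are
# read the way the replies in this thread read them: AES-128 and SHA1 (an assumption).
VENDOR_PHASE1 = {"encryption": "AES-CBC", "key_length": 128, "hash": "SHA1",
                 "auth": "pre-shared key", "dh_group": 2, "lifetime_s": 86400}


def parse_attributes(data):
    """Decode a transform's attribute list; TV form has the high bit of the type set."""
    attrs, i = {}, 0
    while i < len(data):
        af_type, val = struct.unpack_from("!HH", data, i)
        i += 4
        if af_type & 0x8000:                       # TV: 2-byte value inline
            attr_type, value = af_type & 0x7FFF, val
        else:                                      # TLV: val is the length of the value
            attr_type, value = af_type, int.from_bytes(data[i:i + val], "big")
            i += val
        attrs[ATTR.get(attr_type, attr_type)] = value
    return attrs


def parse_sa(body):
    """Return the attributes of the first transform of the first proposal in an SA payload."""
    # body: DOI(4) situation(4), proposal header(8) + SPI, transform header(8), attributes
    _, _, _, _, _, spi_size, _ = struct.unpack_from("!BBHBBBB", body, 8)
    toff = 16 + spi_size
    _, _, tlen, _, _, _ = struct.unpack_from("!BBHBBH", body, toff)
    a = parse_attributes(body[toff + 8:toff + tlen])
    return {"encryption": ENC.get(a.get("encryption")), "key_length": a.get("key_length"),
            "hash": HASH.get(a.get("hash")), "auth": AUTH.get(a.get("auth")),
            "dh_group": a.get("dh_group"), "lifetime_s": a.get("lifetime_s")}


def parse_isakmp(hexdump):
    """Decode one ISAKMP packet into its exchange type and a list of (payload, decoded) pairs."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    _ic, rcookie, np, _ver, xchg, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"header says {length} bytes, dump has {len(pkt)}")
    result = {"exchange": EXCHANGE.get(xchg, xchg),
              "responder_cookie_set": rcookie != bytes(8), "payloads": []}
    off = 28
    while np != 0 and off < len(pkt):
        next_np, _, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if np == 1:                                          # Security Association
            result["payloads"].append(("SA", parse_sa(body)))
        elif np == 11:                                       # Notification
            _doi, _proto, _spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
            result["payloads"].append(("Notification", NOTIFY.get(ntype, ntype)))
        elif np == 13:                                       # Vendor ID
            result["payloads"].append(("Vendor ID", VENDOR_ID.get(body.hex(), body.hex())))
        else:
            result["payloads"].append((np, body.hex()))
        np, off = next_np, off + plen
    return result


def payload(decoded, name):
    """First payload of the given kind from parse_isakmp() output."""
    return next(v for k, v in decoded["payloads"] if k == name)


def mismatches(offered, expected=VENDOR_PHASE1):
    """Attributes where what the router offered differs from what the vendor asked for."""
    return {k: (offered.get(k), v) for k, v in expected.items() if offered.get(k) != v}


if __name__ == "__main__":
    for label, dump in (("first attempt", MSG1_FIRST_ATTEMPT), ("second attempt", MSG1_SECOND_ATTEMPT)):
        d = parse_isakmp(dump)
        print(label, d["exchange"], payload(d, "SA"), "mismatches:", mismatches(payload(d, "SA")))
    r = parse_isakmp(PEER_REPLY)
    print("reply", r["exchange"], payload(r, "Notification"))
```

Anything the decoder does not recognise comes back as the raw number or hex, so the same function can be pointed at other packets from the `ipsec,debug,packet` log. A reply whose responder cookie is set but whose exchange type is Informational rather than Identity Protection is the quickest sign that the peer refused phase 1, and the notification type says why.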
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: IPSec

Mon Jun 15, 2015 7:42 pm

> I assume the other side is using Cisco gear, judging by the syntax.
>
> If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up.
>
> I think something has changed. There is a "succeeded" log entry. I suppose that is for phase 1.
>
> How can I test phase 2 and the entire connection (if phase 1 is OK)? I've tried (I didn't know if this is the correct way) to ping 300.300.300.1 using source address 192.168.1.33.
>
> The log entry is below, but remote-peers is still the same:
> ip ipsec remote-peers print
>  0 local-address=XXX.XXX.XXX.XXX remote-address=XXX.XXX.XXX.XXX state=message-1-sent side=initiator

What you should see by issuing "ip ipsec remote-peers print" is state=established, but yours is stuck on message-1-sent, which means it hasn't established the phase 1 SA yet.

Did you change the policies to match what I mentioned?

Authentication: sha1
Encryption: aes128 (aes128-cbc)

On PEER and PROPOSAL
 
LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: IPSec

Mon Jun 15, 2015 9:51 pm

> I assume the other side is using Cisco gear, judging by the syntax.
>
> If that's the case, SHA is 128 and AES too, and this is what is preventing you from getting the tunnel up.
>
> I think something has changed. There is a "succeeded" log entry. I suppose that is for phase 1.
>
> How can I test phase 2 and the entire connection (if phase 1 is OK)? I've tried (I didn't know if this is the correct way) to ping 300.300.300.1 using source address 192.168.1.33.
>
> The log entry is below, but remote-peers is still the same:
> ip ipsec remote-peers print
>  0 local-address=XXX.XXX.XXX.XXX remote-address=XXX.XXX.XXX.XXX state=message-1-sent side=initiator
>
> What you should see by issuing "ip ipsec remote-peers print" is state=established, but yours is stuck on message-1-sent, which means it hasn't established the phase 1 SA yet.
>
> Did you change the policies to match what I mentioned?
>
> Authentication: sha1
> Encryption: aes128 (aes128-cbc)
>
> On PEER and PROPOSAL

I did what you said, and I'm still getting the same status.
 ip ipsec peer print
0  address=200.200.200.200/32 passive=no port=500 auth-method=pre-shared-key secret="X3Cv7m5dgUmoFOhk" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
ip ipsec proposal print
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024 
 
LuizMeier
Member Candidate
Topic Author
Posts: 104
Joined: Tue Sep 25, 2012 11:57 pm
Location: Curitiba, PR - Brasil

Re: IPSec

Tue Jun 23, 2015 11:00 pm

Hello,

I've followed this tutorial and I believe that phase 1 is OK. How could I test phase 2?
ip ipsec remote-peers print
0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=48m56
