hdmn
just joined
Posts: 4
Joined: Fri Oct 14, 2016 12:04 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:48 pm

On my CRS I can't reproduce this bug.
Probably a webfig-only bug? Did you add it via winbox or shell?
 
patrick7
Member
Posts: 343
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:50 pm

Maybe it's only in webfig or winbox?
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:52 pm

On my CRS I can't reproduce this bug.
Probably a webfig-only bug? Did you add it via winbox or shell?
winbox
will try over webfig and post back here, just a minute

EDIT
Via WEBFIG has the BUG
Last edited by raffav on Fri Oct 14, 2016 11:59 pm, edited 1 time in total.
 
hdmn
just joined
Posts: 4
Joined: Fri Oct 14, 2016 12:04 am

Re: v6.38rc [release candidate] is released

Fri Oct 14, 2016 11:56 pm

On my CRS I can't reproduce this bug.
Probably a webfig-only bug? Did you add it via winbox or shell?
winbox
will try over webfig and post back here, just a minute
Tik-App (Android) works fine. So this seems to concern webfig only...
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Sat Oct 15, 2016 8:57 pm

Conntrack limit defaults are usually not a concern, even on border devices.
Exceptions are CCR endpoints in installations/solutions where a lot of PPS and/or DDoS attempts of many kinds are expected, or, say, rb850gx2 or RB1200 users, for example, or other "border"/edge devices.
(rb3011 and below don't fill that role much, despite the distracting price ;)
On the contrary, defaults may usually be quite over-estimated, especially in SOHO devices.
I'm not surprised to see conntrack table defaults set irrespective of memory size in, say, ASUS, Zyxel or Alpha, Buffalo, ZTE-made SOHO devices and the like, but having a "default" conntrack table in, say, ERL (or DFL, DSR by Alpha, with similar impact) firmware (taken directly from Vyatta without changes) results in resource exhaustion eventually and a hang as a result (sometimes while working, sometimes after a reboot), since (especially with long uptime and serious traffic) it eventually wouldn't let the devices breathe. So for most of them, the safe/sane option was actually reducing the numbers 8x, or at least 4x, and that does help a LOT.
That's where ROS shines, because of its low footprint and the lack/absence of irrelevant (for networking) portions of the Linux stack/distribution, in terms of speed, resource consumption and attack surface reduction.
My point is: that's quite a helpful/meaningful change, especially if you run an ISP company or are a mid-to-big-sized company networker.
Before that, you had absolutely no control of the conntrack table in ROS (except timeout values), sometimes desperately looking at 8Gb or 16Gb RAM installed on, say, a CCR, with completely exhausted tables. Now it fixes that for real-world use/tweaking.

P.S. For SOHO devices I highly suggest going the opposite way and slightly decreasing all numbers (including hash table) seriously in their config for stability.
 
ivicask
Member
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: v6.38rc [release candidate] is released

Mon Oct 17, 2016 3:51 pm

Hello support!
We are having a lot of problems here with Mikrotik Queues X Windows 10 Updates. When a customer has one PC downloading Windows 10 updates, his queue is 100% used, and most of the time it is impossible to do anything else, even open a web page.
So, I was reading about it and I could see the "fq_codel" is the best way to minimize this problem.
Windows 10 updates are now downloaded from servers using FAST TCP - https://en.wikipedia.org/wiki/FAST_TCP

More info about fq_codel
http://snapon.lab.bufferbloat.net/~d/Pr ... jan-28.pdf
http://forum.mikrotik.com/viewtopic.php?f=1&t=89221
http://forum.mikrotik.com/viewtopic.php?f=2&t=63594

few years ago, normis said this...
thanks for the suggestion, we are looking into it for v7. currently you can use SFQ, which is also very good
http://forum.mikrotik.com/viewtopic.php ... 21#p464269

Are there any news???
Thanks!
I had the same problem a long time ago. I solved it when I separated HTTP traffic into "browsing" and "downloads", so the first 5mb are marked as regular web browsing and have higher priority in the tree queue, and everything above 5MB goes into this downloads queue, which is then limited down and has lower priority.
Every day I have a lot of computers downloading updates and other stuff and I can browse the internet without any delays. And all that works with PCQ.
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Wed Oct 19, 2016 9:39 am

On RB951G with 6.38rc15 (using winbox 3.7) if you set wlan1 band to 2 Ghz-G/N the HT MCS tab disappears. It came back if you set band to bgn or only-n (not tested other combinations)
 
JorgeAmaral
Trainer
Posts: 199
Joined: Wed Mar 04, 2009 11:53 pm
Location: /ip route add type=blackhole

Re: v6.38rc [release candidate] is released

Wed Oct 19, 2016 3:06 pm

Is it possible to setup port based vlan on CRS with hw RSTP?

I tried the scenario on the wiki ( http://wiki.mikrotik.com/wiki/Manual:CR ... AN_Routing ) and added each masterport vlan to different bridges and was expecting it to behave like "per vlan spanning tree" but... nothing happens.
 
notToNew
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Thu Oct 20, 2016 12:37 pm

Intel(R) PRO/Wireless 3945ABG cards can only connect in B/G-mode.
When AP is in B/G/N-mode, no connection is possible.
 
Borizo
newbie
Posts: 40
Joined: Thu Oct 28, 2010 4:38 pm

Re: v6.38rc [release candidate] is released

Thu Oct 20, 2016 6:50 pm

I see one of developers had a chance to look DNS code portion:
Changes since 6.38rc10:
*) dns - improved static dns entry add speed when regexp is being used;
Is there any chance to add two small features please?
[Feature][DNS] Allow 0.0.0.0 as address for DNS records
[Feature][DNS] Apply the regexp entry after plain entries
They should not consume much time and seem rather natural.
 
bryans2k
just joined
Posts: 21
Joined: Fri Apr 26, 2013 6:10 am

Re: v6.38rc [release candidate] is released

Sat Oct 22, 2016 9:36 am

I've been seeing weird DNS failures on the CCR DNS server. It doesn't seem to follow the DNS server priority when you have 4 DNS servers in the DNS Settings list and query from multiple subnets. For example, my CCR has 3 IPs (10.0.0.9, 10.1.0.2, 10.1.1.2) on 3 different interfaces. If I query DNS on 10.1.0.2 from 10.0.0.x, it fails on the first DNS server in the list and then succeeds on the second, even though the first DNS server is fine. If I query DNS on 10.0.0.9 from 10.0.0.x, it works without a problem. If I reduce the DNS servers to just 2 in the DNS Settings list, then it also works without a problem.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 12:48 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
!) snmp - added basic get and walk functionality "/tool snmp-[get|walk]";
*) chr - fixed "/interface print";
*) chr - fixed reboot;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - fixed kernel failure when fastpath traffic goes into loop;
*) fastpath - fixed rare crash;
*) interface - changed loopback interface mtu to 1500;
*) ipsec - added ability to specify static IP address at send-dns option (CLI only);
*) ipsec - send xauth password without trailing null;
*) led - fixed cAP 2nD stuck in dark mode all the time;
*) lte - fixed Pantech UML296 support;
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified;
*) profiler - added ability to monitor cpu usage per core;
*) resolver - ignore cache entries if specific server is used;
*) ssh - fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
*) trafficgen - fixed potential crash when very big frame is generated;
*) vlan - allow to add multiple vlans which name starts with same number and has same length;
*) vlan - fixed CRS switch egress-vlan-tag export;
*) winbox - added led settings menu;
*) winbox - allow to run profiler from "/system resources" menu;
*) winbox - fixed missing switch menu for mmips devices;
*) winbox - properly show VHT basic and supported rates in CAPsMAN;
*) wireless - added CRL checking for eap-tls;
*) wireless - take in account channel width when returning supported channels;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 12:56 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
*) chr - fixed "/interface print";
*) chr - fixed reboot;
Looks promising. Will test my CHR when I have access to it.
 
paulct
Member
Posts: 336
Joined: Fri Jul 12, 2013 5:38 pm

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 2:24 pm

*) profiler - added ability to monitor cpu usage per core;
Nice :)
 
Gennadiy51
newbie
Posts: 30
Joined: Fri Nov 06, 2009 4:33 pm
Location: Moldova, Chisinau

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 4:41 pm

I have two hAP lite. On both routers, after updating from v6.37.1 to v6.38rc19 and after each reboot, I see in the log "system, info, critical --- CPU overclocked", but in system, resources all is O.K.

[Guess_Who-2@MikroTik] /log> print
15:29:59 system,info installed dhcp-6.38rc19
15:29:59 system,info installed security-6.38rc19
15:29:59 system,info installed wireless@-6.38rc19
15:30:01 system,info router rebooted
15:30:02 system,info,critical cpu overclocked
15:30:08 interface,info ether1-WAN link up (speed 100M, full duplex)
15:30:12 pppoe,ppp,info Arax_Internet: initializing...
15:30:12 pppoe,ppp,info Arax_Internet: connecting...

[Guess_Who-2@MikroTik] > system resource print
uptime: 1h57m25s
version: 6.38rc19 (testing)
build-time: Oct/24/2016 11:19:32
free-memory: 7.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 3%
free-hdd-space: 7.6MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 180
write-sect-total: 77897
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik

On v6.37.1 there is no such message in the log.
Last edited by Gennadiy51 on Wed Oct 26, 2016 5:38 pm, edited 2 times in total.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 4:41 pm

What's new in 6.38rc19 (2016-Oct-24 11:19):

Changes since 6.38rc15:
*) chr - fixed "/interface print";
*) chr - fixed reboot;
Looks promising. Will test my CHR when I have access to it.
Nope, this does not solve my issues with my CHR. It still dies when updated. My guess is this is related to me using synthetic network cards instead of legacy.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 6:04 pm

I have two hAP lite. On both routers, after updating from v6.37.1 to v6.38rc19 and after each reboot, I see in the log "system, info, critical --- CPU overclocked", but in system, resources all is O.K.

[Guess_Who-2@MikroTik] /log> print
15:29:59 system,info installed dhcp-6.38rc19
15:29:59 system,info installed security-6.38rc19
15:29:59 system,info installed wireless@-6.38rc19
15:30:01 system,info router rebooted
15:30:02 system,info,critical cpu overclocked
15:30:08 interface,info ether1-WAN link up (speed 100M, full duplex)
15:30:12 pppoe,ppp,info Arax_Internet: initializing...
15:30:12 pppoe,ppp,info Arax_Internet: connecting...

[Guess_Who-2@MikroTik] > system resource print
uptime: 1h57m25s
version: 6.38rc19 (testing)
build-time: Oct/24/2016 11:19:32
free-memory: 7.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 3%
free-hdd-space: 7.6MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 180
write-sect-total: 77897
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik

On v6.37.1 there is no such message in the log.
Do not worry about this warning, this is for us to track down wrong default CPU and memory frequencies.
 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Re: v6.38rc [release candidate] is released

Wed Oct 26, 2016 6:11 pm

The 2nd to last line before rebooting after upgrading from rc15 was:

system, error, critical System rebooted because of kernel failure

Everything seems fine post reboot. Is that normal? RB951G
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 4:56 pm

Version 6.38rc24 has been released.

Changes since previous rc:

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
!) tr069-client - initial implementation (as separate package);
*) arm - improved watchdog reliability;
*) bonding - added "forced-mac-address" option (cli only);
*) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled;
*) bonding - fixed mac address selection after upgrade;
*) bridge - fixed rare crash on bridge port removal;
*) certificates - fixed trust chain update on local certificate revocation in programs using ssl;
*) crs - added comment ability in more switch menus;
*) crs - fixed port mirroring halt after L2MTU change;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - improved connection tracking timeout updates;
*) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22;
*) firewall - improved "time" option (ranges like 22h-10h now are acceptable);
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count" (cli only);
*) ipsec - non passive peers will also establish SAs from policy without waiting for the first packet;
*) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4;
*) log - fixed "System rebooted because of kernel failure" message to show after 1st crash reboot;
*) mmips - fixed traffic accounting in "/interface" menu;
*) mmips - improved watchdog reliability;
*) profiler - added ability to monitor cpu usage per core;
*) ssl - fixed potential memory leak (when using dude for example);
*) queue - fixed rare crash on statistic gathering in "/queue tree";
*) queue - improved "time" option (ranges like 22h-10h are now usable);
*) wireless - added CRL checking for eap-tls;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 5:31 pm

Updated RB750Gr3 to 6.38rc24.

My policies with sa-src-address=0.0.0.0 are failing.
ipsec, error x.x.x.x parsing packet failed, possible cause: wrong password
After setting correct WAN address as sa-src-address, remote connections are up again:
/ip ipsec policy> set [f] sa-src-address=x.x.x.x
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 6:04 pm

what is your setup? tunnel or transport mode?

problem confirmed in tunnel mode. Thanks.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 6:43 pm

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Yay! I can't believe I will be able to throw a couple of good-old-but-no-longer-supported ASA5505 boxes away soon!
Just need to wait until the version gets stable. :)
 
cutedrummerboy
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 8:15 pm

aha, tr069 client. lots of room for experiments.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 8:45 pm

Any expected date when problems with CHR on Hyper-V will be fixed? No hurry from my side as 6.36.3 is super stable but would like to know if there is any planned eta on that?
[Ticket#2016100322001305]
 
cutedrummerboy
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: v6.38rc [release candidate] is released

Thu Nov 03, 2016 8:46 pm

after installing tr069 client how to work with it??
 
cutedrummerboy
Member Candidate
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 6:47 am

nevermind, I found it. currently it is only console based implementation.
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 11:02 am

Hi,
Download link for Dude server 6.38rc24 for CHR is broken :(

Regards,
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 1:59 pm

Dude links for rc24 are fixed. Also, that is the same package made for x86.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Nov 04, 2016 9:09 pm

Updated CHR install from rc19 to rc24, on reboot it logs:

system error critical open /dev/panics failed
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 11:06 am

strods wrote:
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Does this mean multiple L2TP/IPSEC users behind same Public IP?
 
nz_monkey
Forum Guru
Posts: 2101
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 11:17 am

Does this mean multiple L2TP/IPSEC users behind same Public IP?
In theory yes..

Hopefully some examples appear on the wiki soon.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 11:43 am

!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
Does this mean multiple L2TP/IPSEC users behind same Public IP?
Yes.
Hopefully some examples appear on the wiki soon.
I don't think extra examples are needed. It should just work, provided NAT-T is enabled in the ipsec peer configuration.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Sat Nov 05, 2016 12:35 pm

I don't think extra examples are needed. It should just work, provided NAT-T is enabled in the ipsec peer configuration.
I hope it can handle double-NAT... in the current version I even need to relax the policy generation (from port-strict to port-override)
or else it is not able to handle certain clients that are behind two levels of NAT. And that is unfortunately quite common, e.g.
a MikroTik router with Huawei E3372 stick (which has its built-in NAT) on a mobile provider that uses carrier-grade NAT.
In this setup the policy is wrongly generated, the port number does not always correctly match on the different levels.

Hopefully someone can report on this, I have seen other people reporting the same problem and fixing it the same way.
(not using the auto-generated peer definition by setting the "ipsec secret" on the L2TP server, but manual IPsec peer
definition with relaxed port matching)
 
danxx26
just joined
Posts: 4
Joined: Fri Feb 12, 2016 6:33 pm

Re: v6.38rc [release candidate] is released

Sun Nov 06, 2016 3:40 am

Today I attempted to upgrade to 6.38rc24 and things did not go well. After reboot I noticed my wireless was gone. I was able to get inside the RB2011 with Winbox and noticed there is no wireless menu. The interfaces tab confirms no wireless interfaces. I went into the package menu and noticed that the only package is the main 6.38rc24; all other packages are gone and the main package says "disabled". I attempted to download the "extra" packages, copied them over with winbox and rebooted. Still no wireless, and in packages the ones I uploaded do not show. I see them in files but that's it. Any help would be greatly appreciated.

Thank you


Daniel
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: v6.38rc [release candidate] is released

Sun Nov 06, 2016 11:02 am

Which version have you upgraded from?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Sun Nov 06, 2016 10:36 pm

And what's in Log after reboot with package uploaded?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 11:45 am

Version 6.38rc25 has been released.

Changes since previous version:
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
*) discovery - added LLDP support;
*) routerboot - show log message if router CPU/RAM is overclocked;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 12:19 pm

Version highlight - this release includes significant fix for large scale tunnel implementations (and any other implementations which uses dynamic simple queues).
It was observed that tunnel disconnect process causes a CPU spike. In some cases for significant amount of time, during this spike, throughput of device decreases, latency increases and in worst case scenario causes other tunnels to disconnect, resulting in avalanche like effect.
Problem was narrowed down to queue removal process, which causes hash table update for whole simple queue set. To fix this we adjusted the way hashing algorithm works.
Please, test this, so that we can add it to next current and/or bugfix versions as soon as possible.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 12:45 pm

Version 6.38rc has been released.

Changes since previous version:
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
*) discovery - added LLDP support;
*) routerboot - show log message if router CPU/RAM is overclocked;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
@strods
Maybe you forgot to put the new RC version in the changelog?
*) ipsec - added ph2 accounting for each policy "/ip ipsec policy ph2-count" (cli only); can't find where that is
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 1:04 pm

Post includes only changes since previous rc version release. Full changelog:
http://www.mikrotik.com/download
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 1:13 pm

@strods
That I know.
I was talking about this:
Version 6.38rcXX has been released.
But never mind, it's not important, it was only an observation.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Mon Nov 07, 2016 6:32 pm

*) discovery - added LLDP support;
I thought LLDP was already added?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 2:23 am

MikroTik....

!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);

How do we use this?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 2:34 am

 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 2:48 am

Thanks
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 8:24 am

*) discovery - added LLDP support;
I thought LLDP was already added?
AFAIK this is the RC changelog; there is no point in adding a new line for every fix/update for features that were introduced in this RC. When released in current, it will still be just one changelog entry about the feature introduction. So those entries that have fixes/updates just pop up again in the RC. I have noticed this since the new era of changelogs; for me it makes sense.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 8:29 am

*) discovery - added LLDP support;
I thought LLDP was already added?
AFAIK this is the RC changelog; there is no point in adding a new line for every fix/update for features that were introduced in this RC. When released in current, it will still be just one changelog entry about the feature introduction. So those entries that have fixes/updates just pop up again in the RC. I have noticed this since the new era of changelogs; for me it makes sense.
I can understand summarizing in final release notes, but nice in rc changelog to know if fixes or updates were made relating to that line item, right?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 9:07 am

I can understand summarizing in final release notes, but nice in rc changelog to know if fixes or updates were made relating to that line item, right?
Changelog line is moved to latest RC, so there are fixes or updates :). One can argue, that it would be nice to know what exactly are those changes, but i think it is one step too far, just knowing that something is changed is enough for me.
 
markom
Member Candidate
Posts: 112
Joined: Thu Dec 17, 2009 10:42 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 3:38 pm

snmp - added basic get and walk functionality "/tool snmp-[get|walk]";


desired bold command part is missing.
tool snmp-walk community=public address=10.10.10.10 file=device.txt
I would like to see option to put in file snmpwalk command.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 7:02 pm

I upgraded from rc7 to rc24 on x86. My road warrior L2TP IPsec VPN stopped working (both OS X and Android clients). I upgraded to rc25, still didn't work. Downgraded back to rc7 works again.

rc24/25:
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.

rc7:
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 7:10 pm

Send supout to support from rc25
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 7:25 pm

Send supout to support from rc25
Sent
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 8:18 pm

I upgraded from rc7 to rc24 on x86. My road warrior L2TP IPsec VPN stopped working (both OS X and Android clients). I upgraded to rc25, still didn't work. Downgraded back to rc7 works again.

rc24/25:
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.

rc7:
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)
This also affects point to point VPN with 2 Mikrotiks.

Support says this should be fixed in next rc. Thanks Maris
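
[Added example, not part of the post above and not MikroTik code.] The two excerpts differ in one decisive line: rc24/25 logs "can't match selector to any template" where rc7 logs "try to generate the policy". The Python sketch below groups RouterOS ipsec log lines by phase 2 negotiation and classifies each one; the log text is copied from the post, and the function and field names are hypothetical.

```python
import re

# Log excerpts copied verbatim from the post above.
RC25_LOG = """\
08:46:31 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[10584]
08:46:31 ipsec,debug searching for policy
08:46:31 ipsec,debug can't match selector to any template, skipping: 2.2.2.2:1701 ipproto:17 <=> 1.1.1.1:10584 ipproto:17
08:46:31 ipsec,debug failed to proposal from policy
08:46:31 ipsec,debug failed to get proposal for responder.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
08:46:31 ipsec,error 1.1.1.1 failed to pre-process ph2 packet.
"""
RC7_LOG = """\
08:49:48 ipsec,debug respond new phase 2 negotiation: 2.2.2.2[4500]<=>1.1.1.1[23165]
08:49:48 ipsec,debug no policy found, try to generate the policy : 172.31.99.154/32[51455] 2.2.2.2/32[1701] proto=udp dir=in port_override=0
08:49:48 ipsec,debug Adjusting my encmode UDP-Transport->Transport
08:49:48 ipsec,debug Adjusting peer's encmode UDP-Transport(4)->Transport(2)
08:49:48 ipsec,debug pfkey GETSPI succeeded: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:48 ipsec,debug sent phase2 packet 2.2.2.2[4500]<=>1.1.1.1[23165] de330e033113ec3d:14443609588c73ae:0000b502
08:49:49 ipsec IPsec-SA established: ESP/Transport 1.1.1.1[23165]->2.2.2.2[4500] spi=152113860(0x91112c4)
08:49:49 ipsec IPsec-SA established: ESP/Transport 2.2.2.2[4500]->1.1.1.1[23165] spi=215287899(0xcd5085b)
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")  # time, topics, message
NEGOTIATION = re.compile(
    r"respond new phase 2 negotiation: (\S+?)\[(\d+)\]<=>(\S+?)\[(\d+)\]")
SELECTOR = re.compile(
    r"can't match selector to any template, skipping: "
    r"(\S+):(\d+) ipproto:(\d+) <=> (\S+):(\d+) ipproto:(\d+)")
PH2_ERROR = re.compile(r"^(\S+) failed to pre-process ph2 packet")
UDP, L2TP_PORT = 17, 1701  # L2TP runs over UDP port 1701


def verdict(session):
    """Classify one negotiation from the counters collected by triage()."""
    if session["sa_count"]:
        return "established"
    sel = session["unmatched_selector"]
    if sel and session["ph2_errors"]:
        if sel["proto"] == UDP and sel["local_port"] == L2TP_PORT:
            return "rejected: L2TP selector matched no policy template"
        return "rejected: selector matched no policy template"
    return "rejected: other" if session["ph2_errors"] else "incomplete"


def triage(log_text):
    """Return one summary dict per phase 2 negotiation found in log_text."""
    sessions, current = [], None
    for raw in log_text.splitlines():
        parsed = LINE.match(raw.strip())
        if not parsed:
            continue  # not a 'time topics message' line
        start, topics, msg = parsed.groups()
        neg = NEGOTIATION.search(msg)
        if neg:  # a new negotiation opens a new session
            current = {"start": start, "local": neg.group(1),
                       "peer": neg.group(3), "peer_port": int(neg.group(4)),
                       "unmatched_selector": None, "policy_generated": False,
                       "sa_count": 0, "ph2_errors": 0}
            sessions.append(current)
            continue
        if current is None:
            continue  # lines before the first negotiation are ignored
        sel = SELECTOR.search(msg)
        err = PH2_ERROR.match(msg)
        if sel:
            current["unmatched_selector"] = {
                "local_port": int(sel.group(2)), "proto": int(sel.group(3)),
                "peer_port": int(sel.group(5))}
        elif "try to generate the policy" in msg:
            current["policy_generated"] = True
        elif msg.startswith("IPsec-SA established"):
            current["sa_count"] += 1
        elif ("error" in topics.split(",") and err
              and err.group(1) == current["peer"]):
            current["ph2_errors"] += 1
    for session in sessions:
        session["verdict"] = verdict(session)
    return sessions


if __name__ == "__main__":
    for name, log in (("rc24/25", RC25_LOG), ("rc7", RC7_LOG)):
        for s in triage(log):
            print(name, s["peer"], s["verdict"], "ph2 errors:", s["ph2_errors"])
```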
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Tue Nov 08, 2016 9:26 pm

Hi, I had to go back to RC19; for some reason internet navigation was getting problematic, and webpages did not load very well.
This happens only at the office; maybe RC 24-25 changes something so that my network didn't work as it is supposed to.
I couldn't reproduce this behavior at home, or in a lab.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Wed Nov 09, 2016 1:39 pm

*) discovery - added LLDP support;
I thought LLDP was already added?
LLDP itself, yes.
But not in neighborhood/discovery.
I.e., it's now implemented ~ completely, basically.
I guess folks that cried about LLDP necessity became a bit happier now (party time, huh? :).
 
boldsuck
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: v6.38rc [release candidate] is released

Wed Nov 09, 2016 9:39 pm

This was working fine until 6.37 then I upgraded it to the first v6.38rc and all IPv6 addresses are gone.
(interface address, that address in the firewall, and default route)
They now show like ::/0
Same here:
RouterOS v6.38rc25 (testing) on RB2011UAS (mips)

ISSUES:
IPv6 addresses are not shown correctly (only ::/0, ::, or blank in DHCP_Client).
It's a webfig-only bug here. In Tik App and CLI IPv6 addresses are shown correctly.
IPv6 is working normally. :D
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Wed Nov 09, 2016 10:47 pm

The issue has been confirmed by MikroTik and will be fixed. It only occurs in WebFig so you can still configure and check using commandline.
The reason why my IPv6 was down was because of a configuration error.
I put a static address on an ethernet interface but forgot the /64 mask. In previous versions the default was /64 and now it is /128.
This was the real reason why my IPv6 was down. However, I was misled during debugging because of the display problem in WebFig.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 11, 2016 4:10 pm

Version 6.38rc29 has been released.

Changes since 6.38rc25:

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation which will allow multiple peers behind the same NAT (cli only);
!) tr069-client - initial implementation (as separate package);
*) bridge - fixed filter Ingress Priority option (broken in v6.38rc16);
*) ccr - added AHCI driver for Samsung XP941 128GB AHCI M.2;
*) crs226 - fixed sfp-sfpplus1 link re-negotiation (broken in 6.37rc28/v6.37.1);
*) certificates - allow import multiple certs with the same key;
*) certificates - if no name provided create certificate name automatically from certificate fields;
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) discovery - added LLDP support;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - added "k" and "M" unit support to Ethernet Bandwidth setting;
*) firewall - new faster "connection-limit" option implementation;
*) ipsec - don't generate unnecessary ah+esp policies;
*) ipsec - fixed generated policy lookup with ah+esp proposal;
*) traffic-flow - fixed flow sequence counter and length;
*) webfig - fixed smaller than /24 ip address configuration (broken in v6.38rc3);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: v6.38rc [release candidate] is released

Fri Nov 11, 2016 7:32 pm

When updating from 6.38rc25 to 6.38rc29, ipsec peer exchange mode changes from ike2 to unknown.

With 6.38rc29, IKEv2 only works with sha1 or md5 proposal auth algorithm. I have not been able to use "sha256" or "sha512"
 
benoga
just joined
Posts: 13
Joined: Wed Mar 09, 2016 7:50 am

Re: v6.38rc [release candidate] is released

Fri Nov 11, 2016 8:00 pm

I have the same problem. L2TP from Android can't connect with auth. algorithm sha265 to the Mikrotik 6.38rc29.
 
craigreilly
newbie
Posts: 46
Joined: Mon Jan 26, 2015 7:04 pm

Re: v6.38rc [release candidate] is released

Sat Nov 12, 2016 12:03 am

How do I go about setting up L2TP with IPsec now that we can have multiple peers behind the same NAT?
I see it is via CLI only. I really need to get this going since Apple dropped support for PPTP.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: v6.38rc [release candidate] is released

Sat Nov 12, 2016 3:19 pm

Having a weird issue on my CRS. Running > rc10 seems to crash randomly and just stop passing all traffic (including responding to anything itself) requiring a reboot. I sent supouts. I think it is somewhere in IPSec. I wind up with 100s of SAs that keep expiring.... for a single ipsec tunnel....

-Eric
 
cgaspar
just joined
Posts: 11
Joined: Thu Jul 14, 2016 9:29 pm

Re: v6.38rc [release candidate] is released

Sat Nov 12, 2016 3:36 pm

Hello, I've updated The Dude to 6.38rc29 version and the e-mail notification is not working. Any changes with the variables at all?

{ Body: Service [Probe.Name] on [Device.Name] is now [Service.Status] ([Service.ProblemDescription]) }
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 8:53 am

with 6.38rc29 L2TP/IPsec is not working. Windows7/Windows10/iPhone/Mac
with 6.37.1 only one connection per IP
RB750Gr3

6.37.1 QuickSet src-address was Wrong
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
src-address=0.89.168.192-255.89.168.192
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 10:04 am

Same issue here, since last two RC's my L2TP/IPSEC is dead
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 3:58 pm

Version 6.38rc30 has been released.

Changes since previous version:
*) dns - do not resolve incorrect addresses after changes made in static dns entries;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed timeout option on address lists with domain name;
*) system - reboot device on critical program crash;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 4:25 pm

Version 6.38rc30 has been released.

Changes since previous version:
*) dns - do not resolve incorrect addresses after changes made in static dns entries;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed timeout option on address lists with domain name;
*) system - reboot device on critical program crash;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
Hi strods
Please add 3G modem D-Link DWM 157 H/W Ver D1 in the new RouterOS release candidate :(
Last night I sent an email to support@mikrotik.com with a supout.rif file attached, for support of D-Link DWM 157 H/W Ver D1, but there is no answer.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 4:52 pm

ErfanDL - We usually reply within 3 working days. Did it work in 6.37 version? If it did not, then please do not write such posts in rc related topics. Write to support - that is the correct and fastest way.
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 6:09 pm

ErfanDL - We usually reply within 3 working days. Did it work in 6.37 version? If it did not, then please do not write such posts in rc related topics. Write to support - that is the correct and fastest way.
Thanks for the reply.
Yes, I tested it in 6.37 - 6.37.1 and the latest RC 6.38 but it did not work.

thanks
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Mon Nov 14, 2016 11:53 pm

6.38rc30 broke synthetic NIC on chr under Hyper-V... again! Hangs on /interface print, then after prints: info failed: std failure: timeout (13)
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 8:17 am

6.38rc30 broke synthetic NIC on chr under Hyper-V... again! Hangs on /interface print, then after prints: info failed: std failure: timeout (13)
I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
Windows 10 (not tested but I guess server 2016 also) works with the same configuration. Waiting for MT to verify that they can reproduce the error as they only tested on Windows 10.
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 9:18 am

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 1:54 pm

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.
My guess is you only use synthetic Network adapters? Strange, as I have this issue even if I download a brand new VHDX and start with that. If I remove the Network adapters and replace with Legacy Network Adapters this works.
I have tested rc29 but could not get that to boot either. Are you using 2012 R2?
What brand of network adapters are you using?
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 2:12 pm

I have had this issue since 6.37 release. This affects Hyper-V running 2012 R2 and older Hyper-V versions.
6.38rc29 works fine in my environment except live migration issue and auto-negotiation failure. 6.38rc30 hangs again, as before.
Downloaded a new VHDX built on rc29. Built a new machine and tried to start it. Started but maintains the same issue as all other builds for me.
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 2:28 pm

Kindis
I did update via /system/packages from 6.36.3.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 3:03 pm

Kindis
I did update via /system/packages from 6.36.3.
Have done this with several rc releases but got tired of upgrading my router. That's why I'm testing new VHDX files from now on.
Tested to update a new 6.36.3 to rc30. Same issue.
Good thing is that 6.36.3 is running very well :-)
 
Rushmore
just joined
Posts: 12
Joined: Fri Nov 04, 2016 1:04 pm

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 3:35 pm

Kindis
I'm using Hyper-V checkpoints for testing RC builds.
Shutdown CHR --> create checkpoint --> turn on CHR --> update to fresh build.
If something went wrong, just apply checkpoint and delete whole checkpoint tree. Got stable version again :wink:
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 4:22 pm

Kindis
I'm using Hyper-V checkpoints for testing RC builds.
Shutdown CHR --> create checkpoint --> turn on CHR --> update to fresh build.
If something went wrong, just apply checkpoint and delete whole checkpoint tree. Got stable version again :wink:
I do the same but without turning it off. As the checkpoint covers the memory the recovery back is instant. NTP client updates the clock within a few seconds.
As this is my main router and firewall at home I have a very strong SLA during non-office hours ;-). The family using all types of streaming and me messing with the router does not make them happy.
Testing rc builds with a new VHDX file does not affect the uptime. Works very well also as I can experiment a lot more.
Otherwise checkpoint builds are the best thing since sliced bread for the router. Don't have to worry about rollback at all + I export the router via script every night and send it to the NAS. So I have an exported copy backup. Not just the config but the entire router.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 4:39 pm

6.38rc31 has been released.

Changes since previous version:
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
*) bgp - do not match all prefixes tagged with community 0:0 by routing filters;
*) certificate - fixed crash when crl is removed while it is being fetched;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) log - ignore email topic if action is email;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
JavierTF
just joined
Posts: 12
Joined: Thu Nov 19, 2015 12:15 pm
Location: Santa Cruz de Tenerife

Re: v6.38rc [release candidate] is released

Tue Nov 15, 2016 6:02 pm

Hello

I know this has already been suggested in some other topic, but I think this is a best place to do it.

   1) It would be interesting if you could add to CAPSMAN the option to set a frequency range in the 'channels' section instead of setting a single frequency, so that automatic channel selection could be enabled but limited only to that range

   This would help in high-density CAP environments, where it would not be necessary to set the channel for each CAP manually if you want to limit its range.

  2) Why, in 5 GHz CAPs with transmission power fixed to 30 dBm and automatic channel selection enabled, does CAPsMAN always select the lowest channel, limiting the transmit power of the CAP to 17 dBm? The right way would be that if the power has been fixed, automatic channel selection will automatically limit the range of channels to be used to those that support that power (or at least prioritize these when selecting the channel to use).

Thanks a lot
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.38rc [release candidate] is released

Wed Nov 16, 2016 11:16 am

Please fix the L2TP/IPSEC functionality before the final release
 
strzinek
just joined
Posts: 13
Joined: Tue Oct 25, 2016 10:29 am

Re: v6.38rc [release candidate] is released

Wed Nov 16, 2016 1:49 pm

Having problem with SMB on 6.38 rc versions (tried on rc29,30,31) on CHR x86 under VMWare vSphere when using linux client. I have second disc mounted on /disk1.
My ROS smb configuration:
/ip smb
set allow-guests=no comment="SMB share" domain=work enabled=yes \
    interfaces=ether1
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/disk1 max-sessions=6 name="backup\$"
/ip smb users
add name=backuper password=password
How to reproduce:
1. Connect from windows machine (tested with Win 8.1 and 10), enter username and password - connection succeeds and I am able to see and copy files with Windows explorer.
2. Connect from another machine with Linux (tested on CentOS 5 and 7, both with cifs mount): the connection times out and the existing connection on the first machine also gets lost. On Linux the mount command fails with message "mount error 112 = Host is down" when run first and then "mount error 111 = Connection refused".

Log on ROS says nothing. When I use only windows clients, it works ok.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Wed Nov 16, 2016 8:02 pm

Please fix the L2TP/IPSEC functionality before the final release
I agree it needs to be fixed before final release. Make sure to send support supout. I am still working through some issues with them that were introduced in this rc. Works in rc7, but hasn't in rc25-31 (haven't tested rc8-24).
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.38rc [release candidate] is released

Thu Nov 17, 2016 5:09 am

would ikev2 be considered stable by the time we reach 6.38 final?
 
nz_monkey
Forum Guru
Posts: 2101
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Thu Nov 17, 2016 9:40 am

would ikev2 be considered stable by the time we reach 6.38 final?
ikev2 will be considered stable when RouterOS 6.38 or higher is in the "bugfix" release chain.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Thu Nov 17, 2016 3:08 pm

Updated RB750Gr3 to 6.38rc24.

My ipsec tunnels with sa-src-address=0.0.0.0 are failing.
ipsec, error x.x.x.x parsing packet failed, possible cause: wrong password

After setting correct WAN address as sa-src-address, remote connections are up again:
/ip ipsec policy> set [f] sa-src-address=x.x.x.x
After upgrade to 6.38rc31, this also applies to the peers.
Error: parsing packet failed, possible cause: wrong password

Problematic config (tunnel down):

/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive local-address=:: my-id=fqdn:router.home.local nat-traversal=no

Better config (tunnel up):

/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive local-address=111.111.111.111 my-id=fqdn:router.home.local nat-traversal=no


Edit:
Unsetting the local-address seems to be working as well.. But I don't know how to achieve that from cli (only in winbox).

Edit2:
Unsetting works for a limited period. local-address is reset to :: after a while.
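
[Added example, not part of the post above and not MikroTik code.] The post reports that tunnels fail on these release candidates when an IPsec peer has local-address=:: or a policy has sa-src-address=0.0.0.0. The Python sketch below scans a RouterOS export for those two settings before an upgrade; the peer lines are taken from the post (wrapped the way /export wraps long lines), the policy line is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Peer lines taken from the post above; the policy line is constructed.
EXPORT = """\
# sample export, assembled for this example
/ip ipsec peer
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive \\
    local-address=:: my-id=fqdn:router.home.local nat-traversal=no
add address=222.222.222.222/32 enc-algorithm=aes-128 exchange-mode=aggressive \\
    local-address=111.111.111.111 my-id=fqdn:router.home.local nat-traversal=no
/ip ipsec policy
add dst-address=10.0.2.0/24 sa-dst-address=222.222.222.222 \\
    sa-src-address=0.0.0.0 src-address=10.0.1.0/24 tunnel=yes
"""

# Menu -> property that the post reports as failing when left unspecified.
WATCHED = {"/ip ipsec peer": "local-address",
           "/ip ipsec policy": "sa-src-address"}
# key=value pairs; values are either double-quoted or run to the next space.
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def logical_lines(text):
    """Join lines wrapped with a trailing backslash (assumed /export style)."""
    buf = ""
    for line in text.splitlines():
        piece = line.lstrip()
        if piece.rstrip().endswith("\\"):
            buf += piece.rstrip()[:-1]  # drop the backslash, keep the rest
        else:
            yield (buf + piece).strip()
            buf = ""
    if buf:
        yield buf.strip()


def is_unspecified(value):
    """True for the all-zero address of either family (0.0.0.0 or ::)."""
    try:
        return ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return False  # not a bare IP address, e.g. a prefix or a name


def audit(export_text):
    """Return one finding per peer/policy whose watched address is unspecified."""
    findings, section = [], None
    for line in logical_lines(export_text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line  # menu header such as '/ip ipsec peer'
            continue
        prop = WATCHED.get(section)
        if prop is None or not line.startswith(("add ", "set ")):
            continue
        props = {k: v.strip('"') for k, v in PAIR.findall(line)}
        if prop in props and is_unspecified(props[prop]):
            findings.append({
                "section": section, "property": prop, "value": props[prop],
                "remote": props.get("address") or props.get("sa-dst-address")})
    return findings


if __name__ == "__main__":
    for f in audit(EXPORT):
        print(f"{f['section']}: {f['property']}={f['value']} "
              f"(remote {f['remote']})")
```

An entry with no local-address property at all is not flagged; the post notes that unsetting it worked only for a limited period.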
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 9:35 am

I can't get my Layer 7 filters working again on 6.38rc (on the latest version and before). Can someone check if their Layer 7 filters are still working?

I have a hEX RB750Gr3 as router.

Update: found the problem and I thought the connection state would be NEW and that was not the case....my head banged a few times on the keyboard in that time.

Update 2: I had in /ip settings "Allow Fast Path" disabled to be sure all packages went through. After enabling it again the Layer 7 stopped working.

Luckily is the RB750Gr3 fast enough to work without Fast Path and break a sweat. ;-)
Last edited by msatter on Wed Nov 23, 2016 2:10 am, edited 2 times in total.
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 12:53 pm

6.38rc29 RB750Gr3
Disable/Enable PPPoE Connection crashed my config. -> No Interfaces in Winbox/CLI

I had to Restore from the Backup
 
cgabriel
newbie
Posts: 32
Joined: Sun Mar 01, 2015 9:14 am

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 1:37 pm

I had problems with auto generated certificates with CAPsMAN and local radio.
I simply prepared a board (wAP ac) with CAPsMAN and also enabling local radio for CAPsMAN.
There are some log errors related to issued certificate, which remains unsigned (?). It works shortly on the current session, but after a router restart the client is rejected.
Reverted to 6.37.1 and it works as expected; there is still a certificate error (failed to import CAP CA), I interpret this as normal because the generated certificate is already there...

Gabriel
 
noyo
Member Candidate
Posts: 116
Joined: Sat Jan 28, 2012 12:25 am
Location: Mazury - Poland

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:10 pm

What's new in 6.37.2 ? Changelog is empty.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:13 pm

What's new in 6.37.2 ? Changelog is empty.
From download page:

What's new in 6.37.2 (2016-Nov-08 13:15):

Important note!!!
Dude doesn't work in this version, it will be fixed in soon to be released v6.37.3

Changes since 6.37.1:

!) ethernet - optimized packet processing on low load when irq re-balance is not necessary;
!) fastpath - let one packet per second through slow path to properly update connection timeouts;
!) queues - significantly improved hashing algorithm in dynamic simple queue setups (fixes CPU load spikes on queue removal);
*) arm - improved watchdog reliability;
*) bonding - fixed 802.3ad load balancing over routed VLANs with fastpath enabled;
*) bonding - fixed mac address selection after upgrade;
*) crs - fixed port mirroring halt after L2MTU change;
*) dhcp - do not allow to create dhcp-server on slave interface;
*) ethernet - fixed interface speed reporting for x86 in log after reboot or if "disable-running-check=yes";
*) ethernet - fixed potential loopprotect crash;
*) export - fixed "/interface ethernet switch export" on some boards;
*) export - fixed CRS switch egress-vlan-tag export;
*) fastpath - fixed kernel failure when fastpath traffic goes into loop;
*) fastpath - improved connection tracking timeout updates;
*) firewall - do not allow to increase/decrease ttl and hop-limit by 0;
*) firewall - fixed "connection-state" value disappearance in rules that were created before v6.22;
*) firewall - fixed compact export (introduced in 6.37rc14);
*) firewall - improved "time" option (ranges like 22h-10h now are acceptable);
*) hotspot - fixed nat rule dst-port by making it visible again for Walled Garden ip return rules;
*) ipsec - changed logging topic from error to debug for ph2 transform mismatch messages;
*) ipv6 - increased default max-neighbor-entries value to 8192, same as ipv4;
*) mmips - improved watchdog reliability;
*) package - show minimal supported RouterOS version under "/system resource" menu if it is specified;
*) queue - fixed rare crash on statistic gathering in "/queue tree";
*) queue - improved "time" option (ranges like 22h-10h are now usable);
*) rb2011 - fixed crash on l2mtu changes;
*) sms - fixed crash after modem has failed to start;
*) ssl - fixed potential memory leak ( when using dude for example);
*) torch - fixed aggregate statistics appearance;
*) traffic-flow - fixed dst-port reporting if connection is not maintained by connection tracking;
*) userman - fixed memory leak on user limitation calculations;
*) winbox - added led settings menu;
*) winbox - fixed missing switch menu for mmips devices;
 
noyo
Member Candidate
Posts: 116
Joined: Sat Jan 28, 2012 12:25 am
Location: Mazury - Poland

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:17 pm

What's new in 6.37.2 ? Changelog is empty.
From download page:

What's new in 6.37.2 (2016-Nov-08 13:15):

Important note!!!
Dude doesn't work in this version, it will be fixed in soon to be released v6.37.3
I saw it.
For me, it does not say anything.
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:19 pm

6.37.2 was released just to make dude buggy? :|
Please post 6.37.2 changelogs
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:25 pm

6.37.2 was released just to make dude buggy? :|
I think it was released early to fix important issues. Hopefully 6.38rc either isn't affected or will also have another release soon
 
linkwave
Trainer
Posts: 57
Joined: Fri May 25, 2007 9:13 pm
Location: Grosseto, Italy

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 7:31 pm

It seems that the new cpu architecture MMIPS is now supported, for the (future?) RB750Gr3.

The MMIPS package wasn't present with the 6.37.1 version.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Mon Nov 21, 2016 8:38 pm

It seems that the new cpu architecture MMIPS is now supported, for the (future?) RB750Gr3.

The MMIPS package wasn't present with the 6.37.1 version.
My (current) RB750Gr3 is running 6.37.1 (MMIPS).
It came with an earlier version, I am not sure exactly which but it was in the 6.36 series.
Anyway, this thread is not for discussing 6.37 versions.
 
celeritynetworks
just joined
Posts: 9
Joined: Wed Sep 09, 2015 10:23 pm

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:07 am

Email notifiers are broken (for us) in 6.38rc30 and 31. RouterOS log shows:

"Nov/21/2016 16:56:34 system,e-mail,error Error sending e-mail <Service [Probe.Name] on [Device.Name] is now [Service.Status]>: error connecting to server"

When I send a test email from within Winbox in RouterOS, it works successfully, but not from within the Dude (either via Dude client or via Dude/Notifications menu).

I even changed the notification entry to remove the variables and just have words - same error.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 1:47 pm

6.37.2 was released just to make dude buggy? :|
Please post 6.37.2 changelogs
Changes since 6.37.1:
this means, 'Changes in 6.37.2 compared to 6.37.1'
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: RE: Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:05 pm

6.37.2 was released just to make dude buggy? :|
Please post 6.37.2 changelogs
Changes since 6.37.1:
this means, 'Changes in 6.37.2 compared to 6.37.1'
So 6.37.2 is real version of 6.37.1 :D
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RE: Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:14 pm

this means, 'Changes in 6.37.2 compared to 6.37.1'
So 6.37.2 is real version of 6.37.1 :D
no, this means what I said, but not 'Changes since 6.37' or 'Changes since 6.36.4' or 'Changes since 6.38rcXX' or some other version
 
normis
MikroTik Support
Posts: 26373
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:14 pm

No!

6.37.1 and 6.37.2 have separate changelogs. Please read carefully.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 2:24 pm

Hello i think maybe is better talk about 6.37.1/6.37.2 on the 6.37.x Topic
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 3:28 pm

Version 6.38rc34 has been released.

Changes since 6.38rc31:
!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes" (cli only);
!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
!) ipsec - added support unique policy generation (cli only);
!) tr069-client - initial implementation (as separate package);
*) bonding - added "forced-mac-address" option;
*) certificates - added support for PKCS#12 export;
*) chr - fixed crash on "/interface print" (introduced in 6.36.4);
*) chr - fixed crash on "/system shutdown" and "/system shutdown";
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - new faster "connection-limit" option implementation;
*) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
*) smb - fixed crash on connect (introduced in 6.38rc1);
*) tile - fixed rare kernel failure when IPv6 neighbor discovery packet is received;
*) traceroute - fixed crash when too many sessions are active;
*) winbox - recognize properly tcp in traffic-generator packet-template header type;
*) winbox - show HT MCS tab if 2GHz-G/N band is used;
*) wireless - added CRL checking for eap-tls;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
MartijnVdS
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 4:52 pm

*) certificates - added support for PKCS#12 export;
This will make deployment so much easier! Thanks :)
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 7:26 pm

Version 6.38rc34 has been released.

Changes since 6.38rc31:
*) chr - fixed crash on "/interface print" (introduced in 6.36.4);
*) chr - fixed crash on "/system shutdown" and "/system shutdown";
I think this may have solved my issues with my CHR in Hyper-V. :-)
I can boot a fresh copy now without issues. Will try to upgrade my CHR asap to verify.
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: v6.38rc [release candidate] is released

Tue Nov 22, 2016 8:29 pm

Version 6.38rc34 has been released.

Changes since 6.38rc31:
*) chr - fixed crash on "/interface print" (introduced in 6.36.4);
*) chr - fixed crash on "/system shutdown" and "/system shutdown";
I think this may have solved my issues with my CHR in Hyper-V. :-)
I can boot a fresh copy now without issues. Will try to upgrade my CHR asap to verify.
Yep, this has solved my issues with CHR on Hyper-V (2012 R2). Upgrade went just fine from 6.36.3 and tested several reboots without any hiccup.
So good work Mikrotik :-)
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Nov 23, 2016 2:44 pm

Version 6.38rc35 has been released.

Changes since previous version:
*) disk - fixed issue when disk was renamed after reboot on devices with flash disks;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ospf - fixed route crash caused by memory corruption when there are multiple active interfaces;
*) tunnel - allow to force mtu value when actual-mtu is already the same;
*) tunnel - fixed transmit packets occasionally not going through fastpath;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
hechz
just joined
Posts: 18
Joined: Fri Jan 23, 2015 1:36 pm

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 5:01 am

Hi All,

I've just updated to rc35 and would like to report that the ipsec multi session behind a single NAT seems a bit buggy. While both sessions work for a few moments, as soon as traffic is passed, the session that connected first eventually becomes unusable. I'm new to Mikrotik reporting, so if you'd like me to collect client-side and server-side pcaps or anything, let me know.
/ppp profile
set *0 address-list="" !bridge !bridge-path-cost !bridge-port-priority \
    change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
    !insert-queue-before !local-address name=default on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address remote-ipv6-prefix-pool=none !session-timeout \
    use-compression=default use-encryption=default use-ipv6=yes use-mpls=\
    default use-upnp=default !wins-server
add address-list="" bridge=bridge-local !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes dns-server=\
    192.168.88.2,192.168.88.20 !idle-timeout !incoming-filter \
    !insert-queue-before local-address=192.168.99.1 name=\
    L2TP-IPSec-VPN-Mobile on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=\
    vpnClients !session-timeout use-compression=no use-encryption=required \
    use-ipv6=yes use-mpls=no use-upnp=yes wins-server=\
    192.168.88.20,192.168.88.5
/interface l2tp-server server
set allow-fast-path=no authentication=mschap2 default-profile=\
    L2TP-IPSec-VPN-Mobile enabled=yes keepalive-timeout=30 max-mru=1460 \
    max-mtu=1460 max-sessions=unlimited mrru=disabled use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate=1_vpn.photosphere.net_bundle.crt_0 cipher=aes256 \
    default-profile=L2TP-IPSec-VPN-Mobile enabled=yes keepalive-timeout=60 \
    mac-address=x:x:x:x:x:x max-mtu=1500 mode=ip netmask=24 port=1194 \
    require-client-certificate=no
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key comment=\
    "L2TP/IPSEC Dial-in Mobile Clients" dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    lifetime=1d local-address=:: mode-config=pdn-vpn-split nat-traversal=yes \
    passive=no policy-template-group=default proposal-check=obey \
    send-initial-contact=yes
add address=0.0.0.0/0 auth-method=pre-shared-key comment=\
    "L2TP/IPSEC Dial-in Laptop Clients" dh-group=modp1024 disabled=no \
    dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 \
    lifetime=1d local-address=:: mode-config=pdn-vpn-split nat-traversal=yes \
    passive=no policy-template-group=pdn-vpn proposal-check=obey \
    send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default level=require proposal=\
    L2TP-VPN-IPsec protocol=all src-address=0.0.0.0/0 template=yes
add disabled=no dst-address=0.0.0.0/0 group=pdn-vpn level=require proposal=\
    "L2TP/IPSEC Dial-in Laptop Clients" protocol=all src-address=0.0.0.0/0 \
    template=yes
add action=encrypt comment=MARS-PDN<->ADMS-DUB disabled=yes dst-address=\
    0.0.0.0/0 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal="L2TP/IPSEC Dial-in Laptop Clients" protocol=all sa-dst-address=\
    185.58.18.243 sa-src-address=x.x.x.x src-address=0.0.0.0/0 src-port=\
    any tunnel=yes
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 11:51 am

Version 6.38rc36 has been released.

Changes since 6.38rc35:
!) tr069-client - initial implementation (as separate package);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) file - fixed file manager crash when file transfer gets cancelled;
*) mipsbe - improved memory allocation on devices with nand when file transfer and tcp traffic processing is on progress;
*) ppp - significantly improved shutdown speed on servers with many active tunnels;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
alexspils
Member Candidate
Member Candidate
Posts: 180
Joined: Thu Jun 05, 2008 8:57 pm

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 3:01 pm

bug:
Reset TR-069 data? [y/N]:
y
/pckg/tr069-client/home/TR069-reset.sh: 3: pkill: not found
done
 
barracuda
newbie
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 10:20 pm

I have a problem with the latest 6.38rc build when I try to update a Mikrotik hAP lite (RB941-2nD). When the upgrade is finished and the router reboots, I can't connect to the router anymore.
No wireless signal and no neighbors' MAC address. The only way is netinstall. Does anyone have the same problem? I have never had this problem before.
 
Gennadiy51
newbie
Posts: 30
Joined: Fri Nov 06, 2009 4:33 pm
Location: Moldova, Chisinau

Re: v6.38rc [release candidate] is released

Thu Nov 24, 2016 10:49 pm

I have a problem with the latest 6.38rc build when I try to update a Mikrotik hAP lite (RB941-2nD). When the upgrade is finished and the router reboots, I can't connect to the router anymore.
No wireless signal and no neighbors' MAC address. The only way is netinstall. Does anyone have the same problem? I have never had this problem before.
+1 with two RouterBoards hAP lite (RB941-2nD) on v6.38rc35. On v6.38rc36 all OK.
 
pyjamasam
just joined
Posts: 21
Joined: Wed Jun 03, 2015 9:26 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 3:54 am

Attempting to upgrade a CHR install of 6.38rc31 to 6.38rc36 results in the following log entries:
licence does not permit to upgrade routeros-x86-6.38rc36
licence does not permit to upgrade dude-6.38rc36
open /dev/panics failed
I have the dude package installed as well (this is my dude test install).
This is a system running a P1 level licence as it's a test system.

Next Renewal is listed as November 25th 2016, Deadline is listed as November 18th 2016.
Limited upgrades is checked.

I just tried renewing the licence and there was no change to the next renewal date or the deadline date.

So the upgrade seems to be limited by my licence, though looking at the dates shown in the licence dialog it would seem to me that things are still ok...

Just curious for some clarification to my understanding, or if this is a bug.

chris.
 
bajodel
Long time Member
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 12:35 pm

Version 6.38rc36 has been released.
Changes since 6.38rc35:
.. [CUT]..
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
CRS125-24G-1S upgraded from 6.38rc34 (or 6.38rc35) to 6.38rc36 went into a 'dead state' (probable kernel panic, I had no possibility to check with console cable). After manually power cycling two times it came back alive correctly on 6.38rc36 and now seems to work normally. Probably this is an isolated/local issue, but maybe someone has the same problem and goes directly to netinstall; try to power cycle the device a couple of times before netinstall.

No problem noticed instead on upgrading a hEX (gr3) and a hAP lite (lab devices). Conversely, from rc34 on, the new hEX (gr3) seems to have definitely more stable ethernet interfaces. They sometimes were flapping in a strange way: link-down counters increasing without notices in the log, Gbit links flapping and going to 100M after half a dozen negotiation tries (linked to CRS125).
 
normis
MikroTik Support
MikroTik Support
Posts: 26373
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 1:28 pm

bug:
Reset TR-069 data? [y/N]:
y
/pckg/tr069-client/home/TR069-reset.sh: 3: pkill: not found
done
Fix included in next build, but in general, this command should not be used. We will remove it. It was meant to completely reset the TR069 program, if it is completely crashed. Not needed in normal use.
 
horza
just joined
Posts: 6
Joined: Sun Oct 19, 2014 3:30 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 1:55 pm

After upgrading to rc36 from the previous rc, my RB2011UAS-2HnD went to 100% CPU usage. It used to be under 15%.
It doesn't crash, just runs at 100%. Routing is noticeably slow, so it's not a CPU usage reading error, but a real 100% usage.

I haven't seen this problem with any of the previous RCs (I upgrade this router as soon as there's an RC update).
I'm not seeing any problems on x86_64, so I'm guessing it might be related to the latest memory allocation update for mipsbe :)

Here's a screenshot: https://dl.horza.org/routeros/routeros- ... -usage.png


Update: I've rebooted it and it's fine now. Will keep monitoring.
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 2:51 pm

Version 6.38rc37 has been released.

Changes since 6.38rc36:
!) tr069-client - initial implementation (as separate package);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) firewall - fixed filter rule "limit" parameter by making it visible again;
*) hAP lite - fixed bootup (broken in v6.38rc35);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 3:51 pm

After upgrading to rc36 from the previous rc, my RB2011UAS-2HnD went to 100% CPU usage.
Please report to support; I've had a similar issue with RB2011 which could not be reproduced.

In my case the router spiked to 100% cpu after upgrade from 6.38rc25 to 6.38rc31 with a certificate bundle present.

Ticket#2016110822001251
 
BorislavTP
just joined
Posts: 3
Joined: Fri Nov 25, 2016 3:52 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 4:06 pm

Hello,
I have installed this version as I already want to connect Vodafone K4201-Z LTE USB Modem in RB2011UAS-IN router.
I have tried to configure it, but without any success.
Could someone help me?
Thank you in advance.
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 4:26 pm

IPsec IKEv2 is not working in the latest RCs.
In version 6.38rc31 it was working fine. After updating to 6.38rc35, IPsec cannot establish the tunnel. Updating to 6.38rc37 gives the same problem.

This is a test environment.

R1:
Logs:
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug 268 bytes message received from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ike2 request exchange: SA_INIT id: 0
Nov/25/2016 14:08:39 ipsec,debug ike2 respond
Nov/25/2016 14:08:39 ipsec,debug payload seen: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug payload seen: NONCE
Nov/25/2016 14:08:39 ipsec,debug payload seen: KE
Nov/25/2016 14:08:39 ipsec,debug payload seen: SA
Nov/25/2016 14:08:39 ipsec,debug processing payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug processing payload: SA
Nov/25/2016 14:08:39 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug matched proposal:
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug processing payload: KE
Nov/25/2016 14:08:39 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:08:39 ipsec,debug adding payload: SA
Nov/25/2016 14:08:39 ipsec,debug => (size 0x30)
Nov/25/2016 14:08:39 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
Nov/25/2016 14:08:39 ipsec,debug 03000008 03000003 00000008 04000002
Nov/25/2016 14:08:39 ipsec,debug adding payload: KE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x88)
Nov/25/2016 14:08:39 ipsec,debug adding payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x1c)
Nov/25/2016 14:08:39 ipsec,debug 0000001c 8b24f42f aada2a63 b1d521de 55c5e635 450f145c 1e79b6cc
Nov/25/2016 14:08:39 ipsec,debug adding payload: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug => (size 0x8)
Nov/25/2016 14:08:39 ipsec,debug 00000008 00004000
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug sending 248 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet src4 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet 1 times of 248 bytes message will be sent to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug e4140415 f6c44305 b00e772f 2466e965 bd5a5c9f f88cc90f a8e2e020 f978fffb
Nov/25/2016 14:08:39 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 42bcaf55 017ee579 f0cf1406 ae2804f2 2053defe 36bac9b5 8c047b64 8c8b26c1
Nov/25/2016 14:08:39 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 5b6ba7eb 373defbd 5833af59 d361276d 0540c19f 32e71f1c b9e26b21 435e2a06
Nov/25/2016 14:08:39 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug a094c725 7da338e8 ce4c92fd e9121181 8545e8fd 5a669f98 cd3d06ac 5fad4592
Nov/25/2016 14:08:39 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 3394c436 817ff745 0222fd60 ef8fe617 afb60465 56be2644 237d496e c63274ff
Nov/25/2016 14:08:39 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 22038ce2 fe68beaa db466833 42d47dd7 79cf05ea e761d595 f5f8b33b 57790d5f
Nov/25/2016 14:08:39 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 495a755b 48b30049 bf76c375 b1e01717 69f17677 1f995bf9 4ab7ab04 e89fe417
Nov/25/2016 14:08:39 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 83695fe0 bf978030 63483518 38c7b456 1546dfbc 17f56c56 c31ba125 2035315f
Nov/25/2016 14:08:39 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug new ph1 responder connection established
Nov/25/2016 14:08:39 ipsec,info new ike2 responder connection: 10.0.0.1[4500]<->10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug child negitiation timeout in state 0
Nov/25/2016 14:09:09 ipsec,info killing connection: 10.0.0.1[4500]<->10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug 260 bytes message received from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 request exchange: SA_INIT id: 0
Nov/25/2016 14:09:09 ipsec,debug ike2 respond
Nov/25/2016 14:09:09 ipsec,debug payload seen: NONCE
Nov/25/2016 14:09:09 ipsec,debug payload seen: KE
Nov/25/2016 14:09:09 ipsec,debug payload seen: SA
Nov/25/2016 14:09:09 ipsec,debug processing payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug processing payload: SA
Nov/25/2016 14:09:09 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug matched proposal:
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug processing payload: KE
Nov/25/2016 14:09:09 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:09:09 ipsec,debug adding payload: SA
Nov/25/2016 14:09:09 ipsec,debug => (size 0x30)
Nov/25/2016 14:09:09 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
Nov/25/2016 14:09:09 ipsec,debug 03000008 03000003 00000008 04000002
Nov/25/2016 14:09:09 ipsec,debug adding payload: KE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x88)
Nov/25/2016 14:09:09 ipsec,debug adding payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x1c)
Nov/25/2016 14:09:09 ipsec,debug 0000001c 649ccbf5 fc6dedcb ab685964 6981c266 640942fa 1e48d13a
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug sending 240 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet src4 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet 1 times of 240 bytes message will be sent to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 6fa0aa32 750b1ef1 8eb224c6 dd61cf88 6d387e37 3156c620 0a747f71 87ff6603
Nov/25/2016 14:09:09 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug d7d2ed58 f4df921d 752a7a7a 843c19ee c3f739bd 13f4b887 d4efc8fd 2be5fb07
Nov/25/2016 14:09:09 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug b14d5740 de4f8e9d 3ca9e169 e11f01a7 6ed882a3 58c2aede 50edf2de 3d9cefcf
Nov/25/2016 14:09:09 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 089c8f67 f8f6355a 82e3307b c0f71b52 c5af09fd 4ec0f978 4cfd8b83 aed91574
Nov/25/2016 14:09:09 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 5830aa26 cd8feaec c13e1e82 db08986e c74f66fa d9028500 9e6b7e09 96913fa7
Nov/25/2016 14:09:09 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 908529fd 65bd352b 27077fba 1ff189a5 420f46cf 22e65764 ab1454ec c39c215d
Nov/25/2016 14:09:09 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 4a8407ff f9d596ae d280d852 f640c3fe e5dd4dda 09113595 fe702fa7 b98f1b4f
Nov/25/2016 14:09:09 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 108fd66f cce6c2f8 f1219c9a c1da7f0e 3fe9cba0 b8002026 42cbdd90 41ab0b61
Nov/25/2016 14:09:09 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:09:09 ipsec,debug none payloads found!
Nov/25/2016 14:09:09 ipsec,debug new ph1 responder connection established
Nov/25/2016 14:09:09 ipsec,info new ike2 responder connection: 10.0.0.1[4500]<->10.1.0.1[500]
Nov/25/2016 14:09:29 ipsec,info killing connection: 10.0.0.1[4500]<->10.1.0.1[500]
IPsec export:
# nov/25/2016 14:22:17 by RouterOS 6.38rc37
# software id = 
#
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=VPN pfs-group=none
/ip ipsec peer
add address=10.1.0.1/32 disabled=yes dpd-interval=disable-dpd enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha256 \
    nat-traversal=no passive=yes secret=TEST
/ip ipsec policy
add dst-address=192.168.170.0/24 proposal=VPN sa-dst-address=10.1.0.1 sa-src-address=10.0.0.1 src-address=192.168.160.0/24 tunnel=yes
R2:
Logs:
Nov/25/2016 14:08:39 ipsec,debug ike2 initialize send for: 10.0.0.1
Nov/25/2016 14:08:39 ipsec,debug adding payload: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug => (size 0x8)
Nov/25/2016 14:08:39 ipsec,debug 00000008 00004000
Nov/25/2016 14:08:39 ipsec,debug adding payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x1c)
Nov/25/2016 14:08:39 ipsec,debug 0000001c 2f303127 c4ca221f 0a3f66de 303a3904 ce77e2d8 14c1b8e9
Nov/25/2016 14:08:39 ipsec,debug adding payload: KE
Nov/25/2016 14:08:39 ipsec,debug => (size 0x88)
Nov/25/2016 14:08:39 ipsec,debug adding payload: SA
Nov/25/2016 14:08:39 ipsec,debug => (size 0x44)
Nov/25/2016 14:08:39 ipsec,debug 00000044 00000040 01010006 0300000c 0100000c 800e0100 0300000c 0100000c
Nov/25/2016 14:08:39 ipsec,debug 800e0080 03000008 01000003 03000008 02000005 03000008 03000003 00000008
Nov/25/2016 14:08:39 ipsec,debug 04000002
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug sending 268 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet sockname 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet from 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet send packet to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet src4 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet dst4 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug,packet 1 times of 268 bytes message will be sent to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ==========
Nov/25/2016 14:08:39 ipsec,debug 248 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/25/2016 14:08:39 ipsec,debug ike2 initialize recv
Nov/25/2016 14:08:39 ipsec,debug payload seen: SA
Nov/25/2016 14:08:39 ipsec,debug payload seen: KE
Nov/25/2016 14:08:39 ipsec,debug payload seen: NONCE
Nov/25/2016 14:08:39 ipsec,debug payload seen: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug processing payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug processing payload: SA
Nov/25/2016 14:08:39 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug matched proposal:
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   dh: modp1024
Nov/25/2016 14:08:39 ipsec,debug processing payload: KE
Nov/25/2016 14:08:39 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:08:39 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug e4140415 f6c44305 b00e772f 2466e965 bd5a5c9f f88cc90f a8e2e020 f978fffb
Nov/25/2016 14:08:39 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 42bcaf55 017ee579 f0cf1406 ae2804f2 2053defe 36bac9b5 8c047b64 8c8b26c1
Nov/25/2016 14:08:39 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 5b6ba7eb 373defbd 5833af59 d361276d 0540c19f 32e71f1c b9e26b21 435e2a06
Nov/25/2016 14:08:39 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug a094c725 7da338e8 ce4c92fd e9121181 8545e8fd 5a669f98 cd3d06ac 5fad4592
Nov/25/2016 14:08:39 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 3394c436 817ff745 0222fd60 ef8fe617 afb60465 56be2644 237d496e c63274ff
Nov/25/2016 14:08:39 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 22038ce2 fe68beaa db466833 42d47dd7 79cf05ea e761d595 f5f8b33b 57790d5f
Nov/25/2016 14:08:39 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 495a755b 48b30049 bf76c375 b1e01717 69f17677 1f995bf9 4ab7ab04 e89fe417
Nov/25/2016 14:08:39 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 83695fe0 bf978030 63483518 38c7b456 1546dfbc 17f56c56 c31ba125 2035315f
Nov/25/2016 14:08:39 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:08:39 ipsec,debug new ph1 initiator connection established
Nov/25/2016 14:08:39 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug init child for policy: 192.168.170.0/24/24:0 <=> 192.168.160.0/24/24:0 ipproto:255
Nov/25/2016 14:08:39 ipsec,debug GETSPI sent: 10.0.0.1->10.1.0.1
Nov/25/2016 14:08:39 ipsec,debug ikev2 got spi 0xb7705da
Nov/25/2016 14:08:39 ipsec,debug init child continue
Nov/25/2016 14:08:39 ipsec,debug offering proto: 3
Nov/25/2016 14:08:39 ipsec,debug  proposal #1
Nov/25/2016 14:08:39 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:08:39 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:08:39 ipsec,debug   auth: sha512
Nov/25/2016 14:08:39 ipsec,debug   auth: sha256
Nov/25/2016 14:08:39 ipsec,debug   auth: sha1
Nov/25/2016 14:08:39 ipsec,debug   auth: md5
Nov/25/2016 14:08:39 ipsec,debug   esn: off
Nov/25/2016 14:08:39 ipsec,debug initiator selector: 192.168.170.0/24/24 ipproto:0
Nov/25/2016 14:08:39 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:08:39 ipsec,debug responder selector: 192.168.160.0/24/24 ipproto:0
Nov/25/2016 14:08:39 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:08:39 ipsec,debug my ID (ADDR): 10.1.0.1
Nov/25/2016 14:08:39 ipsec,debug processing payload: NONCE
Nov/25/2016 14:08:39 ipsec,debug => auth nonce (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 8b24f42f aada2a63 b1d521de 55c5e635 450f145c 1e79b6cc
Nov/25/2016 14:08:39 ipsec,debug => SK_p (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 495a755b 48b30049 bf76c375 b1e01717 69f17677 1f995bf9 4ab7ab04 e89fe417
Nov/25/2016 14:08:39 ipsec,debug => idhash (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 210cb837 b8674af3 9816ad00 6507ff08 52ed8dac 178c368a 5ec94589 a8fcc964
Nov/25/2016 14:08:39 ipsec,debug => my auth (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 6b080158 8bbdd7ce 600b89dc 2bc0a967 a8bb4183 16d4c066 9bd42eb3 54a29d5b
Nov/25/2016 14:08:39 ipsec,debug adding payload: ID_I
Nov/25/2016 14:08:39 ipsec,debug => (size 0xc)
Nov/25/2016 14:08:39 ipsec,debug 0000000c 01000000 0a010001
Nov/25/2016 14:08:39 ipsec,debug adding payload: AUTH
Nov/25/2016 14:08:39 ipsec,debug => (size 0x28)
Nov/25/2016 14:08:39 ipsec,debug 00000028 02000000 6b080158 8bbdd7ce 600b89dc 2bc0a967 a8bb4183 16d4c066
Nov/25/2016 14:08:39 ipsec,debug 9bd42eb3 54a29d5b
Nov/25/2016 14:08:39 ipsec,debug adding payload: SA
Nov/25/2016 14:08:39 ipsec,debug => (size 0x58)
Nov/25/2016 14:08:39 ipsec,debug 00000058 00000054 01030408 0b7705da 0300000c 0100000c 800e0100 0300000c
Nov/25/2016 14:08:39 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000004 03000008 03000003
Nov/25/2016 14:08:39 ipsec,debug 03000008 03000002 03000008 03000001 00000008 05000000
Nov/25/2016 14:08:39 ipsec,debug adding payload: TS_I
Nov/25/2016 14:08:39 ipsec,debug => (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:08:39 ipsec,debug adding payload: TS_R
Nov/25/2016 14:08:39 ipsec,debug => (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:08:39 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/25/2016 14:08:39 ipsec,debug adding payload: ENC
Nov/25/2016 14:08:39 ipsec,debug => (first 0x100 of 0x154)
Nov/25/2016 14:08:39 ipsec,debug unknown socket
Nov/25/2016 14:08:44 ipsec,debug retransmit
Nov/25/2016 14:08:44 ipsec,debug unknown socket
Nov/25/2016 14:08:49 ipsec,debug retransmit
Nov/25/2016 14:08:49 ipsec,debug unknown socket
Nov/25/2016 14:08:54 ipsec,debug retransmit
Nov/25/2016 14:08:54 ipsec,debug unknown socket
Nov/25/2016 14:08:59 ipsec,debug retransmit
Nov/25/2016 14:08:59 ipsec,debug unknown socket
Nov/25/2016 14:09:04 ipsec,debug retransmit
Nov/25/2016 14:09:04 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 initialize send for: 10.0.0.1
Nov/25/2016 14:09:09 ipsec,debug adding payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x1c)
Nov/25/2016 14:09:09 ipsec,debug 0000001c e9fcdb31 8ef511b8 4e5cf796 a155c900 8f4bbc9d 0e584fde
Nov/25/2016 14:09:09 ipsec,debug adding payload: KE
Nov/25/2016 14:09:09 ipsec,debug => (size 0x88)
Nov/25/2016 14:09:09 ipsec,debug adding payload: SA
Nov/25/2016 14:09:09 ipsec,debug => (size 0x44)
Nov/25/2016 14:09:09 ipsec,debug 00000044 00000040 01010006 0300000c 0100000c 800e0100 0300000c 0100000c
Nov/25/2016 14:09:09 ipsec,debug 800e0080 03000008 01000003 03000008 02000005 03000008 03000003 00000008
Nov/25/2016 14:09:09 ipsec,debug 04000002
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug sending 260 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet sockname 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet from 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet send packet to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet src4 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet dst4 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug,packet 1 times of 260 bytes message will be sent to 10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ==========
Nov/25/2016 14:09:09 ipsec,debug 240 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/25/2016 14:09:09 ipsec,debug ike2 initialize recv
Nov/25/2016 14:09:09 ipsec,debug payload seen: SA
Nov/25/2016 14:09:09 ipsec,debug payload seen: KE
Nov/25/2016 14:09:09 ipsec,debug payload seen: NONCE
Nov/25/2016 14:09:09 ipsec,debug processing payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug processing payload: SA
Nov/25/2016 14:09:09 ipsec,debug IKE Protocol: IKE
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug matched proposal:
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   prf: hmac-sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   dh: modp1024
Nov/25/2016 14:09:09 ipsec,debug processing payload: KE
Nov/25/2016 14:09:09 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:09:09 ipsec,debug => skeyseed (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 6fa0aa32 750b1ef1 8eb224c6 dd61cf88 6d387e37 3156c620 0a747f71 87ff6603
Nov/25/2016 14:09:09 ipsec,debug => keymat (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug d7d2ed58 f4df921d 752a7a7a 843c19ee c3f739bd 13f4b887 d4efc8fd 2be5fb07
Nov/25/2016 14:09:09 ipsec,debug => SK_ai (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug b14d5740 de4f8e9d 3ca9e169 e11f01a7 6ed882a3 58c2aede 50edf2de 3d9cefcf
Nov/25/2016 14:09:09 ipsec,debug => SK_ar (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 089c8f67 f8f6355a 82e3307b c0f71b52 c5af09fd 4ec0f978 4cfd8b83 aed91574
Nov/25/2016 14:09:09 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 5830aa26 cd8feaec c13e1e82 db08986e c74f66fa d9028500 9e6b7e09 96913fa7
Nov/25/2016 14:09:09 ipsec,debug => SK_er (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 908529fd 65bd352b 27077fba 1ff189a5 420f46cf 22e65764 ab1454ec c39c215d
Nov/25/2016 14:09:09 ipsec,debug => SK_pi (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 4a8407ff f9d596ae d280d852 f640c3fe e5dd4dda 09113595 fe702fa7 b98f1b4f
Nov/25/2016 14:09:09 ipsec,debug => SK_pr (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 108fd66f cce6c2f8 f1219c9a c1da7f0e 3fe9cba0 b8002026 42cbdd90 41ab0b61
Nov/25/2016 14:09:09 ipsec,debug processing payloads: NOTIFY
Nov/25/2016 14:09:09 ipsec,debug none payloads found!
Nov/25/2016 14:09:09 ipsec,debug new ph1 initiator connection established
Nov/25/2016 14:09:09 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:09:09 ipsec,debug init child for policy: 192.168.170.0/24/24:0 <=> 192.168.160.0/24/24:0 ipproto:255
Nov/25/2016 14:09:09 ipsec,debug GETSPI sent: 10.0.0.1->10.1.0.1
Nov/25/2016 14:09:09 ipsec,debug ikev2 got spi 0x1bdbd32
Nov/25/2016 14:09:09 ipsec,debug init child continue
Nov/25/2016 14:09:09 ipsec,debug offering proto: 3
Nov/25/2016 14:09:09 ipsec,debug  proposal #1
Nov/25/2016 14:09:09 ipsec,debug   enc: aes256-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: aes128-cbc
Nov/25/2016 14:09:09 ipsec,debug   enc: 3des-cbc
Nov/25/2016 14:09:09 ipsec,debug   auth: sha512
Nov/25/2016 14:09:09 ipsec,debug   auth: sha256
Nov/25/2016 14:09:09 ipsec,debug   auth: sha1
Nov/25/2016 14:09:09 ipsec,debug   auth: md5
Nov/25/2016 14:09:09 ipsec,debug   esn: off
Nov/25/2016 14:09:09 ipsec,debug initiator selector: 192.168.170.0/24/24 ipproto:0
Nov/25/2016 14:09:09 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:09:09 ipsec,debug responder selector: 192.168.160.0/24/24 ipproto:0
Nov/25/2016 14:09:09 ipsec,debug => selector created (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:09:09 ipsec,debug my ID (ADDR): 10.1.0.1
Nov/25/2016 14:09:09 ipsec,debug processing payload: NONCE
Nov/25/2016 14:09:09 ipsec,debug => auth nonce (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 649ccbf5 fc6dedcb ab685964 6981c266 640942fa 1e48d13a
Nov/25/2016 14:09:09 ipsec,debug => SK_p (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug 4a8407ff f9d596ae d280d852 f640c3fe e5dd4dda 09113595 fe702fa7 b98f1b4f
Nov/25/2016 14:09:09 ipsec,debug => idhash (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug cbb46cdb 333a3830 8a1918a0 eebe09c0 51d9a97c 84486288 85088b75 5284b9c3
Nov/25/2016 14:09:09 ipsec,debug => my auth (size 0x20)
Nov/25/2016 14:09:09 ipsec,debug d8ba1466 584647a5 e4167ec2 8015b2e7 5a3ee807 2121d4d7 e1deb6f7 83676146
Nov/25/2016 14:09:09 ipsec,debug adding payload: ID_I
Nov/25/2016 14:09:09 ipsec,debug => (size 0xc)
Nov/25/2016 14:09:09 ipsec,debug 0000000c 01000000 0a010001
Nov/25/2016 14:09:09 ipsec,debug adding payload: AUTH
Nov/25/2016 14:09:09 ipsec,debug => (size 0x28)
Nov/25/2016 14:09:09 ipsec,debug 00000028 02000000 d8ba1466 584647a5 e4167ec2 8015b2e7 5a3ee807 2121d4d7
Nov/25/2016 14:09:09 ipsec,debug e1deb6f7 83676146
Nov/25/2016 14:09:09 ipsec,debug adding payload: SA
Nov/25/2016 14:09:09 ipsec,debug => (size 0x58)
Nov/25/2016 14:09:09 ipsec,debug 00000058 00000054 01030408 01bdbd32 0300000c 0100000c 800e0100 0300000c
Nov/25/2016 14:09:09 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000004 03000008 03000003
Nov/25/2016 14:09:09 ipsec,debug 03000008 03000002 03000008 03000001 00000008 05000000
Nov/25/2016 14:09:09 ipsec,debug adding payload: TS_I
Nov/25/2016 14:09:09 ipsec,debug => (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:09:09 ipsec,debug adding payload: TS_R
Nov/25/2016 14:09:09 ipsec,debug => (size 0x18)
Nov/25/2016 14:09:09 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8a000 c0a8a0ff
Nov/25/2016 14:09:09 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/25/2016 14:09:09 ipsec,debug adding payload: ENC
Nov/25/2016 14:09:09 ipsec,debug => (first 0x100 of 0x134)
Nov/25/2016 14:09:09 ipsec,debug unknown socket
Nov/25/2016 14:09:14 ipsec,debug retransmit
Nov/25/2016 14:09:14 ipsec,debug unknown socket
Nov/25/2016 14:09:19 ipsec,debug retransmit
Nov/25/2016 14:09:19 ipsec,debug unknown socket
Nov/25/2016 14:09:24 ipsec,debug retransmit
Nov/25/2016 14:09:24 ipsec,debug unknown socket
Nov/25/2016 14:09:26 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
IPsec export:
# nov/25/2016 14:23:12 by RouterOS 6.38rc37
# software id = 
#
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=VPN pfs-group=none
/ip ipsec peer
add address=10.0.0.1/32 disabled=yes dpd-interval=disable-dpd enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=
    nat-traversal=no secret=TEST
/ip ipsec policy
add dst-address=192.168.160.0/24 proposal=VPN sa-dst-address=10.0.0.1 sa-src-address=10.1.0.1 src-address=192.168.170.0/24 tunnel=y
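
Added example (not part of the original post and not MikroTik code): a Python helper for logs in the format shown above. It redacts the hex dumps that carry IKEv2 key material, plus "secret=" values in an export, before a log is shared, and it summarizes each IKEv2 attempt (port used for SA_INIT, port shown for the established connection, "unknown socket" and retransmit counts, kill time). The sample input is constructed, and the list of dump labels treated as sensitive is an assumption based on the labels visible in this log.

```python
import re

# RouterOS log line: "<Mon/DD/YYYY HH:MM:SS> <topics> <message>"
LINE_RE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) ?(.*)$")
# Dump labels whose following hex rows are treated as sensitive (assumption).
SECRET_HDR = re.compile(
    r"^(=> (shared secret|skeyseed|keymat|SK_\w+|idhash|my auth|"
    r"outgoing plain packet)\b|adding payload: AUTH$)")
HEX_ROW = re.compile(r"^[0-9a-f]{8}( [0-9a-f]{8})*$")
CONFIG_SECRET = re.compile(r"\b((?:ipsec-)?secret)=\S+")
CONN_RE = re.compile(r"^new ike2 \w+ connection: \S+\[(\d+)\]<->(\S+)\[(\d+)\]")
SEND_RE = re.compile(r"^sending \d+ bytes from \S+\[(\d+)\] to ")

# Constructed sample in the same format as the log in this post (hex is fake).
SAMPLE = """\
Nov/25/2016 14:08:39 ipsec,debug sending 268 bytes from 10.1.0.1[500] to 10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug => shared secret (size 0x80)
Nov/25/2016 14:08:39 ipsec,debug 00112233 44556677 8899aabb ccddeeff
Nov/25/2016 14:08:39 ipsec,debug 00112233 44556677
Nov/25/2016 14:08:39 ipsec,debug => SK_ei (size 0x20)
Nov/25/2016 14:08:39 ipsec,debug 0badc0de 0badc0de
Nov/25/2016 14:08:39 ipsec,info new ike2 initiator connection: 10.1.0.1[4500]<->10.0.0.1[500]
Nov/25/2016 14:08:39 ipsec,debug adding payload: TS_I
Nov/25/2016 14:08:39 ipsec,debug => (size 0x18)
Nov/25/2016 14:08:39 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8aa00 c0a8aaff
Nov/25/2016 14:08:39 ipsec,debug unknown socket
Nov/25/2016 14:08:44 ipsec,debug retransmit
Nov/25/2016 14:08:44 ipsec,debug unknown socket
Nov/25/2016 14:09:04 ipsec,info killing connection: 10.1.0.1[4500]<->10.0.0.1[500]
/ip ipsec peer
add address=10.0.0.1/32 exchange-mode=ike2 nat-traversal=no secret=TEST
"""


def split(line):
    """Return (timestamp, topics, message), or None for a non-log line."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def redact(lines):
    """Replace key-material hex rows and config secrets with a placeholder."""
    out, in_secret = [], False
    for line in lines:
        parsed = split(line)
        if parsed is None:  # export/config text, not a log line
            in_secret = False
            out.append(CONFIG_SECRET.sub(r"\1=[redacted]", line))
            continue
        ts, topics, msg = parsed
        if SECRET_HDR.match(msg):
            in_secret = True
        elif in_secret and HEX_ROW.match(msg):
            line = f"{ts} {topics} [redacted]"
        elif in_secret and (msg == "" or msg.startswith("=> (")):
            pass  # size line or empty row inside the same dump
        else:
            in_secret = False
        out.append(line)
    return out


def summarize(lines):
    """One dict per established IKEv2 connection seen in the log."""
    attempts, last_send_port, cur = [], None, None
    for line in lines:
        parsed = split(line)
        if parsed is None:
            continue
        ts, _, msg = parsed
        if (m := SEND_RE.match(msg)):
            last_send_port = int(m.group(1))
        elif (m := CONN_RE.match(msg)):
            cur = {"established": ts, "peer": m.group(2),
                   "init_port": last_send_port, "sa_port": int(m.group(1)),
                   "unknown_socket": 0, "retransmits": 0, "killed": None}
            attempts.append(cur)
        elif cur and msg == "unknown socket":
            cur["unknown_socket"] += 1
        elif cur and msg == "retransmit":
            cur["retransmits"] += 1
        elif cur and msg.startswith("killing connection:"):
            cur["killed"] = ts
            cur = None
    return attempts


def is_stalled(attempt):
    """Connection came up, only hit 'unknown socket', then was killed."""
    return attempt["killed"] is not None and attempt["unknown_socket"] > 0


if __name__ == "__main__":
    print("\n".join(redact(SAMPLE.splitlines())))
    for a in summarize(SAMPLE.splitlines()):
        print(a, "STALLED" if is_stalled(a) else "ok")
```
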
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 7:37 pm

For folks having trouble with IPsec in latest RCs, change your peer generate policy from port-strict to port-override. Support says they are working on a fix for this, but that was enough to get it working for me.
 
huntermic
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 7:47 pm

For folks having trouble with IPsec in latest RCs, change your peer generate policy from port-strict to port-override. Support says they are working on a fix for this, but that was enough to get it working for me.

Thanks, this works for me!
 
barracuda
newbie
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: v6.38rc [release candidate] is released

Fri Nov 25, 2016 8:24 pm

I have a problem with latest 6.38rc build when I try to update Mikrotik hAP lite (RB941-2nD). When the upgrade is finished and the router reboots I can't connect to the router anymore.
No wireless signal and no neighbors mac address. The only way is netinstall. Does anyone have the same problem, because I never had this problem before?
Today I upgraded to Version 6.38rc37 and the problem is gone.. :)

Thank you for fixing the bootup bug!
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Sat Nov 26, 2016 5:13 pm

hEX RB750Gr3 got in a bootloop after upgrade from 6.37.2 to 6.38rc37 via system package update install. Netinstall to 6.38rc37 fixed it.
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: v6.38rc [release candidate] is released

Sun Nov 27, 2016 8:09 am

At the risk of straying off-topic…
We are having a lot of problems here with Mikrotik Queues X Windows 10 Updates. When a customer has one PC downloading Windows 10 updates, his queue is 100% used; most of the time it is impossible to do anything else, even open a web page.
I have fought this problem in my home network for a long time. This is Windows's fault; it opens hundreds of TCP connections to flout TCP link sharing. I solved it with the following:
add action=reject chain=forward comment="limit MS BITS" connection-bytes=0-1500 connection-limit=8,0 content=\
    "User-Agent: Microsoft BITS" dst-port=80 out-interface=ether1-gateway protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="limit Windows Update" connection-bytes=0-1500 connection-limit=8,0 content=\
    "User-Agent: Microsoft-Delivery-Optimization" dst-port=80 out-interface=ether1-gateway protocol=tcp reject-with=\
    tcp-reset
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: v6.38rc [release candidate] is released

Sun Nov 27, 2016 8:27 am

*) bridge - fixed filter Ingress Priority option (broken in v6.38rc16);
I haven't been able to get bridge filtering on Ingress Priority to work since at least 6.25 (e.g. while ingress-priority=!0 matches packets in IP firewall, it matches nothing in bridge firewall; and new-priority=from-ingress does nothing; see ticket #2016042566000016). Is this fix for a different problem than what I've described?
 
Borizo
newbie
Posts: 40
Joined: Thu Oct 28, 2010 4:38 pm

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 1:39 am

Cannot enter into settings of Virtual wireless adapter through WinBox: WinBox silently closes.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 1:52 am

Huh... Needed to shape one link and noticed that I cannot set max-limit more than 4,295G:
[admin@TestPlace] > /queue simple add max-limit=?

MaxLimit ::= UploadMaxLimit/DownloadMaxLimit
  UploadMaxLimit,DownloadMaxLimit ::= 0..4294967295    (integer number)


[admin@TestPlace] > /queue simple add max-limit=4295M/0
value of upload-max-limit out of range (0..4294967295)
[admin@TestPlace] > /queue simple add max-limit=4294M/0
[admin@TestPlace] > 
Please fix this limitation of limit :)
 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 6:55 am

Huh... Needed to shape one link and noticed that I cannot set max-limit more than 4,295G:
[admin@TestPlace] > /queue simple add max-limit=?

MaxLimit ::= UploadMaxLimit/DownloadMaxLimit
  UploadMaxLimit,DownloadMaxLimit ::= 0..4294967295    (integer number)


[admin@TestPlace] > /queue simple add max-limit=4295M/0
value of upload-max-limit out of range (0..4294967295)
[admin@TestPlace] > /queue simple add max-limit=4294M/0
[admin@TestPlace] > 
Please fix this limitation of limit :)

Has long since been an issue. I reported it a few years ago already I think :) There's quite a few places where 32 bit counters are still very much active and enforced :(
 
toto99303
just joined
Posts: 16
Joined: Thu Sep 17, 2015 11:26 pm

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 2:52 pm

v6.38rc37 and I'm still having trouble with L2TP/IPSec VPN. Policy is "port override" and I'm getting "...failed to pre-process ph2 packet." Anyone with the same issue?
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: v6.38rc [release candidate] is released

Wed Nov 30, 2016 3:41 pm

v6.38rc37 RB750Gr3
L2TP/IPSec is working with port override (I need to open the Port 1701 in Firewall) (Windows, iPhone)
IPSec from iPhone is not working, previous Version OK
IKEv2 wait for Stable Version...
One CPU Core is 100%
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 01, 2016 10:36 am

Version 6.38rc38 has been released.
Changes since previous rc:
!) tr069-client - initial implementation (as separate package);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) fastpath - fixed x86 bridge fast-path status shown as active even if it is manually disabled;
*) firewall - added sctp/dccp/udp-lite support for "src-port", "dst-port", "port" and "to-ports" firewall options;
*) lcd - improved performance, causes less cpu load;
*) rb3011 - fixed lcd and health (broken in v6.38rc35);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
hubber
just joined
Posts: 7
Joined: Wed Nov 11, 2015 12:26 am

Re: v6.38rc [release candidate] is released

Thu Dec 01, 2016 1:27 pm

Hello.
I have not worked on version 6.38.24 and 6.38.38

what am I doing wrong?

/interface bridge
add arp=proxy-arp name=bridge1
/ip ipsec policy group
add name=group1
/ip pool
add name=l2tpUSERS ranges=192.168.100.129-192.168.100.140
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.100.3 name=outsideEncryption only-one=yes remote-address=l2tpUSERS use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes ipsec-secret=***** use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=********
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.38rc [release candidate] is released

Thu Dec 01, 2016 9:42 pm

Version 6.38rc38 has been released.
Changes since previous rc:
!) tr069-client - initial implementation (as separate package);
Great, is there any info as to what has changed in the tr-069 client in this new RC? Is it just bug fixes, or are there new features? It would be nice to get a little bit more info in the changelog between rc's in regards to what changes were made.
 
alexjhart
Member Candidate
Posts: 197
Joined: Thu Jan 20, 2011 8:03 pm

Re: v6.38rc [release candidate] is released

Thu Dec 01, 2016 9:48 pm

Hello.
I have not worked on version 6.38.24 and 6.38.38

what am I doing wrong?

/interface bridge
add arp=proxy-arp name=bridge1
/ip ipsec policy group
add name=group1
/ip pool
add name=l2tpUSERS ranges=192.168.100.129-192.168.100.140
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.100.3 name=outsideEncryption only-one=yes remote-address=l2tpUSERS use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes ipsec-secret=***** use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=********
Currently, this won't work. You will need to do this:
/interface l2tp-server server set use-ipsec=no

Otherwise, your connection won't use your custom /ip ipsec peer entry with port-override, rather it will use a dynamic entry that uses port-strict. I believe Mikrotik is working to fix this per my ticket with them.
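
With `use-ipsec=no` the L2TP server no longer sets up IPsec itself, so the UDP 1701 accept rule in the posted firewall decides whether plain L2TP is admitted. The audit below is an added example, not code from this thread or from MikroTik: it checks an export for that rule and proposes one using the RouterOS firewall matcher `ipsec-policy=in,ipsec`. `SAMPLE_EXPORT` is constructed from the posted config and all function names are hypothetical.

```python
"""Audit a RouterOS export for an L2TP server reachable without IPsec."""
import shlex

L2TP_PORT = 1701
# Rule properties that do not narrow which packets the rule matches.
NEUTRAL_KEYS = {"action", "chain", "protocol", "dst-port", "ipsec-policy",
                "comment", "log", "log-prefix", "disabled"}
# Replacement rule: accept L2TP only when it was decapsulated from IPsec.
HARDENED_RULE = ("add action=accept chain=input dst-port=1701 "
                 "ipsec-policy=in,ipsec protocol=udp")

# Constructed sample: the relevant menus of the posted export, with
# use-ipsec=no applied as the reply advises (secret left out).
SAMPLE_EXPORT = """\
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes use-ipsec=no
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
"""


def parse_export(text):
    """Return (menu, verb, properties) for each command of an export.

    Handles the export layout (a menu line, then add/set lines) and
    backslash continuations; one-line '/menu set ...' commands are skipped.
    """
    entries, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], props))
    return entries


def port_matches(spec, port):
    """True if a port list such as '1701,500', '1000-2000' or '!500' covers port."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    for part in spec.split(","):
        low, _, high = part.partition("-")
        high = high or low
        if low.isdigit() and high.isdigit() and int(low) <= port <= int(high):
            return True
    return False


def covers_plain_l2tp(props):
    """Could this input-chain rule match a new, non-IPsec UDP/1701 packet?"""
    if props.get("chain") != "input" or props.get("disabled") == "yes":
        return False
    if props.get("protocol", "udp") != "udp":
        return False
    if "dst-port" in props and not port_matches(props["dst-port"], L2TP_PORT):
        return False
    if props.get("ipsec-policy", "in,none") != "in,none":
        return False
    state = props.get("connection-state")
    if state is None:
        return True
    negated, names = state.startswith("!"), state.lstrip("!").split(",")
    return ("new" in names) != negated


def audit_l2tp(text):
    """List explicit UDP/1701 accept rules that admit L2TP outside IPsec.

    'rule' is the zero-based position among the export's filter rules.
    """
    entries = parse_export(text)
    server = {}
    for menu, verb, props in entries:
        if menu == "/interface l2tp-server server" and verb == "set":
            server.update(props)
    if server.get("enabled") != "yes":
        return []
    rules = [p for m, v, p in entries if m == "/ip firewall filter" and v == "add"]
    findings = []
    for number, props in enumerate(rules):
        if not covers_plain_l2tp(props):
            continue
        action = props.get("action", "accept")
        if action in ("drop", "reject") and not set(props) - NEUTRAL_KEYS:
            break  # plain L2TP is stopped here; later rules never see it
        if action == "accept" and props.get("protocol") == "udp" and "dst-port" in props:
            findings.append({"rule": number, "dst-port": props["dst-port"],
                             "use-ipsec": server.get("use-ipsec", "(not in export)"),
                             "fix": HARDENED_RULE})
    return findings


if __name__ == "__main__":
    for f in audit_l2tp(SAMPLE_EXPORT):
        print(f"filter rule {f['rule']} accepts UDP {f['dst-port']} without IPsec "
              f"(use-ipsec={f['use-ipsec']}); move 1701 into: {f['fix']}")
```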
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Dec 02, 2016 12:07 pm

Version 6.38rc40 has been released!
Changes since previous version:
*) certificate - remove invalid CRLs after upgrade; (broken since v6.38rc32);
*) export - updated default values to clean up export compact;
*) firewall - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) ike1 - fixed natted transport mode port-strict policy generation;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - various additional work in IKEv2 support;
*) lte - added support for novatel USB620L;
*) queue - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
arnis128
just joined
Posts: 5
Joined: Mon Aug 29, 2016 1:03 pm
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Dec 02, 2016 2:27 pm

Hello!
I think something has broken the LTE connection to the LMT mobile network after the upgrade from 6.37.3 to 6.38.rc40. The last version where it worked fine was 6.38.rc24 (or 25), if I remember correctly.
Routerboard - 922UAGS-5HPacD
modem - HUAWEI Mobile, vendor = 0x12d1, device = 0x1573
Symptoms - router gets its ip address from mobile operator, as usual, but no traffic flows to any reachable public host. After downgrade back to 6.37.3 everything works well.

Support files will be sent.
Thanks, Arnis.
 
irghost
Member
Posts: 302
Joined: Sun Feb 21, 2016 1:49 pm

Re: v6.38rc [release candidate] is released

Fri Dec 02, 2016 3:48 pm

 system,error,critical failed to enable panics driver
X86 vmware
 
jondavy
Member Candidate
Posts: 143
Joined: Tue May 12, 2009 11:14 pm
Location: Brasil

Re: v6.38rc [release candidate] is released

Sat Dec 03, 2016 4:33 am

How can I see how many sectors on the nand have already been written and if there are bad blocks on the Cloud Core Router?
 
nicecloud
just joined
Posts: 6
Joined: Tue Nov 15, 2016 3:34 pm

Re: v6.38rc [release candidate] is released

Sat Dec 03, 2016 10:52 am

Version 6.38rc40 has been released!
Changes since previous version:
*) certificate - remove invalid CRLs after upgrade; (broken since v6.38rc32);
*) export - updated default values to clean up export compact;
*) firewall - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) firewall - fixed dynamic raw rule behaviour;
*) ike1 - fixed natted transport mode port-strict policy generation;
*) ipsec - fixed camellia crypto algorithm module loading;
*) ipsec - load ipv6 related modules only when ipv6 package is enabled;
*) ipsec - various additional work in IKEv2 support;
*) lte - added support for novatel USB620L;
*) queue - fixed "time" option by recognizing weekday properly (broken in 6.37.2);
*) rb750Gr3 - fixed ipsec with 3des+md5 to work on this board;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
It doesn't work against Azure since version rc29 on my RB751G-2HnD
 
maxkrok
Frequent Visitor
Posts: 57
Joined: Tue Aug 28, 2012 9:09 pm

Re: v6.38rc [release candidate] is released

Sat Dec 03, 2016 12:45 pm

Dude 6.38rc40 again adding custom files on 750gr3 MMIPS is not possible AT ALL.... Please repair...
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Sun Dec 04, 2016 3:45 pm

I have added routes for all ipsec tunnels to a bogus interface for local outgoing data to ipsec, especially for netwatch to work.

6.38rc40 seems to require explicit /ip route pref-src address to be set to correctly ping these ipsec tunnelled hosts.

Config:
/ip address
add address=192.168.88.1/24 interface=ether2-lan network=192.168.88.0
/tool netwatch
add host=10.0.0.254 interval=30s
This worked correctly before rc40:
/ip route
add comment=netwatch distance=50 dst-address=10.0.0.0/24 gateway=ether2-lan
In rc40 I need to add pref-src:
/ip route
add comment=netwatch distance=50 dst-address=10.0.0.0/24 gateway=ether2-lan \
    pref-src=192.168.88.1
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.38rc [release candidate] is released

Sun Dec 04, 2016 5:47 pm

6.38rc40 seems to require explicit /ip route pref-src address to be set to correctly ping these ipsec tunnelled hosts.
I think a better solution would be to explicitly specify a correct local-address in your IPsec peer configuration instead of (or in addition to) specifying pref-src in the route.

PS. If you read through this whole thread you will see that this behavior is constantly changing from one rc to another.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Sun Dec 04, 2016 5:55 pm

I have set specific local-address in /ip ipsec peer and specific sa-src-address in /ip ipsec policy.

This routing issue is a new issue (for me) in rc40.

(Not really an issue but more of an observation)
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Dec 05, 2016 3:28 pm

Version 6.38rc41 has been released.
Changes since previous version:
*) bridge - ignore dynamic switch ports when selecting bridge MAC address (introduced in v6.38rc7);
*) dns - added max-concurrent-queries and max-concurrent-tcp-sessions settings (CLI only);
*) firewall - fixed rule activation if "time" option is used and no other active rules are present;
*) ipsec - various additional work in IKEv2 support;
*) ppp - fixed packet size calculation when MRRU is set (was 2 bytes bigger than MTU allows);
*) ppp - significantly improved tunnel termination process on servers with many active tunnels;
*) ssh - added routing-table setting (CLI only);
*) x86 - fixed "system,error,critical failed to enable panics driver" (introduced in v6.38rc30);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
nz_monkey
Forum Guru
Posts: 2101
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Mon Dec 05, 2016 8:11 pm

*) ssh - added routing-table setting (CLI only);

Thanks for adding this!
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: v6.38rc [release candidate] is released

Mon Dec 05, 2016 10:37 pm

*) ipsec - various additional work in IKEv2 support;
I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast!

My question is whether or not it is possible to create an IKEv2 configuration on RouterOS which will support iOS road-warriors using username/password authentication. I'm guessing that is EAP and XAuth (with RADIUS), but haven't found the correct incantation of commands to get it to work. I'm left staring at ipsec debugging logs which say "EAP neeeds certificate if EAP-only is not used" and "reply notify: AUTHENTICATION_FAILED" (no RADIUS packet is emitted?). I'm also puzzled by what auth settings iOS is using in some of its proposals that the debug logs show "auth: unknown".

Any clues would be gratefully received — we've got several end users who would love to test this :-)
 
NBspeedworks
just joined
Posts: 1
Joined: Tue Dec 06, 2016 2:37 am

Re: v6.38rc [release candidate] is released

Tue Dec 06, 2016 2:40 am

Dude client error

Error 10061 Connect failed because the target machine actively refused it.

Restarted the router
Reinstalled the Dude on a Win 10 machine

Any other ideas?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Dec 06, 2016 9:18 am

Version 6.38rc43 has been released.
Changes since previous version:
*) dhcp - fixed issue when dhcp-client was still possible on interfaces with "slave" flag and using slave interface MAC address;
*) firewall - significantly improved large firewall rule set import performance;
*) time - updated time zones;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
hubber
just joined
Posts: 7
Joined: Wed Nov 11, 2015 12:26 am

Re: v6.38rc [release candidate] is released

Tue Dec 06, 2016 2:09 pm

Hello.
I have not worked on version 6.38.24 and 6.38.38

what am I doing wrong?

/interface bridge
add arp=proxy-arp name=bridge1
/ip ipsec policy group
add name=group1
/ip pool
add name=l2tpUSERS ranges=192.168.100.129-192.168.100.140
/ppp profile
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.100.3 name=outsideEncryption only-one=yes remote-address=l2tpUSERS use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=outsideEncryption enabled=yes ipsec-secret=***** use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment=estebl connection-state=established,related in-interface=ether1
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=********
Currently, this won't work. You will need to do this:
/interface l2tp-server server set use-ipsec=no

Otherwise, your connection won't use your custom /ip ipsec peer entry with port-override, rather it will use a dynamic entry that uses port-strict. I believe Mikrotik is working to fix this per my ticket with them.
/interface l2tp-server server set use-ipsec=no
I did this.
But a second client behind the same NAT doesn't connect.
error 638

in log -
ipsec-sa established: ESP/transport *.*.*.*[4500]->*.*.*.*[4500] spi=0x91d071a2
purged ISAKMP-SA *.*.*.*<=>*.*.*.* spi=*******

Does this work for anyone?
On which rc version?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Tue Dec 06, 2016 3:07 pm

L2TP/ipsec is not going to work behind the same NAT, but Ikev2 and ikev1 in tunnel mode will.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 07, 2016 11:45 am

Version 6.38rc44 has been released.
Changes since previous version:
*) crs - added comment ability in more switch menus;
*) dns - added "max-concurrent-queries" and "max-concurrent-tcp-sessions" settings;
*) ipsec - split "mode-config" "send-dns" argument;
*) ipsec - various additional work in IKEv1/IKEv2 support;
*) routerboot - show log message if router CPU/RAM is overclocked;
*) tr069-client - various additional work;
*) traceroute - fixed memory leak;
*) users - added minimal required permission set for full user group;
*) webfig - fixed preview of values bigger than 2 billion and lower than 4 billion (introduced in v6.38rc);
*) webfig - show ipv6 addresses correctly;
*) winbox - added "Complete" flag to arp table;
*) winbox - added "untracked" option to firewall "connection-state" setting;
*) winbox - added Dude icon to Dude menu;
*) winbox - allow to enable/disable traffic flow targets;
*) winbox - fixed default values for interface "loop-protect-disable-time" & "loop-protect-send-interval";
*) winbox - fixed missing "ipv6/settings" menu;
*) winbox - fixed typo in "propagate-ttl" setting;
*) winbox - make cert signing include provided ca-crl-host;
*) winbox - show proper ipv6 connection timeout;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Re: v6.38rc [release candidate] is released

Wed Dec 07, 2016 12:21 pm

*) routerboot - show log message if router CPU/RAM is overclocked;
I just updated to rc44 and the first message after router rebooted is "memory overclocked". This is on a 951G-2HnD.
[admin@MikroTik-router] > /system routerboard settings print
                   ;;; Warning: memory overclocked
           init-delay: 0s
          boot-device: nand-if-fail-then-ethernet
        cpu-frequency: 600MHz
        boot-protocol: bootp
  force-backup-booter: no
          silent-boot: no
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Wed Dec 07, 2016 2:41 pm

Just had an unexpected reboot on 6.38rc40. Timeline:

winbox with ip firewall rules and interfaces open but not active
30 seconds before crash: <sstp-user>: terminating... - terminated by remote peer
on crash (from another RB): ether2-lan link down
after crash: system,error,critical router was rebooted without proper shutdown

There is no auto supout, perhaps auto supout is stored in RAM and gone on reboot?
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 07, 2016 3:00 pm

drees - Do not worry if you have not overclocked it manually. We are still fixing these false messages.
nescafe2002 - Reboot without proper shutdown is not caused by software. It could be a power or hardware issue. In most cases kernel failure, out of memory or watchdog reboots are caused by software; power outage and reboot without proper shutdown are caused by hardware or wires, etc.
 
blingblouw
Member
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

Re: v6.38rc [release candidate] is released

Wed Dec 07, 2016 5:53 pm

Could you elaborate on the TR-069 additional work? Can we add/modify PPPoE now?
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 3:49 am

Could you elaborate on the TR-069 additional work? Can we add/modify PPPoE now?
I am wondering the same, has PPPoE support been added?
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 11:24 am

Could you elaborate on the TR-069 additional work? Can we add/modify PPPoE now?
Hopefully, work on security.
As you can see in the security news, TR-069 has become a major nightmare.

Suggestions:
- use a low TTL on responses from the TR-069 software so attackers "on the wide internet" cannot reach the TR-069 service.
- have a list of allowed source addresses for TR-069 similar to SNMP.
- quality programming that rules out any buffer overflows from the start.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 1:56 pm

Version 6.38rc45 has been released.
Changes since previous version:
*) certificates - fixed pkcs12 export crash;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) winbox - added new ipsec feature (IKEv1/IKEv2/etc.) support (introduced in v6.38rc);
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed icons in disabled state (introduced in v6.38rc44);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 2:34 pm

Version 6.38rc45 has been released.
Changes since previous version:
*) certificates - fixed pkcs12 export crash;
*) ipsec - fixed peer configuration my-id IPv4 address endianness;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) winbox - added new ipsec feature (IKEv1/IKEv2/etc.) support (introduced in v6.38rc);
*) winbox - fixed crash when legacy Winbox version was used;
*) winbox - fixed icons in disabled state (introduced in v6.38rc44);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
lol, very nice, the new tabs on peer and policy are now clearer
good work
 
rzirzi
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 5:59 pm

MikroTik RouterOS version 6.38 will be THE BEST VERSION EVER!? :)
 
23q
Frequent Visitor
Posts: 57
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 9:39 pm

not timeout
 
Nissarin
just joined
Posts: 19
Joined: Fri Feb 20, 2015 4:01 pm

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 10:15 pm

*) winbox - fixed icons in disabled state (introduced in v6.38rc44);
I see no change on my system (linux/wine), when I tried removing current winbox config/cache I noticed there were no files for rc45 and it seems winbox (re)creates "6.38rc44-763096560" instead.

On another note, I've been testing local-proxy-arp and it seems it still sends icmp redirects, it would be nice if it was disabled automatically on interface running it.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Thu Dec 08, 2016 11:51 pm

not timeout
timeout in Terminal is on the right on 'Creation time'. make the window wider or use 'print detail'
 
23q
Frequent Visitor
Posts: 57
Joined: Thu Sep 02, 2010 2:54 pm
Location: Ukraine

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 12:06 pm

not timeout
timeout in Terminal is on the right on 'Creation time'. make the window wider or use 'print detail'
ip firewall address-list print file=22222
timeout miss
 
alfonzz
just joined
Posts: 16
Joined: Wed Oct 15, 2014 12:16 pm
Location: CZ

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 12:27 pm

"winbox - fixed crash when legacy Winbox version was used"
really? from dude rc45 "tool>winbox>loaded" but if I double-click on wlan then winbox crashes - no message, nothing
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 12:31 pm

alfonzz - Is 6.38rc45 installed on router to which you connect?
 
alfonzz
just joined
Posts: 16
Joined: Wed Oct 15, 2014 12:16 pm
Location: CZ

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 12:59 pm

alfonzz - Is 6.38rc45 installed on router to which you connect?
no, there is 6.37.3 but until 6.37.2 it works... i know that i may downgrade...
 
ExibiTT
just joined
Posts: 1
Joined: Fri Dec 09, 2016 2:21 pm

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 2:49 pm

Hi!
v6.38rc10, v6.38rc45:
In the DUDE when I create a new notification with the following parameters:
Type - execute on server
Command - /interface disable vlan5
press test - OK (vlan off on mikrotik).
But if command: /tool fetch url="https://api.telegram.org/bot30(...)4/se ... xt=Service [Probe.Name] on [Device.Name] is now [Service.Status]" keep-result=no
Nothing happens and no entry appears in the log.

!!!
the command should look like this:
:execute {/tool fetch url="https://api.telegram.org/bot30(...)4/sendMessage\?chat_id=-1(...)2&text=Service [Probe.Name] on [Device.Name] is now [Service.Status]" keep-result=no}
Last edited by ExibiTT on Mon Dec 12, 2016 11:12 am, edited 2 times in total.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 4:36 pm

6.38rc46 has been released.
Changes since previous version:
*) dhcp-server - fixed when wizard was unable to create pool >dhcp_pool99;
*) ipsec - allow empty policy SA dst-address in tunnel mode;
*) ipsec - always listen to port TCP/4500 (fixes some IKEv2 setups without NAT-T);
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) vrrp - do not show unrelated log warning messages about version mismatch;
*) webfig - added extra protection against XSS exploits;
*) webfig - show properly interface last-link-up/down times;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 5:03 pm

Any chance that support for WPA2-EAP with username/password/anonymous_id can be added in station(client) mode?
It has been requested in several threads on the forum, and I think it is on the "nice to have" list, but still not present.
It is working on the access point, with password validation via RADIUS, and Ubiquiti stations can connect to it,
but now that the MikroTik LHG5 is such an attractive option for users we really miss this capability in station mode.
(we need to give all the users the common WPA2-PSK key instead of having separate user/password per user)
 
w32pamela
Member Candidate
Posts: 212
Joined: Fri Jul 12, 2013 4:22 pm

Re: v6.38rc [release candidate] is released

Fri Dec 09, 2016 8:18 pm

v6.38rc46, Groove 52Hpn factory default configuration; Scan window in webfig page cannot be used to make connection to a WPA/WPA2 AP. "Default" security profile mode remains at "none" when wifi password entered and Connect button clicked.

I'm not sure when this began but it has been the case in the last few rc versions I've tried. Winbox works fine.
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Sat Dec 10, 2016 1:13 am

I would also like to have "anti-bruteforce" features in the Wireless package (e.g. within/inside WPA2/CCM) with blocking on L1/L2 levels, e.g. like PSD does for generic traffic on L3.
And then in future, the same against brute-forcing of the winbox, webfig, telnet and API interfaces.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.38rc [release candidate] is released

Sat Dec 10, 2016 7:33 pm

ip firewall address-list print file=22222
timeout miss
confirming (seems like 'print file=' uses narrow terminal). that's why I asked you to do some other actions which definitely work (yes, I tested it first ;))
 
patrick7
Member
Posts: 343
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Sun Dec 11, 2016 7:24 pm

Please also fix "use-dns=yes" in IPv6 traceroute. Overdue for a long time now (both reverse and forward)
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Dec 12, 2016 12:10 pm

Version 6.38rc47 has been released.
Changes since previous version:
*) bridge - require admin-mac to be specified if auto-mac is disabled;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ipsec - ensure generated policy refers to valid proposal;
*) ipsec - always listen to port IPv6 UDP/4500;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) metarouter - fixed startup process (introduced in 6.37.2);
*) profiler - make profiler work on mmips devices;
*) snmp - fixed rare crash when incorrectly formatted packet was received;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Dec 12, 2016 12:23 pm

ip firewall address-list print file=22222
timeout miss
confirming (seems like 'print file=' uses narrow terminal). that's why I asked you to do some other actions which definitely work (yes, I tested it first ;))
print file=
will always be narrow. That is the limitation of the console in RouterOS. It is not going to change soon.

edit: even if you log into the console with wider login-parameters set - print to file will not get these values.
 
Drakh
just joined
Posts: 13
Joined: Wed Nov 30, 2016 9:24 pm

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 2:58 am

About metarouter on MIPSBE:
When booting a child ROS or OpenWRT, the host networking process CPU usage goes high; for example, if I do a bandwidth test to the host router (let's say 10Mb both ways) with all child VMs off CPU usage is around 0-2% (normal behaviour) whereas if I do the same bandwidth test with any VM booted ( it doesn't matter if there is a virtual network attached to the VM) the networking process CPU usage goes to 50-60% and network connectivity becomes unstable.
There is a direct relation between running a child ROS or OpenWRT and huge network degradation on the host router when there is some network traffic, I tested on hEX lite and RB2011UiAS.
Let me know if that is expected and ditch metarouter altogether. I can understand some overhead if it were traffic to the child OS because of some translation, but traffic to the host shouldn't be affected.
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 10:23 am

Version 6.38rc48 has been released.
Changes since previous version:
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) profile - added ability to monitor cpu usage per core;
*) profile - added "bfd" and "remote-access" processes;
*) profile - make profile work on mmips devices;
*) profile - properly classify "wireless" processes;
*) winbox - allow to specify interface for leds with "interface-speed" trigger;
*) winbox - do not allow to set "loop-protect-send-interval" to 0s;
*) winbox - do not show ph2-state on policy templates;
*) winbox - moved ipsec peer "exchange-mode" to General tab;
*) winbox - show all related HT tab settings in 2GHz-g/n mode;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 10:42 am

About metarouter on MIPSBE:
.
BTest causes very high load on the CPU, if you are running it on the same router you are checking the load in. Also, CPU load is not working very precisely if you have a virtual guest
 
MartijnVdS
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 11:51 am

Version 6.38rc38 has been released.
I assume this is a typo, and it's actually rc48? Or did the number go down?
 
HarBenly
newbie
Posts: 37
Joined: Wed Dec 07, 2016 1:04 pm
Location: London, United Kingdom

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 12:24 pm

Woah! LLDD support added. Thanks!
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 12:38 pm

Although I do not see it mentioned in release notes, IPv6 configuration is finally working again in WebFig!!
Hooray!
 
strods
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 12:52 pm

MartijnVdS - Yes, sorry about that. It was a typo;
pe1chl - Fixed in 6.38rc44 - http://forum.mikrotik.com/viewtopic.php ... 50#p571674
 
pe1chl
Forum Guru
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 2:29 pm

pe1chl - Fixed in 6.38rc44
Ah I overlooked that and this time updated from rc41 to rc48 - releases are coming out quick these days :-)
Thanks!
 
Nissarin
just joined
Posts: 19
Joined: Fri Feb 20, 2015 4:01 pm

Re: v6.38rc [release candidate] is released

Tue Dec 13, 2016 6:31 pm

*) profile - added ability to monitor cpu usage per core;
IMHO it would be better to change current drop down list with standard filter, at least it would make much more sense on CCRs, where I would be able to tell how specific task (like firewall) is spread among the cores.
 
expert
Frequent Visitor
Frequent Visitor
Posts: 97
Joined: Sun Dec 04, 2016 1:22 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 3:06 pm

Does it solve the following Metarouter issue? http://forum.mikrotik.com/viewtopic.php?f=15&t=115422
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 5:13 pm

expert - Yes, it should.
 
didomir
just joined
Posts: 17
Joined: Tue Dec 22, 2015 9:45 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 6:01 pm

L2TP/ipsec is not going to work behind the same NAT, but Ikev2 and ikev1 in tunnel mode will.
Is that issue related to some underlying technology (Kernel, IP stack)?
AFAIK, Cisco/Juniper/CP haven't got similar issues.

When is a fix planned?
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 6:05 pm

Since every vendor is already switching to ikev2, there is no practical benefit to invest development time for old l2tp/ipsec setups.
 
parham
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sun Feb 15, 2015 11:35 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 7:43 pm

Image
Since every vendor is already switching to ikev2, there is no practical benefit to invest development time for old l2tp/ipsec setups.
I have just managed to establish 3x l2tp over ipsec behind an IP address to my vpn server router, thanks guys

request time out was because I disconnected the vpn.
 
parham
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sun Feb 15, 2015 11:35 pm

Re: v6.38rc [release candidate] is released

Wed Dec 14, 2016 7:51 pm

This is a SpeedTest.net run over 3x device over L2TP+IPSec

CPU was increased by %24

Image
 
drees
just joined
Posts: 22
Joined: Tue Sep 20, 2016 9:39 pm

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:04 am

I had my 951G-2HnD running v6.38rc44 with two 941-2nDs running in station bridge mode.

Under moderate wireless traffic, I would occasionally get brief WiFi disconnects - the bridges would report "no beacons received".

On the AP 951G-2HnD, it would report a management protection error, but after disabling management protection the connection would still briefly disconnect.

Flashed 6.37.3 to the AP and have had no disconnects in a few days now, whereas they were occurring at least daily.

Anyone else seeing this and/or have any suggestions?
Last edited by drees on Thu Dec 15, 2016 10:19 am, edited 1 time in total.
 
notToNew
Member Candidate
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:08 am

On the AP 951G-2HnD, it would report a management protection error, but after disabling management protection the connection would still brief disconnects.
I see the same on 6.36.4, so I wonder why 6.37.3 is working... didn't test this version.
So please report if you find a solution!
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:54 am

Version 6.38rc49 has been released.
Changes since previous version:
*) bridge - show bridge port name in port monitor;
*) capsman - added "group-key-update" parameter;
*) capsman - use correct source address in reply to unicast discovery requests;
*) discovery - fixed crash on sending LLDP packet over IPv6 (introduced in 6.38rc3);
*) graphing - fixed queue graphs showing up in web interface if aggregate name size >57840 symbols;
*) ipsec - fixed IPv6 remote prefix;
*) ipsec - fixed larval SA state update;
*) ipsec - optimized logging under ipsec topic;
*) ipsec - show SA "enc-key-size";
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) trafficgen - fixed compact export when "header-stack" includes tcp;
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID by changing it to router identity;
*) wireless - use vlan ID 0 in RADIUS message to disable vlan tagging;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
notToNew
Member Candidate
Member Candidate
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 10:57 am

Version 6.38rc49 has been released.
*) wireless - fixed upgrade from older wireless packages when AP interface had empty SSID;
How? Is it now allowed again?
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 2:05 pm

notToNew - We edited changelog entry. Now it is more precise.
 
bajodel
Long time Member
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Thu Dec 15, 2016 8:44 pm

Version 6.38rc49 has been released.
..
*) capsman - added "group-key-update" parameter;
...
finally! ..great news!
 
Zorro
Long time Member
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: v6.38rc [release candidate] is released

Sat Dec 17, 2016 5:41 am

as for TR-069 - we've struggled more than 3 years with some DOCSIS and EPON and VDSL vendors with hardwired TR-69/64 and it's a NIGHTMARE !!!
it's not only partially-implemented, hardwired and extremely insecure (and to some extent cannot be shielded at all, because of implementation and failure in approach to), but totally %@!@ to use. one of vendors did show mild interest in improvements (but at say 12x-16x slower rates than NECESSARY even from "purely security viewpoint"), rest was simply not giving !@$ about, so we finally gave up and ditched it ~ALL.
separate TR-69 package may be viable palliative to those who cannot live w/o it w/o compromising rest of customers a lot.
as for L2TP traversability as generic NAT-T didn't take off (and carrier grade nat with hole punching lack some things) and Port Control Protocol didn't mature yet, perhaps (some say otherwise) not much options.
since early ROS6 versions - MT remove SSTP feats, but generally it's a good (yet with Huge latency) option for use-cases where traversability was Major priority.
personally i would like PCP support in ROS too.
https://tools.ietf.org/html/rfc6887
(not sure about NAT-T, but plenty of "legacy" projects still use it and will in future, perhaps).
 
moep
newbie
Posts: 48
Joined: Mon Jul 02, 2012 2:12 pm

Re: v6.38rc [release candidate] is released

Sat Dec 17, 2016 11:40 pm

IPsec with xAuth seems to be broken with v6.38rc49 as responder and v6.37.3 as initiator
CCR is responder and several other routerboards (RB3011, RB750Gr3, RB951G, hAPac lite, etc.) are initiators.

When I upgrade the CCR to the RC the initiators cannot log on anymore with "xauth login failed for xyz"
Furthermore, when I downgrade back to v6.37 the IPsec configuration on the initiators is "gone" and the CPU is at 100% (one core if more than one) until the IPsec process is (seems to be) forcefully terminated.

I tried to change the xauth passwords, but this did not work. I even upgraded an initiator (RB3011) to v6.38rc49, this did not work either.
After downgrading the responder to v6.37.3 and leaving the remote side at v6.38rc49 the connection worked again

It seems that the xauth user DB on responder side gets broken with the upgrade.

Off-Topic: I have another thread regarding dual WAN IPIP over IPsec single connection TCP performance. Will this get any better with v6.38?
UPDATE to Off-Topic: does not seem to get better (with RC)
UPDATE2 to Off-Topic: Speed problem seems to be related to the provider of WAN2, if I directly connect a notebook to wan2 (thus disconnecting the router) and test single stream tcp to btest server, the speed value is exactly the same
UPDATE3 to Off-Topic: the problem is not provider related. When I connect a RB1100AH to WAN2 exclusively and make a btest. I can get 25Mbit/s upstream. now I have no idea anymore

UPDATE:
there seems to be a bug in xauth password length
If I crop the password in xauth DB on responder side to max. 31 characters, the connection is okay. it is irrelevant if the password of initiator side is longer
UPDATE2:
uploaded supout.rif
Last edited by moep on Thu Dec 22, 2016 4:35 pm, edited 1 time in total.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Mon Dec 19, 2016 2:32 pm

@moep please contact support and attach supout files from rc version and supout file from downgraded router where ipsec is crashing.

Password size was limited, in next RC this limitation will be removed.
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Tue Dec 20, 2016 1:38 pm

Version 6.38rc51 has been released.
Changes since previous version:

!) switch - added hardware STP functionality for CRS devices and small Atheros switch chips (http://wiki.mikrotik.com/wiki/Manual:CR ... e_Protocol);
*) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
*) capsman - fixed CAP upgrade when separate wireless package is used (introduced in 6.37);
*) console - fixed multi argument value unset;
*) dhcp - fixed DNS server assignment to client if dynamic server exists and is from another IP family;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) hotspot - fixed nat rule port setting in hs-unauth-to chain by changing it from dst-port to src-port on Walled Garden ip return rules;
*) ipsec - do not auto-negotiate more SAs than needed;
*) ipsec - make generated policies always as unique;
*) ipsec - show active flag when policy has active SA;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) ipv6 - moved empty IPv6 pool error message to error topic;
*) radius - added IPSec service to console;
*) snmp - always report bonding speed as speed from first bonding slave;
*) wireless - fixed action frame handling for WDS nodes;
*) wireless - fixed full "spectral-history" header print on AP modes;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
MartijnVdS
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Aug 13, 2014 9:36 am

Re: v6.38rc [release candidate] is released

Tue Dec 20, 2016 3:07 pm

Version 6.38rc51 has been released.
Those RCs just keep coming and coming :)

This is going to be the biggest release ever.
 
didomir
just joined
Posts: 17
Joined: Tue Dec 22, 2015 9:45 pm

Re: v6.38rc [release candidate] is released

Tue Dec 20, 2016 4:22 pm

Version 6.38rc51 has been released.
Those RCs just keep coming and coming :)

This is going to be the biggest release ever.
I hope to be one of the best releases ... Bug free and stable Christmas gift,for all Mikrotik fans.
 
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.38rc [release candidate] is released

Tue Dec 20, 2016 6:28 pm

Version 6.38rc51 has been released.
Changes since previous version:
...
*) ipsec - various additional work on IKEv1/IKEv2 support;
....
Seems that IKE polishing is taking some hard time and effort, to my memory this is first time RC have reached 50+ EVER!!!

Note: hardware RSTP is finally working as expected, thanks!
 
nz_monkey
Forum Guru
Forum Guru
Posts: 2101
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v6.38rc [release candidate] is released

Tue Dec 20, 2016 8:31 pm

This is going to be one of the biggest RouterOS releases.

Thanks to Mikrotik support and developers for all the hard work they are putting in.
 
patrick7
Member
Member
Posts: 343
Joined: Sat Jul 20, 2013 2:40 pm

Re: v6.38rc [release candidate] is released

Tue Dec 20, 2016 8:54 pm

Can anyone confirm that STP only works with master/slave port and no additional "/interface ethernet switch vlan" config?
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Wed Dec 21, 2016 3:41 pm

Version 6.38rc52 has been released.
Changes since previous version:
*) bonding - fixed "tx-drop" on VLAN over bonding on x86;
*) bonding - fixed kernel failure when bonding slave interface receives BPDU (introduced in 6.38rc51);
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) ethernet - fixed "tx-fcs-error" on SFP+ interfaces when loop-protect is enabled;
*) ipsec - fixed kernel failure on tile with sha256 when hardware encryption is not being used;
*) ipsec - fixed ph2 auto-negotiation by checking policies in correct order;
*) ipsec - various additional work on IKEv1/IKEv2 support;
*) ipv6 - fixed "accept-router-advertisements" behaviour;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
 
Bergante
Member Candidate
Member Candidate
Posts: 144
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 11:03 am

Just sent one report. I tried upgrading from rc48 to rc52 on a point to point link using two SXT-ac units. The wlan interface associated correctly to the AP but it stopped moving packets.

Downgrading the station SXT-AC to rc48 made it work again.
 
zyzelis
Member Candidate
Member Candidate
Posts: 213
Joined: Sun Apr 08, 2012 9:25 pm

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 11:23 am

Just tried RB2011 upgrade from 6.37.2 to 6.38.rc52. Router did not return after upgrade.
After visual inspection it is clear that the system is in a boot loop (on startup 3 port LEDs light up and after 3s everything goes down). At boot the LCD display shows that the system is loading the kernel, then it stops and after 1s it tries again.....

Support guys, what can you advise? netinst? or can I get some info about what's happening via serial console?
 
rzirzi
Member
Member
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 12:07 pm

At the log console MT6.38rc52:
"package channel changed by admin" - what's that?!
I have never seen that log before. I have NO wireless package at this RB493G.
So - what does that log info mean? It's "system,info" category message.
 
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 12:24 pm

At the log console MT6.38rc52:
"package channel changed by admin" - what's that?!
I have never seen that log before. I have NO wireless package at this RB493G.
So - what does that log info mean? It's "system,info" category message.
you changed channel in "/system package update set channel=" or in winbox choose different item in dropdown
 
docmarius
Forum Guru
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 3:39 pm

I found a strange behavior with 6.38rc52 vs. 6.38rc48.

Here the architecture:
Image
Additional info:
- EdgeSwitch has STP disabled
- hEX POE has its ports in bridge mode acting as a managed POE switch
- hAP is also bridged and runs a NTP Server with GPS, with its wireless interface disabled
- RB922 has 2 wireless interfaces, using VLANs and BGP with the RB1100

Now there is a strange behavior when trying to access the components from a machine connected to the Edgeswitch.
- The moment I upgrade the RB922 to 6.38rc52, the access to the hEX POE and the connected camera will fail.
- If I reset the RB260GSP, the hEX and the camera will come on line for some 30 sec and then be inaccessible again.
- The system behaved correctly when both 922 and hAP used 6.38rc48 (hEX and RB1100 had 6.37.3)
- The RB922 behaves correctly in both instances
- Downgrading the RB622 to 6.37.3 brings normal behavior back
 
pe1chl
Forum Guru
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 5:59 pm

Hi Marius,

Do you have STP enabled on any of the bridges inside MikroTik routers?
It appears that there is new functionality in this area. I read that STP is now supported on switch chips with
the trick (?) of providing it from a connected bridge. I often set the STP protocol to "none" on bridges in cases
where there is no danger of loops, did you try that?
 
docmarius
Forum Guru
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 8:03 pm

Thank you Rob for the suggestion.

I disabled STP on the hEX POE and on the hAP and it seems to work now.
But I still did not expect this to happen...
 
pe1chl
Forum Guru
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 8:20 pm

It is not correct but maybe it can be explained from the new functions in 38rc.
Did you also try to enable STP everywhere?
When there is no bridge in the RB260 it could be required to add one.
(I did not really investigate the "STP for switch provided by bridge" function yet)
 
docmarius
Forum Guru
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: v6.38rc [release candidate] is released

Thu Dec 22, 2016 9:58 pm

In non working conditions, all routers had RSTP enabled on the connected bridges, including on VLAN bridges.
Just the Edgeswitch has STP/RSTP disabled, because I did not get it to work on VLANs with it enabled.
 
lotnybartek
Frequent Visitor
Frequent Visitor
Posts: 97
Joined: Wed Apr 16, 2014 3:22 pm

Re: v6.38rc [release candidate] is released

Fri Dec 23, 2016 12:12 pm

Can someone tell how is CPU usage with site 2 site VPN connection using IKEv2?
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.38rc [release candidate] is released

Fri Dec 23, 2016 12:38 pm

Ike is phase1 protocol so in terms of forward speed over the tunnel ike2 does not differ from ikev1.
 
ziegenberg
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: v6.38rc [release candidate] is released

Sat Dec 24, 2016 5:12 am

Anybody had a look at the latest v6.38rc changelogs? Seriously guys, what's up? 165 changes since v6.37.3? :shock:

Never ever has a changelog been so huge. That's going to be the biggest release for MikroTik ever. Looking forward to it, can't await v6.38 showing up in channel bugfix only. :D
 
dannym
just joined
Posts: 21
Joined: Sat Oct 19, 2013 2:28 pm

Re: v6.38rc [release candidate] is released

Sat Dec 24, 2016 10:05 am

*) nand - implemented once a week nand refresh to improve stored data integrity
*) nand - improved nand refresh feature to enhance stored data integrity

Why don't you add an option to turn on/off those features introduced in 6.35 rc 43 and 6.36 rc 7?
:)

Merry Christmas!
Last edited by dannym on Sat Dec 24, 2016 11:13 am, edited 1 time in total.
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: v6.38rc [release candidate] is released

Sat Dec 24, 2016 11:12 am

Wasn't such feature implemented some time ago already? Reinventing a wheel....
 
dannym
just joined
Posts: 21
Joined: Sat Oct 19, 2013 2:28 pm

Re: v6.38rc [release candidate] is released

Sat Dec 24, 2016 12:08 pm

Exactly! :)
 
bajodel
Long time Member
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: v6.38rc [release candidate] is released

Sat Dec 24, 2016 4:43 pm

..[cut]..
*) bridge - fixed VLAN BPDU rx and tx when connected to non-RouterOS device with STP functionality;
..[cut]..
Can I have more info about that ? Thank you.
 
Mazutti
newbie
Posts: 27
Joined: Sat Jun 21, 2014 4:12 am

Re: v6.38rc [release candidate] is released

Wed Dec 28, 2016 3:55 pm

Anyone experiencing mangle problems on 6.38rc52? I'll elaborate:

Problem started approximately one day after I replaced some configuration on a RB2011 to a hEX v3. Mangle is pretty simple, chain prerouting from a vlan with action mark routing. Today it stopped working and I can't seem to find the problem, double checked NAT/Firewall/routes and nothing, only strange thing is I find lots of "time wait" TCP States on connections. Testing speed, latency and upload is ok, but download shows error.

Interesting thing is that the error occurs in this network where I have a route to the ISP modem, but If I route it to a PPPoE connection, it works fine. Can't put that modem in bridge though, and tested connection directly to the modem, or without the mangle and works fine.

Let me know if I haven't made myself clear, but any help is appreciated.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: v6.38rc [release candidate] is released

Wed Dec 28, 2016 4:20 pm

Well, I've had a similar issue somewhere in this RC at 2016-12-02.

The following NAT rules were passed.

This was fixed by disabling and enabling the concerned rules a single time.
(As the firewall rules filter on connection state dstnat, the traffic couldn't get through)
/ip firewall nat
add action=dst-nat chain=dstnat comment="Translate Exchange" dst-address=10.0.0.32 \
    protocol=tcp src-address=192.168.89.0/24 to-ports=444
add action=dst-nat chain=dstnat comment="Translate WWW" dst-address=10.0.0.5 \
    protocol=tcp src-address=192.168.89.0/24 to-ports=80
I've downgraded and re-upgraded several times but couldn't reproduce the issue therefore did not report it.

This is not mangle related, but also concerns connection tracking. Could you try disabling / enabling the mangle rules and check the outcome? Perhaps create a backup and/or supout.rif before if it has effect for support ticket purposes.
 
Mazutti
newbie
Posts: 27
Joined: Sat Jun 21, 2014 4:12 am

Re: v6.38rc [release candidate] is released

Wed Dec 28, 2016 4:33 pm

Thanks for the quick response. I've certainly disabled and enabled the rules during the troubleshooting, but not sure if tested without altering anything else. Will do first thing on the afternoon and send the supout to support anyway, since I'm not the first with similar issues, maybe it's not something I'm doing wrong.

Will try disabling the related nat and firewall rules too, just in case.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Wed Dec 28, 2016 6:59 pm

Well, I've had a similar issue somewhere in this RC at 2016-12-02.

The following NAT rules were passed.
When you add NAT rules for traffic that is already flowing, the NAT rule will not be triggered anymore
because the established session will pre-empt that. Same reason why the NAT rule only counts
the first packet of every session (some people wonder why the counters on NAT rules are so low).

When this leads to confusing situations, it is best to reboot the router.
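
The behaviour described in the post above, as an added illustration that is not RouterOS code and not part of the original thread: a toy connection tracker in which the dstnat chain is walked only for the first packet of a connection. The `ToyRouter` class, the client addresses and ports, and the original destination port 443 are constructed assumptions; the rule fields mirror the "Translate Exchange" rule quoted earlier.

```javascript
// Toy model of stateful NAT (added example, all names hypothetical).
// The NAT decision is made once per connection and cached in the
// connection-tracking entry; later packets never reach the rule list.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// True when ip is inside cidr; a bare address is treated as /32.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const size = 2 ** (32 - bits);
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(net) / size);
}

class ToyRouter {
  constructor() {
    this.natRules = [];          // ordered dstnat chain
    this.conntrack = new Map();  // connection key -> cached decision
  }

  addDstNat(rule) {
    const r = { ...rule, packets: 0 }; // per-rule hit counter
    this.natRules.push(r);
    return r;
  }

  static key(p) {
    return `${p.proto}|${p.src}:${p.sport}>${p.dst}:${p.dport}`;
  }

  forward(pkt) {
    const k = ToyRouter.key(pkt);
    let entry = this.conntrack.get(k);
    if (!entry) {
      // New connection: this is the only point where rules are evaluated.
      entry = { toPort: pkt.dport, natted: false, packets: 0 };
      for (const r of this.natRules) {
        if (r.proto === pkt.proto &&
            inCidr(pkt.src, r.srcAddress) &&
            inCidr(pkt.dst, r.dstAddress)) {
          r.packets += 1;        // counter moves once per connection
          entry.toPort = r.toPorts;
          entry.natted = true;
          break;
        }
      }
      this.conntrack.set(k, entry);
    }
    entry.packets += 1;
    return { ...pkt, dport: entry.toPort };
  }

  // Stands in for anything that empties the table, such as a reboot.
  flush() {
    this.conntrack.clear();
  }
}

function demo() {
  const rt = new ToyRouter();
  // Constructed flow that is already running before the rule exists.
  const flowA = { proto: 'tcp', src: '192.168.89.10', sport: 50000,
                  dst: '10.0.0.32', dport: 443 };
  const before = rt.forward(flowA).dport;

  const rule = rt.addDstNat({ proto: 'tcp', srcAddress: '192.168.89.0/24',
                              dstAddress: '10.0.0.32', toPorts: 444 });

  // Same connection after the rule was added: cached entry wins.
  const stale = [rt.forward(flowA), rt.forward(flowA)].map(p => p.dport);
  const hitsAfterStale = rule.packets;

  // A new connection from the same client is translated, counter = 1.
  const flowB = { ...flowA, sport: 50001 };
  const fresh = [rt.forward(flowB), rt.forward(flowB), rt.forward(flowB)]
    .map(p => p.dport);
  const hitsAfterFresh = rule.packets;

  // Once the table is emptied, the old flow is re-evaluated and translated.
  rt.flush();
  const afterFlush = rt.forward(flowA).dport;

  return { before, stale, hitsAfterStale, fresh, hitsAfterFresh, afterFlush };
}
```
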
 
timtasse
just joined
Posts: 10
Joined: Tue Jun 22, 2010 11:52 am

Re: v6.38rc [release candidate] is released

Fri Dec 30, 2016 5:16 pm

are there plans to add NAT for IPv6 ?
at home i have dynamic ipv6 from the provider and a static ipv6 net with no flatrate at tunnelprovider.
the simplest solution is to NAT unknown networks and known networks without NAT for static firewall config.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Sat Dec 31, 2016 12:36 pm

Now that I installed the 6.38rc on my home router, I notice a new problem in the WebFig:
The AS number for a BGP peer is displayed as a signed value. AS values that are near to the 32-bit unsigned limit (i.e. the Private AS range 4200000000 - 4294967294) are incorrectly displayed as negative numbers.
This is unfortunate as we widely use these AS numbers in our HAMNET network.

This is the third bug in WebFig in 6.38RC that I encounter and that appears to be related to signed/unsigned handling.
I think an investigation into possible further issues similar to this is in order. It appears some datatype change has been made that is not correct or not well tested for consequences.
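
The signed/unsigned symptom reported above, as an added JavaScript illustration that is not WebFig or RouterOS source: it shows how a 4-byte AS number turns negative when it passes through a signed 32-bit integer, how to recover the real value, and a strict parser that stays unsigned. All function names are hypothetical; the private range is the one quoted in the post.

```javascript
// Added example (hypothetical helper names, not MikroTik code).
const ASN_MAX = 0xFFFFFFFF; // largest 4-byte AS number (4294967295)
const PRIVATE_RANGES = [
  [64512, 65534],           // 2-byte private range
  [4200000000, 4294967294], // 4-byte private range quoted in the post
];

// Value a UI ends up showing when the AS number passes through a signed
// 32-bit integer. In JavaScript, "| 0" performs exactly that coercion.
function asSigned32(asn) {
  return asn | 0;
}

// Undo the coercion: ">>> 0" reinterprets the same 32 bits as unsigned.
function fromSigned32(shown) {
  return shown >>> 0;
}

function isPrivateAsn(asn) {
  return PRIVATE_RANGES.some(([lo, hi]) => asn >= lo && asn <= hi);
}

// Strict parser for asplain ("4200000000") and asdot ("64086.59904").
// Uses multiplication instead of "<<" so the result never goes negative.
function parseAsn(text) {
  const s = String(text).trim();
  let m = /^(\d{1,10})$/.exec(s);
  if (m) {
    const n = Number(m[1]);
    if (n > ASN_MAX) throw new RangeError(`AS number out of range: ${s}`);
    return n;
  }
  m = /^(\d{1,5})\.(\d{1,5})$/.exec(s);
  if (m) {
    const hi = Number(m[1]);
    const lo = Number(m[2]);
    if (hi > 0xFFFF || lo > 0xFFFF) {
      throw new RangeError(`asdot component out of range: ${s}`);
    }
    return hi * 65536 + lo;
  }
  throw new SyntaxError(`not an AS number: ${s}`);
}

// Classify a number read back from a UI or export: negative values in the
// signed 32-bit range are treated as sign-mangled and mapped back.
function auditDisplayedAsn(shown) {
  if (!Number.isInteger(shown) || shown > ASN_MAX || shown < -0x80000000) {
    return { status: 'invalid' };
  }
  if (shown >= 0) {
    return { status: 'ok', asn: shown, private: isPrivateAsn(shown) };
  }
  const asn = fromSigned32(shown);
  return { status: 'sign-mangled', asn, private: isPrivateAsn(asn) };
}
```

Every AS number from 2147483648 upward is affected by this coercion, which covers the whole 4-byte private range.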
 
pe1chl
Forum Guru
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.38rc [release candidate] is released

Sat Dec 31, 2016 12:43 pm

As mentioned in other threads there still is an issue with DHCPv6 PD in certain scenarios.
My provider uses DHCPv6 PD to assign IPv6 addresses, the lease has a 2 hour lifetime but it becomes invalid when the PPPoE session is closed.
While everything works OK in RouterOS with a DHCPv6 client configured on the PPPoE interface, unfortunately the router stores the obtained
lease and does not track the down-status of PPPoE. When the link has been reset or the modem is rebooted, the existing lease is used but
the provider does not route IPv6 until a new lease is obtained. It recovers at the end of the 2 hour lifetime period or when a RELEASE is done,
but it would be preferable when a new lease is requested automatically whenever:
- the router is rebooted
- the underlying PPPoE link goes down

As I understand that in some other cases this behavior may not be optimal or be considered nonstandard, maybe an option could be
added to the DHCPv6 client such that it:
- does not store the lease on disk
- deletes the lease whenever the link goes down

Or alternatively: provide a mechanism to run a script whenever a PPPoE link comes up, so I can put this command into that:
/ipv6 dhcp-client release [find status=bound]
That fixes the problem immediately...
 
strods
MikroTik Support
MikroTik Support
Topic Author
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: v6.38rc [release candidate] is released

Mon Jan 02, 2017 4:52 pm
