kmansoft
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 11:08 am

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
emils - just to be clear about the bug's scenario:

My IPSec endpoints (Mikrotik client / strongSwan server) are not behind NATs. But they do use IKEv2 on port 4500.

Thank you.
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 11:24 am

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
 
kmansoft
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Tue Apr 23, 2019 1:37 pm

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have the ticket # sorry.

Looks like you already managed - but if you still need something, hopefully you can find it, or you can contact me off forum.
 
DogHead
Member Candidate
Posts: 194
Joined: Thu Jan 03, 2008 9:36 pm
Location: Anywhere you want me to be

Re: v6.45beta [testing] is released!

Thu Apr 25, 2019 4:49 pm

After upgrade to 6.45rc34 all ports in bridge disappeared. Cannot add them back as the system says they are still in a bridge. Will downgrade back to rc31 which was working.
WOOF BANG!
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 9:04 am

Version 6.45beta37 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta37 (2019-Apr-25 12:20):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
*) bridge - correctly add interface list as bridge port (introduced in v6.45beta34);
*) crs3xx - correctly handle switch reset (introduced in v6.45beta34);
*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
*) ipsec - general improvements in policy handling;
*) lte - allow setting empty APN;
*) supout - added IPv6 ND section to supout file;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
kmansoft
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 10:18 am

Version 6.45beta37 has been released.

*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
Confirming - appears fixed (RB4011, AC^2).
 
extremej
just joined
Posts: 1
Joined: Fri Apr 26, 2019 2:37 pm

Re: v6.45beta [testing] is released!

Fri Apr 26, 2019 2:50 pm

can you add EAP-MSCHAPv2 to the authentication method list?
 
branto
just joined
Posts: 8
Joined: Mon Aug 21, 2017 2:03 am

Re: v6.45beta [testing] is released!

Mon Apr 29, 2019 4:19 am

Is there any word on when DHCPv6 Snooping will be available?
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 03, 2019 8:20 am

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
 
msatter
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri May 03, 2019 12:27 pm

can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.
Does this mean that Mikrotik can be removed from the not-supported router list at NordVPN and is going to use ike2 to connect?
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 03, 2019 12:42 pm

Hopefully, yes.
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu May 09, 2019 2:06 pm

Version 6.45beta42 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta42 (2019-May-08 12:44):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) capsman - fixed interface-list usage in access list;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - show neighbors on actual mesh ports;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) tr069-client - improved error reporting with incorrect firmware upgrade XML file;
*) w60g - do not show unused "dmg" parameter;
*) w60g - show running frequency under "monitor" command;
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
buset1974
newbie
Posts: 47
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Thu May 09, 2019 4:04 pm

when will you start to fix the problem with BGP and OSPF?

thx
 
Chupaka
Forum Guru
Posts: 8273
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.45beta [testing] is released!

Thu May 09, 2019 5:01 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Thu May 09, 2019 5:54 pm

After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed).
Downgrading to beta31 again resolves the issue.

16:50:20 ipsec notify: AUTHENTICATION_FAILED
16:50:20 ipsec,error got fatal error: AUTHENTICATION_FAILED
CCR1009-7G-1C-1S+ ROS6.45.1
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri May 10, 2019 9:34 am

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
 
buset1974
newbie
Posts: 47
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Fri May 10, 2019 9:59 am

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope it can be fixed soon in v6
 
osc86
newbie
Posts: 43
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri May 10, 2019 5:58 pm

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
Done. [Ticket#2019051022005463]
CCR1009-7G-1C-1S+ ROS6.45.1
 
Chupaka
Forum Guru
Posts: 8273
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: v6.45beta [testing] is released!

Fri May 10, 2019 6:46 pm

the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope it can be fixed soon in v6
Waiting for what? A miracle?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
anuser
Member
Posts: 350
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri May 10, 2019 10:05 pm

Is there an ETA for a bugfix for 5 GHz problem mentioned on viewtopic.php?f=7&t=148263?
 
Ulypka
Frequent Visitor
Posts: 51
Joined: Wed Jan 09, 2013 8:26 am

Re: v6.45beta [testing] is released!

Sat May 11, 2019 12:07 am

I have been waiting 8 months for bug 2018101022007579 to be fixed.
I started refusing CCR wherever such an opportunity arises

And the funny thing is that in half a year, support responded only once: “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it; what is even more important for you?
maybe another LCD fix?

even dlink's support is better.
 
mistry7
Forum Guru
Posts: 1223
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: v6.45beta [testing] is released!

Sat May 11, 2019 3:56 pm

what is even more important for you?
maybe another LCD fix?
no, KidControl.......
 
anthonws
just joined
Posts: 20
Joined: Sat Jan 09, 2016 6:46 pm

Re: v6.45beta [testing] is released!

Sat May 11, 2019 6:46 pm

I have been waiting 8 months for bug 2018101022007579 to be fixed.
I started refusing CCR wherever such an opportunity arises

And the funny thing is that in half a year, support responded only once: “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it; what is even more important for you?
maybe another LCD fix?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: v6.45beta [testing] is released!

Sat May 11, 2019 11:18 pm

what is even more important for you?
maybe another LCD fix?
no, KidControl.......
I agree. KidControl needs major improvement, like the full removal of it.
 
kmansoft
Frequent Visitor
Posts: 58
Joined: Tue Jan 22, 2019 5:00 pm

Re: v6.45beta [testing] is released!

Sun May 12, 2019 8:37 pm

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:10 pm

Version 6.45beta45 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta45 (2019-May-13 09:22):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
*) conntrack - significant stability and performance improvements;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) wireless - improved installation mode selection for wireless outdoor equipment;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
R1CH
Forum Veteran
Posts: 867
Joined: Sun Oct 01, 2006 11:44 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:36 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
 
rzirzi
Member
Posts: 375
Joined: Mon Oct 09, 2006 2:33 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 2:39 pm

conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
YES, we would like to know what exactly was changed?!
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 3:04 pm

There are no new features added with this conntrack fix, unlike the TCP loose setting you are comparing it to. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
 
anuser
Member
Posts: 350
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Mon May 13, 2019 4:04 pm

There are no new features added with this conntrack fix, unlike the TCP loose setting you are comparing it to. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
What do you consider as large? How many connections are we talking about? 1000, 10000, 100000, 1000000?
 
mrz
MikroTik Support
Posts: 5886
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v6.45beta [testing] is released!

Mon May 13, 2019 4:15 pm

It does not depend on a specific number. You can consider 10k+ as large.
 
buset1974
newbie
Posts: 47
Joined: Wed Sep 13, 2006 12:12 pm
Location: Jakarta

Re: v6.45beta [testing] is released!

Mon May 13, 2019 5:26 pm

I have been waiting 8 months for bug 2018101022007579 to be fixed.
I started refusing CCR wherever such an opportunity arises

And the funny thing is that in half a year, support responded only once: “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it; what is even more important for you?
maybe another LCD fix?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
Mikrotik must be aware that the product they have is not only a CPE; they also have other advanced products with a different purpose than CPE, such as the CCR. A quick fix for the underlying problem should be a priority, without having to wait for version 7, which is never clear.
 
marcbou
just joined
Posts: 4
Joined: Tue Jul 03, 2018 11:19 am

Re: v6.45beta [testing] is released!

Mon May 13, 2019 9:00 pm

Had CHR 6.45beta42 and now beta45 running under ESXi VM as VPN gateway ipsec IKEv2 EAP username auth (via freeradius 3.0 on Debian Buster) with Let's Encrypt Signed certificate + fullchain.

Works with road warrior iOS, MacOS, and Windows 10 (where due to buggy VPN control panel it was necessary to add using PowerShell Add-VpnConnection -Name "vpn.domain.com" -ServerAddress "vpn.domain.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2") .

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

Relevant config portions are:

# may/13/2019 13:29:01 by RouterOS 6.45beta45
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipip
add name=ipsec-vpn
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 name=peer_vpn passive=yes profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,3des lifetime=2d pfs-group=none
/ip pool
add name=vpn-pool ranges=10.11.22.10-10.11.22.190
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=ipsec-modecfg-nosplit
/system logging action
set 0 memory-lines=5000
/ip address
add address=132.200.10.24/28 interface=ether1 network=132.200.10.16
add address=10.11.22.1/24 interface=ipsec-vpn network=10.11.22.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/16 list=rfc1918-private
add address=10.0.0.0/8 list=rfc1918-private
add address=172.16.0.0/12 list=rfc1918-private
add address=10.11.22.0/24 list=myvpn
add address=10.0.0.0/8 list=onnet
add address=192.168.0.0/16 list=onnet
add address=172.16.0.0/12 list=onnet
add address=132.200.10.0/24 list=onnet
/ip firewall nat
add action=src-nat chain=srcnat comment="My VPN public IP" dst-address-list=\
    !onnet out-interface=ether1 src-address=10.11.22.0/24 \
    src-address-list=rfc1918-private to-addresses=132.200.10.24
/ip ipsec identity
add auth-method=eap-radius certificate=\
    vpn.domain.com.pem_0,fullchain.pem_0 generate-policy=port-strict \
    mode-config=ipsec-modecfg-nosplit peer=peer_vpn
/ip ipsec policy
set 0 dst-address=10.11.22.0/24 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=132.200.10.17
/ip service
set www-ssl certificate=vpn.domain.com.pem_0 disabled=no port=443
/radius
add address=132.200.10.22 secret=\
    blahblahblah
add address=132.200.10.17
/system logging
add action=remote topics=!async,!debug,!snmp,!dns
add action=echo disabled=yes topics=l2tp,ipsec,certificate
add disabled=yes topics=ipsec,!packet
/system package update
set channel=testing
 
ckleea
newbie
Posts: 47
Joined: Sun Apr 21, 2013 12:19 pm

Re: v6.45beta [testing] is released!

Tue May 14, 2019 1:10 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my Linux clients. When the network service restarts in Linux, no IP address is assigned by the RouterOS DHCP server.
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Tue May 14, 2019 7:36 am

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.
It would be better if you opened a new support ticket by sending an e-mail to support@mikrotik.com. Also please enable IPsec debug logs and generate a new supout.rif file each time the issue occurs (for example, an Android client failed to connect) and attach the file to the e-mail.
 
anuser
Member
Member
Posts: 350
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Tue May 14, 2019 8:11 am

With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my Linux clients. When the network service restarts in Linux, no IP address is assigned by the RouterOS DHCP server.
Have you already reported your findings to MikroTik support? (support@mikrotik.com)
 
mezzovide
just joined
Posts: 6
Joined: Tue Jun 11, 2013 8:02 am

Re: v6.45beta [testing] is released!

Tue May 14, 2019 1:58 pm

*) conntrack - significant stability and performance improvements;
Does this have something to do with multiple IPsec peers sometimes getting stuck after reboot / after public IP changes?
Because I have problems with multiple WAN IPsec peers (same dst peer with different routes) with different local loopback addresses attached; sometimes one of the connections gets stuck (most probably when the public IP changes, I have a dynamic public IP, or after a reboot). Disabling/enabling the peer works, or manually killing the connection in conntrack also works.
 
msatter
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released! IKEv2

Tue May 14, 2019 9:37 pm

Now that mschapv2 is supported, I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate, so I match on FQDN which is *.pointtoserver.com (the "*." needs to be there)

/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxxxxxxxxx
I get the error in the log that the AUTH NOT MATCH, peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi: xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxx, send notify: AUTHENTICICATION_FAILED

I have tested it in windows 10 and with the same name and password and I can connect through IKEv2.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed May 15, 2019 9:45 am

msatter, all EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible that the CA certificate is already in the trusted Windows certificate store, so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide, no, conntrack has nothing to do with it; however, we already have fixes for the issues you described in previous betas. Did you try the latest beta, and can you verify the issue is still present?
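The identity msatter posted and the two caveats in the reply above (an EAP identity needs a CA certificate attached, and the remote-id fqdn field does not match wildcards) can be checked mechanically. The following is an added example, not RouterOS code or either poster's code: a small parser for the `/export` line format quoted in this thread, with a lint pass for those two pitfalls plus a dangling peer reference. The sample export, the certificate name and the peer names in it are constructed.

```python
"""Parse a RouterOS '/export' fragment and lint IKEv2 EAP identities.

Added example, not RouterOS code. Handles the export conventions seen in
the thread: a menu path line starting with '/', 'add ...' / 'set <target> ...'
commands, key=value parameters with quoted values, and lines continued with
a trailing backslash followed by an indented line.
"""
import shlex

# Constructed sample export (not a real device export). Identity #0 mirrors
# the one posted in the thread, #1 is the corrected form, #2 points at a
# peer that does not exist.
SAMPLE_EXPORT = r"""
# may/15/2019 by RouterOS 6.45beta45 (constructed sample)
/ip ipsec peer
add address=vpn.example.invalid exchange-mode=ike2 name=PureIKEv2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,3des lifetime=2d pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 \
    peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxx
add auth-method=eap certificate=provider-root-ca eap-methods=eap-mschapv2 \
    peer=PureIKEv2 remote-id=auto username=purevpnxxxx
add auth-method=eap certificate=provider-root-ca eap-methods=eap-mschapv2 \
    peer=NoSuchPeer username=purevpnxxxx
"""


def _join_continuations(text):
    """Merge 'foo=\\' + indented next line into one logical line."""
    logical, pending = [], None
    for raw in text.splitlines():
        # Continuation lines are indented in an export; drop that indent.
        part = (raw.lstrip() if pending is not None else raw).rstrip()
        if part.endswith("\\"):
            pending = (pending or "") + part[:-1]
            continue
        logical.append((pending or "") + part)
        pending = None
    if pending is not None:
        logical.append(pending)
    return logical


def parse_export(text):
    """Return a list of {menu, action, target, params} dicts."""
    entries, menu = [], ""
    for line in _join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line.strip()
            continue
        tokens = shlex.split(line)  # honours certificate="" and quoted comments
        action, rest, target = tokens[0], tokens[1:], None
        if action == "set" and rest:
            if rest[0] == "[":  # set [ find default=yes ] key=value ...
                end = rest.index("]")
                target, rest = " ".join(rest[1:end]), rest[end + 1:]
            else:  # set 0 key=value ...
                target, rest = rest[0], rest[1:]
        params = {}
        for tok in rest:
            key, _, value = tok.partition("=")
            params[key] = value
        entries.append({"menu": menu, "action": action,
                        "target": target, "params": params})
    return entries


def lint_ike2_identities(entries):
    """Return (identity_index, issue) pairs for the pitfalls from the thread."""
    peers = {e["params"].get("name") for e in entries
             if e["menu"] == "/ip ipsec peer" and e["action"] == "add"}
    findings, idx = [], 0
    for e in entries:
        if e["menu"] != "/ip ipsec identity" or e["action"] != "add":
            continue
        p = e["params"]
        # EAP as initiator verifies the responder's certificate, so an empty
        # certificate field cannot succeed (AUTHENTICATION_FAILED in the log).
        if p.get("auth-method") == "eap" and not p.get("certificate"):
            findings.append((idx, "eap-without-ca"))
        # remote-id=fqdn:... is compared literally; '*' never matches.
        rid = p.get("remote-id", "auto")
        if rid.startswith("fqdn:") and "*" in rid:
            findings.append((idx, "wildcard-remote-id"))
        if p.get("peer") not in peers:
            findings.append((idx, "unknown-peer"))
        idx += 1
    return findings


if __name__ == "__main__":
    for index, issue in lint_ike2_identities(parse_export(SAMPLE_EXPORT)):
        print(f"/ip ipsec identity #{index}: {issue}")
```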
 
msatter
Forum Guru
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed May 15, 2019 11:20 am

Thanks Emils. It is PureVPN, using PositiveSSL (pointoserver.com / ptoserver.com), and that is the root certificate of Comodo, which I tried.

I contacted support and they don't provide a certificate to connect, as NordVPN does. I will have a look at the current certificates in the Windows store to see if I can find the matching one.

Update: the certificate line
OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com

Update 2:
Besides the Comodo root cert I just tried to add the AddTrust External CA Root, also to no avail.

Update 3
Found the PositiveSSL CA 2 cert but that did also not work.

I searched on, and it looks to me that in Windows the needed certificate is included by Microsoft in its own certificate.

https://crt.sh/?caid=1455

Microsoft Trusted Root programme
https://docs.microsoft.com/en-us/securi ... quirements
Last edited by msatter on Wed May 15, 2019 7:56 pm, edited 2 times in total.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
mezzovide
just joined
Posts: 6
Joined: Tue Jun 11, 2013 8:02 am

Re: v6.45beta [testing] is released!

Wed May 15, 2019 5:17 pm

mezzovide, no, conntrack has nothing to do with it; however, we already have fixes for the issues you described in previous betas. Did you try the latest beta, and can you verify the issue is still present?
Sure, I have some spare routers to experiment with; will upgrade to beta tonight and see if it fixed my issues. Thanks.
Still need that to be fixed in production though, probably next year until 6.45 becomes long-term
 
msatter
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed May 15, 2019 11:26 pm

I am a bit further, and I needed two certificates to be in the certificates box.

https://blogger.davidmanouchehri.com/2017/09/

Now I get twice the error that the peer's ID does not match certificate, and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 SubjectName:/OU=domain Control Validated/OU=positiveSSL Multi-Domain/CN=*.pointtoserver.com

When I look in the certificates the CRL line is blank.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
emils
MikroTik Support
Topic Author
Posts: 444
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu May 16, 2019 10:48 am

Try setting the remote-id to ignore.
 
chubbs596
Frequent Visitor
Posts: 50
Joined: Fri Dec 06, 2013 6:07 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 1:02 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
 
vecernik87
Long time Member
Posts: 640
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Thu May 16, 2019 1:28 pm

Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really a concern.
 
nostromog
Member Candidate
Posts: 122
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 2:40 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on an x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk

 
chubbs596
Frequent Visitor
Posts: 50
Joined: Fri Dec 06, 2013 6:07 pm

Re: v6.45beta [testing] is released!

Thu May 16, 2019 5:57 pm

Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on an x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk
So only if it is CHR and the VM host is not patched could the CHR be exploited?
 
vecernik87
Long time Member
Posts: 640
Joined: Fri Nov 10, 2017 8:19 am

Re: v6.45beta [testing] is released!

Fri May 17, 2019 8:51 am

If we talk about bare metal, then RouterOS (x86) is vulnerable but there is practically no way to misuse the vulnerability because an attacker can't run a binary (and if an attacker can run a binary, it won't matter because your device is already compromised)

If we talk about a VM, then RouterOS (CHR) vulnerability depends on its hypervisor, which needs to be patched. Patching CHR wouldn't change anything because it does not control how processes are assigned to cores.

In any case, nothing can be done from MikroTik's side.
 
msatter
Forum Guru
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri May 17, 2019 11:11 am

Try setting the remote-id to ignore.
I tried that and it still complains that it can't get the local certificate from configuration, but it is not a dealbreaker and it goes on till it processes payloads: NOTIFY, and then I get the error that the notify is TS_UNACCEPTABLE and on the next line it is a got error: TS_UNACCEPTABLE

In IPsec Policy the Src. Address stayed on 0.0.0.0/0, so I put in IPsec Peer my external IP address.

Update: I have started again and I have now managed to have an established connection. I have to manually enter the TS_I, which is not automatically matched/taken over by RouterOS.

In IPsec Policy I have to manually add the source address: 10.4.33.22 for that specific IKEv2 connection.


Update: I have it now working and am writing this over an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec Policy, and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round, the Src. Address matches and the tunnel is made.
I can see the success when, in the log, I get my IP and the two DNS IP addresses show and the tunnel is connected.

I hope that we also get a client in PPP for this, because then we can run a script to put the received IP into the NAT to make routing easy.

Update...again: so I finally discovered that I could use "template" to fix the TC_UNEXPECTED error and that works fine. The only problem is that the IP changes regularly and that I have to adapt the SRC-NAT IP manually. I am route-marking the packets I want to go through the IKEv2 connection (split horizon)

I could try to just put an IP address in or use my DNS to steady the changes.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
josep
just joined
Posts: 1
Joined: Sat May 18, 2019 8:52 pm

Re: v6.45beta [testing] is released!

Sat May 18, 2019 9:25 pm

Very good news about EAP support in IKEv2. Please, we need EAP-AKA and EAP-AKA'; with this, all Mikrotik routers can be used as a basic ePDG for non-3GPP access networks. Next steps are GTP-U tunneling support, but EAP-AKA is a good start.

More info:

https://www.gsma.com/newsroom/wp-conten ... 1-v7.0.pdf
http://www.3gpp.org/ftp//Specs/archive/ ... 02-f10.zip
