Page 4 of 7

Re: v6.45beta [testing] is released!

Posted: Tue Apr 23, 2019 11:08 am
by kmansoft
Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
emils - just to be clear about the bug's scenario:

My IPSec endpoints (Mikrotik client / strongSwan server) are not behind NATs. But they do use IKEv2 on port 4500.

Thank you.

Re: v6.45beta [testing] is released!

Posted: Tue Apr 23, 2019 11:24 am
by emils
Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.

Re: v6.45beta [testing] is released!

Posted: Tue Apr 23, 2019 1:37 pm
by kmansoft
Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
I sent a bug report with supout on Friday, April 19, 2019 8:49 AM (Moscow time). Don't have the ticket #, sorry.

Looks like you already managed - but if you still need something, hopefully you can find it, or you can contact me off forum.

Re: v6.45beta [testing] is released!

Posted: Thu Apr 25, 2019 4:49 pm
by DogHead
After upgrade to 6.45rc34 all ports in bridge disappeared. Cannot add them back as the system says they are still in a bridge. Will downgrade back to rc31 which was working.

Re: v6.45beta [testing] is released!

Posted: Fri Apr 26, 2019 9:04 am
by emils
Version 6.45beta37 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta37 (2019-Apr-25 12:20):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
*) bridge - correctly add interface list as bridge port (introduced in v6.45beta34);
*) crs3xx - correctly handle switch reset (introduced in v6.45beta34);
*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
*) ipsec - general improvements in policy handling;
*) lte - allow setting empty APN;
*) supout - added IPv6 ND section to supout file;
*) tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only);

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Fri Apr 26, 2019 10:18 am
by kmansoft
Version 6.45beta37 has been released.

*) ike2 - fixed first child SA generation (introduced in v6.45beta34);
Confirming - appears fixed (RB 4011, AC^2).

Re: v6.45beta [testing] is released!

Posted: Fri Apr 26, 2019 2:50 pm
by extremej
can you add EAP-MSCHAPv2 to the authentication method list?

Re: v6.45beta [testing] is released!

Posted: Mon Apr 29, 2019 4:19 am
by branto
Is there any word on when DHCPv6 Snooping will be available?

Re: v6.45beta [testing] is released!

Posted: Fri May 03, 2019 8:20 am
by emils
can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.

Re: v6.45beta [testing] is released!

Posted: Fri May 03, 2019 12:27 pm
by msatter
can you add EAP-MSCHAPv2 to the authentication method list?
Yes, it is coming as well.
Does this mean that MikroTik can be removed from the not-supported router list at NordVPN and is going to use ike2 to connect?

Re: v6.45beta [testing] is released!

Posted: Fri May 03, 2019 12:42 pm
by emils
Hopefully, yes.

Re: v6.45beta [testing] is released!

Posted: Thu May 09, 2019 2:06 pm
by emils
Version 6.45beta42 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta42 (2019-May-08 12:44):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap) as initiator (CLI only);
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
*) capsman - fixed interface-list usage in access list;
*) cloud - added "replace" parameter for backup "upload-file" command;
*) crs3xx - correctly handle switch reset (introduced in v6.45beta31);
*) defconf - added "custom-script" field that prints custom configuration installed by Netinstall;
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration;
*) dhcpv4-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters (CLI only);
*) discovery - correctly create neighbors from VLAN tagged discovery messages;
*) discovery - show neighbors on actual mesh ports;
*) ethernet - increased loop warning threshold to 5 packets per second;
*) gps - make sure "direction" parameter is upper case;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods (CLI only);
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) tr069-client - improved error reporting with incorrect firmware upgrade XML file;
*) w60g - do not show unused "dmg" parameter;
*) w60g - show running frequency under "monitor" command;
*) winbox - show "LCD" menu only on boards that have LCD screen;
*) wireless - fixed frequency duplication in the frequency selection menu;
*) wireless - improved 160MHz channel width stability on rb4011;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - set default SSID and supplicant-identity the same as router's identity;
*) wireless - updated "china" regulatory domain information;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Thu May 09, 2019 4:04 pm
by buset1974
when will you start to fix the problem with BGP and OSPF?

thx

Re: v6.45beta [testing] is released!

Posted: Thu May 09, 2019 5:01 pm
by Chupaka
the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)

Re: v6.45beta [testing] is released!

Posted: Thu May 09, 2019 5:54 pm
by osc86
After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed).
Downgrading to beta31 again resolves the issue.

16:50:20 ipsec notify: AUTHENTICATION_FAILED
16:50:20 ipsec,error got fatal error: AUTHENTICATION_FAILED

Re: v6.45beta [testing] is released!

Posted: Fri May 10, 2019 9:34 am
by emils
osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?

Re: v6.45beta [testing] is released!

Posted: Fri May 10, 2019 9:59 am
by buset1974
the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
Still waiting, hope it can be fixed soon in v6.

Re: v6.45beta [testing] is released!

Posted: Fri May 10, 2019 5:58 pm
by osc86
osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
Done. [Ticket#2019051022005463]

Re: v6.45beta [testing] is released!

Posted: Fri May 10, 2019 6:46 pm
by Chupaka
the problem with BGP and OSPF?
One problem with both protocols? Are you sure? :)
still waiting, hope can fix soon in v6
Waiting for what? A miracle?

Re: v6.45beta [testing] is released!

Posted: Fri May 10, 2019 10:05 pm
by anuser
Is there an ETA for a bugfix for 5 GHz problem mentioned on viewtopic.php?f=7&t=148263?

Re: v6.45beta [testing] is released!

Posted: Sat May 11, 2019 12:07 am
by Ulypka
I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing CCR wherever such an opportunity arises.

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.

Re: v6.45beta [testing] is released!

Posted: Sat May 11, 2019 3:56 pm
by mistry7
which is even more important for you?
maybe another fix LCD?
no, KidControl.......

Re: v6.45beta [testing] is released!

Posted: Sat May 11, 2019 6:46 pm
by anthonws
I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!

Re: v6.45beta [testing] is released!

Posted: Sat May 11, 2019 11:18 pm
by biatche
which is even more important for you?
maybe another fix LCD?
no, KidControl.......
I agree. KidControl needs major improvement, like the full removal of it.

Re: v6.45beta [testing] is released!

Posted: Sun May 12, 2019 8:37 pm
by kmansoft
With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 2:10 pm
by emils
Version 6.45beta45 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta45 (2019-May-13 09:22):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
----------------------

Changes in this release:

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
*) conntrack - significant stability and performance improvements;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) gps - fixed missing minus close to zero coordinates in dd format;
*) wireless - improved installation mode selection for wireless outdoor equipment;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 2:36 pm
by R1CH
conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 2:39 pm
by rzirzi
conntrack - significant stability and performance improvements;
Can you elaborate on what was changed here? The last time conntrack was changed with the loose TCP tracking option it introduced a regression, so I'd like to know exactly what changed and what to look out for.
YES, we would like to know what exactly was changed!

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 3:04 pm
by emils
There are no new features added with this conntrack fix, as you are comparing it to the TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 4:04 pm
by anuser
There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
What do you consider as large? How many connections are we talking about? 1000, 10000, 100000, 1000000?

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 4:15 pm
by mrz
It does not depend on a specific number. You can consider 10k+ as large.

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 5:26 pm
by buset1974
I'm waiting for 8 months when the bug 2018101022007579 will be fixed.
I started refusing from CCR wherever such an opportunity arises

And the funny thing is that in half a year, the support responded only once “Sorry, we will reconsider the priorities”
Your top router dies completely from two packages and you can reproduce it, which is even more important for you?
maybe another fix LCD?

even dlink's support is better.
A proper network admin likes watching graphs and stuff on an LCD :) Much more important than stability. Want stability, buy a Nintendo Switch. Nintendo is expert in stability updates! ahahaha

And Kids control in CCR is something very important! How would you control all of your employees?!?

Ahhh.... The joys of visiting this forum :) Priceless!
MikroTik must be aware that the product they have is not only a CPE; they also have another advanced product with different purposes than a CPE, such as the CCR. A quick fix of the underlying problem should be a priority without having to wait for version 7, which is never clear.

Re: v6.45beta [testing] is released!

Posted: Mon May 13, 2019 9:00 pm
by marcbou
Had CHR 6.45beta42, and now beta45, running under an ESXi VM as a VPN gateway with IPsec IKEv2 EAP username auth (via FreeRADIUS 3.0 on Debian Buster) and a Let's Encrypt signed certificate + fullchain.

Works with road warrior iOS, MacOS, and Windows 10 (where, due to the buggy VPN control panel, it was necessary to add it using PowerShell: Add-VpnConnection -Name "vpn.domain.com" -ServerAddress "vpn.domain.com" -AuthenticationMethod "Eap" -EncryptionLevel "Maximum" -RememberCredential -TunnelType "Ikev2").

Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android).

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.

Relevant config portions are:

# may/13/2019 13:29:01 by RouterOS 6.45beta45
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipip
add name=ipsec-vpn
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1w name=proposal_1
/ip ipsec peer
add exchange-mode=ike2 name=peer_vpn passive=yes profile=proposal_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,3des lifetime=2d pfs-group=none
/ip pool
add name=vpn-pool ranges=10.11.22.10-10.11.22.190
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=ipsec-modecfg-nosplit
/system logging action
set 0 memory-lines=5000
/ip address
add address=132.200.10.24/28 interface=ether1 network=132.200.10.16
add address=10.11.22.1/24 interface=ipsec-vpn network=10.11.22.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/16 list=rfc1918-private
add address=10.0.0.0/8 list=rfc1918-private
add address=172.16.0.0/12 list=rfc1918-private
add address=10.11.22.0/24 list=myvpn
add address=10.0.0.0/8 list=onnet
add address=192.168.0.0/16 list=onnet
add address=172.16.0.0/12 list=onnet
add address=132.200.10.0/24 list=onnet
/ip firewall nat
add action=src-nat chain=srcnat comment="My VPN public IP" dst-address-list=\
!onnet out-interface=ether1 src-address=10.11.22.0/24 \
src-address-list=rfc1918-private to-addresses=132.200.10.24
/ip ipsec identity
add auth-method=eap-radius certificate=\
vpn.domain.com.pem_0,fullchain.pem_0 generate-policy=port-strict \
mode-config=ipsec-modecfg-nosplit peer=peer_vpn
/ip ipsec policy
set 0 dst-address=10.11.22.0/24 src-address=0.0.0.0/0
/ip route
add distance=1 gateway=132.200.10.17
/ip service
set www-ssl certificate=vpn.domain.com.pem_0 disabled=no port=443
/radius
add address=132.200.10.22 secret=\
blahblahblah
add address=132.200.10.17
/system logging
add action=remote topics=!async,!debug,!snmp,!dns
add action=echo disabled=yes topics=l2tp,ipsec,certificate
add disabled=yes topics=ipsec,!packet
/system package update
set channel=testing

Re: v6.45beta [testing] is released!

Posted: Tue May 14, 2019 1:10 am
by ckleea
With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my Linux clients. When the network service restarts in Linux, no IP address is assigned by the RouterOS DHCP server.

Re: v6.45beta [testing] is released!

Posted: Tue May 14, 2019 7:36 am
by emils
Not working with Android clients (using https://play.google.com/store/apps/deta ... an.android .

Any tips towards getting Android working would be appreciated.

Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hopefully it will get fixed in the betas.
It would be better if you opened a new support ticket by sending an e-mail to support@mikrotik.com. Also please enable IPsec debug logs and generate a new supout.rif file each time the issue occurs (for example, an Android client failed to connect) and attach the file to the e-mail.

Re: v6.45beta [testing] is released!

Posted: Tue May 14, 2019 8:11 am
by anuser
With 6.45beta42 two Linux installs had trouble getting DHCP over Ethernet.

Sorry can't provide supout - already downgraded to 6.43.* stable, will stay on that.

The only "custom" DHCP setting I have is - lease time is 7 days.

No trouble with WiFi clients.

Router: AC^2.
Similar issues encountered in my Linux clients. When the network service restarts in Linux, no IP address is assigned by the RouterOS DHCP server.
Have you already reported your findings to MikroTik support? (support@mikrotik.com)

Re: v6.45beta [testing] is released!

Posted: Tue May 14, 2019 1:58 pm
by mezzovide
*) conntrack - significant stability and performance improvements;
Does this have something to do with multiple IPsec peers sometimes getting stuck after a reboot / after public IP changes?
Because I have problems with multiple WAN IPsec peers (same dst peer with different routes) with different local loopback addresses attached; sometimes one of the connections gets stuck (most probably when the public IP changes, as I have a dynamic public IP, or after a reboot). Disabling/enabling the peer works, or manually killing the connection in conntrack also works.

Re: v6.45beta [testing] is released! IKEv2

Posted: Tue May 14, 2019 9:37 pm
by msatter
Now that mschapv2 is supported, I tried to connect with IKEv2 to a VPN provider. This provider does not supply a certificate, so I match on FQDN, which is *.pointtoserver.com (the "*." needs to be there).

/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 peer=PureIKEv2 remote-id=fqdn:*.pointtoserver.com username=purevpnxxxxxxxxxxx
I get the error in the log: AUTH NOT MATCH, peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi: xxxxxxxxxxxxxxxxx:xxxxxxxxxxxxx, send notify: AUTHENTICICATION_FAILED

I have tested it in windows 10 and with the same name and password and I can connect through IKEv2.

Re: v6.45beta [testing] is released!

Posted: Wed May 15, 2019 9:45 am
by emils
msatter, all EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible that the CA certificate is already in the trusted Windows certificate store, so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide, no, conntrack has nothing to do with it; however, we already have fixes for your described issues in previous betas. Did you try the latest beta, and can you verify the issue is still present?

Re: v6.45beta [testing] is released!

Posted: Wed May 15, 2019 11:20 am
by msatter
Thanks Emils. It is PureVPN, using PositiveSSL (pointoserver.com / ptoserver.com), and that is the root certificate of Comodo, which I tried.

I contacted support and they don't provide a certificate to connect, as NordVPN is doing. I will have a look at the current certificates in the Windows store to see if I can find the matching one.

Update: the certificate line
OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com

Update 2:
Besides the Comodo root cert, I just tried the AddTrust External CA Root, also to no avail.

Update 3
Found the PositiveSSL CA 2 cert, but that did also not work.

I searched on, and it looks to me that in Windows the needed certificate is included by Microsoft in its own certificate store.

https://crt.sh/?caid=1455

Microsoft Trusted Root programme
https://docs.microsoft.com/en-us/securi ... quirements

Re: v6.45beta [testing] is released!

Posted: Wed May 15, 2019 5:17 pm
by mezzovide
mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?
Sure, I have some spare routers to experiment with; will upgrade to beta tonight and see if it fixed my issues. Thanks.
Still need that to be fixed in production though, probably next year until 6.45 becomes long-term.

Re: v6.45beta [testing] is released!

Posted: Wed May 15, 2019 11:26 pm
by msatter
I am a bit further and I needed two certificates to be in the certificates box.

https://blogger.davidmanouchehri.com/2017/09/

Now I get the error "peer's ID does not match certificate" twice, and the line above that reads in the log: unable to get certificate CRL(3) at depth:0 SubjectName:/OU=domain Control Validated/OU=positiveSSL Multi-Domain/CN=*.pointtoserver.com

When I look in the certificates the CRL line is blank.

Re: v6.45beta [testing] is released!

Posted: Thu May 16, 2019 10:48 am
by emils
Try setting the remote-id to ignore.

Re: v6.45beta [testing] is released!

Posted: Thu May 16, 2019 1:02 pm
by chubbs596
Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html

Re: v6.45beta [testing] is released!

Posted: Thu May 16, 2019 1:28 pm
by vecernik87
Since you can't run any sort of binary which could misuse this vulnerability on your RouterOS, this is not really a concern.

Re: v6.45beta [testing] is released!

Posted: Thu May 16, 2019 2:40 pm
by nostromog
Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on an x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk


Re: v6.45beta [testing] is released!

Posted: Thu May 16, 2019 5:57 pm
by chubbs596
Hi Mikrotik

Are you aware if Router OS is patched for this threat?

https://www.tomsguide.com/us/zombieload ... 30082.html
I think an accurate answer would be that RouterOS running on an x86 is not itself vulnerable, but the vulnerability could be exploited in the unpatched host or another VM to disclose RouterOS information.

Sent from my Redmi Note 5 using Tapatalk
So only if it is CHR and the VM host is not patched could the CHR be exploited?

Re: v6.45beta [testing] is released!

Posted: Fri May 17, 2019 8:51 am
by vecernik87
If we talk about bare metal, then RouterOS (x86) is vulnerable, but there is practically no way to misuse the vulnerability because an attacker can't run a binary (and if an attacker can run a binary, it won't matter, because your device is already compromised).

If we talk about a VM, then the RouterOS (CHR) vulnerability depends on its hypervisor, which needs to be patched. Patching CHR wouldn't change anything because it does not control how processes are assigned to cores.

In any case, nothing can be done from MikroTik's side.

Re: v6.45beta [testing] is released!

Posted: Fri May 17, 2019 11:11 am
by msatter
Try setting the remote-id to ignore.
I tried that, and it still complains that it can't get the local certificate from configuration, but that is not a dealbreaker; it goes on until it processes payloads: NOTIFY, and then I get the error that the notify is TS_UNACCEPTABLE, and on the next line "got error: TS_UNACCEPTABLE".

In IPsec Policy the Src. Address stayed on 0.0.0.0/0, so in IPsec Peer I put my external IP address.

Update: I have started again and I have now managed to have an established connection. I have to manually enter the TS_I, which is not automatically matched/taken over by RouterOS.

In IPsec Policy I have to manually add the source address 10.4.33.22 for that specific IKEv2 connection.


Update: I have it now working and am writing this with an IKEv2 connection through PureVPN. I still have to adapt the manually generated IPsec Policy, and it is a PITA to do because sometimes a 0.0.0.0/ is expected, but then I receive the TS_UNEXPECTED error. After several times going round and round, the Src. Address matches and the tunnel is made.
I can see the success when, in the log, I get my IP and the two DNS IP addresses, and the tunnel is connected.

I hope that we also get a client in PPP for this, because then we can run a script to put the received IP into the NAT to make routing easy.

Update...again: so I finally discovered that I could use "template" to fix the TC_UNEXPECTED error, and that works fine. The only problem is that the IP changes regularly and that I have to adapt the SRC-NAT IP manually. I am route-marking the packets I want to send through the IKEv2 connection (split horizon).

I could try to just put an IP address in or use my DNS to steady the changes.
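The IPsec log lines quoted across this thread (osc86's AUTHENTICATION_FAILED, and msatter's CRL, peer-ID and TS_UNACCEPTABLE errors) are the kind of thing worth triaging mechanically before opening a ticket. The helper below is an added example, not code from MikroTik or from any poster: the sample log, the regexes and the per-category hints are my own constructions modelled on the posts above, and the hints paraphrase the causes emils and msatter worked out (missing CA certificate for EAP, unsupported wildcard remote-id, traffic-selector mismatch fixed with a policy template).

```python
"""Triage RouterOS IPsec/IKEv2 log lines (topics=ipsec,!packet) into failure classes.

Assumed line format: optional HH:MM:SS, comma-separated topic list starting with
"ipsec", then the message. Everything here is a constructed example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered most-specific first: the first matching rule wins.
RULES: List[Tuple[str, str, str]] = [
    (r"TS_UNACCEPTABLE", "traffic-selector-mismatch",
     "policy src/dst-address does not cover the peer's traffic selector; "
     "use a policy template or set src-address explicitly"),
    (r"peer's ID does not match certificate", "id-cert-mismatch",
     "remote-id does not match the peer certificate; wildcard fqdn is not "
     "supported, try remote-id=auto or remote-id=ignore"),
    (r"unable to get certificate CRL", "crl-unavailable",
     "the presented certificate's CRL could not be fetched; verify the CA chain"),
    (r"can't get local certificate", "local-cert-missing",
     "identity has certificate=\"\" while the EAP method needs the CA certificate"),
    (r"AUTHENTICATION_FAILED|AUTH NOT MATCH", "auth-failed",
     "authentication rejected: check the PSK on both sides, or for EAP methods "
     "that the root CA certificate is imported"),
]

LINE_RE = re.compile(
    r"^(?:(?P<time>\d{2}:\d{2}:\d{2}) )?(?P<topics>ipsec(?:,[\w!]+)*) (?P<msg>.*)$")
# "local[port]-remote[port]" as RouterOS prints it in "peer failed to authorize".
PEER_RE = re.compile(r"(?P<a>[\d.]+)\[(?P<pa>\d+)\]-(?P<b>[\d.]+)\[(?P<pb>\d+)\]")


@dataclass
class Event:
    time: Optional[str]
    topics: List[str]
    category: str                      # a RULES category, or "other"
    hint: str
    peers: Optional[Tuple[str, str]]   # (local, remote) as "addr:port"
    message: str


def classify(message: str) -> Tuple[str, str]:
    """Map a message to (category, hint); unmatched messages are 'other'."""
    for pattern, category, hint in RULES:
        if re.search(pattern, message):
            return category, hint
    return "other", ""


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an ipsec-topic line, or None for other topics."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    category, hint = classify(msg)
    peers = None
    pm = PEER_RE.search(msg)
    if pm:
        peers = (f"{pm['a']}:{pm['pa']}", f"{pm['b']}:{pm['pb']}")
    return Event(m.group("time"), m.group("topics").split(","), category, hint, peers, msg)


def triage(lines: List[str]) -> Tuple[List[Event], Counter]:
    """Parse all ipsec lines and count the failure categories seen."""
    events = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    failures = Counter(e.category for e in events if e.category != "other")
    return events, failures


def first_fatal(events: List[Event]) -> Optional[Event]:
    """The first line carrying the 'error' topic, usually the root cause to fix."""
    return next((e for e in events if "error" in e.topics), None)


# Constructed sample, modelled on the log lines quoted in this thread (RFC 5737 addresses).
SAMPLE_LOG = """\
16:50:19 ipsec respond new phase 1 (Identity Protection): 203.0.113.5[4500]<=>198.51.100.7[4500]
16:50:20 ipsec notify: AUTHENTICATION_FAILED
16:50:20 ipsec,error got fatal error: AUTHENTICATION_FAILED
16:50:21 ipsec AUTH NOT MATCH, peer failed to authorize: 203.0.113.5[4500]-198.51.100.7[4500] spi: 0000000000000000:0000000000000000, send notify: AUTHENTICATION_FAILED
16:50:22 ipsec unable to get certificate CRL(3) at depth:0 SubjectName:/OU=Domain Control Validated/CN=*.example.invalid
16:50:22 ipsec,error peer's ID does not match certificate
16:50:23 ipsec processing payloads: NOTIFY
16:50:23 ipsec notify: TS_UNACCEPTABLE
16:50:23 ipsec,error got error: TS_UNACCEPTABLE
system,info item changed by admin
"""

if __name__ == "__main__":
    evs, counts = triage(SAMPLE_LOG.splitlines())
    for cat, n in counts.most_common():
        print(f"{n:2d}  {cat}: {classify(cat)[1] or next(e.hint for e in evs if e.category == cat)}")
    root = first_fatal(evs)
    print("first fatal:", root.time, root.category, root.peers)
```

Run it against the output of `/log print where topics~"ipsec"` to get a per-category count and the first fatal line; the hints are starting points for the checks, not a substitute for the supout.rif that support asks for.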

Re: v6.45beta [testing] is released!

Posted: Sat May 18, 2019 9:25 pm
by josep
Very good news about EAP support in IKEv2. Please, we need EAP-AKA and EAP-AKA'; with this, all MikroTik routers can be used as a basic ePDG for non-3GPP access networks. The next step is GTP-U tunneling support, but EAP-AKA is a good start.

More info:

https://www.gsma.com/newsroom/wp-conten ... 1-v7.0.pdf
http://www.3gpp.org/ftp//Specs/archive/ ... 02-f10.zip