abatie
just joined
Topic Author
Posts: 23
Joined: Sat Feb 20, 2016 2:17 am

ipsec policy selection

Sat May 07, 2022 1:09 am

I'm missing something in the ipsec "proposal" selection, as I both created one of my own and changed the encryption parameters to match in the default profile, yet according to the peer, it's still sending the original default parameters (aes-cbc instead of aes-256):

I'm trying to set up a tunnel from 172.20.1.0/24 to 10.64.99.0/24:

172.20.1.0/24 (lan if)<remote peer> (wan if) 69.59.192.19 <routers> 172.20.44.100 (wan if)<mikrotik>(lan if) 10.64.99.0/24

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
nat-traversal=no
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=new_profile nat-traversal=\
no
/ip ipsec peer
add address=69.59.192.19/32 exchange-mode=ike2 local-address=172.20.44.100 name=remote-peer \
profile=new_profile

Mikrotik:
14:55:09 ipsec,error no proposal chosen
14:55:19 ipsec,error no proposal chosen
14:55:24 ipsec,error simultaneous rekey
14:55:29 ipsec,error no proposal chosen

Peer:
ike 0:Bend test:549: received create-child request
ike 0:Bend test:549: responder received CREATE_CHILD exchange
ike 0:Bend test:549: responder creating new child
ike 0:Bend test:549:1347: peer proposal:
ike 0:Bend test:549:1347: TSi_0 0:10.64.99.0-10.64.99.255:0
ike 0:Bend test:549:1347: TSr_0 0:69.59.192.19-69.59.192.19:0
ike 0:Bend test:549:Bend test:1347: comparing selectors
ike 0:Bend test:549:Bend test:1347: matched by rfc-rule-2
ike 0:Bend test:549:Bend test:1347: phase2 matched by subset
ike 0:Bend test:549:Bend test:1347: accepted proposal:
ike 0:Bend test:549:Bend test:1347: TSi_0 0:10.64.99.0-10.64.99.255:0
ike 0:Bend test:549:Bend test:1347: TSr_0 0:69.59.192.19-69.59.192.19:0
ike 0:Bend test:549:Bend test:1347: autokey
ike 0:Bend test:549:Bend test:1347: incoming child SA proposal:
ike 0:Bend test:549:Bend test:1347: proposal id = 1:
ike 0:Bend test:549:Bend test:1347: protocol = ESP:
ike 0:Bend test:549:Bend test:1347: encapsulation = TUNNEL
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test:1347: type=INTEGR, val=SHA
ike 0:Bend test:549:Bend test:1347: type=DH_GROUP, val=MODP1024
ike 0:Bend test:549:Bend test:1347: type=ESN, val=NO
ike 0:Bend test:549:Bend test:1347: my proposal:
ike 0:Bend test:549:Bend test:1347: proposal id = 1:
ike 0:Bend test:549:Bend test:1347: protocol = ESP:
ike 0:Bend test:549:Bend test:1347: encapsulation = TUNNEL
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test:1347: type=INTEGR, val=SHA256
ike 0:Bend test:549:Bend test:1347: type=DH_GROUP, val=MODP2048
ike 0:Bend test:549:Bend test:1347: type=ESN, val=NO
ike 0:Bend test:549:Bend test:1347: lifetime=28800
ike 0:Bend test:549:Bend test:1347: no proposal chosen
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: ipsec policy selection

Sat May 07, 2022 5:40 am

MT
type=ENCR, val=AES_CBC (key_len = 128)
type=ENCR, val=AES_CBC (key_len = 192)
type=ENCR, val=AES_CBC (key_len = 256)
type=INTEGR, val=SHA
type=DH_GROUP, val=MODP1024
Peer
my proposal:
type=ENCR, val=AES_CBC (key_len = 256)
type=INTEGR, val=SHA256
type=DH_GROUP, val=MODP2048
Check this article.
https://wiki.mikrotik.com/wiki/Manual:I ... load_(ESP)
Also, check if the PH2 is set correctly.
/ip/ipsec/proposal
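The reply points at the real cause: on RouterOS, `/ip ipsec profile` only sets the IKE SA (phase 1) algorithms, while the ESP child SA (phase 2) transforms come from the `/ip ipsec proposal` that the policy references, which here was still the default (aes-128/192/256-cbc, sha1, modp1024). The script below is an added example, not code from the thread or from MikroTik: it parses the peer log quoted in the first post, splits it at the `incoming child SA proposal:` and `my proposal:` markers, and reports per transform type which values the two sides share, so a "no proposal chosen" can be pinned to the exact attribute (here INTEGR and DH_GROUP) without reading the log by hand. The log text is copied from the thread; the vendor's `SHA` label is compared as-is.

```python
"""Locate the attribute behind an IKEv2 'no proposal chosen' from a responder log.

Added example (not from the forum thread or MikroTik). Each transform type
(ENCR, INTEGR, DH_GROUP, ESN) is compared as a set; an empty intersection for
any type is what makes the responder reject the child SA proposal.
"""
import re
from collections import defaultdict

# Peer log lines as quoted in the first post of the thread (prefix kept).
PEER_LOG = """\
ike 0:Bend test:549:Bend test:1347: incoming child SA proposal:
ike 0:Bend test:549:Bend test:1347: proposal id = 1:
ike 0:Bend test:549:Bend test:1347: protocol = ESP:
ike 0:Bend test:549:Bend test:1347: encapsulation = TUNNEL
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test:1347: type=INTEGR, val=SHA
ike 0:Bend test:549:Bend test:1347: type=DH_GROUP, val=MODP1024
ike 0:Bend test:549:Bend test:1347: type=ESN, val=NO
ike 0:Bend test:549:Bend test:1347: my proposal:
ike 0:Bend test:549:Bend test:1347: proposal id = 1:
ike 0:Bend test:549:Bend test:1347: protocol = ESP:
ike 0:Bend test:549:Bend test:1347: encapsulation = TUNNEL
ike 0:Bend test:549:Bend test:1347: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test:1347: type=INTEGR, val=SHA256
ike 0:Bend test:549:Bend test:1347: type=DH_GROUP, val=MODP2048
ike 0:Bend test:549:Bend test:1347: type=ESN, val=NO
ike 0:Bend test:549:Bend test:1347: lifetime=28800
ike 0:Bend test:549:Bend test:1347: no proposal chosen
"""

# One transform attribute per log line; key_len is optional (only on ENCR).
ATTR_RE = re.compile(
    r"type=(?P<type>\w+), val=(?P<val>[A-Z0-9_]+)(?: \(key_len = (?P<klen>\d+)\))?"
)


def parse_attrs(lines):
    """Return {transform_type: set(values)} for the given log lines.

    AES_CBC with key_len 128 becomes 'AES_CBC_128': IKEv2 negotiates the key
    size as part of the transform, so each key length is a distinct value.
    """
    attrs = defaultdict(set)
    for line in lines:
        m = ATTR_RE.search(line)
        if not m:
            continue  # proposal id / protocol / encapsulation / lifetime lines
        val = m.group("val")
        if m.group("klen"):
            val = f"{val}_{m.group('klen')}"
        attrs[m.group("type")].add(val)
    return dict(attrs)


def split_proposals(log):
    """Split the log into (incoming, mine) line lists at the two markers."""
    incoming, mine, current = [], [], None
    for line in log.splitlines():
        if "incoming child SA proposal:" in line:
            current = incoming
        elif "my proposal:" in line:
            current = mine
        elif current is not None:
            current.append(line)
    return incoming, mine


def compare(log):
    """Return {type: {'peer': set, 'local': set, 'common': set}}.

    'peer' is what the initiator (the MikroTik) sent; 'local' is what the
    responder that wrote the log is configured with.
    """
    incoming, mine = split_proposals(log)
    peer, local = parse_attrs(incoming), parse_attrs(mine)
    report = {}
    for t in sorted(set(peer) | set(local)):
        p, l = peer.get(t, set()), local.get(t, set())
        report[t] = {"peer": p, "local": l, "common": p & l}
    return report


def mismatched_types(log):
    """Transform types with no overlap at all; any entry means 'no proposal chosen'."""
    return sorted(t for t, r in compare(log).items() if not r["common"])


if __name__ == "__main__":
    for t, r in compare(PEER_LOG).items():
        status = "ok" if r["common"] else "NO OVERLAP"
        print(f"{t:9} peer={sorted(r['peer'])} local={sorted(r['local'])} -> {status}")
    print("mismatched:", mismatched_types(PEER_LOG))
```

On the thread's log the only transform type that overlaps apart from ESN is ENCR (both sides offer AES_CBC_256); INTEGR (SHA vs SHA256) and DH_GROUP (MODP1024 vs MODP2048) have no common value, which matches the fix the reply suggests: align the `/ip ipsec proposal` used by the policy, not only the profile.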
 
abatie
just joined
Topic Author
Posts: 23
Joined: Sat Feb 20, 2016 2:17 am

Re: ipsec policy selection

Wed May 11, 2022 7:30 pm

/ip ipsec proposal was the trick I missed, thanks!
