LennartF
Topic Author

IPsec HW Accelerator Glitch when forwarding from WireGuard?

Sun Oct 16, 2022 9:20 am

Hi,

I set up IPsec tunneling between an RB750Gr3 (hEX) at Site-A and a VM running RouterOS 7.5 at Site-B. At both sites, there is a LAN subnet, but the router at Site-A also runs WireGuard for mobile clients. While pinging a mobile device from Site-A or pinging a LAN device at Site-A from a LAN device at Site-B (and vice versa) works flawlessly, pinging a mobile device from Site-B (or vice versa) has a packet loss of more than 95%.

I began to troubleshoot the issue and found out that the ICMP ping requests or replies from the mobile device (connected via WireGuard to Site-A) are forwarded as ESP packets from Site-A to Site-B, but there seems to be some error, as almost all of them are not further processed by Site-B, and instead the "State Protocol Errors" at Site-B rise accordingly. I spent a lot of time debugging and trying out different things, until I found out that choosing something different than 3DES or AES as the encryption algorithm (i.e. an encryption without hardware acceleration on the RB750Gr3) completely fixes the issue.

Has anyone else encountered this issue before? Unfortunately, I don't have another RB750Gr3 lying around to verify my findings.
