Zoolander06

Passive IPSec tunnel issue

Tue Feb 07, 2023 5:38 pm

Hello folks,

I have a weird issue with an IKEv2 tunnel set as passive.
The initiator has no problem establishing the tunnel, and everything seems good, but there is absolutely no traffic.

The weird part is that if I ping a distant device just once, everything starts to work normally.

I don't understand why, and it's quite inconvenient, so does anyone have any idea what I missed?

Thanks,

Joris
 
Zoolander06

Re: Passive IPSec tunnel issue

Fri Feb 24, 2023 6:21 pm

Hello,

Does nobody have any idea?
I now have a second IKEv2 tunnel with the exact same issue...

Does anybody know how I can trigger a ping when the tunnel comes up? It would be a workaround at least...

Thanks,

Joris
 
Larsa

Re: Passive IPSec tunnel issue

Fri Feb 24, 2023 6:27 pm

If you want help from people on this user forum, please post your config and a brief description of the network topology. You may also mail Mikrotik customer support.
 
Zoolander06

Re: Passive IPSec tunnel issue

Fri Feb 24, 2023 6:52 pm

Hello,

The topology is pretty standard, I have 2 WAN interfaces and one LAN.
First WAN is PPPoE, and is used for the problematic tunnel.
Second WAN is IP, and is used as a backup, but not for this tunnel.
There are multiple addresses on the LAN interface because the customer previously had multiple gateways; keeping them is what I usually do to avoid changes on other devices (most of the time I don't have access to those).
There are also GRE tunnels to another site, and a road-warrior L2TP/IPsec VPN.
Nothing really fancy or unusual for me...

Of course, here is my config:
# NOTE(review): the public addresses are placeholders, but the bridge
# admin-mac here and the PPPoE username further down are still the real
# values; consider redacting them too before posting.
/interface bridge
# proxy-arp makes the router answer ARP for anything it can route. With
# three subnets sharing this one bridge there is no L2 separation between
# them, so any host can reach any other through the router.
add admin-mac=2C:C8:1B:EE:30:FB arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface gre
# Plain GRE: no encryption and no authentication beyond matching the
# remote-address, which a spoofed source can satisfy. Both tunnels are
# members of the LAN list (see /interface list member), so whatever arrives
# through them is treated as LAN by the input chain. Consider ipsec-secret=
# on these interfaces, or carrying the GRE inside an IPsec policy.
add local-address=eee.fff.ggg.hhh name=gre-tunnel1 remote-address=\
    iii.jjj.kkk.lll
# allow-fast-path=no on this tunnel only; gre-tunnel1 keeps the default.
add allow-fast-path=no local-address=10.0.1.2 name=gre-tunnel2 \
    remote-address=mmm.nnn.ooo.ppp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip dhcp-server option
# Option 66 (TFTP server) pushed to the 192.168.7.0/24 scope; every DHCP
# client receives this URL, so it should be something that can be public.
add code=66 name=TFTP_UNYC value="'https://xxxxxxxxxxxxxxxxx'"
/ip ipsec policy group
add name=MISTRAL
/ip ipsec profile
# Phase 1: ECP256 DH, AES-256, SHA-256, 1h IKE SA lifetime - reasonable.
# DPD is disabled, so a peer that dies silently (or restarts and re-keys
# from a fresh state) is only noticed when the SA lifetime runs out. Stale
# SAs on a passive responder are one thing to rule out when traffic stops
# until something new is sent.
add dh-group=ecp256 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=1h name=mistral
/ip ipsec peer
# passive=yes: this side never initiates, so LAN traffic toward the remote
# subnet cannot bring the tunnel up; it depends entirely on aaa.bbb.ccc.ddd
# initiating. Pinning the peer to a /32 is good. The identity below carries
# no auth-method, so presumably the default pre-shared key is in use (the
# export strips the secret).
add address=aaa.bbb.ccc.ddd/32 exchange-mode=ike2 local-address=eee.fff.ggg.hhh \
    name=MISTRAL passive=yes profile=mistral send-initial-contact=no
/ip ipsec proposal
# Phase 2: AES-256-CBC + SHA-256 with PFS (modp2048), 15 min SA lifetime.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=15m name=\
    mistral pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.7.101-192.168.7.150
# Pool handed to the L2TP road-warrior clients (see /ppp profile VPN). It
# sits inside the LAN subnet, so VPN users look exactly like LAN hosts.
add name=dhcp-VPN ranges=192.168.7.151-192.168.7.155
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
# PPPoE uplink profile. use-encryption=no is normal for PPPoE, but
# use-upnp=yes enables UPnP on the WAN side of this link whenever /ip upnp
# is turned on (not shown in this export); LAN hosts could then open
# inbound ports through the firewall on their own. Set use-upnp=no unless
# it is deliberately needed.
add change-tcp-mss=yes name=PPPoE only-one=yes use-compression=no \
    use-encryption=no use-mpls=no use-upnp=yes
# Road-warrior L2TP profile: clients are placed in the LAN interface list
# with a 192.168.7.x address, so they get the same input-chain access as a
# wired LAN host (router services, DNS, the other subnets). Fine if that is
# intended; a dedicated subnet plus explicit forward rules would give least
# privilege.
add change-tcp-mss=yes interface-list=LAN local-address=192.168.7.254 name=\
    VPN only-one=yes remote-address=dhcp-VPN
/interface pppoe-client
# allow=pap,chap: PAP sends the password in clear on the line; usually
# dictated by the ISP. NOTE(review): the PPPoE username is posted
# unredacted (the password is stripped by the export).
add allow=pap,chap disabled=no interface=ether1 name=vdsl-ether1 profile=\
    PPPoE user=ip22120998541@srvc
/routing table
add disabled=no fib name=WAN1
add disabled=no fib name=WAN2
/snmp community
# The default community is renamed but keeps write-access=yes, SNMP is
# enabled (see /snmp) and reachable from the Unyc addresses on the WAN.
# v1/v2c sends the community string in cleartext, so anyone who captures or
# guesses it can change router settings. Unless the provider really writes
# via SNMP, set write-access=no; also restrict the community itself with
# addresses=85.14.167.193,85.14.167.234 and prefer SNMPv3 (security=private)
# if the monitoring side supports it.
set [ find default=yes ] name=Monitoring write-access=yes
/interface bridge port
# ingress-filtering=no (defconf): no VLAN filtering on any port. The three
# LAN subnets and both Wi-Fi radios share one untagged broadcast domain.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list - which includes the GRE tunnels.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 fully disabled: no IPv6 attack surface, but no IPv6 service either.
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# use-ipsec=required is the right setting. mschap1 is weak and every
# current client speaks mschap2, so authentication=mschap2 alone is safer.
# The IPsec secret is not visible here - presumably hidden by the export.
set authentication=mschap1,mschap2 enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vdsl-ether1 list=WAN
add interface=ether2 list=WAN
# Both GRE tunnels are LAN members: the "drop all not coming from LAN"
# input rule therefore admits whatever arrives through them, and the GRE
# itself is unauthenticated (see /interface gre).
add interface=gre-tunnel1 list=LAN
add interface=gre-tunnel2 list=LAN
/interface ovpn-server server
# The OVPN server is not enabled in this export, but md5 is left in the HMAC
# list; drop it (auth=sha1 or stronger) before the server is ever enabled.
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.1.2/24 comment=VDSL interface=ether2 network=10.0.1.0
add address=192.168.7.254/24 interface=bridge network=192.168.7.0
add address=172.16.0.2/30 interface=gre-tunnel1 network=172.16.0.0
add address=172.16.0.6/30 interface=gre-tunnel2 network=172.16.0.4
# Legacy gateway addresses kept alive on the same bridge (see the topology
# description above): 192.168.7.252, 192.168.0.254 and 192.168.117.252.
# Only 192.168.117.0/24 appears in the IPsec policy template, so hosts in
# the other subnets have no path through the tunnel.
add address=192.168.7.252/24 interface=bridge network=192.168.7.0
add address=192.168.0.254/24 interface=bridge network=192.168.0.0
add address=192.168.117.252/24 interface=bridge network=192.168.117.0
/ip dhcp-server network
add address=192.168.7.0/24 dhcp-option=TFTP_UNYC gateway=192.168.7.254
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router a resolver on every interface.
# The WAN is shielded only by the input "drop all not coming from LAN" rule,
# so the GRE peers and L2TP clients (LAN members) can query it as well.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Provider monitoring hosts allowed to reach SNMP from the WAN.
add address=85.14.167.193 list=Unyc
add address=85.14.167.234 list=Unyc
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# IKE (500), NAT-T (4500) and L2TP (1701) are open to the whole Internet.
# 500/4500 must stay open for road warriors, but 1701 only needs to be
# reachable inside IPsec because the L2TP server has use-ipsec=required -
# e.g. a separate rule for dst-port=1701 with ipsec-policy=in,ipsec.
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN \
    protocol=udp
# GRE accepted from ANY WAN source. GRE carries no authentication, so this
# rule is only as strong as source filtering; at least add src-address= for
# the two tunnel endpoints (iii.jjj.kkk.lll and mmm.nnn.ooo.ppp).
add action=accept chain=input in-interface-list=WAN protocol=gre
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management UI reachable from anywhere on the Internet with no source
# restriction and no rate limit. Restrict it with src-address-list= (as is
# done for SNMP just below) or reach WebFig over the VPN instead.
add action=accept chain=input comment=\
    "Accept Webfig https connections from WAN" dst-port=8443 \
    in-interface-list=WAN protocol=tcp
# Source-restricted, good. 162 is the trap receiver port; RouterOS sends
# traps to a target but does not listen on 162, so 161 alone should do.
add action=accept chain=input comment="Accept SNMP conections from Unyc" \
    dst-port=161,162 in-interface-list=WAN protocol=udp src-address-list=Unyc
# Everything else to the router is dropped unless it arrives from the LAN
# list - which here includes both GRE tunnels and the L2TP clients.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# These two IPsec accept rules must stay ahead of fasttrack: fasttracked
# packets skip the IPsec policy check, so moving them below it would
# silently route tunnel traffic in the clear.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# There is no rule between the LAN subnets or from the GRE/L2TP side toward
# the LAN: any LAN-list source can be forwarded anywhere.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# Connection marking so replies leave via the uplink they came in on.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=related,new,untracked in-interface-list=LAN \
    new-connection-mark=lan-cnx passthrough=yes
# NOTE(review): decrypted IPsec packets re-enter prerouting with the WAN
# interface as in-interface, so a connection that the *remote* site opens
# toward 192.168.117.0/24 would get wan1-cnx here and then routing-mark
# WAN1 below - and table WAN1 only holds a default route out vdsl-ether1,
# not the connected route to the bridge. That would leave remote-initiated
# flows dead while anything started from this side (lan-cnx, main table)
# works, which fits the symptom at least for that direction. Worth checking
# the marks with /ip firewall connection print while it is broken. One fix
# is to exclude decapsulated traffic from this rule (ipsec-policy=in,none),
# another is to skip the LAN subnets on the mark-routing rule with a
# dst-address-list.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=related,new,untracked in-interface=vdsl-ether1 \
    new-connection-mark=wan1-cnx passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=related,new,untracked in-interface=ether2 \
    new-connection-mark=wan2-cnx passthrough=yes
# dst-address-type=!local keeps router-bound packets in the main table, but
# LAN-bound packets of a wan1-cnx connection still receive routing-mark WAN1.
add action=mark-routing chain=prerouting connection-mark=wan1-cnx \
    dst-address-type=!local new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1-cnx \
    new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2-cnx \
    dst-address-type=!local new-routing-mark=WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2-cnx \
    new-routing-mark=WAN2 passthrough=yes
/ip firewall nat
# Explicit NAT bypass for the IPsec subnets in both directions. The
# masquerade rule below already skips packets matching an outbound IPsec
# policy (ipsec-policy=out,none), so the first rule is belt-and-braces; the
# second covers traffic coming FROM the remote site, which leaves via the
# bridge and would not normally hit the WAN-only masquerade anyway.
add action=accept chain=srcnat dst-address=192.63.63.0/24 src-address=\
    192.168.117.0/24
add action=accept chain=srcnat dst-address=192.168.117.0/24 src-address=\
    192.63.63.0/24
# ipsec-policy=out,none is essential: without it LAN traffic would be
# masqueraded before the policy is checked and never match the tunnel.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
# SIP ALG off - good, it is a frequent cause of broken VoIP.
set sip disabled=yes
/ip ipsec identity
# No auth-method given, so the default pre-shared key presumably applies;
# the secret is stripped from the export. port-strict takes the ports from
# the peer's proposal, which therefore has to match this template.
add generate-policy=port-strict peer=MISTRAL policy-template-group=MISTRAL
/ip ipsec policy
# Template only: the live policy is generated at IKE time from the peer's
# traffic selectors, bounded by these subnets. Only 192.168.117.0/24 of the
# three LAN subnets is covered.
add dst-address=192.63.63.0/24 group=MISTRAL proposal=mistral src-address=\
    192.168.117.0/24 template=yes
/ip route
# Main table: PPPoE is primary (distance 1), 10.0.1.1 backup (distance 2).
# The backup has no check-gateway, so failover relies on vdsl-ether1 going
# down, not on reachability through it.
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.0.1.1 pref-src="" \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=vdsl-ether1 \
    pref-src="" routing-table=main suppress-hw-offload=no
# Per-uplink tables used by the mangle marks. Each holds only a default
# route plus a blackhole, so a packet carrying routing-mark WAN1/WAN2 that
# is bound for a LAN subnet matches the default route here rather than the
# connected route in main - which matters for any connection the mangle
# rules mark on its way in from the WAN.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=vdsl-ether1 \
    pref-src="" routing-table=WAN1 suppress-hw-offload=no
add blackhole disabled=no distance=2 dst-address=0.0.0.0/0 gateway="" \
    pref-src="" routing-table=WAN1 suppress-hw-offload=no
add blackhole disabled=no distance=2 dst-address=0.0.0.0/0 gateway="" \
    pref-src="" routing-table=WAN2 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.0.1.1 routing-table=WAN2 suppress-hw-offload=no
# Far site behind the GRE tunnels: gre-tunnel1 preferred, gre-tunnel2 backup,
# both monitored with check-gateway=ping.
add check-gateway=ping disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=172.16.0.1 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=192.168.5.0/24 \
    gateway=172.16.0.5 routing-table=main suppress-hw-offload=no
# Host routes pinning each GRE endpoint to its own uplink so the tunnels do
# not follow the main default route.
add check-gateway=ping disabled=no distance=1 dst-address=mmm.nnn.ooo.ppp/32 \
    gateway=10.0.1.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=iii.jjj.kkk.lll/32 gateway=vdsl-ether1 \
    routing-table=main suppress-hw-offload=no
/ip service
# HTTPS management on 8443 with a named certificate; the firewall lets the
# whole Internet reach it. The other services (www, api, winbox, ssh,
# telnet, ftp) are absent from the export, so presumably they keep their
# defaults - enabled, unrestricted - and are reachable from anything in the
# LAN list, including the GRE peers and L2TP clients. Consider address=
# restrictions here and disabling telnet/ftp/www/api if unused.
set www-ssl certificate=WebFig disabled=no port=8443
/ppp secret
# Road-warrior accounts; passwords stripped by the export. Nothing pins
# these accounts to a source, so either one can connect from anywhere that
# reaches UDP 500/4500/1701.
add name=Vpn_Nomade_DSL profile=VPN service=l2tp
add name=Vpn_Nomade_DSL_2 profile=VPN service=l2tp
/snmp
# Enabled, with the write-capable community defined under /snmp community.
set enabled=yes
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
# Unauthenticated NTP from a public pool; normal, but IKE lifetimes and any
# certificate validity checks depend on this clock being right.
add address=fr.pool.ntp.org
Any help would be highly appreciated :)

Joris
