elaouby
just joined
Topic Author
Posts: 6
Joined: Tue Apr 18, 2023 9:10 am

Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Tue Apr 18, 2023 9:13 am

Hey everyone,

I've tried setting up protonvpn (& nordvpn) to work on my newly purchased hap ac3 running os7.8, with no success. I've followed the guides online but no dice. As far as I can tell, the tunnels aren't even connecting for some reason. I confirmed that the chosen server works through the mobile app.

Below is a copy of my ipsec configuration as well as its log.

Please let me know if you have any suggestions on how to fix this or a workaround.

#Configuration
/certificate import file-name=protonvpn.der name=ProtonVPN passphrase=""
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=ProtonVPN pfs-group=none
/ip ipsec policy group add name=ProtonVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add connection-mark=vpn name=ProtonVPN responder=no src-address-list=vpn
/ip ipsec peer add address=nl-free-112.protonvpn.net exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec identity add auth-method=eap certificate=ProtonVPN eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN peer=ProtonVPN policy-template-group=ProtonVPN username=xxxx password=xxxx



#Log
Apr/18/2023 07:12:33 ipsec adding payload: SA
Apr/18/2023 07:12:33 ipsec,debug => (size 0x40)
Apr/18/2023 07:12:33 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0100 03000008 02000005
Apr/18/2023 07:12:33 ipsec,debug 03000008 0300000c 03000008 04000010 03000008 0400000e 00000008 04000002
Apr/18/2023 07:12:33 ipsec adding payload: KE
Apr/18/2023 07:12:33 ipsec,debug => (first 0x100 of 0x208)
Apr/18/2023 07:12:33 ipsec,debug 00000208 00100000 7c6d10a5 51cc6b0a f5e97487 a93c99e4 d6566f4f b358484e
Apr/18/2023 07:12:33 ipsec,debug 3a742eae 6fbb199b beaa53b0 3f4eb1da 0846c944 41324ae8 a293ba0e 517b35ba
Apr/18/2023 07:12:33 ipsec,debug 9c285b51 10e1ff19 5c23a1da 16ded7ee 1049e3e3 50caec4d 7a90583f b8f9598f
Apr/18/2023 07:12:33 ipsec,debug a88b3edc 7c0308dc ade781dc 942cf206 dffda075 77971ed5 51993277 51fec7bd
Apr/18/2023 07:12:33 ipsec,debug 9079294b f5e5f0b3 ab283318 de906add 189b295d 6dc60da7 4724888d e7907c6a
Apr/18/2023 07:12:33 ipsec,debug d9e075e2 161e0b50 1dcd3377 c0d0a895 5760cd53 df2272af 5a072dee 491af121
Apr/18/2023 07:12:33 ipsec,debug 8dfe273d 5889392e 48febd16 8a1b7bf2 d49fcbe8 3902a2dc 690c7ad4 f61c5e64
Apr/18/2023 07:12:33 ipsec,debug c349eaab 90e812c4 2214e27a 51d10162 587ac11c 59397ef1 c93904c4 d36f58a8
Apr/18/2023 07:12:33 ipsec adding payload: NONCE
Apr/18/2023 07:12:33 ipsec,debug => (size 0x1c)
Apr/18/2023 07:12:33 ipsec,debug 0000001c 4211026e 59654f93 4b84bd4c e18b3cc7 c834d475 c76c5b99
Apr/18/2023 07:12:33 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Apr/18/2023 07:12:33 ipsec,debug => (size 0x1c)
Apr/18/2023 07:12:33 ipsec,debug 0000001c 00004004 a33d75e0 b1343608 e1ed3236 454e306a d6b30fd7
Apr/18/2023 07:12:33 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Apr/18/2023 07:12:33 ipsec,debug => (size 0x1c)
Apr/18/2023 07:12:33 ipsec,debug 0000001c 00004005 79d56389 73cc8214 c8fbb6fc 3f80fecf a47dec01
Apr/18/2023 07:12:33 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/18/2023 07:12:33 ipsec,debug => (size 0x8)
Apr/18/2023 07:12:33 ipsec,debug 00000008 0000402e
Apr/18/2023 07:12:33 ipsec <- ike2 request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:33 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:12:33 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:12:39 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:39 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:12:39 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:12:44 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:44 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:12:44 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:12:49 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:49 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:12:49 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:12:54 ipsec ike2 init timeout request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:13:03 ipsec ike2 starting for: 149.34.244.129
Apr/18/2023 07:13:05 ipsec adding payload: SA
Apr/18/2023 07:13:05 ipsec,debug => (size 0x40)
Apr/18/2023 07:13:05 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0100 03000008 02000005
Apr/18/2023 07:13:05 ipsec,debug 03000008 0300000c 03000008 04000010 03000008 0400000e 00000008 04000002
Apr/18/2023 07:13:05 ipsec adding payload: KE
Apr/18/2023 07:13:05 ipsec,debug => (first 0x100 of 0x208)
Apr/18/2023 07:13:05 ipsec,debug 00000208 00100000 17da75c2 dc155656 a36c9ae7 c2983bdb 68073789 b7dd3431
Apr/18/2023 07:13:05 ipsec,debug d7813c86 e9b94537 76de5dc2 49125183 d96247df bae3e49f 8bdbdc30 9781b8c9
Apr/18/2023 07:13:05 ipsec,debug b96e3a6b 9523c335 f8332f95 1a83794e 6df21a5a c8c6c3a3 0ece1c25 4f7cb640
Apr/18/2023 07:13:05 ipsec,debug 895690f0 5f96c3ab fb95b51f 8f2db227 09436d32 dc778e21 bad8b3fe 87492f79
Apr/18/2023 07:13:05 ipsec,debug 45516bb9 d888a8c5 e43737b2 d70adcc6 e1197d67 a0a651ec efa5877d 796ab341
Apr/18/2023 07:13:05 ipsec,debug a06b6d67 0f37ac09 05f03ef9 ad312a6f 172c4746 fb7416ff 36ded5c1 a0fddbf4
Apr/18/2023 07:13:05 ipsec,debug 8778f1f4 eb90e968 0066ba97 9e2157d3 5906fbff 25e6432e 54a994fb b9d83eff
Apr/18/2023 07:13:05 ipsec,debug cd71f420 2a858a8c f5ee1e58 bb8c8970 66f34e76 90b9dc30 55225f3b 93183a50
Apr/18/2023 07:13:05 ipsec adding payload: NONCE
Apr/18/2023 07:13:05 ipsec,debug => (size 0x1c)
Apr/18/2023 07:13:05 ipsec,debug 0000001c d3fec5dd 606273e7 615d61bb b1ff0a71 3a30af11 330acf51
Apr/18/2023 07:13:05 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Apr/18/2023 07:13:05 ipsec,debug => (size 0x1c)
Apr/18/2023 07:13:05 ipsec,debug 0000001c 00004004 41846de9 d72a1158 c6458648 c2a18bea 26d7100f
Apr/18/2023 07:13:05 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Apr/18/2023 07:13:05 ipsec,debug => (size 0x1c)
Apr/18/2023 07:13:05 ipsec,debug 0000001c 00004005 02b8f8b7 cedd4fd7 3e037d66 e07431a7 4c6bd158
Apr/18/2023 07:13:05 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Apr/18/2023 07:13:05 ipsec,debug => (size 0x8)
Apr/18/2023 07:13:05 ipsec,debug 00000008 0000402e
Apr/18/2023 07:13:05 ipsec <- ike2 request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:05 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:13:05 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:13:10 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:10 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:13:10 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:13:15 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:15 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:13:15 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:13:20 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:20 ipsec,debug ===== sending 704 bytes from 10.0.0.3[4500] to 149.34.244.129[4500]
Apr/18/2023 07:13:20 ipsec,debug 1 times of 708 bytes message will be sent to 149.34.244.129[4500]
Apr/18/2023 07:13:25 ipsec ike2 init timeout request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:35 ipsec ike2 starting for: 149.34.244.129
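
Added example, not part of the original post: a Python decoder for the SA payload bytes in the debug log above. It shows that the router offered on the wire what the profile configures (AES-CBC 256, SHA-256, modp4096/2048/1024) and built its KE payload for group 16 (modp4096). The function names are this example's own; the transform names follow the IANA IKEv2 registry.

```python
import struct

# Copied from the first "adding payload: SA" / "adding payload: KE" dumps in the log.
SA_HEX = """00000040 0000003c 01010006 0300000c 0100000c 800e0100 03000008 02000005
03000008 0300000c 03000008 04000010 03000008 0400000e 00000008 04000002"""
KE_HEADER_HEX = "00000208 00100000"

# Subset of the IANA IKEv2 transform registries (RFC 7296) needed for this dump.
TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
NAMES = {(1, 12): "AES_CBC", (2, 5): "HMAC_SHA2_256", (3, 12): "HMAC_SHA2_256_128",
         (4, 2): "modp1024", (4, 14): "modp2048", (4, 16): "modp4096"}

def parse_sa_payload(hex_dump):
    """Decode a single-proposal IKEv2 SA payload into (type, name, key_bits) tuples."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    _next, _crit, pay_len = struct.unpack_from("!BBH", buf, 0)
    _last, _r, prop_len, _num, proto, spi_size, count = struct.unpack_from("!BBHBBBB", buf, 4)
    if pay_len != len(buf) or prop_len != pay_len - 4 or proto != 1:
        raise ValueError("expected one complete IKE (protocol 1) proposal")
    off, out = 12 + spi_size, []
    for _ in range(count):
        _more, _r, t_len, t_type, _r2, t_id = struct.unpack_from("!BBHBBH", buf, off)
        key_bits, pos = None, off + 8
        while pos < off + t_len:                 # walk the transform attributes
            a_type, a_val = struct.unpack_from("!HH", buf, pos)
            if a_type == 0x800E:                 # TV format, type 14 = key length
                key_bits = a_val
            pos += 4 if a_type & 0x8000 else 4 + a_val
        out.append((TYPES.get(t_type, t_type), NAMES.get((t_type, t_id), t_id), key_bits))
        off += t_len
    return out

def ke_group(header_hex):
    """Return (payload_length, dh_group_number) from the first 8 bytes of a KE payload."""
    raw = bytes.fromhex(header_hex.replace(" ", ""))
    _next, _crit, length, group, _r = struct.unpack("!BBHHH", raw)
    return length, group

if __name__ == "__main__":
    for transform in parse_sa_payload(SA_HEX):
        print(transform)
    print("KE payload (length, group):", ke_group(KE_HEADER_HEX))
```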
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Wed Apr 19, 2023 4:30 am

WireGuard is easier.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Wed Apr 19, 2023 5:19 am

Downgrade and check again. Moreover, it looks like the new RC version is working correctly.
2023-04-19_06-05-10.png
Regards,
 
elaouby
just joined
Topic Author
Posts: 6
Joined: Tue Apr 18, 2023 9:10 am

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Wed Apr 19, 2023 7:21 pm

> Downgrade and check again. Moreover, it looks like the new RC version is working correctly.
>
> 2023-04-19_06-05-10.png
>
> Regards,

I've tried upgrading to 7.9rc3 and downgrading all the way to 6.49.7, no changes. No peers are connecting.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Wed Apr 19, 2023 7:29 pm

/system logging
add prefix=--->IPSEC topics=ipsec,!packet
Share the full log.
 
elaouby
just joined
Topic Author
Posts: 6
Joined: Tue Apr 18, 2023 9:10 am

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Wed Apr 19, 2023 10:35 pm

> /system logging
> add prefix=--->IPSEC topics=ipsec,!packet
> share the full log.

IPSec log here: https://raw.githubusercontent.com/elaou ... psec.0.txt
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Thu Apr 20, 2023 3:49 am

The log indicates that the connection is stuck in the security association.
Export your config and share it. Someone might find out where the problem is.
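
Added example, not part of the thread: a Python summary of the initiator lines from the first post's log, grouped by initiator SPI. It uses two things visible in those lines: the responder SPI stays all-zero and each attempt ends in `init timeout`, which in IKEv2 means the exchange ended in IKE_SA_INIT, before the IKE_AUTH step where the certificate and EAP credentials are used. The regular expression assumes the line layout seen in this log.

```python
import re
from datetime import datetime

# Lines copied from the first post's log (debug hex and "sending" lines left out).
LOG = """\
Apr/18/2023 07:12:33 ipsec <- ike2 request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:39 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:44 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:49 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:12:54 ipsec ike2 init timeout request, exchange: SA_INIT:0 149.34.244.129[4500] 58e143f109d133c4:0000000000000000
Apr/18/2023 07:13:05 ipsec <- ike2 request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:10 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:15 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:20 ipsec <- ike2 init retransmit request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
Apr/18/2023 07:13:25 ipsec ike2 init timeout request, exchange: SA_INIT:0 149.34.244.129[4500] 541c419d23f9d67e:0000000000000000
"""

# timestamp, event, exchange name, peer address, initiator SPI : responder SPI
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) ipsec (?:<- )?ike2 (?P<event>request|init retransmit request|"
    r"init timeout request), exchange: (?P<xchg>\w+):\d+ (?P<peer>[\d.]+)\[\d+\] "
    r"(?P<ispi>[0-9a-f]{16}):(?P<rspi>[0-9a-f]{16})$")

def summarize(log_text):
    """Group IKEv2 initiator events by initiator SPI and classify each attempt."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # payload, hex and "sending" lines are ignored
        ts = datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S")
        a = attempts.setdefault(m["ispi"], {"peer": m["peer"], "exchange": m["xchg"],
            "first": ts, "sends": 0, "timed_out": False, "responder_spi_seen": False})
        if m["event"] == "init timeout request":
            a["timed_out"] = True
            a["seconds"] = int((ts - a["first"]).total_seconds())
        else:
            a["sends"] += 1  # the initial request plus each retransmit
        if int(m["rspi"], 16) != 0:
            a["responder_spi_seen"] = True
    for a in attempts.values():
        unanswered = a["timed_out"] and not a["responder_spi_seen"]
        a["verdict"] = ("no reply to IKE_SA_INIT: failed before IKE_AUTH"
                        if unanswered and a["exchange"] == "SA_INIT" else "see full log")
    return attempts

if __name__ == "__main__":
    for spi, a in summarize(LOG).items():
        print(spi, a["peer"], a["sends"], "sends,", a.get("seconds"), "s:", a["verdict"])
```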
 
elaouby
just joined
Topic Author
Posts: 6
Joined: Tue Apr 18, 2023 9:10 am

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Thu Apr 20, 2023 5:04 pm

> The log indicates that the connection is stuck in the security association.
> Export your config and share it. Someone might find out where the problem is.

Full config & ipsec log:
https://raw.githubusercontent.com/elaou ... public.rsc
https://raw.githubusercontent.com/elaou ... psec.0.txt
 
Ddram
just joined
Posts: 19
Joined: Mon Feb 08, 2021 7:56 pm

Re: Can't setup IPSec VPN to work on hap ac3 (tried nordvpn & protonvpn)

Thu Apr 20, 2023 8:45 pm

Noob here,

Got similar problems while changing VPN provider from NordVPN to hide.me.

Certificate error happens in 7.8+, got it fixed by importing two root certificates following this thread https://community.hide.me/threads/premi ... ites.4048/ (first post, second part about certificates). The OP writes about three certificates, but the third one (I think) got me an error while importing.

After this, the connection was established and working, but got killed after about 10 sec. Support told me to try using a fixed IP address in the peer configuration. That worked for me!

My NordVPN config was added while on ROS 6.4x and works normally with 7.8+. Maybe it's a problem with new configurations.
