mikruser
Member
Topic Author
Posts: 349
Joined: Wed Jan 16, 2013 6:28 pm

Problem with IPsec after update to 6.42

Wed Jul 04, 2018 3:40 pm

Hello,
After updating from 6.41.4 to 6.42.5, the traffic does not go through the tunnel (the tunnel is established, but the traffic does not go).
After a downgrade to 6.41.4 everything works fine again.

What changes in 6.42 led to this?
do not ask me why it is necessary.
 
sindy
Forum Guru
Posts: 2514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with IPsec after update to 6.42

Wed Jul 04, 2018 5:37 pm

Only support might know the particular changes in detail, and even that is not certain if they were unintentional. There seems to be some mess in policy ordering, and I had issues where one peer had decided to use plain ESP while the other one was encapsulating it into UDP.

So to start from somewhere, post here the output of /ip ipsec remote-peers print detail, /ip ipsec policy print and /ip ipsec installed-sa print from both ends (if both are Mikrotik ones), after systematically replacing each occurrence of each public address by a distinctive pattern like pub.lic.ip.1, pub.lic.ip.2 (so that the relationship remains visible) and removing the auth-key and enc-key items from the installed-sa output.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
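The systematic substitution described above, as an added example (not code from the forum or from RouterOS): every distinct public IPv4 address in a piece of /export or print output is replaced by a numbered placeholder such as my.public.ip.1, the same address always getting the same number so that the relationship between peer, sa-src-address/sa-dst-address and installed-sa lines stays visible, and auth-key/enc-key values are redacted. The sample text is constructed in the style of RouterOS output and uses documentation addresses; private, loopback, link-local and 0.0.0.0 addresses are assumed to identify nobody and are left untouched.

```python
import ipaddress
import re

# Constructed sample in the style of RouterOS /export and installed-sa print output
# (hypothetical addresses from documentation ranges; not a real configuration).
SAMPLE = """\
/ip ipsec peer
add address=203.0.113.7/32 local-address=198.51.100.4 exchange-mode=main
/ip ipsec policy
add src-address=10.0.0.0/8 dst-address=0.0.0.0/0 sa-src-address=198.51.100.4 \\
    sa-dst-address=203.0.113.7 tunnel=yes
 0 src-address=198.51.100.4 dst-address=203.0.113.7 auth-key="0011aabb" enc-key="ccdd2233"
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
KEY_RE = re.compile(r'\b(auth-key|enc-key)=("[^"]*"|\S+)')

# Ranges that identify nobody and stay as they are (RFC 1918, loopback, link-local,
# "this" network, multicast/reserved). Everything else is treated as public.
KEEP = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def is_public(token):
    try:
        addr = ipaddress.IPv4Address(token)
    except ValueError:
        return False          # e.g. an octet above 255: not an address at all
    return not any(addr in net for net in KEEP)

def sanitize(text, pattern="my.public.ip.{n}"):
    """Return (sanitized text, address -> placeholder map).

    Each distinct public address gets one numbered placeholder, assigned in order of
    first appearance, so that relationships between lines stay visible. Keys are redacted."""
    mapping = {}
    def repl(m):
        token = m.group(1)
        if not is_public(token):
            return token
        if token not in mapping:
            mapping[token] = pattern.format(n=len(mapping) + 1)
        return mapping[token]
    text = KEY_RE.sub(r'\1="<removed>"', text)
    return IPV4_RE.sub(repl, text), mapping

if __name__ == "__main__":
    out, table = sanitize(SAMPLE)
    print(out)
    print(table)
```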
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 7:05 pm

I found a bug in the 6.42.x version:
6.42 generates the policy with an incorrect Dst.Address: instead of 0.0.0.0/0 (in 6.41), I see the public IP of the remote router (in 6.42).

Mikrotik, please fix this bug ASAP!
 
sindy

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 7:19 pm

Mikrotik cannot fix a bug if they don't get enough information about it. So generate the supout.rif file and send it to support@mikrotik.com. I am running several IPsec tunnels using various 6.42.x versions and things like this do not happen, so it is not a generic issue to happen to everyone.

I'd suggest you follow the instructions in my automatic signature, as there may be something in your configuration which results in what you describe.

Plus add the output of /ip ipsec remote-peers print, /ip ipsec policy print, /ip ipsec installed-sa print, of course after applying the systematic public IP address substitutions also on these data before posting them.
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 10:10 pm

>>I am running several IPsec tunnels using various 6.42.x versions and things like this do not happen

You also use 0.0.0.0/0 in Src.Address (and Generate Policy on other side)?
 
sindy

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 10:19 pm

I don't. If you have tested that this is the unambiguous cause (i.e., if you use something else than 0.0.0.0/0, the generated policy is correct), then state this clearly when sending the information to support.
 
sindy

Re: Problem with IPsec after update to 6.42

Sat Jul 14, 2018 8:49 pm

BTW, use of two policies, one with 0.0.0.0/1 and another one with 128.0.0.0/1, could be a workaround until Mikrotik fixes the 0.0.0.0/0 issue.
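A simplified model of the policy selector behaviour discussed in this thread, added here as an illustration (not code from the forum or from RouterOS): it shows why a generated policy whose dst-address is the remote peer's public address no longer selects LAN-to-LAN traffic, while the two /1 halves suggested above select exactly what a 0.0.0.0/0 policy did. The LAN subnets and the peer address are hypothetical, and protocol/port selectors are ignored.

```python
import ipaddress

# Simplified IPsec policy selector: a flow matches when its source lies inside
# src-address and its destination inside dst-address (protocol and ports ignored).
def make_policy(src, dst):
    return {"src-address": ipaddress.ip_network(src),
            "dst-address": ipaddress.ip_network(dst)}

def matches(policy, src_ip, dst_ip):
    return (ipaddress.ip_address(src_ip) in policy["src-address"]
            and ipaddress.ip_address(dst_ip) in policy["dst-address"])

def first_match(policies, src_ip, dst_ip):
    """Index of the first policy selecting this flow, or None (no policy = no tunnel)."""
    for i, policy in enumerate(policies):
        if matches(policy, src_ip, dst_ip):
            return i
    return None

def split_default_dst(policy):
    """Workaround from the thread: replace one dst-address=0.0.0.0/0 selector by two
    policies with 0.0.0.0/1 and 128.0.0.0/1, which together cover every IPv4 address."""
    if policy["dst-address"] != ipaddress.ip_network("0.0.0.0/0"):
        return [policy]
    return [make_policy(str(policy["src-address"]), half)
            for half in ("0.0.0.0/1", "128.0.0.0/1")]

def covers_all_ipv4(policies, src_ip):
    """True if every probed destination (the /1 boundaries plus a LAN host) hits exactly one policy."""
    probes = ("0.0.0.0", "127.255.255.255", "128.0.0.0", "255.255.255.255", "192.168.5.10")
    return all(sum(matches(p, src_ip, d) for p in policies) == 1 for d in probes)

# Hypothetical scenario: responder LAN 10.0.0.0/8, initiator LAN 192.168.5.0/24,
# initiator's public address 203.0.113.7 (documentation range, constructed).
POLICY_641 = make_policy("10.0.0.0/8", "0.0.0.0/0")        # as generated by 6.41
POLICY_642 = make_policy("10.0.0.0/8", "203.0.113.7/32")   # as reported for 6.42
WORKAROUND = split_default_dst(POLICY_641)

if __name__ == "__main__":
    flow = ("10.1.1.1", "192.168.5.10")
    print("6.41 policy selects LAN-to-LAN flow:", matches(POLICY_641, *flow))
    print("6.42 policy selects LAN-to-LAN flow:", matches(POLICY_642, *flow))
    print("workaround policy index for the flow:", first_match(WORKAROUND, *flow))
```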
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Mon Aug 20, 2018 1:26 pm

6.42.7 also has this issue!
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Tue Sep 25, 2018 7:47 pm

6.43.2 also has this issue!
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Thu Oct 18, 2018 1:46 pm

6.43.4 also has this issue!
 
Chupaka
Forum Guru
Posts: 8110
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Problem with IPsec after update to 6.42

Thu Oct 18, 2018 7:03 pm

>>Mikrotik cannot fix a bug if they don't get enough information about it. So generate the supout.rif file and send it to support@mikrotik.com.
Have you done this?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Thu Oct 18, 2018 7:56 pm

This behavior can be easily reproduced in the test lab.
 
sindy

Re: Problem with IPsec after update to 6.42

Thu Oct 18, 2018 8:23 pm

>>This behavior can be easily reproduced in the test lab.
The key here is to send the e-mail to support with a clear description of the problem; have you done at least that? Because posting it on the forum is not the way to inform Mikrotik about the problem: they don't read every single post on the forum, while they do read every single e-mail which arrives at support@mikrotik.com.

Sending supout.rif makes it easier (and sometimes possible at all) for the guys at support to analyse, because they have all the necessary information in one place; what they actually need is the complete configuration, including the dynamic elements which are not part of the export (because e.g. a dynamically assigned address may collide with a manually configured one), plus the information about the RouterBOARD model, RouterOS version, and the actually running version of the firmware. So if your case description is clear enough, the supout.rif may not actually be necessary, but the formal process the support guys have to follow makes them ask for it, because the alternative ways of putting the information together cost them more time. So I've found it easier to change the passwords and addresses (or, better, set up an environment with no public addresses) and generate the supout.rif than to argue with them about why it is not necessary.

But again, the key is to describe the case clearly enough using the right information channel.
 
Chupaka

Re: Problem with IPsec after update to 6.42

Thu Oct 18, 2018 10:39 pm

>>This behavior can be easily reproduced in the test lab.
Have you written to them so that they can try to reproduce the problem? :)
 
emils
MikroTik Support
Posts: 262
Joined: Thu Dec 11, 2014 8:53 am

Re: Problem with IPsec after update to 6.42

Fri Oct 19, 2018 11:11 am

Since you are so hesitant to contact support, can you explain your setup and the logic behind your policy configuration here? I cannot think of a single case where the responder should generate a dynamic policy with dst-address=0.0.0.0/0. Later versions (6.42+) have a security measure that disallows this, so as not to allow an initiator to possibly disrupt the network on the responder.
 
mikruser
Topic Author

Re: Problem with IPsec after update to 6.42

Fri Oct 19, 2018 12:45 pm

>>can you explain your setup and the logic behind your policy configuration here? I cannot think of a single case where the responder should generate a dynamic policy with dst-address=0.0.0.0/0.
We have a large number of subnets, and instead of creating a separate policy for each subnet, we create one policy for 0.0.0.0/0.

>>Later versions (6.42+) have a security measure that disallows this, so as not to allow an initiator to possibly disrupt the network on the responder.
My configuration worked fine for 7 years, and only 6.42 disrupts my network.

Why didn't you write about these fundamental changes in the 6.42 changelog?
