mikruser
Member
Topic Author
Posts: 331
Joined: Wed Jan 16, 2013 6:28 pm

Problem with IPsec after update to 6.42

Wed Jul 04, 2018 3:40 pm

Hello,
After updating from 6.41.4 to 6.42.5 the traffic does not go through the tunnel (tunnel is established, but the traffic does not go).
After downgrade to 6.41.4 everything works fine again.

What changes in 6.42 led to this?
do not ask me why it is necessary.
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with IPsec after update to 6.42

Wed Jul 04, 2018 5:37 pm

Only support might know the particular changes in detail, and even that is not sure if they were unintentional. There seems to be some mess in policy ordering, and I had issues where one peer has decided to use plain ESP while the other one was encapsulating it into UDP.

So to start from somewhere, post here the output of /ip ipsec remote-peers print detail, /ip ipsec policy print and /ip ipsec installed-sa print from both ends (if both are Mikrotik ones), after systematically replacing each occurrence of each public address by a distinctive pattern like pub.lic.ip.1, pub.lic.ip.2 (so that the relationship remains visible) and removing the auth-key and enc-key items from the installed-sa output.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mikruser
Member
Topic Author
Posts: 331
Joined: Wed Jan 16, 2013 6:28 pm

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 7:05 pm

I found a bug in the 6.42.x version:
6.42 generates a policy with an incorrect Dst.Address: instead of 0.0.0.0/0 (in 6.41) I see the public IP of the remote router (in 6.42)

Mikrotik, please fix this bug ASAP!
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 7:19 pm

Mikrotik cannot fix a bug if they don't get enough information about it. So generate the supout.rif file and send it to support@mikrotik.com. I am running several IPsec tunnels using various 6.42.x versions and things like this do not happen, so it is not a generic issue to happen to everyone.

I'd suggest you follow the instructions in my automatic signature, as there may be something in your configuration which results in what you describe.

Plus add the output of /ip ipsec remote-peers print, /ip ipsec policy print, /ip ipsec installed-sa print, of course after applying the systematic public IP address substitutions also on these data before posting them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
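
The sanitising step asked for in both of sindy's posts above (consistent placeholders for public addresses, auth-key and enc-key removed), as an added example that is not part of the original thread. The sample text is constructed and only loosely modelled on RouterOS print output, and the list of ranges treated as non-public is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample, loosely modelled on RouterOS print output (not from the thread).
SAMPLE = """\
 0  E spi=0x0A1B2C3 src-address=198.51.100.7 dst-address=203.0.113.20 state=mature
      auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="3f9ac2d1" enc-key="77b0e4aa"
 1  E spi=0x0D4E5F6 src-address=203.0.113.20 dst-address=198.51.100.7 state=mature
      auth-key="91c2aa07" enc-key="5d6e7f80" add-lifetime=24m/30m
 2    src-address=192.168.88.0/24 dst-address=0.0.0.0/0 sa-dst-address=203.0.113.20
"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?(?![\d.])")
KEY_RE = re.compile(r'[ \t]*\b(?:auth-key|enc-key)=(?:"[^"]*"|\S+)')

# Assumption: everything outside these ranges counts as a public address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def sanitize(text):
    """Return (sanitized_text, mapping of real public IP -> placeholder)."""
    mapping = {}

    def swap(match):
        addr, prefix = match.group(1), match.group(2) or ""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return match.group(0)  # four dotted numbers, but not a valid IPv4 address
        if prefix and int(prefix[1:]) < 8:
            return match.group(0)  # wide selector such as 128.0.0.0/1, not a host
        if any(ip in net for net in NON_PUBLIC):
            return match.group(0)  # private or special-purpose address, keep readable
        # The same real address always gets the same placeholder, so the
        # relationship between peers, policies and SAs stays visible.
        alias = mapping.setdefault(addr, f"pub.lic.ip.{len(mapping) + 1}")
        return alias + prefix

    without_keys = KEY_RE.sub("", text)  # drop key material before anything else
    return IP_RE.sub(swap, without_keys), mapping


if __name__ == "__main__":
    cleaned, used = sanitize(SAMPLE)
    print(cleaned)
    print(used)  # keep this mapping private; it reverses the substitution
```
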
 
mikruser
Member
Topic Author
Posts: 331
Joined: Wed Jan 16, 2013 6:28 pm

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 10:10 pm

> I am running several IPsec tunnels using various 6.42.x versions and things like this do not happen

Do you also use 0.0.0.0/0 in Src.Address (and Generate Policy on the other side)?
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with IPsec after update to 6.42

Fri Jul 13, 2018 10:19 pm

I don't. If you have tested that this is the unambiguous cause (i.e., if you use something else than 0.0.0.0/0, the generated policy is correct), then state this clearly when sending the information to support.
 
sindy
Forum Guru
Posts: 2210
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with IPsec after update to 6.42

Sat Jul 14, 2018 8:49 pm

BTW, use of two policies, one with 0.0.0.0/1 and another one with 128.0.0.0/1, could be a workaround until Mikrotik fixes the 0.0.0.0/0 issue.
 
mikruser
Member
Topic Author
Posts: 331
Joined: Wed Jan 16, 2013 6:28 pm

Re: Problem with IPsec after update to 6.42

Mon Aug 20, 2018 1:26 pm

6.42.7 also has this issue!
