mweidner
just joined
Topic Author
Posts: 12
Joined: Mon Oct 15, 2018 3:10 pm

IPsec IKEv2 and multiple traffic selectors per SA

Thu Sep 26, 2019 3:11 pm

Hi all,

I interpret the Traffic Selector Negotiation section of RFC7296 to mean that I can use multiple local and remote traffic selectors for a single security association.

Reading the IPsec page of the manual, I am not sure whether this is possible with MikroTik and, if so, how.

Can anybody here shed some light on this?

Thanks and kind regards,
Mathias
 
dvl
just joined
Posts: 3
Joined: Thu May 05, 2016 11:10 am

Re: IPsec IKEv2 and multiple traffic selectors per SA

Fri Oct 20, 2023 5:22 pm

Hello.

I am also very interested in this topic, even so many years after this post.
If I do not understand the situation correctly and there is a more correct solution, I will be very grateful for a hint on how to do this.


As far as I can tell, not yet. At least I was never able to achieve this with a StrongSwan server and MikroTik as the client.
This all applies to the configuration where dynamic policies are based on the 0.0.0.0/0 template.

I used a similar scheme with multiple prefixes in the traffic selector quite widely. But, of course, StrongSwan acted as both server and client (Linux servers), and there were no problems with this. More precisely, in IKEv2 mode MikroTik only accepts the first prefix in the traffic selector.
But if the connection is between MikroTiks, then a separate SA is formed for each prefix specified in Split-Include.
Moreover, the wiki also notes that RouterOS only understands Split-Include. I have a feeling that IKEv2 in MikroTik is not fully finished, or it was done in some strange way, using a piece of IKEv1. After all, if I understand correctly, Split-Include is generally provided by an extension to IKEv1 from Cisco Unity.
If I don't understand correctly, I apologize and would be very grateful for clarification.

In order for this to somehow work when the server is StrongSwan, I had to switch to IKEv1, since only this version supports the Cisco Unity extension, which is what provides Split-Include.
But in this mode, firstly, for some reason the IPsec associations are not established immediately after the IKE association; it happens on the second attempt, after 120 seconds (the DPD timer). Or an interruption occurs when an association is renewed.
If there is a more correct solution, I will be very grateful for a hint on how to do this.
 
Kentzo
Long time Member
Posts: 535
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPsec IKEv2 and multiple traffic selectors per SA

Wed Oct 25, 2023 12:15 am

I have a feeling that IKE2 in Mikrotik is not fully finished. Or it was done in some strange way, using a piece of IKEv1.
This is my experience as well: RouterOS's implementation relies on mode config with IKEv2 even where IKEv2 has a "native" solution.

Please send a feature request at help.mikrotik.com
 
dvl
just joined
Posts: 3
Joined: Thu May 05, 2016 11:10 am

Re: IPsec IKEv2 and multiple traffic selectors per SA

Wed Nov 01, 2023 11:02 am

I did it! :)
I have achieved it by using the pool attribute "subnet" in strongSwan and an additional local_ts.
MikroTik used this data from subnet to request an additional child SA.
With *************** I have replaced my server name and IP address.

Strongswan config
pools {
    ipsec-test {
        addrs = 192.168.254.2 - 192.168.254.99
        dns = 10.100.0.1
        subnet = 192.168.250.0/24
    }
}

connections {

    ipsec-test-ike2-pubkey-fqdn {
    
        version = 2
        send_cert = always
        pools = ipsec-test
        proposals = aes128-sha256-prfsha256-ecp256
        local {
            auth = pubkey
            id = test-resp-strswan.ipsec.test
            certs = test-resp-strswan.ipsec.test.crt
        }
        remote {
            auth = pubkey
            id = test-init-chr-vm.ipsec.test
        }
        children {
            ipsec-test-net {
                esp_proposals = aes128-sha256-prfsha256-ecp256
                local_ts = 10.100.0.1/32 #, 192.168.250.0/24
            }
            ipsec-test-net2 {
                esp_proposals = aes128-sha256-prfsha256-ecp256
                local_ts = 192.168.250.0/24
            }
        }
    }
}
Active IKE SA and Child SA
[admin@test_mikrotik] > ip/ipsec/policy/print detail  
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1   D  peer=ipsec-test-init tunnel=yes src-address=192.168.254.3/32 src-port=any dst-address=10.100.0.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.70.62 sa-dst-address=************** proposal=default 
        priority=0x20000 ph2-count=1 ph2-state=established 

 2   D  peer=ipsec-test-init tunnel=yes src-address=192.168.254.3/32 src-port=any dst-address=192.168.250.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.70.62 sa-dst-address=*********** proposal=default 
        priority=0x30000 ph2-count=1 ph2-state=established 
[admin@test_mikrotik] > ip/ipsec/installed-sa/print  detail      
Flags: S - seen-traffic; H - hw-aead; A - AH, E - ESP 
 0   E spi=0x8F1A17C src-address=*****************:4500 dst-address=192.168.70.62:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="b40cdf12c0b5f6867d414ab9f2859d0567d007f9e05fd9a4359dfdee597fbabb" 
       enc-key="df1aff9ed23f1d52363d24107bbe484c" add-lifetime=24m4s/30m5s replay=128 

 1   E spi=0xC050E1E5 src-address=192.168.70.62:4500 dst-address=****************:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="6b70b91b93624a856415b03584c5c7170ede72954c30af3b4e62ee4741f135d3" 
       enc-key="5b3fc110d79330c38f6b7eef8c352be3" add-lifetime=24m4s/30m5s replay=128 

 2   E spi=0x4347BE9 src-address=**************:4500 dst-address=192.168.70.62:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="312e1f4699eb5b178126b1d3d6e4474481d9505fdc9d0efed0cfc52f01b0c4f4" 
       enc-key="ebb6daab0b75315aeeb7d4a72613cd9d" add-lifetime=24m23s/30m29s replay=128 

 3   E spi=0xC0CE2051 src-address=192.168.70.62:4500 dst-address=*****************:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128 auth-key="177615a476ab7f34e20580b648f3def740067e5b49fa4a95a85b50b3af0d8eb7" 
       enc-key="abe01cf156fad8d4b5af4418803ad429" add-lifetime=24m23s/30m29s replay=128 
Mikrotik config
[admin@test_mikrotik] > ip ipsec/export hide-sensitive verbose  
# 2023-11-01 08:58:44 by RouterOS 7.11.2
# software id = 
#
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 hash-algorithm=sha256 lifetime=1h name=default nat-traversal=yes proposal-check=obey
/ip ipsec peer
add address=********************* comment=ipsec-test disabled=no exchange-mode=ike2 name=ipsec-test-init profile=default send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=no enc-algorithms=aes-128-cbc lifetime=30m name=default pfs-group=ecp256
/ip ipsec identity
add auth-method=digital-signature certificate=test-init-chr-vm.ipsec.test.pfx_0 comment=ipsec-test-init disabled=no generate-policy=port-strict mode-config=request-only my-id=fqdn:test-init-chr-vm.ipsec.test peer=ipsec-test-init
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
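A check a practitioner would want after a setup like the one above: parse the `ip/ipsec/policy/print detail` output and confirm that RouterOS installed an established dynamic policy for every subnet strongSwan announces (each child's local_ts plus the pool "subnet"). This is an added example, not code from any poster; the sample output is constructed from the listing above with the masked peer address replaced by the placeholder 203.0.113.10.

```python
"""Verify that each expected remote traffic selector has its own established
dynamic IPsec policy on the RouterOS side (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample, based on the thread's policy listing (peer address is a placeholder).
POLICY_PRINT = """\
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000

 1   D  peer=ipsec-test-init tunnel=yes src-address=192.168.254.3/32 src-port=any dst-address=10.100.0.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.70.62 sa-dst-address=203.0.113.10 proposal=default
        priority=0x20000 ph2-count=1 ph2-state=established

 2   D  peer=ipsec-test-init tunnel=yes src-address=192.168.254.3/32 src-port=any dst-address=192.168.250.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.70.62 sa-dst-address=203.0.113.10 proposal=default
        priority=0x30000 ph2-count=1 ph2-state=established
"""

# Remote selectors we expect: strongSwan's local_ts per child plus the pool "subnet".
EXPECTED_REMOTE = ["10.100.0.1/32", "192.168.250.0/24"]

# A record starts with an index, optional flag letters, optional "*", then key=value pairs.
RECORD_START = re.compile(r"^\s*(\d+)\s+([A-Z ]*?)\s*(\*?)\s*(?=[\w-]+=)")

def parse_policies(text):
    """Return one dict per policy record; indented continuation lines are merged in."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"id": int(m.group(1)), "flags": m.group(2).replace(" ", "")})
        elif not records or not line.strip():
            continue  # "Flags:" header or blank separator between records
        for key, val in re.findall(r"(\S+?)=(\S+)", line):
            records[-1][key] = val
    return records

def check_selectors(text, expected_remote):
    """Map each expected remote subnet to the ph2-state of its dynamic policy,
    or None when RouterOS created no policy for that selector."""
    dynamic = [r for r in parse_policies(text) if "D" in r["flags"]]
    result = {}
    for subnet in expected_remote:
        want = ipaddress.ip_network(subnet)
        hit = next((r for r in dynamic
                    if ipaddress.ip_network(r.get("dst-address", "0.0.0.0/32")) == want), None)
        result[subnet] = hit.get("ph2-state") if hit else None
    return result

def all_established(text, expected_remote):
    """True only when every expected selector has an established child SA."""
    return all(s == "established" for s in check_selectors(text, expected_remote).values())
```

Run it against a fresh `ip/ipsec/policy/print detail` capture after the tunnel comes up; a None entry means that prefix was dropped during selector negotiation.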
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec IKEv2 and multiple traffic selectors per SA

Wed Nov 01, 2023 1:37 pm

I used a similar scheme with multiple prefixes in the traffic selector quite widely. But, of course, StrongSwan acted as both server and client (Linux servers), and there were no problems with this. More precisely, in IKEv2 mode MikroTik only accepts the first prefix in the traffic selector.
But if the connection is between MikroTiks, then a separate SA is formed for each prefix specified in Split-Include.
Moreover, the wiki also notes that RouterOS only understands Split-Include. I have a feeling that IKEv2 in MikroTik is not fully finished, or it was done in some strange way, using a piece of IKEv1. After all, if I understand correctly, Split-Include is generally provided by an extension to IKEv1 from Cisco Unity.
If I don't understand correctly, I apologize and would be very grateful for clarification.
I have noticed this problem as well, but I sort of assumed that it was caused by the other side (Android, ChromeOS).
I have tried to configure IKEv2 with split include, but like you I found that only the first prefix works.
