achenor
just joined
Topic Author
Posts: 2
Joined: Mon Jul 06, 2020 7:01 pm

Support for IKEv2 Fragmentation (RFC 7383)

Thu Jul 16, 2020 11:19 am

There are a few threads with people saying that they cannot establish an IPsec VPN connection no matter what, including me (see the last posts here). After doing a bit of debugging of the traffic, I found that the problem is IP fragmentation. More specifically, the first IKE_AUTH response is a UDP packet >1500 bytes (most likely it contains the server's certificate) and gets fragmented in two, but I only get the last fragment. As a result, RouterOS can't reassemble the packet and keeps resending the authentication request until the max retries is reached, then restarts the process (about every 24 seconds).

Wireshark log on a successful connection:
107 3.248516    <mt_public_ip>  <vpn_server_ip> ISAKMP  458 IKE_AUTH MID=01 Initiator Request
114 3.330866    <vpn_server_ip> <mt_public_ip>  IPv4    1514    Fragmented IP protocol (proto=UDP 17, off=0, ID=69b3) [Reassembled in #115]
115 3.331053    <vpn_server_ip> <mt_public_ip>  IKE_AUTH MID=01 Responder Response
Wireshark log on a failed connection attempt:
31  3.934743    <mt_public_ip>  <vpn_server_ip> ISAKMP  522 IKE_AUTH MID=01 Initiator Request
32  4.059967    <vpn_server_ip> <mt_public_ip>  IPv4    1506    Fragmented IP protocol (proto=UDP 17, off=1480, ID=36c7)
39  8.930363    <mt_public_ip>  <vpn_server_ip> ISAKMP  522 IKE_AUTH MID=01 Initiator Request
40  9.054702    <vpn_server_ip> <mt_public_ip>  IPv4    1506    Fragmented IP protocol (proto=UDP 17, off=1480, ID=38d1)

My conclusion is that the UDP fragment gets dropped by my ISP, since the same MikroTik router with the same configuration is able to establish a connection on another internet provider. Then the question is: why are my other devices connected to the same MikroTik (laptop, phone, etc.) able to establish an IKEv2 connection through my ISP? The only difference that I see in the logs is an additional payload sent in the IKE_SA_INIT request named "IKEV2_FRAGMENTATION_SUPPORTED", which is an add-on to the protocol that solves exactly this issue with IP fragmentation (RFC 7383).

Wireshark log on a successful connection from my laptop:
81  4.689065    <laptop_private_ip>  <vpn_server_ip> ISAKMP  558 IKE_AUTH MID=01 Initiator Request
82  4.823807    <vpn_server_ip> <laptop_private_ip>  ISAKMP  1282    IKE_AUTH MID=01 Responder Response (fragment 1/3)
83  4.823810    <vpn_server_ip> <laptop_private_ip>  ISAKMP  1282    IKE_AUTH MID=01 Responder Response (fragment 2/3)
84  4.823811    <vpn_server_ip> <laptop_private_ip>  ISAKMP  658 IKE_AUTH MID=01 Responder Response (fragment 3/3)

Does RouterOS support this IKEv2 Fragmentation extension? If so, how do I enable it? And if not, is it anywhere on the roadmap?
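As an added example (not from the original post or from MikroTik), here is a small Python parser that reads Wireshark summary lines like the ones above and tells the three cases apart: the response was reassembled from IP fragments, the first IP fragment never arrived, or the response was carried as RFC 7383 IKEv2 fragments. The sample lines are copied from the post with the addresses abbreviated to <mt>, <srv> and <lt>.

```python
import re
from collections import defaultdict

# Regexes for the three Wireshark summary shapes quoted in the post above.
IKE_RESP_RE = re.compile(r"IKE_AUTH MID=\d+ Responder Response$")
IKE_FRAG_RE = re.compile(r"Responder Response \(fragment (\d+)/(\d+)\)")
IP_FRAG_RE = re.compile(r"Fragmented IP protocol \(proto=UDP 17, off=(\d+), ID=([0-9a-f]+)\)")

# The post's summary lines, trimmed to the columns the parser needs.
FAILED = [
    "31 <mt> <srv> ISAKMP 522 IKE_AUTH MID=01 Initiator Request",
    "32 <srv> <mt> IPv4 1506 Fragmented IP protocol (proto=UDP 17, off=1480, ID=36c7)",
    "39 <mt> <srv> ISAKMP 522 IKE_AUTH MID=01 Initiator Request",
    "40 <srv> <mt> IPv4 1506 Fragmented IP protocol (proto=UDP 17, off=1480, ID=38d1)",
]
SUCCESS = [
    "107 <mt> <srv> ISAKMP 458 IKE_AUTH MID=01 Initiator Request",
    "114 <srv> <mt> IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=69b3) [Reassembled in #115]",
    "115 <srv> <mt> IKE_AUTH MID=01 Responder Response",
]
LAPTOP = [
    "81 <lt> <srv> ISAKMP 558 IKE_AUTH MID=01 Initiator Request",
    "82 <srv> <lt> ISAKMP 1282 IKE_AUTH MID=01 Responder Response (fragment 1/3)",
    "83 <srv> <lt> ISAKMP 1282 IKE_AUTH MID=01 Responder Response (fragment 2/3)",
    "84 <srv> <lt> ISAKMP 658 IKE_AUTH MID=01 Responder Response (fragment 3/3)",
]

def diagnose(lines):
    """Classify how (or whether) the IKE_AUTH response made it through."""
    complete_responses = 0
    ip_frags = defaultdict(set)   # IP ID -> offsets seen; no offset 0 means reassembly can never finish
    ike_frags = defaultdict(set)  # total fragments -> RFC 7383 fragment numbers seen
    for line in lines:
        if m := IKE_FRAG_RE.search(line):
            num, total = map(int, m.groups())
            ike_frags[total].add(num)
        elif IKE_RESP_RE.search(line):
            complete_responses += 1
        elif m := IP_FRAG_RE.search(line):
            ip_frags[m.group(2)].add(int(m.group(1)))
    missing_first = sorted(i for i, offs in ip_frags.items() if 0 not in offs)
    ikev2_frag = bool(ike_frags) and all(n == set(range(1, t + 1)) for t, n in ike_frags.items())
    if ikev2_frag:
        verdict = "ok: response carried by IKEv2 fragmentation (RFC 7383)"
    elif complete_responses:
        verdict = "ok: response reassembled from IP fragments"
    elif missing_first:
        verdict = "broken: first IP fragment never arrived, fragments likely filtered upstream"
    else:
        verdict = "no IKE_AUTH response seen"
    return {"verdict": verdict, "missing_first_ids": missing_first, "ikev2_fragmentation": ikev2_frag}
```

Run it on a capture of your own failing attempt: a "broken" verdict with the retransmitted IKE_AUTH requests is the signature the post describes, and a "fragment n/m" response means the peer negotiated RFC 7383 and the MTU of the path no longer matters.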
 
xornetsl
just joined
Posts: 1
Joined: Tue Jul 28, 2020 2:52 am

Re: Support for IKEv2 Fragmentation (RFC 7383)

Tue Jul 28, 2020 3:02 am

+1 for this issue!
I have the same problem. One of the uplinks of a particular IPsec endpoint has an IP-fragments filter enabled, and I use a certificate authorization scheme that just doesn't work there =(
strongSwan and other black-box vendors have a kind of "fragmentation=yes" option that can split long IKE messages according to the MTU of the outgoing interface. Are there any plans to implement this feature in ROS?
 
Institor
just joined
Posts: 14
Joined: Sat Apr 29, 2017 3:28 pm

Re: Support for IKEv2 Fragmentation (RFC 7383)

Sat Oct 03, 2020 5:14 am

Same issue. Disgusting multiple NAT on satellite internet access, error 809 on Windows clients (IKEv2 + RSA certificates)...
Can't change provider, and experiments with MTU on client interfaces are very dangerous/impossible (they are 1500 km away with sat access, so... :)) and I doubt it would help.
We can only hope that the feature will be in ROS7, I think.
 
sindy
Forum Guru
Posts: 6268
Joined: Mon Dec 04, 2017 9:19 pm

Re: Support for IKEv2 Fragmentation (RFC 7383)

Sat Oct 03, 2020 11:35 am

For the meantime, use EC certificates rather than RSA ones. They fit into a single packet. Currently they are not supported by SCEP, though.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Institor
just joined
Posts: 14
Joined: Sat Apr 29, 2017 3:28 pm

Re: Support for IKEv2 Fragmentation (RFC 7383)

Thu Oct 15, 2020 7:59 pm

Some progress...
Release 6.48beta48
*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
