mn99
just joined
Topic Author
Posts: 2
Joined: Wed Aug 12, 2020 1:43 am

IPSec via IPv6 failed to add SA

Wed Aug 12, 2020 2:38 am

Hello,

Please bear with me if this is just a stupid misconfiguration, but I have tried for hours and days.

I would like to have an IPsec roadwarrior setup and tunnel IPv4 in IPv6. The reason is that my MikroTik RB3011UiAS is behind a router provided by my ISP which has a public IPv6 address only. My mobile client (which runs iOS...) receives an IPv6 address as well, and this setup also works well when using OpenVPN with a Raspberry Pi as a VPN server connected to the ISP router... but that is not what I want it to be.

When I use the configuration below to connect to the MT via IPv4 (with my mobile client connected to the ISP router, having an IPv4 address, and using the MT IPv4 address on ether1 to connect) it works without problems. When I use the same settings to connect to the MT from outside using a DDNS IPv6 address, it looks good as well until it says "failed to add SA".

Any help would be much appreciated, thanks a lot!

IPsec config:
/ip ipsec mode-config
add address-pool=dhcp_pool_l2tp name=default
add address-pool=dhcp_pool_ikev2 name=ikev2 static-dns=192.x.x.x system-dns=no
/ip ipsec policy group
add name=ikev2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2 send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,3des
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ikev2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=MT.server generate-policy=port-strict mode-config=ikev2 peer=ikev2 policy-template-group=ikev2 remote-certificate=MT.client
/ip ipsec policy
add group=ikev2 proposal=ikev2 template=yes
Some parts of the log file (please let me know if I removed too much; it is basically all the IPv6 address information, which correctly identifies my mobile client and the MT and also switches from UDP 500 to UDP 4500):
ipsec,debug ipsec:: ===== received 604 bytes from 
aug/12 01:09:18 ipsec ipsec:: -> ike2 request, exchange: SA_INIT:0  ...
aug/12 01:09:18 ipsec ipsec:: ike2 respond ...
aug/12 01:09:18 ipsec ipsec:: payload seen: SA (220 bytes) 
aug/12 01:09:18 ipsec ipsec:: payload seen: KE (264 bytes) 
aug/12 01:09:18 ipsec ipsec:: payload seen: NONCE (20 bytes) 
aug/12 01:09:18 ipsec ipsec:: payload seen: NOTIFY (8 bytes) 
aug/12 01:09:18 ipsec ipsec:: payload seen: NOTIFY (28 bytes) 
aug/12 01:09:18 ipsec ipsec:: payload seen: NOTIFY (28 bytes) 
aug/12 01:09:18 ipsec ipsec:: payload seen: NOTIFY (8 bytes) 
aug/12 01:09:18 ipsec ipsec:: processing payload: NONCE 
aug/12 01:09:18 ipsec ipsec:: processing payload: SA 
aug/12 01:09:18 ipsec ipsec:: IKE Protocol: IKE 
aug/12 01:09:18 ipsec ipsec::  proposal #1 
aug/12 01:09:18 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha256 
aug/12 01:09:18 ipsec ipsec::   auth: sha256 
aug/12 01:09:18 ipsec ipsec::   dh: modp2048 
aug/12 01:09:18 ipsec ipsec::  proposal #2 
aug/12 01:09:18 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha256 
aug/12 01:09:18 ipsec ipsec::   auth: sha256 
aug/12 01:09:18 ipsec ipsec::   dh: ecp256 
aug/12 01:09:18 ipsec ipsec::  proposal #3 
aug/12 01:09:18 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha256 
aug/12 01:09:18 ipsec ipsec::   auth: sha256 
aug/12 01:09:18 ipsec ipsec::   dh: modp1536 
aug/12 01:09:18 ipsec ipsec::  proposal #4 
aug/12 01:09:18 ipsec ipsec::   enc: aes128-cbc 
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha1 
aug/12 01:09:18 ipsec ipsec::   auth: sha1 
aug/12 01:09:18 ipsec ipsec::   dh: modp1024 
aug/12 01:09:18 ipsec ipsec::  proposal #5 
aug/12 01:09:18 ipsec ipsec::   enc: 3des-cbc 
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha1 
aug/12 01:09:18 ipsec ipsec::   auth: sha1 
aug/12 01:09:18 ipsec ipsec::   dh: modp1024 
aug/12 01:09:18 ipsec ipsec:: matched proposal: 
aug/12 01:09:18 ipsec ipsec::  proposal #1 
aug/12 01:09:18 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha256 
aug/12 01:09:18 ipsec ipsec::   auth: sha256 
aug/12 01:09:18 ipsec ipsec::   dh: modp2048 
aug/12 01:09:18 ipsec ipsec:: processing payload: KE 
aug/12 01:09:19 ipsec,debug ipsec:: => shared secret (size 0x100) 
... 
aug/12 01:09:19 ipsec ipsec:: adding payload: SA 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x30) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
aug/12 01:09:19 ipsec,debug ipsec:: 03000008 0300000c 00000008 0400000e 
aug/12 01:09:19 ipsec ipsec:: adding payload: KE 
aug/12 01:09:19 ipsec,debug ipsec:: => (first 0x100 of 0x108) 
... 
aug/12 01:09:19 ipsec ipsec:: adding payload: NONCE 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x1c) 
aug/12 01:09:19 ipsec,debug ipsec:: 0000001c 635b816b 7ccd991e 5d534f8e ad361057 ec346c56 f19451a0 
aug/12 01:09:19 ipsec ipsec:: adding notify: NAT_DETECTION_SOURCE_IP 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x1c) 
aug/12 01:09:19 ipsec,debug ipsec:: 0000001c 00004004 04df6e8f 47b66f74 40dcfc42 4bba3528 43b74a74 
aug/12 01:09:19 ipsec ipsec:: adding notify: NAT_DETECTION_DESTINATION_IP 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x1c) 
aug/12 01:09:19 ipsec,debug ipsec:: 0000001c 00004005 693bd560 9b939b8d 005c8dea 5ba26626 79cb4abb 
aug/12 01:09:19 ipsec ipsec:: adding payload: CERTREQ 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x5) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000005 04 
aug/12 01:09:19 ipsec ipsec:: <- ike2 reply, exchange: SA_INIT:0 ... 
aug/12 01:09:19 ipsec,debug ipsec:: ===== sending 429 bytes from ... 
aug/12 01:09:19 ipsec,debug ipsec:: 1 times of 429 bytes message will be sent to ... 
aug/12 01:09:19 ipsec,debug ipsec:: => skeyseed (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 62222c2d a6af4694 b850fe03 4b838dc8 1989fb78 7cab386b 1cc50c61 df4ef1f9 
aug/12 01:09:19 ipsec,debug ipsec:: => keymat (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 3e165750 8e61b369 43c45bbc c905d0f6 f3e5ff19 8f2d7752 2e00d599 2fd21591 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_ai (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: b94a7cb5 783a5fbc 8cc79357 2d7ee085 a975449e 54307941 59b67b14 12bfc993 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_ar (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 4b890af0 347b7765 de70a4d6 7e2d126c aa0ba237 a17654d1 f03eca2d 0e4f731b 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_ei (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: be367786 70a1af58 2362f93c 76c89bca adad6453 15dabd94 9a147fe2 0499accb 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_er (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 1f63c02d b2b48887 7237fca5 613da9a4 5eecac63 d8cdfd89 a40b3ba6 2a9c672a 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_pi (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: e68d6a05 43db355f 872d6eee e78aeefd 234a7888 2acc5636 fbb5e7b7 0b041c64 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_pr (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 01301855 b8fb2ba1 47c2b1e8 fe0a6d42 3cbdfd4d 00af459a 90a760d3 6cee228b 
aug/12 01:09:19 ipsec,info ipsec:: new ike2 SA (R): ... 
aug/12 01:09:19 ipsec ipsec:: processing payloads: VID (none found) 
aug/12 01:09:19 ipsec ipsec:: processing payloads: NOTIFY 
aug/12 01:09:19 ipsec ipsec::   notify: REDIRECT_SUPPORTED 
aug/12 01:09:19 ipsec ipsec::   notify: NAT_DETECTION_SOURCE_IP 
aug/12 01:09:19 ipsec ipsec::   notify: NAT_DETECTION_DESTINATION_IP 
aug/12 01:09:19 ipsec ipsec::   notify: IKEV2_FRAGMENTATION_SUPPORTED 
aug/12 01:09:19 ipsec ipsec:: (NAT-T) LOCAL 
aug/12 01:09:19 ipsec ipsec:: KA list add: ... 
aug/12 01:09:19 ipsec,debug ipsec:: ===== received 2432 bytes from ... 
aug/12 01:09:19 ipsec ipsec:: -> ike2 request, exchange: AUTH:1 ... 
aug/12 01:09:19 ipsec ipsec:: payload seen: ENC (2404 bytes) 
aug/12 01:09:19 ipsec ipsec:: processing payload: ENC 
aug/12 01:09:19 ipsec,debug ipsec:: => iv (size 0x10) 
aug/12 01:09:19 ipsec,debug ipsec:: e305795c cf7ed6ca 5a2d531e d1a73cad 
aug/12 01:09:19 ipsec,debug ipsec:: => plain payload (trimmed) (first 0x100 of 0x937) 
... 
aug/12 01:09:19 ipsec,debug ipsec:: decrypted 
aug/12 01:09:19 ipsec ipsec:: payload seen: ID_I (29 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: CERT (1381 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: NOTIFY (8 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: ID_R (29 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: AUTH (520 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: CONFIG (40 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: NOTIFY (8 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: NOTIFY (8 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: SA (200 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: TS_I (64 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: TS_R (64 bytes) 
aug/12 01:09:19 ipsec ipsec:: payload seen: NOTIFY (8 bytes) 
aug/12 01:09:19 ipsec ipsec:: processing payloads: NOTIFY 
aug/12 01:09:19 ipsec ipsec::   notify: INITIAL_CONTACT 
aug/12 01:09:19 ipsec ipsec::   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
aug/12 01:09:19 ipsec ipsec::   notify: NON_FIRST_FRAGMENTS_ALSO 
aug/12 01:09:19 ipsec ipsec::   notify: MOBIKE_SUPPORTED 
aug/12 01:09:19 ipsec ipsec:: ike auth: respond 
aug/12 01:09:19 ipsec ipsec:: processing payload: ID_I 
aug/12 01:09:19 ipsec ipsec:: ID_I (FQDN): MT.client 
aug/12 01:09:19 ipsec ipsec:: processing payload: ID_R 
aug/12 01:09:19 ipsec ipsec:: ID_R (FQDN): MT.server 
aug/12 01:09:19 ipsec ipsec:: processing payload: AUTH 
aug/12 01:09:19 ipsec ipsec:: processing payload: CERT 
aug/12 01:09:19 ipsec ipsec:: got CERT: MT.client 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x560) 
... 
aug/12 01:09:19 ipsec ipsec:: requested server id: MT.server 
aug/12 01:09:19 ipsec ipsec:: processing payloads: NOTIFY 
aug/12 01:09:19 ipsec ipsec::   notify: INITIAL_CONTACT 
aug/12 01:09:19 ipsec ipsec::   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
aug/12 01:09:19 ipsec ipsec::   notify: NON_FIRST_FRAGMENTS_ALSO 
aug/12 01:09:19 ipsec ipsec::   notify: MOBIKE_SUPPORTED 
aug/12 01:09:19 ipsec ipsec:: processing payload: AUTH 
aug/12 01:09:19 ipsec ipsec:: requested auth method: RSA 
aug/12 01:09:19 ipsec,debug ipsec:: => peer's auth (first 0x100 of 0x200) 
... 
aug/12 01:09:19 ipsec,debug ipsec:: checking SAN: MT.client 
aug/12 01:09:19 ipsec,debug ipsec:: => auth nonce (size 0x18) 
aug/12 01:09:19 ipsec,debug ipsec:: 635b816b 7ccd991e 5d534f8e ad361057 ec346c56 f19451a0 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_p (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: e68d6a05 43db355f 872d6eee e78aeefd 234a7888 2acc5636 fbb5e7b7 0b041c64 
aug/12 01:09:19 ipsec,debug ipsec:: => idhash (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: e611c155 ea265877 b49326f8 8a1c7815 99038577 a5c1d82e 222268b3 31c889c2 
aug/12 01:09:19 ipsec,info,account ipsec:: peer authorized: ... 
aug/12 01:09:19 ipsec ipsec:: initial contact 
aug/12 01:09:19 ipsec ipsec:: processing payloads: NOTIFY 
aug/12 01:09:19 ipsec ipsec::   notify: INITIAL_CONTACT 
aug/12 01:09:19 ipsec ipsec::   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
aug/12 01:09:19 ipsec ipsec::   notify: NON_FIRST_FRAGMENTS_ALSO 
aug/12 01:09:19 ipsec ipsec::   notify: MOBIKE_SUPPORTED 
aug/12 01:09:19 ipsec ipsec:: peer wants tunnel mode 
aug/12 01:09:19 ipsec ipsec:: processing payload: CONFIG 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv4 address 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv4 netmask 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv4 DHCP 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv4 DNS 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv6 address 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv6 DHCP 
aug/12 01:09:19 ipsec ipsec::   attribute: internal IPv6 DNS 
aug/12 01:09:19 ipsec ipsec::   attribute: internal DNS domain 
aug/12 01:09:19 ipsec,info ipsec:: acquired 192.x.x.x address for ..., MT.client 
aug/12 01:09:19 ipsec ipsec:: processing payload: TS_I 
aug/12 01:09:19 ipsec ipsec:: 0.0.0.0/0 
aug/12 01:09:19 ipsec ipsec:: [::/0] 
aug/12 01:09:19 ipsec ipsec:: processing payload: TS_R 
aug/12 01:09:19 ipsec ipsec:: 0.0.0.0/0 
aug/12 01:09:19 ipsec ipsec:: [::/0] 
aug/12 01:09:19 ipsec ipsec:: TSi in tunnel mode replaced with config address: 192.x.x.x/24 
aug/12 01:09:19 ipsec ipsec:: canditate selectors: 0.0.0.0/0 <=> 192.x.x.x 
aug/12 01:09:19 ipsec ipsec:: canditate selectors: [::/0] <=> [::/0] 
aug/12 01:09:19 ipsec ipsec:: processing payload: SA 
aug/12 01:09:19 ipsec ipsec:: IKE Protocol: ESP 
aug/12 01:09:19 ipsec ipsec::  proposal #1 
aug/12 01:09:19 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:19 ipsec ipsec::   auth: sha256 
aug/12 01:09:19 ipsec ipsec::  proposal #2 
aug/12 01:09:19 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:19 ipsec ipsec::   auth: sha256 
aug/12 01:09:19 ipsec ipsec::  proposal #3 
aug/12 01:09:19 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:19 ipsec ipsec::   auth: sha256 
aug/12 01:09:19 ipsec ipsec::  proposal #4 
aug/12 01:09:19 ipsec ipsec::   enc: aes128-cbc 
aug/12 01:09:19 ipsec ipsec::   auth: sha1 
aug/12 01:09:19 ipsec ipsec::  proposal #5 
aug/12 01:09:19 ipsec ipsec::   enc: 3des-cbc 
aug/12 01:09:19 ipsec ipsec::   auth: sha1 
aug/12 01:09:19 ipsec ipsec:: searching for policy for selector: 0.0.0.0/0 <=> 192.x.x.x 
aug/12 01:09:19 ipsec ipsec:: generating policy 
aug/12 01:09:19 ipsec ipsec:: matched proposal: 
aug/12 01:09:19 ipsec ipsec::  proposal #1 
aug/12 01:09:19 ipsec ipsec::   enc: aes256-cbc 
aug/12 01:09:19 ipsec ipsec::   auth: sha256 
aug/12 01:09:19 ipsec ipsec:: ike auth: finish 
aug/12 01:09:19 ipsec ipsec:: ID_R (FQDN): MT.server 
aug/12 01:09:19 ipsec ipsec:: processing payload: NONCE 
aug/12 01:09:19 ipsec,debug ipsec:: => auth nonce (size 0x10) 
aug/12 01:09:19 ipsec,debug ipsec:: 2efec845 29d80589 102eb827 fc90a8f5 
aug/12 01:09:19 ipsec,debug ipsec:: => SK_p (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 01301855 b8fb2ba1 47c2b1e8 fe0a6d42 3cbdfd4d 00af459a 90a760d3 6cee228b 
aug/12 01:09:19 ipsec,debug ipsec:: => idhash (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: cefe50ac 1b6e5f1f 217a5815 2b62e725 046d5652 f6b54921 f29712ab f6b95ab0 
aug/12 01:09:19 ipsec,debug ipsec:: => my auth (first 0x100 of 0x200) 
... 
aug/12 01:09:19 ipsec ipsec:: cert: MT.server 
aug/12 01:09:19 ipsec ipsec:: adding payload: CERT 
aug/12 01:09:19 ipsec,debug ipsec:: => (first 0x100 of 0x575) 
...
aug/12 01:09:19 ipsec ipsec:: adding payload: ID_R 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x1d) 
aug/12 01:09:19 ipsec,debug ipsec:: 0000001d 02000000 4d61644d 696b726f 54696b56 504e2e73 65727665 72 
aug/12 01:09:19 ipsec ipsec:: adding payload: AUTH 
aug/12 01:09:19 ipsec,debug ipsec:: => (first 0x100 of 0x208) 
a... 
aug/12 01:09:19 ipsec ipsec:: preparing internal IPv4 address 
aug/12 01:09:19 ipsec ipsec:: preparing internal IPv4 netmask 
aug/12 01:09:19 ipsec ipsec:: preparing internal IPv4 DNS 
aug/12 01:09:19 ipsec ipsec:: adding payload: CONFIG 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x20) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000020 02000000 00010004 c0a851c4 00020004 ffffff00 00030004 c0a86201 
aug/12 01:09:19 ipsec ipsec:: initiator selector: 192.x.x.x 
aug/12 01:09:19 ipsec ipsec:: adding payload: TS_I 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x18) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000018 01000000 07000010 0000ffff c0a851c4 c0a851c4 
aug/12 01:09:19 ipsec ipsec:: responder selector: 0.0.0.0/0 
aug/12 01:09:19 ipsec ipsec:: adding payload: TS_R 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x18) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000018 01000000 07000010 0000ffff 00000000 ffffffff 
aug/12 01:09:19 ipsec ipsec:: adding payload: SA 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x2c) 
aug/12 01:09:19 ipsec,debug ipsec:: 0000002c 00000028 01030403 0784ee58 0300000c 0100000c 800e0100 03000008 
aug/12 01:09:19 ipsec,debug ipsec:: 0300000c 00000008 05000000 
aug/12 01:09:19 ipsec ipsec:: <- ike2 reply, exchange: AUTH:1 ... 
aug/12 01:09:19 ipsec,debug ipsec:: ===== sending 2304 bytes from ... 
aug/12 01:09:19 ipsec,debug ipsec:: 1 times of 2308 bytes message will be sent to ... 
aug/12 01:09:19 ipsec,debug ipsec:: => child keymat (size 0x80) 
... 
aug/12 01:09:19 ipsec ipsec:: failed to add SA 
aug/12 01:09:19 ipsec ipsec:: reply notify: AUTHENTICATION_FAILED 
aug/12 01:09:19 ipsec ipsec:: adding notify: AUTHENTICATION_FAILED 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x8) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000008 00000018 
aug/12 01:09:19 ipsec ipsec:: <- ike2 reply, exchange: AUTH:1 ... 
aug/12 01:09:19 ipsec,debug ipsec:: ===== sending 240 bytes from ... 
aug/12 01:09:19 ipsec,debug ipsec:: 1 times of 244 bytes message will be sent to ...
aug/12 01:09:19 ipsec,info ipsec:: killing ike2 SA: ... 
aug/12 01:09:19 ipsec ipsec:: removing generated policy 
aug/12 01:09:19 ipsec ipsec:: adding payload: DELETE 
aug/12 01:09:19 ipsec,debug ipsec:: => (size 0x8) 
aug/12 01:09:19 ipsec,debug ipsec:: 00000008 01000000 
aug/12 01:09:19 ipsec ipsec:: <- ike2 request, exchange: INFORMATIONAL:0 ...
aug/12 01:09:19 ipsec,debug ipsec:: ===== sending 288 bytes from ...
aug/12 01:09:19 ipsec,debug ipsec:: 1 times of 292 bytes message will be sent to ...
aug/12 01:09:19 ipsec ipsec:: KA remove: ...
aug/12 01:09:19 ipsec,debug ipsec:: KA tree dump: ... (in_use=1) 
aug/12 01:09:19 ipsec,debug ipsec:: KA removing this one... 
aug/12 01:09:19 ipsec,info ipsec:: releasing address 192.x.x.x
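The log above gets past proposal matching and certificate authentication ("peer authorized") and only breaks at "failed to add SA", after which the router sends the client AUTHENTICATION_FAILED even though authentication itself succeeded. A small triage script that pulls those stages out of a RouterOS ipsec,debug log makes that distinction quick to see. This is an added example, not code from the post or from MikroTik; the sample log lines are constructed in the shape of the ones quoted above (addresses replaced by "..." or documentation addresses), and the stage names returned by classify() are this example's own.

```python
import re

# Constructed sample: the shape of the RouterOS "ipsec" / "ipsec,debug" lines quoted
# in the post, reduced to the lines the triage cares about.
SAMPLE_LOG = """\
aug/12 01:09:18 ipsec ipsec:: -> ike2 request, exchange: SA_INIT:0 ...
aug/12 01:09:18 ipsec ipsec:: matched proposal:
aug/12 01:09:18 ipsec ipsec::  proposal #1
aug/12 01:09:18 ipsec ipsec::   enc: aes256-cbc
aug/12 01:09:18 ipsec ipsec::   prf: hmac-sha256
aug/12 01:09:18 ipsec ipsec::   auth: sha256
aug/12 01:09:18 ipsec ipsec::   dh: modp2048
aug/12 01:09:19 ipsec,info ipsec:: new ike2 SA (R): ...
aug/12 01:09:19 ipsec ipsec:: -> ike2 request, exchange: AUTH:1 ...
aug/12 01:09:19 ipsec ipsec:: ID_I (FQDN): MT.client
aug/12 01:09:19 ipsec ipsec:: requested auth method: RSA
aug/12 01:09:19 ipsec,info,account ipsec:: peer authorized: ...
aug/12 01:09:19 ipsec ipsec:: canditate selectors: 0.0.0.0/0 <=> 192.0.2.10
aug/12 01:09:19 ipsec ipsec:: canditate selectors: [::/0] <=> [::/0]
aug/12 01:09:19 ipsec ipsec:: searching for policy for selector: 0.0.0.0/0 <=> 192.0.2.10
aug/12 01:09:19 ipsec ipsec:: generating policy
aug/12 01:09:19 ipsec ipsec:: matched proposal:
aug/12 01:09:19 ipsec ipsec::  proposal #1
aug/12 01:09:19 ipsec ipsec::   enc: aes256-cbc
aug/12 01:09:19 ipsec ipsec::   auth: sha256
aug/12 01:09:19 ipsec ipsec:: failed to add SA
aug/12 01:09:19 ipsec ipsec:: reply notify: AUTHENTICATION_FAILED
aug/12 01:09:19 ipsec,info ipsec:: killing ike2 SA: ...
"""

# "<date> <time> <topics> ipsec:: <message>"; topics is e.g. "ipsec" or "ipsec,debug".
PREFIX_RE = re.compile(r'^\S+\s+\S+\s+(?P<topics>[\w,]+)\s+ipsec::\s?(?P<msg>.*)$')
PROPOSAL_ATTR_RE = re.compile(r'^(enc|prf|auth|dh):\s+(\S+)$')
EXCHANGE_RE = re.compile(r'exchange:\s+(\w+):')
# "canditate" is how RouterOS itself spells it in the log.
SELECTOR_RE = re.compile(r'^canditate selectors:\s+(\S+)\s+<=>\s+(\S+)$')


def parse_ikev2_log(text):
    """Summarise one responder-side IKEv2 negotiation from RouterOS debug log lines."""
    summary = {
        'ike_proposal': None, 'esp_proposal': None, 'auth_method': None,
        'peer_authorized': False, 'candidate_selectors': [], 'policy_selector': None,
        'policy_generated': False, 'failed_to_add_sa': False, 'reply_notify': None,
    }
    exchange = None      # SA_INIT or AUTH, from the "-> ike2 request" line
    collecting = None    # attributes of the proposal currently being read
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group('msg').strip()
        em = EXCHANGE_RE.search(msg)
        if em:
            exchange = em.group(1)
        attr = PROPOSAL_ATTR_RE.match(msg)
        if collecting is not None:
            if attr:
                collecting[attr.group(1)] = attr.group(2)
                continue
            if msg.startswith('proposal #'):
                continue
            # First line that is not part of the proposal closes it; the SA_INIT
            # proposal is the IKE SA, the AUTH-exchange proposal is the ESP child SA.
            summary['ike_proposal' if exchange == 'SA_INIT' else 'esp_proposal'] = collecting
            collecting = None
        sm = SELECTOR_RE.match(msg)
        if msg == 'matched proposal:':
            collecting = {}
        elif msg.startswith('requested auth method: '):
            summary['auth_method'] = msg.split(': ', 1)[1]
        elif msg.startswith('peer authorized'):
            summary['peer_authorized'] = True
        elif sm:
            summary['candidate_selectors'].append((sm.group(1), sm.group(2)))
        elif msg.startswith('searching for policy for selector: '):
            summary['policy_selector'] = msg.split(': ', 1)[1]
        elif msg == 'generating policy':
            summary['policy_generated'] = True
        elif msg == 'failed to add SA':
            summary['failed_to_add_sa'] = True
        elif msg.startswith('reply notify: '):
            summary['reply_notify'] = msg.split(': ', 1)[1]
    if collecting is not None:
        summary['ike_proposal' if exchange == 'SA_INIT' else 'esp_proposal'] = collecting
    return summary


# Stage names and hints are this example's own, not RouterOS terminology.
STAGE_HINT = {
    'sa_init': 'no IKE proposal matched: compare the profile (enc/hash/dh-group) with the client',
    'auth': 'peer was never authorized: certificate, identity or match-by settings',
    'child_sa': 'IKE SA and peer auth succeeded; the ESP child SA could not be installed, so '
                'look at policy templates and selectors, not certificates (the client still '
                'receives AUTHENTICATION_FAILED)',
    'ok': 'negotiation completed',
}


def classify(summary):
    """Return the stage at which the negotiation stopped."""
    if summary['ike_proposal'] is None:
        return 'sa_init'
    if not summary['peer_authorized']:
        return 'auth'
    if summary['failed_to_add_sa']:
        return 'child_sa'
    return 'ok'


if __name__ == '__main__':
    s = parse_ikev2_log(SAMPLE_LOG)
    stage = classify(s)
    print('IKE proposal :', s['ike_proposal'])
    print('ESP proposal :', s['esp_proposal'])
    print('selectors    :', s['candidate_selectors'])
    print('policy search:', s['policy_selector'])
    print('stage        :', stage, '-', STAGE_HINT[stage])
```

Run it against a saved `/log print` capture of the ipsec,debug topic; the classification only uses lines that are present verbatim in the log quoted above, so a negotiation that stops earlier (no matched proposal, or no "peer authorized") is reported at that stage instead.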
 
sunny1081
just joined
Posts: 2
Joined: Sat Jun 25, 2022 4:20 pm

Re: IPSec via IPv6 failed to add SA

Sat Jun 25, 2022 4:32 pm

Hello,

I have the same issue. I followed the road warrior guide to set up IPsec and use StrongSwan on Android 12 as the client. It is working fine with IPv4, but when I use IPv6, authorisation via certificate is fine but then it fails with "failed to add SA". The config is the same; I just enable "use IPv6 for outer transport address" and of course change the server address.

Here is my config:
 RouterOS 7.4beta4
...
# model = RB760iGS
...
/ip ipsec mode-config
add address-pool=vpn-dhcp name=vpnIKEv2 static-dns=192.168.1.1 system-dns=no
/ip ipsec policy group
add name=vpnIKEv2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpnIKEv2
/ip ipsec peer
add exchange-mode=ike2 name=vpnIKEv2 passive=yes profile=vpnIKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-128-cbc,aes-128-gcm name=vpnIKEv2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=MikroVPNServer comment=mVPNS10 generate-policy=port-strict match-by=certificate mode-config=vpnIKEv2 peer=vpnIKEv2 policy-template-group=vpnIKEv2 \
    remote-certificate=mVPNS10
/ip ipsec policy
set 0 group=vpnIKEv2 proposal=vpnIKEv2
add dst-address=0.0.0.0/0 group=vpnIKEv2 proposal=vpnIKEv2 src-address=0.0.0.0/0 template=yes
add disabled=yes dst-address=192.168.100.0/24 group=vpnIKEv2 proposal=vpnIKEv2 src-address=0.0.0.0/0 template=yes
I have already spent many hours but could not find anything that is wrong. Any hint would be highly appreciated.

KR
 
sunny1081
just joined
Posts: 2
Joined: Sat Jun 25, 2022 4:20 pm

Re: IPSec via IPv6 failed to add SA

Sun Jul 31, 2022 1:41 pm

Gentle push; this should be more relevant day by day. At least in Germany, more and more subscribers only get a public IPv6 address from their provider.
 
gdin
just joined
Posts: 9
Joined: Sat Jan 03, 2015 6:15 pm

Re: IPSec via IPv6 failed to add SA

Fri Jul 21, 2023 7:55 am

I spent two days researching this issue, and finally I reached the conclusion: in the policy configured in /ip ipsec policy, if the dst-address is an IPv4 address then src-address cannot be set to ::/0.
I refer to the official Road Warrior setup using IKEv2 with EAP-MSCHAPv2 authentication handled by User Manager (RouterOS v7) (https://help.mikrotik.com/docs/display/ ... serManager(Rout erOSv7)), which is configured as an IPsec road warrior based on EAP-MSCHAPv2 authentication. My WAN has a dual-stack public IP. When I connect via IPv4, it works fine on Windows/macOS/iOS/Android. When I connect via IPv6, it works fine on Windows/macOS/iOS, but the Android client will repeatedly connect and disconnect.
The reason is that the Android client is not assigned an IPv4 address after connecting. There are instructions for Android configuration in the official old wiki, which require /ip ipsec policy add group=RoadWarrior dst-address=192.168.77.0/24 src-address=0.0.0.0/0 template=yes (https://wiki.mikrotik.com/wiki/Manual:I ... ient_Notes). For the scenario of assigning an IPv4 address to an IKEv2 client connected via IPv6, it should be necessary to add the following rule: /ip ipsec policy add group=RoadWarrior dst-address=192.168.77.0/24 src-address=::/0 template=yes, but when I add the rule, RouterOS automatically converts the ::/0 src-address to 0.0.0.0/0, so the Android client connecting over IPv6 cannot be assigned an IPv4 address and cannot connect successfully. I hope that MikroTik will solve this problem in subsequent versions.
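One way to check an exported policy configuration against the selector pairs the ipsec,debug log reports it is searching for, added here as an example; it is not code from the thread or from MikroTik. It assumes, from the road-warrior template shape quoted above (src-address=0.0.0.0/0, dst-address=<client pool>), that the left side of a "canditate selectors: A <=> B" log line is the responder's side, matched against src-address, and the right side the client's, matched against dst-address. The export fragment is constructed from the configs posted in this thread, and the mixed-family warning encodes the behaviour gdin reports above (RouterOS rewriting src-address=::/0 to 0.0.0.0/0 when dst-address is IPv4).

```python
import ipaddress
import re

# Constructed export fragment in the shape of the configs posted in this thread; the last
# "add" line is the wiki-style template gdin describes, written with src-address=::/0 as a
# user would type it before RouterOS rewrites it.
SAMPLE_EXPORT = """\
# model = RB760iGS
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpnIKEv2
/ip ipsec policy
set 0 group=vpnIKEv2 proposal=vpnIKEv2
add dst-address=0.0.0.0/0 group=vpnIKEv2 proposal=vpnIKEv2 src-address=0.0.0.0/0 template=yes
add disabled=yes dst-address=192.168.100.0/24 group=vpnIKEv2 proposal=vpnIKEv2 \\
    src-address=0.0.0.0/0 template=yes
add dst-address=192.168.77.0/24 group=RoadWarrior proposal=vpnIKEv2 src-address=::/0 template=yes
"""


def parse_export(text):
    """Return [(section, verb, {key: value})] for each command in a RouterOS export."""
    # RouterOS wraps long lines with a trailing backslash; join them back together first.
    joined = re.sub(r'\\\n\s*', ' ', text)
    section, items = None, []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            section = line
            continue
        verb, _, rest = line.partition(' ')
        attrs = {}
        for tok in rest.split():
            if '=' in tok:
                key, value = tok.split('=', 1)
                attrs[key] = value
        items.append((section, verb, attrs))
    return items


def policy_templates(text):
    """Enabled policy templates from the export, as (src_network, dst_network, attrs)."""
    out = []
    for section, verb, a in parse_export(text):
        if section != '/ip ipsec policy' or verb != 'add':
            continue
        if a.get('template') != 'yes' or a.get('disabled') == 'yes':
            continue
        out.append((ipaddress.ip_network(a['src-address']),
                    ipaddress.ip_network(a['dst-address']), a))
    return out


def covers(net, selector):
    """True if selector (a host or network, optionally in [] as the log prints IPv6) lies
    inside net; selectors of the other address family never match."""
    sel = ipaddress.ip_network(selector.strip('[]'), strict=False)
    return sel.version == net.version and sel.subnet_of(net)


def matching_templates(templates, responder_sel, initiator_sel):
    """Templates whose src-address covers the responder side and dst-address the initiator
    side of a 'canditate selectors: A <=> B' line (assumed mapping, see lead-in)."""
    return [a for src, dst, a in templates
            if covers(src, responder_sel) and covers(dst, initiator_sel)]


def lint_templates(templates):
    """Warn about templates whose src and dst address families differ; per gdin's post,
    RouterOS rewrites src-address=::/0 to 0.0.0.0/0 when dst-address is IPv4, so such a
    template will not behave as written."""
    return [f"template {a.get('group')}: src {src} is IPv{src.version} "
            f"but dst {dst} is IPv{dst.version}"
            for src, dst, a in templates if src.version != dst.version]


if __name__ == '__main__':
    templates = policy_templates(SAMPLE_EXPORT)
    # Selector pairs as they appear in the log quoted earlier in the thread.
    for pair in [('0.0.0.0/0', '192.168.100.5'), ('[::/0]', '[::/0]')]:
        hits = [a['group'] for a in matching_templates(templates, *pair)]
        print(pair, '->', hits or 'no template')
    for warning in lint_templates(templates):
        print('warning:', warning)
```

Paste the output of `/export` into SAMPLE_EXPORT (or read it from a file) and feed it the selector pairs from the "canditate selectors" lines; a pair with no matching enabled template is the one the router cannot generate a policy for.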
 
mn99
just joined
Topic Author
Posts: 2
Joined: Wed Aug 12, 2020 1:43 am

Re: IPSec via IPv6 failed to add SA

Fri Jul 21, 2023 2:37 pm

Just for the record, I switched my setup to WireGuard a year or so ago when it became available in RouterOS, and this works perfectly fine. Everything else is unchanged: mobile device with public IPv6 and MikroTik behind an ISP device with public IPv6 only. Of course it is only for one client per configuration, but that is what I need.
