today I discovered a strange behaviour between a linux client using strongSwan and an RB1100AHx4.
One of our customers is using the MikroTik as IPSec concentrator, were many IPSec connections were terminated and routed from the MikroTik into the customers network. While analyzing another Problem on the linux machine i stumbled about the following:
The linux machine (running strongSwan) has an established IPSec connection and traffic is exchanged trough IPSec. To analyze the traffic which is sent using IPSec I created a rule to forward all decapsulated IPSec traffic to NFLOG. Like described in the strongsSwan Wiki (https://wiki.strongswan.org/projects/st ... rafficDump).
While analyzing the traffic (captured with tcpdump and forwarded to a machine running wireshark) I saw some packets were missing in the protocol which uses the IPSec connection. After starting another tcpdump on the interface which is used to establish the VPN connection. I can see that the missing packets were arriving on this interface.
Our customer is using IPSec, IKEv2 and Mode Conf.
The linux machines define a "virtual IP address" which matches the Mode Config defined on the MikroTik Router. The Virtual IP-Adresses were used in the customers network to route the Packets to the MikroTik (IPSec concentrator)
The RB1100 has an established IPSec connection, a ChildSA is created and a dynamic policy exists which defines that all data moves from 10.0.0.0/8 to the Virtual IP has to be encrypted.
BUT I can see there are some packages which doesn't follow this policy. I can see data Data from a host 10.x.y.z arriving on interface on the linux machine which should have been sent over IPSec.
Unfortunately I'm not allowed to shared the configuration or a supout.rif of the MikroTik Router because of an NDA.
Does anyone have an idea, or have seen a similar behaviour?