Dmytro911
Topic Author

What am I doing wrong? IPSec in VRF

Sun May 22, 2022 11:13 pm

Trying to build an IPSec tunnel with the source IP address and interface inside a VRF.
Such an approach is partially described here: https://help.mikrotik.com/docs/display/ ... utingtable

But in my situation not only is routing done in another routing table, but the source IP and interface are also in a VRF.
/ip vrf
add interfaces="MNO1 IPSecNet" name=MNO1
/ip address
add address=10.1.0.1/24 interface="MNO1 IPSecNet" network=10.1.0.0
/ip firewall mangle
add action=mark-connection chain=output dst-address=172.0.0.2 dst-port=500,4500 new-connection-mark=ipsec passthrough=yes protocol=udp src-address=10.1.0.1
add action=mark-connection chain=output dst-address=172.0.0.2 new-connection-mark=ipsec passthrough=yes protocol=ipsec-esp src-address=10.1.0.1
add action=mark-routing chain=output connection-mark=ipsec new-routing-mark=MNO1 passthrough=no
/ip ipsec peer
add address=172.0.0.2/32 exchange-mode=ike2 local-address=10.1.0.1 name=toKS
/ip ipsec identity
add peer=toKS
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=toKS src-address=10.0.0.0/24 tunnel=yes

Because the main table has no default route (0.0.0.0/0) or any other route pointing to the destination peer (172.0.0.2/32), the described approach does not work correctly.
To correct this I had to add a routing rule.
/routing rule
add action=lookup disabled=no dst-address=172.0.0.2/32 src-address=10.1.0.1/32 table=MNO1

That is the first issue: despite the peer's source IP being in the VRF, packets are initiated from outside the VRF and in the main routing table.
It would be good to be able to set the VRF and routing table in the "/ip ipsec peer" record for each peer separately, or in "/ip ipsec policy" for each policy. Such an approach exists for BGP.
/routing bgp template
add as=21111 disabled=no hold-time=3s name=toKS output.filter-chain=bgp-MNO1-out .redistribute=connected router-id=10.1.0.1 routing-table=MNO1 vrf=MNO1

After adding the IP route rule I saw traffic on the other device and a connection on this router:
/ip/firewall/connection/print detail 
Flags: E - expected; S - seen-reply; A - assured; C - confirmed; D - dying; F - fasttrack; H - hw-offload; s - srcnat; d - dstnat 
 2  SAC      protocol=udp src-address=10.1.0.1:4500 dst-address=172.0.0.2:4500 reply-src-address=172.0.0.2:4500 reply-dst-address=10.1.0.1:4500 timeout=2m56s connection-mark="ipsec" orig-packets=956 orig-bytes=582 384 orig-fasttrack-packets=0 
             orig-fasttrack-bytes=0 repl-packets=478 repl-bytes=196 097 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps 

And attempts to start ipsec ike2 in the router debug log:
 22:38:09 ipsec ike2 init timeout request, exchange: SA_INIT:0 172.0.0.2[4500] 3d9ab77d6e4eed3a:0000000000000000
 22:38:18 ipsec ike2 starting for: 172.0.0.2
 22:38:18 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 22:38:18 ipsec,debug => (size 0x8)
 22:38:18 ipsec,debug 00000008 0000402e
 22:38:18 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 22:38:18 ipsec,debug => (size 0x1c)
 22:38:18 ipsec,debug 0000001c 00004005 0fb10bc9 fb98edd5 232d7e72 38e498cf 5fca379b
 22:38:18 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 22:38:18 ipsec,debug => (size 0x1c)
 22:38:18 ipsec,debug 0000001c 00004004 597a069e 6f2fe453 be408bc8 7d8e29ea 45598556
 22:38:18 ipsec adding payload: NONCE
 22:38:18 ipsec,debug => (size 0x1c)
 22:38:18 ipsec,debug 0000001c 73cc2d2a 90f57dc0 2dc08d11 24cfae52 26ffdfea 754a3b16
 22:38:18 ipsec adding payload: KE
 22:38:18 ipsec,debug => (first 0x100 of 0x108)
...
 22:38:18 ipsec adding payload: SA
 22:38:18 ipsec,debug => (size 0x40)
 22:38:18 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
 22:38:18 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
 22:38:18 ipsec <- ike2 request, exchange: SA_INIT:0 172.0.0.2[4500] 363600806edd72e4:0000000000000000
 22:38:18 ipsec,debug ===== sending 448 bytes from 10.1.0.1[4500] to 172.0.0.2[4500]
 22:38:18 ipsec,debug 1 times of 452 bytes message will be sent to 172.0.0.2[4500]
...

I even saw traffic exchanged in both directions.
 22:38:18 firewall,info output: in:(unknown 0) out:MNO1 IPSecNet, proto UDP, 10.1.0.1:4500->172.0.0.2:4500, len 480
 22:38:18 firewall,info input: in:(unknown 6) out:(unknown 0), src-mac 00:0c:29:19:29:10, proto UDP, 172.0.0.2:4500->10.1.0.1:4500, len 68

After some time I get a timeout:
 22:39:40 ipsec ike2 init timeout request, exchange: SA_INIT:0 172.0.0.2[4500] 3d9ab77d6e4eed3a:0000000000000000
That is the second issue: the router knows about the connection and displays two-way traffic exchange in "/ip/firewall/connection/print detail", but this traffic doesn't reach its destination inside the system.
When I remove the VRF, everything works fine.

What am I doing wrong, or is it really a system issue?
I used MikroTik RouterOS 7.2.3 and 7.3beta40.

Tried on 6.49.6: IPSec works OK with the routing rule, but BGP is not working in the VRF, with the same symptoms IPSec has in 7.2.3.
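The hex words after "adding payload: SA" in the debug log above are the IKEv2 SA payload the router offers. As an added example that is not part of the posts, this Python decodes that payload (constructed here from the log's hex words) into proposals and transforms per RFC 7296 section 3.3 and flags the legacy algorithms it offers; the algorithm name table is limited to the transform IDs that appear in this log.

```python
import struct
from typing import Dict, List
# Constructed from the 16 hex words after "adding payload: SA" in the debug log
SA_PAYLOAD_HEX = (
    "00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003 "
    "03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002"
)

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
# IANA IKEv2 transform IDs, limited to those that occur in this log
TRANSFORM_IDS = {
    ("ENCR", 3): "3DES", ("ENCR", 12): "AES_CBC",
    ("PRF", 2): "HMAC_SHA1", ("INTEG", 2): "HMAC_SHA1_96",
    ("DH", 2): "MODP1024", ("DH", 14): "MODP2048",
}
LEGACY = {"3DES", "MODP1024"}  # RFC 8247 rates both as SHOULD NOT

def parse_sa_payload(hexwords: str) -> List[Dict]:
    """Decode an IKEv2 SA payload (RFC 7296 3.3) into proposals/transforms."""
    data = bytes.fromhex(hexwords.replace(" ", ""))
    _, _, length = struct.unpack_from("!BBH", data, 0)  # generic payload header
    if length != len(data):
        raise ValueError(f"SA payload length {length} != {len(data)} bytes")
    proposals, off = [], 4
    while off < length:
        # proposal: last/more, reserved, length, number, protocol, SPI size, #transforms
        _, _, plen, num, proto, spi_sz, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        transforms, toff = [], off + 8 + spi_sz
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, toff)
            tname = TRANSFORM_TYPES.get(ttype, str(ttype))
            entry = {"type": tname, "id": TRANSFORM_IDS.get((tname, tid), tid)}
            aoff = toff + 8
            while aoff < toff + tlen:  # transform attributes
                atype, aval = struct.unpack_from("!HH", data, aoff)
                if atype & 0x8000:  # TV format: value is carried in the header
                    if (atype & 0x7FFF) == 14:  # Key Length attribute
                        entry["key_len"] = aval
                    aoff += 4
                else:  # TLV format: aval is the value length
                    aoff += 4 + aval
            transforms.append(entry)
            toff += tlen
        proposals.append({"num": num, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals

def legacy_transforms(proposals: List[Dict]) -> List[str]:
    return [t["id"] for p in proposals for t in p["transforms"] if t["id"] in LEGACY]
```

Running parse_sa_payload(SA_PAYLOAD_HEX) shows one IKE proposal with AES-CBC-128, 3DES, HMAC-SHA1 PRF and integrity, and DH groups 14 and 2, so the initiator in this log still offers 3DES and MODP1024.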
 
Dmytro911
Topic Author

Re: What am I doing wrong? IPSec in VRF

Mon May 23, 2022 1:50 pm

Another interesting fact is that incoming traffic is not assigned to the incoming interface that is inside the VRF. Interface number 6 is the number corresponding to ether6, named "MNO1 IPSecNet":
input: in:(unknown 6) out:(unknown 0)

Outgoing traffic is OK:
output: in:(unknown 0) out:MNO1 IPSecNet

 22:38:18 firewall,info output: in:(unknown 0) out:MNO1 IPSecNet, proto UDP, 10.1.0.1:4500->172.0.0.2:4500, len 480
 22:38:18 firewall,info input: in:(unknown 6) out:(unknown 0), src-mac 00:0c:29:19:29:10, proto UDP, 172.0.0.2:4500->10.1.0.1:4500, len 68
 
rickyrickuk

Re: What am I doing wrong? IPSec in VRF

Tue Nov 15, 2022 7:31 pm

Hi, did you ever find a fix for this?
