KonstantinKuklin
just joined
Topic Author
Posts: 4
Joined: Thu Jun 09, 2022 9:45 am

Site to Site IKEv2 connection doesn't work

Thu Jun 09, 2022 3:02 pm

Hi, I'm trying to make a tunnel between 2 MikroTiks.
The first MikroTik has a white IP without any NAT (server).
The second doesn't have a white IP (client).

After I configured everything I get messages in logs on both sides:
Logs:
14:26:25 ipsec,info new ike2 SA (R): peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
14:26:26 ipsec,info killing ike2 SA: peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
Client side:
[admin@client] > /ip/ipsec/active-peers/print
Columns: STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# STATE UPTIME PH2-TOTAL REMOTE-ADDRESS
0 message-1-sent 14s 1 SERVER_WHITE_IP
Server side: no active peers
Server identity:
[admin@server] /ip/ipsec> identity/print
Flags: D - dynamic; X - disabled
0 peer=peer SERVER_WHITE_IP auth-method=pre-shared-key mode-config=modeconf_xvizion-server my-id=fqdn:server.xvizion-ike2 remote-id=user-fqdn:client-babyshka
secret="****" generate-policy=port-strict policy-template-group=group_xvizion-ike2
Client identity:
[admin@client] > /ip/ipsec/identity/print
Flags: D - dynamic; X - disabled
0 peer=peer_xvizion-ike2 auth-method=pre-shared-key mode-config=request-only my-id=user-fqdn:client-babyshka remote-id=fqdn:server.xvizion-ike2 secret="****"
generate-policy=port-strict policy-template-group=group_xvizion-ike2
Server modeconfig:
[admin@server] /ip/ipsec> mode-config/print
Flags: * - default; R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
1 R name="modeconf_xvizion-server" system-dns=yes address-pool=pool xvizion-ike2 address-prefix-length=32 split-include=0.0.0.0/0 split-dns=""
Client modeconfig:
[admin@client] > /ip/ipsec/mode-config/print
Flags: * - default; R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
Server peer:
[admin@server] /ip/ipsec> peer/print
Flags: X - disabled; D - dynamic; R - responder
0 R name="peer SERVER_WHITE_IP" local-address=SERVER_WHITE_IP passive=yes profile=profile xvizion-ike2 exchange-mode=ike2 send-initial-contact=yes
Client peer:
[admin@client] > /ip/ipsec/peer/print
Flags: X - disabled; D - dynamic; R - responder
0 name="peer_xvizion-ike2" address=SERVER_WHITE_IP/32 profile=profile_xvizion-ike2 exchange-mode=ike2 send-initial-contact=yes
Server policy:
[admin@server] /ip/ipsec> policy/print
Flags: T - TEMPLATE; X, A - ACTIVE; * - DEFAULT
Columns: SRC-ADDRESS, DST-ADDRESS, PROTOCOL
# SRC-ADDRESS DST-ADDRESS PROTOCOL
0 TX* ::/0 ::/0 all
1 T 0.0.0.0/0 10.0.88.0/24 all
Client policy:
[admin@client] > /ip/ipsec/policy/print
Flags: T - TEMPLATE; * - DEFAULT
Columns: SRC-ADDRESS, DST-ADDRESS, PROTOCOL
# SRC-ADDRESS DST-ADDRESS PROTOCOL
0 T* ::/0 ::/0 all
1 T 10.0.88.0/24 0.0.0.0/0 all
Server profile:
[admin@server] /ip/ipsec> profile/print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
dpd-maximum-failures=5

1 name="profile xvizion-ike2" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
Client profile:
[admin@client] /ip/ipsec> profile/print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
dpd-maximum-failures=5

1 name="profile_xvizion-ike2" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
Server proposal:
[admin@server] /ip/ipsec> proposal/print
Flags: X - disabled; * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024

1 name="ipsec-proposal" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none

2 name="proposal_xvizion-ike2" auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm
lifetime=8h pfs-group=none
Client proposal:
[admin@client] /ip/ipsec> proposal/print
Flags: X - disabled; * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024

1 name="proposal_xvizion-ike2" auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm
lifetime=8h pfs-group=none
Server firewall:
[admin@server] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; default configuration
chain=input action=accept connection-state=established,related
2 chain=output action=accept log=no log-prefix=""
3 chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""
4 chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix=""
5 chain=input action=accept in-interface=bridgeLan log=no log-prefix=""
6 chain=forward action=accept in-interface=bridgeLan out-interface=WAN log=no log-prefix=""
7 chain=forward action=accept connection-state=established,related in-interface=WAN out-interface=bridgeLan log=no log-prefix=""
8 chain=forward action=accept in-interface=bridgeLan log=no log-prefix=""
9 chain=forward action=accept src-address=10.10.0.0/24 log=no log-prefix=""
13 chain=output action=accept protocol=ipsec-esp log=no log-prefix=""
14 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
15 chain=input action=accept protocol=icmp log=no log-prefix=""
18 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
19 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
20 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
21 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
22 chain=input action=drop in-interface=WAN log=no log-prefix=""
Client firewall:
[admin@client] /ip/ipsec> /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
2 chain=output action=accept log=no log-prefix=""
3 chain=input action=accept in-interface=bridgeLocal log=no log-prefix=""
5 ;;; ipsec tunnel
chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix=""
6 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
7 chain=forward action=accept in-interface=bridgeLocal out-interface=WAN log=no log-prefix=""
8 chain=forward action=accept connection-state=established,related in-interface=WAN out-interface=bridgeLocal log=no log-prefix=""
9 chain=input action=accept protocol=icmp log=no log-prefix=""
10 chain=input action=drop in-interface=WAN log=no log-prefix=""
12 chain=forward action=accept protocol=ipsec-esp log=no log-prefix=""
Both MikroTiks have OS version 7.3 (stable).
Any suggestions?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IKEv2 connection doesn't work

Thu Jun 09, 2022 6:38 pm

What does /ip/pool/print show at the server?
 
KonstantinKuklin
just joined
Topic Author
Posts: 4
Joined: Thu Jun 09, 2022 9:45 am

Re: Site to Site IKEv2 connection doesn't work

Thu Jun 09, 2022 6:50 pm

What does /ip/pool/print show at the server?

Shows:
[admin@server] /> /ip/pool/print
Columns: NAME, RANGES
# NAME RANGES
0 dhcp-pool 10.10.0.100-10.10.0.200
1 l2tp-pool 192.168.50.1-192.168.50.50
2 pool xvizion-ike2 10.0.88.2-10.0.88.254
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IKEv2 connection doesn't work

Thu Jun 09, 2022 7:03 pm

OK, so all the interdependencies are fine - profiles and proposals match verbatim, and the policy templates correspond to the pool to which the mode-config refers at the responder side. Unfortunately, /ip/ipsec/policy/print detail is necessary to check that the templates you've added for 10.0.88.0/24<=>0.0.0.0/0 are linked to the proper group and to the proper proposal, but as there is no mistake in all your other settings, I assume this part is also OK.

But if that's the case, it looks like some problem on the interconnection network (fragmentation and lost fragments or failed reassembly), or a bug in RouterOS.

So set /system/logging/add topics=ipsec,!packet at both machines, disable the peer at the initiator side, run /log print follow-only file=ipsec-start-<site> where topics~"ipsec" at both devices (replace <site> with the appropriate name), enable the peer, wait for 20 seconds, stop the /log print ..., download the files and start reading.
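Once the two ipsec-start-<site> files are downloaded, the first thing to look for is whether each ike2 SA is torn down seconds after it appears and which error lines sit between those two events. The following triage script is an added example for this thread, not code from the post or from MikroTik: it parses RouterOS log lines of the shape quoted in the thread (HH:MM:SS, topics, message), correlates "new ike2 SA" with "killing ike2 SA" by SPI pair, and collects the malformed/invalid payload lines in between. The sample lines are constructed from the output quoted in this thread, the function and threshold names are my own, and the timestamps are assumed to fall within one day (the log format carries no date).

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the ipsec log lines quoted in this thread.
SAMPLE_LOG = """\
11:22:03 ipsec,info new ike2 SA (R): peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
11:22:03 ipsec processing payload: ID_I
11:22:03 ipsec ID_I (RFC822): malformed id: client-babyshka
11:22:03 ipsec => invalid payload (size 0xf)
11:22:04 ipsec,info killing ike2 SA: peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
"""

# "<HH:MM:SS> <topics> <message>" as produced by /log print on RouterOS 7.
_LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# Initiator SPI : responder SPI, as printed after "spi:".
_SPI_RE = re.compile(r"spi:([0-9a-f]+:[0-9a-f]+)")
# Substrings that mark a negotiation that failed on payload parsing.
_ERROR_MARKERS = ("malformed", "invalid payload")


def triage_ipsec_log(text: str, max_life: timedelta = timedelta(seconds=10)) -> dict:
    """Summarise one ipsec log capture.

    Returns {"short_lived": [(spi, seconds), ...], "errors": [message, ...]}.
    An SA killed within max_life of its creation is reported as short-lived;
    error lines are reported verbatim so the cause can be read off directly.
    """
    born: dict[str, datetime] = {}   # spi pair -> time the SA was created
    short_lived: list[tuple[str, float]] = []
    errors: list[str] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue                   # skip wrapped or unrelated lines
        ts = datetime.strptime(m.group(1), "%H:%M:%S")  # assumption: same day
        msg = m.group(3)
        spi = _SPI_RE.search(msg)
        if msg.startswith("new ike2 SA") and spi:
            born[spi.group(1)] = ts
        elif msg.startswith("killing ike2 SA") and spi and spi.group(1) in born:
            age = ts - born.pop(spi.group(1))
            if age <= max_life:
                short_lived.append((spi.group(1), age.total_seconds()))
        elif any(marker in msg for marker in _ERROR_MARKERS):
            errors.append(msg)
    return {"short_lived": short_lived, "errors": errors}


if __name__ == "__main__":
    summary = triage_ipsec_log(SAMPLE_LOG)
    for spi, secs in summary["short_lived"]:
        print(f"SA {spi} lived only {secs:.0f}s")
    for err in summary["errors"]:
        print("  error:", err)
```

Running it against the captured files (read each with `open(path).read()` in place of SAMPLE_LOG) gives a per-site list of SAs that died within the threshold and the parser errors logged in between; a "malformed id" line next to a one-second SA is the pattern this thread ends up with.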
 
KonstantinKuklin
just joined
Topic Author
Posts: 4
Joined: Thu Jun 09, 2022 9:45 am

Re: Site to Site IKEv2 connection doesn't work

Fri Jun 10, 2022 11:46 am

Some kind of problem in payload transferring?
ipsec-ikev2-server.txt
ipsec-ikev2-client.txt
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IKEv2 connection doesn't work  [SOLVED]

Fri Jun 10, 2022 1:02 pm

Actually no, it is a formal issue with the format of the ID. You've specified the type to be user-fqdn, which is an e-mail address format in layman's terms, and the log says:

11:22:03 ipsec processing payload: ID_I
11:22:03 ipsec ID_I (RFC822): malformed id: client-babyshka
11:22:03 ipsec => invalid payload (size 0xf)


So change my-id at initiator (client) and remote-id at responder (server) to either user-fqdn:babyshka@derevnya.net or fqdn:client-babyshka.net to meet the formal requirements and try again.
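The mistake here is purely one of ID type versus value format: user-fqdn is IKEv2's ID_RFC822_ADDR and must look like local-part@domain, while fqdn (ID_FQDN) is a hostname. The checker below is an added example written for this thread, not RouterOS's own parser and not code from the post: it validates a `<type>:<value>` identity string the way RouterOS my-id/remote-id are written, and confirms that the initiator's my-id and the responder's remote-id agree before a peer is enabled. The label regex, the type list and the function names are assumptions of this example; RouterOS may accept or reject edge cases differently, so treat it as a pre-flight check, not as authoritative.

```python
import ipaddress
import re
from typing import NamedTuple

# Hostname label (RFC 1123 style): letters, digits, hyphens, no leading/trailing
# hyphen. Assumption of this example, not a rule taken from RouterOS.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# my-id/remote-id prefixes this checker understands (assumed subset).
_KNOWN_TYPES = ("fqdn", "user-fqdn", "address", "key-id")


class IdCheck(NamedTuple):
    ok: bool
    id_type: str
    value: str
    reason: str


def _is_fqdn(value: str) -> bool:
    """ID_FQDN: one or more dot-separated hostname labels (a single label is fine)."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in value.split("."))


def _is_rfc822(value: str) -> bool:
    """ID_RFC822_ADDR (user-fqdn): local-part@domain with exactly one '@'."""
    if value.count("@") != 1:
        return False
    local, domain = value.split("@")
    if not local or any(ch.isspace() for ch in local):
        return False
    return _is_fqdn(domain)


def validate_ipsec_id(spec: str) -> IdCheck:
    """Check a '<type>:<value>' identity string against the format its type requires."""
    if spec == "auto":
        return IdCheck(True, "auto", "", "ID derived from peer address / certificate")
    if ":" not in spec:
        return IdCheck(False, "", spec, "missing '<type>:' prefix")
    id_type, value = spec.split(":", 1)   # split once: IPv6 values contain colons
    if id_type not in _KNOWN_TYPES:
        return IdCheck(False, id_type, value, f"unknown ID type {id_type!r}")
    if id_type == "fqdn":
        ok, why = _is_fqdn(value), "not a valid hostname"
    elif id_type == "user-fqdn":
        ok, why = _is_rfc822(value), "RFC822 ID needs local-part@domain"
    elif id_type == "address":
        try:
            ipaddress.ip_address(value)
            ok, why = True, ""
        except ValueError:
            ok, why = False, "not an IPv4/IPv6 address"
    else:  # key-id carries opaque bytes; only an empty value is rejected
        ok, why = bool(value), "empty key-id"
    return IdCheck(ok, id_type, value, "" if ok else why)


def ids_match(initiator_my_id: str, responder_remote_id: str) -> bool:
    """True only when both IDs are well-formed and identical in type and value."""
    a = validate_ipsec_id(initiator_my_id)
    b = validate_ipsec_id(responder_remote_id)
    return a.ok and b.ok and (a.id_type, a.value) == (b.id_type, b.value)


if __name__ == "__main__":
    # The pair from the thread, then the two corrected forms proposed above.
    for my_id, remote_id in [
        ("user-fqdn:client-babyshka", "user-fqdn:client-babyshka"),
        ("user-fqdn:babyshka@derevnya.net", "user-fqdn:babyshka@derevnya.net"),
        ("fqdn:client-babyshka.net", "fqdn:client-babyshka.net"),
    ]:
        chk = validate_ipsec_id(my_id)
        print(f"{my_id:36} valid={str(chk.ok):5} match={ids_match(my_id, remote_id)} {chk.reason}")
```

The original pair fails even though both routers carry the identical string, which is exactly why the responder logs "malformed id" and kills the SA before authentication: the value never reaches the comparison stage. Either corrected form passes, and the server's own fqdn:server.xvizion-ike2 passes as well because a hyphenated label is a legal hostname component.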
 
KonstantinKuklin
just joined
Topic Author
Posts: 4
Joined: Thu Jun 09, 2022 9:45 am

Re: Site to Site IKEv2 connection doesn't work

Fri Jun 10, 2022 1:15 pm

Thank you!
It works.
