marypoppins

Ipsec debug

Wed Mar 01, 2023 5:41 pm

Dear All,


I am struggling to give evidence to my IPsec peer that the VoIP packets sent to them really go through my MikroTik's IPsec and leave my device. I know that in a tunnel the packets are encrypted and cannot be debugged, but a little info would be nice that says, oh, this packet entered the tunnel and was forwarded to the peer, so I tried to find something like this.

Very briefly: there is a working (for ports other than 5060) IPsec tunnel between my node A and the peer's node B.
I think these settings are the relevant ones and must be enough for the communication to work:
- no NAT configuration (neither in IPsec nat-traversal nor in the firewall nat section)
- in the IPsec policy there is no port or protocol filtering, so anything can travel between us
- also in the firewall filter there is no protocol or port filtering between nodes A and B, and both directions exist.
- in firewall service-port the sip (5060/5061) helper is disabled (a question about this: only one site among many mentioned that the router should be restarted after disabling this helper. Is that really true? I skipped the restart because of a lot of sensitive traffic)

So they (the peer) maintain that they do not see packets travelling to their node B's port 5060, while they can see traffic on other ports to the same node (of course there is no NAT).

In the dump (node A and B) I can only see my incoming side, where packets are received by my MikroTik and go through my input interfaces (ether3, vlan42, vrrp42); that is all.
I tried ipsec,debug but it seems to be IKE and IPsec debugging, which is not useful for seeing what happens to packets entering the tunnel.
The firewall logging says this: forward: in:vrrp42 out:vrrp2 (vrrp2 is on the outgoing interface, which is no guarantee that it goes through IPsec).
It also does not help to debug the traffic from the ipsec-esp perspective towards the peer, because unfortunately there is a lot of other ESP traffic to this peer...

So my question is how can I prove that my packets really leave my mikrotik and are on the way to their device?


Thank you very much
