Kentzo

IPsec: what can drop DPD packets while allowing the rest?

Sat May 27, 2023 1:09 am

RouterOS 6.49.8 is configured as an IPsec responder:
/ip ipsec mode-config
add address-pool=ipsec-roadwarrior address-prefix-length=32 name=roadwarrior split-include=192.168.0.0/16 system-dns=no
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
add dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=roadwarrior prf-algorithm=sha256 \
    proposal-check=claim
/ip ipsec peer
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name=roadwarrior pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=roadwarrior my-id=fqdn:... peer=roadwarrior policy-template-group=roadwarrior remote-id=ignore secret=...
/ip ipsec policy
set 0 disabled=yes
add comment=roadwarrior dst-address=10.13.37.0/24 group=roadwarrior proposal=roadwarrior src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=no

/system logging
add topics=ipsec
The built-in macOS (13.3.1) IPsec initiator is configured using the global IPv6 address of the router.

When my laptop is connected to the internet via Google Fiber, IPsec consistently breaks due to DPD failure. What is supremely strange is that I can ssh into the router via this very same IPsec connection and see the failures in real time. I just run `/log print follow` and see that after 2 minutes (as configured) a DPD is sent, followed by 4 (as configured) retransmits, at which point IPsec stops working as the router kills the association.

When I connect from any other network (say, a cafe's XFINITY), it works just fine.

If I retry the test using the global IPv4 address of the router, then everything works fine.

How come all the ESP packets are coming through (I follow the logging in real time) but the ISAKMP packets for DPD aren't, and why could it happen only behind Google Fiber?
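One way to confirm whether the DPD datagrams reach the router at all, as an added diagnostic that is not part of the original post or of the poster's configuration: log and count inbound IKE (UDP 500/4500) separately from inbound ESP (IP protocol 50) on both address families, then watch the counters across one DPD interval. The rule names, log prefixes and the `diag` comment tag are assumptions chosen for this example; the rules match all sources because the client's IPv6 address changes between networks.

```routeros
# Added example (not from the original post). Inserts passthrough rules at the
# top of the input chain so they count and log without affecting filtering.
# The log prefixes and the "diag" comment tag are assumptions for this example.

/ipv6 firewall filter
add chain=input protocol=udp dst-port=500,4500 action=passthrough log=yes \
    log-prefix="ike6-in" comment="diag: IKE/NAT-T over IPv6" place-before=0
add chain=input protocol=ipsec-esp action=passthrough log=yes \
    log-prefix="esp6-in" comment="diag: ESP over IPv6" place-before=0

# Same pair on IPv4, which is the path the poster reports as working.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=passthrough log=yes \
    log-prefix="ike4-in" comment="diag: IKE/NAT-T over IPv4" place-before=0
add chain=input protocol=ipsec-esp action=passthrough log=yes \
    log-prefix="esp4-in" comment="diag: ESP over IPv4" place-before=0

# Read the counters before and after one DPD interval (2 minutes per the profile).
/ipv6 firewall filter print stats where comment~"diag"
/ip firewall filter print stats where comment~"diag"

# Or correlate the firewall log with the ipsec topic while the tunnel is up.
/log print follow where topics~"ipsec" or message~"ike6-in" or message~"esp6-in"

# Remove the diagnostic rules when finished.
/ipv6 firewall filter remove [find comment~"diag"]
/ip firewall filter remove [find comment~"diag"]
```

If the `esp6-in` counter keeps rising during the DPD window while `ike6-in` stays flat, the IKE datagrams are being lost before they reach the router, which separates an upstream filtering problem from a RouterOS IPsec problem; if `ike6-in` does increment with no matching ipsec log entry, the drop is local and the firewall rule order above the diagnostic rules is the next thing to check.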
