It turned out that the config on the remote end was not enabled at this point in time. Anyways, log messages at MT side were not quite helpful here. I was expecting something like "timeout because no... blah blah".
Hey, using 3.22 on RB450G configured as a plain router between different ip networks, the icmp ping connection does not show up in the firewall "Connections" screen. But if I check with a log rule in the forwarding chain, I see the icmp packets across the router. I'm confused about this and...
Hey, I'm trying to connect to a Cisco peer via ipsec/tunnel mode/public ips (not nat) on ros3.22, I only get these messages in the log: 02:08:38 ipsec IPsec-SA request for xxx.xxx.xxx.xx queued due to no phase1 found. 02:08:38 ipsec initiate new phase 1 negotiation: yy.yy.yyy.yy[500]<=>xxx.xxx.xxx.x...
Hey, anyone managed to set up Mikrotik as vpn gateway for latest iphones using l2tp/ipsec? I tried a setup and ipsec debug messages produce this output (nat-t enabled btw): 02:42:56 ipsec,ike IPsec-SA established: ESP/Transport xxx.xxx.xxx.xx[4500]->yy.yy.yyy.yy[4500] spi=44661093(0x2a97965) 02:42:5...
Hm, so no answer here after one day means that this "feature" is not so easy to set up as it sounds?
Or it doesn't work at all?
I was thinking that this scenario is quite common out there, but is not...(?)
Hi, we have a very-typical configuration for "home" workers: Home-Laptop (using private IP) -> Home-Router doing NAT -> Office Mikrotik having static public IP. Now, the home users should be able to connect to the office by using L2TP/IPSEC (using windows xp), but I was not able to setup t...
I can attest to that...both of my open tickets (not beta-related) were responded Glad to hear. Unfortunately, my beta-related tickets are still open. Normis? Actually, I would say that the opposite is the case: support is essential for a production or stable product. Yes, you are right. But if you w...
Hi, this is a public request for getting more info about support tickets Ticket#2007040566000286 and Ticket#2007031666000249. These tickets are _still_ open and _still_ officially unanswered by support! (A) Short analysis The problem is that we cannot reach any hosts behind the router (btw: router is...
Yes, I was also thinking that it _should_ work without reboot. This was driving me crazy yesterday and I was crying loudly as it worked after the reboot...
Besides the flush command for the SAs, there is no other helpful command for clearing ipsec stuff, isn't it?
Hi, my understanding of ipsec is, that packets are matched against the Security Policy Database (SPD) to find a matching rule and using this for doing encryption or other stuff. Router is at 192.168.2.1. Why does /ip ipsec policy src-address=192.168.2.0/24 dst-address=172.17.0.0/16 .... NOT work, ...
No, still does not work. I have this command (actual sa-src and sa-dst addresses clobbered for privacy) [admin@vpn2-de] /ip ipsec policy> add src-address=172.17.0.0/16:any dst-address=172.16.0.0/16:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=a.b.c.d s...
Hi, while trying to connect two beta6 systems, we have troubles in setting up the required policies. Every time we enter our ipsec policy (using tunnel mode) and pressing "assign" we automatically get 'two' policies generated where one is printed in red color (marked as 'invalid') and the ...
Hi, do you think it's possible to use M3P for speeding up traffic across an ipsec link? It seems that the documentation text The MikroTik Packet Packer Protocol improves network performance by aggregating many small packets into a big packet, thereby minimizing the network per packet overhead cost...
Hi, we have some strangeness while establishing an ipsec tunnel using peer proposal-check=exact: In the log, it says "phase 2 established" immediately followed by "phase 2 expired". The SAs are actually installed (and ipsec works), but checking the stats says "no phase 2"...
Hi, using ipsec, there are two lifetime values which can be configured: One is the /ip ipsec proposal lifetime and the other is the /ip ipsec peer lifetime a) Can someone please explain the relationship between these lifetime values b) Should the proposal lifetime < peer lifetime c) Or any other rule ...
Thanks for the info. personally i'd use l2tp/ipip for the tunneling and stick to end-to-end ipsec and not tunnel mode But we need to connect the entire company networks. Does this work with l2tp/ipip also? The box is a 3 GHz system. So encryption speed should not be the limit. For a 170 ms link you ...
If you want to change window size then you should change it on the machine sending the data Okay, this means if I use a http or web proxy on the RouterOS, I need to change the window size on the RouterOS system, right? This is in contrast to the usual firewall filtering which only 'forwards' packt...
>Were the IPSec endpoints also the bandwidth test client/server, or were you testing 'thru' them ? Yes, the routerOS box (intel/3GHz) is doing the ipsec and i'm using the bandwidth test tools on the same boxes. >Was the OpenBSD hardware similar to that of the Mikrotik hardware ? Yes, exactly the sa...
Hi, we're using RouterOS 2.9.39 for connecting two company subsidiaries via ipsec. We're using a 10 Mbit/sec fiber line, but because of the transatlantic "jump" we have latencies around 170 ms. The ipsec connection works, but now we would like to do a bandwidth test using the RouterOS provi...