rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

IPsec VPN is established but does not send packet

Wed Jun 14, 2023 12:09 am

Hello team!!

Yesterday we replaced a Fortigate with an RB1100AHx4. In the Fortigate we had configured an IPsec VPN with a remote pfSense which we do not manage.
We copied the settings.
We could make the policy show "established" in "PH2 State".
The only "Active Peer" appears as "established" too, but it shows many "Rx Packets" and "0" "Tx Packets". It seems that nothing is going out through the VPN.
Sorry, my knowledge about IPsec is poor.

Here are the settings:
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-128 name=P2P-PFsense
/ip ipsec peer
add address=RemotePublicIP/32 name=P2P-PFsense profile=P2P-PFsense
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=12h name=P2P-PFsense pfs-group=modp1536
/ip ipsec identity
add peer=P2P-PFsense
/ip ipsec policy
add dst-address=10.10.10.0/24 peer=P2P-PFsense proposal=P2P-PFsense src-address=192.168.5.0/24 tunnel=yes
The logs show no error, but the following lines appear about every 10 seconds:
--------------------------------------------------------------------
18:01:11 ipsec,debug ipsec: ===== received 92 bytes from RemotePublicIP[500] to LocalPublicIP[500]
18:01:11 ipsec,debug,packet ipsec: 89cd089f cffc7173 b73b7f09 368e5799 08100501 faebf738 0000005c 2730591d
18:01:11 ipsec,debug,packet ipsec: 7a84acf2 47fa5a9c 64814e3e 03ae7f06 ca351a03 ed5e836b 8fd6ca30 d1e59804
18:01:11 ipsec,debug,packet ipsec: aad69aaa 3ba336e1 721787f4 4669a30e 0b434782 720b5372 4cc6c302
18:01:11 ipsec,debug ipsec: receive Information.
18:01:11 ipsec,debug,packet ipsec: compute IV for phase2
18:01:11 ipsec,debug,packet ipsec: phase1 last IV:
18:01:11 ipsec,debug,packet ipsec: 1121d506 8fd608ca e3397f26 7f0f3a06 faebf738
18:01:11 ipsec,debug ipsec: hash(sha1)
18:01:11 ipsec,debug,packet ipsec: encryption(aes)
18:01:11 ipsec,debug,packet ipsec: phase2 IV computed:
18:01:11 ipsec,debug,packet ipsec: e9d9aae8 063f8637 fe4a8fde 2e88e160
18:01:11 ipsec,debug,packet ipsec: encryption(aes)
18:01:11 ipsec,debug,packet ipsec: IV was saved for next processing:
18:01:11 ipsec,debug,packet ipsec: 4669a30e 0b434782 720b5372 4cc6c302
18:01:11 ipsec,debug,packet ipsec: encryption(aes)
18:01:11 ipsec,debug,packet ipsec: with key:
18:01:11 ipsec,debug,packet ipsec: a1e128b0 e6061f80 d4d79b35 c4051584
18:01:11 ipsec,debug,packet ipsec: decrypted payload by IV:
18:01:11 ipsec,debug,packet ipsec: e9d9aae8 063f8637 fe4a8fde 2e88e160
18:01:11 ipsec,debug,packet ipsec: decrypted payload, but not trimed.
18:01:11 ipsec,debug,packet ipsec: 0b000018 bcc8ac00 69517baa 5376bf2b 78e28f51 97a5e47a 00000020 00000001
18:01:11 ipsec,debug,packet ipsec: 01108d28 89cd089f cffc7173 b73b7f09 368e5799 37a251f9 00000000 00000000
18:01:11 ipsec,debug,packet ipsec: padding len=1
18:01:11 ipsec,debug,packet ipsec: skip to trim padding.
18:01:11 ipsec,debug,packet ipsec: decrypted.
18:01:11 ipsec,debug,packet ipsec: 89cd089f cffc7173 b73b7f09 368e5799 08100501 faebf738 0000005c 0b000018
18:01:11 ipsec,debug,packet ipsec: bcc8ac00 69517baa 5376bf2b 78e28f51 97a5e47a 00000020 00000001 01108d28
18:01:11 ipsec,debug,packet ipsec: 89cd089f cffc7173 b73b7f09 368e5799 37a251f9 00000000 00000000
18:01:11 ipsec,debug,packet ipsec: HASH with:
18:01:11 ipsec,debug,packet ipsec: faebf738 00000020 00000001 01108d28 89cd089f cffc7173 b73b7f09 368e5799
18:01:11 ipsec,debug,packet ipsec: 37a251f9
18:01:11 ipsec,debug,packet ipsec: hmac(hmac_sha1)
18:01:11 ipsec,debug,packet ipsec: HASH computed:
18:01:11 ipsec,debug,packet ipsec: bcc8ac00 69517baa 5376bf2b 78e28f51 97a5e47a
18:01:11 ipsec,debug ipsec: hash validated.
18:01:11 ipsec,debug ipsec: begin.
18:01:11 ipsec,debug ipsec: seen nptype=8(hash) len=24
18:01:11 ipsec,debug ipsec: seen nptype=11(notify) len=32
18:01:11 ipsec,debug ipsec: succeed.
18:01:11 ipsec,debug ipsec: RemotePublicIP notify: R_U_THERE
18:01:11 ipsec,debug ipsec: RemotePublicIP DPD R-U-There received
18:01:11 ipsec,debug,packet ipsec: compute IV for phase2
18:01:11 ipsec,debug,packet ipsec: phase1 last IV:
18:01:11 ipsec,debug,packet ipsec: 1121d506 8fd608ca e3397f26 7f0f3a06 b908a4fa
18:01:11 ipsec,debug ipsec: hash(sha1)
18:01:11 ipsec,debug,packet ipsec: encryption(aes)
18:01:11 ipsec,debug,packet ipsec: phase2 IV computed:
18:01:11 ipsec,debug,packet ipsec: ba63f470 5e07945a 6092553e f3b482a0
18:01:11 ipsec,debug,packet ipsec: HASH with:
18:01:11 ipsec,debug,packet ipsec: b908a4fa 00000020 00000001 01108d29 89cd089f cffc7173 b73b7f09 368e5799
18:01:11 ipsec,debug,packet ipsec: 37a251f9
18:01:11 ipsec,debug,packet ipsec: hmac(hmac_sha1)
18:01:11 ipsec,debug,packet ipsec: HASH computed:
18:01:11 ipsec,debug,packet ipsec: 119a28cc 02b71edd d0248005 e8fe3e9e 7b317e4b
18:01:11 ipsec,debug,packet ipsec: begin encryption.
18:01:11 ipsec,debug,packet ipsec: encryption(aes)
18:01:11 ipsec,debug,packet ipsec: pad length = 8
18:01:11 ipsec,debug,packet ipsec: 0b000018 119a28cc 02b71edd d0248005 e8fe3e9e 7b317e4b 00000020 00000001
18:01:11 ipsec,debug,packet ipsec: 01108d29 89cd089f cffc7173 b73b7f09 368e5799 37a251f9 feb3e3d4 b5c2bb07
18:01:11 ipsec,debug,packet ipsec: encryption(aes)
18:01:11 ipsec,debug,packet ipsec: with key:
18:01:11 ipsec,debug,packet ipsec: a1e128b0 e6061f80 d4d79b35 c4051584
18:01:11 ipsec,debug,packet ipsec: encrypted payload by IV:
18:01:11 ipsec,debug,packet ipsec: ba63f470 5e07945a 6092553e f3b482a0
18:01:11 ipsec,debug,packet ipsec: save IV for next:
18:01:11 ipsec,debug,packet ipsec: 77d972eb 4de0de28 2d48738c 9e5fce66
18:01:11 ipsec,debug,packet ipsec: encrypted.
18:01:11 ipsec,debug ipsec: 92 bytes from LocalPublicIP[500] to RemotePublicIP[500]
18:01:11 ipsec,debug ipsec: 1 times of 92 bytes message will be sent to RemotePublicIP[500]
18:01:11 ipsec,debug,packet ipsec: 89cd089f cffc7173 b73b7f09 368e5799 08100501 b908a4fa 0000005c a022488d
18:01:11 ipsec,debug,packet ipsec: f8d937b2 74a9572c ae02acec 8d641ac8 7d402ac5 13d423c2 ef567bb0 941063b1
18:01:11 ipsec,debug,packet ipsec: c685260f 97acc937 b3219006 77d972eb 4de0de28 2d48738c 9e5fce66
18:01:11 ipsec,debug ipsec: sendto Information notify.
18:01:11 ipsec,debug ipsec: received a valid R-U-THERE, ACK sent
--------------------------------------------------------------------
Any suggestion will be appreciated.

Thanks in advance.
Regards,
Damián
 
Kentzo
Long time Member
Posts: 631
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 3:00 am

What are the local and remote IPs that you expect to be routed, perhaps the policy is wrong? Make sure that src-address is the RB1100AHx4's LAN and dst-address is the remote.

Perhaps your firewall on the MikroTik is too restrictive?
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 3:52 am

Hello!

Thanks for your answer, Kentzo.
Local LAN is 192.168.5.0/24 and remote LAN is 10.10.10.0/24, I think this is ok.

About the firewall, these are almost the basic rules, with a few modifications to allow incoming IPsec, I think.
Export:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Winbox dst-port=82911 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Para L2TP + IPSEC" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Para L2TP + IPSEC" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
What do you think?
Thanks in advance.
Regards,
Damián
 
own3r1138
Forum Veteran
Posts: 728
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 4:12 am

 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 5:04 am

 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 3:23 pm

I read your link many times and I could not figure out what you mean.
Any suggestion?

Regards,
Damián
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 4:39 pm

Hello team!

It seems it is something with the MikroTik: on local computers (MikroTik side), doing a traceroute to a remote computer (pfSense side), no IP appears at all:
C:\>tracert -d 10.10.10.2

Tracing route to 10.10.10.2 over a maximum of 30 hops.

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
If I run a sniffer in the MikroTik, it shows all incoming packets but does not show whether it sends the packets anywhere:

tool/sniffer/quick ip-address=192.168.5.70 ip-protocol=icmp
INTERFACE     TIME    NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS   DST-ADDRESS  PROTOCOL  SIZE  CPU
ether3 - LAN  2.616   1    <-   88:AE:DD:02:7E:63  08:55:31:C7:FA:C4  192.168.5.70  10.10.10.2   ip:icmp   106   1
bridgeLAN     2.616   2    <-   88:AE:DD:02:7E:63  08:55:31:C7:FA:C4  192.168.5.70  10.10.10.2   ip:icmp   106   1
ether3 - LAN  6.62    3    <-   88:AE:DD:02:7E:63  08:55:31:C7:FA:C4  192.168.5.70  10.10.10.2   ip:icmp   106   1
bridgeLAN     6.62    4    <-   88:AE:DD:02:7E:63  08:55:31:C7:FA:C4  192.168.5.70  10.10.10.2   ip:icmp   106   1
ether3 - LAN  10.605  5    <-   88:AE:DD:02:7E:63  08:55:31:C7:FA:C4  192.168.5.70  10.10.10.2   ip:icmp   106   1
bridgeLAN     10.605  6    <-   88:AE:DD:02:7E:63  08:55:31:C7:FA:C4  192.168.5.70  10.10.10.2   ip:icmp   106   1

Everything is in the incoming direction.
Any idea?

Regards,
Damián
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec VPN is established but does not send packet  [SOLVED]

Wed Jun 14, 2023 10:07 pm

Finally, this started to work.
We added the option
ipsec-policy=out,none
to the src-nat rule

Regards,
Damián
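Added example (editor's addition, not posted in the thread): the srcnat rule as it usually looks on a default-config RouterOS box, beside the corrected form the thread settled on. The masquerade rule, its "defconf: masquerade" comment and the WAN interface list are assumed from the default configuration; the subnets are the thread's. The underlying point is that srcnat is applied before the IPsec policy lookup, so a LAN packet masqueraded to the public IP no longer matches src-address=192.168.5.0/24 in the policy and leaves the WAN unencrypted, which is exactly the "established but 0 Tx Packets" symptom.

```routeros
# Added example, not from the original thread.
# Assumed: default-config masquerade rule with comment "defconf: masquerade",
# interface list "WAN", local LAN 192.168.5.0/24, remote LAN 10.10.10.0/24.

# Before: every forwarded packet leaving via WAN gets masqueraded. For
# 192.168.5.x -> 10.10.10.x that happens before the IPsec policy check,
# so the rewritten source address never matches the policy and the
# packet goes out in the clear instead of into the tunnel.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"

# After (the fix from the thread): ipsec-policy=out,none matches only
# packets that will NOT be encapsulated by an outbound IPsec policy, so
# tunnel traffic falls through the masquerade rule untouched.
/ip firewall nat
set [ find comment="defconf: masquerade" ] ipsec-policy=out,none

# Equivalent alternative: an explicit accept for the tunnel subnets placed
# ahead of the masquerade rule, so later srcnat rules never see that traffic.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=10.10.10.0/24 \
    place-before=[ find comment="defconf: masquerade" ] comment="bypass NAT for IPsec to 10.10.10.0/24"

# Verify: Tx counters on the peer and byte counters on the outbound SA should
# start moving, and the masquerade rule's counters should stop growing for
# traffic towards 10.10.10.0/24.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip firewall nat print stats
```

Two caveats a practitioner will want. First, keep the "defconf: accept in ipsec policy" and "defconf: accept out ipsec policy" forward rules ahead of the fasttrack rule, as the default configuration does: fasttracked packets skip the IPsec policy lookup, so re-enabling fasttrack without that ordering would reintroduce the same symptom for established connections. Second, the ordering problem is symmetric: if a dst-nat rule ever rewrites 10.10.10.0/24 destinations, the policy will stop matching in the other direction too, and the same ipsec-policy matcher (in,ipsec) is the tool to exclude tunnel traffic there.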
 
Kentzo
Long time Member
Posts: 631
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPsec VPN is established but does not send packet

Wed Jun 14, 2023 11:11 pm

 