burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

IPsec tunnel not working RB951

Tue Dec 24, 2024 10:20 am

Hi All,

I purchased SurfShark VPN, but I am not able to set it up on my 951RB.
Can you please help?

Config is below:
# dec/24/2024 09:16:39 by RouterOS 6.49.17
# software id = BQNP-FVIM
#
# model = 951G-2HnD
# serial number = <removed>
/interface bridge
add admin-mac=4C:5E:0C:71:19:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-71193D wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=FRBD responder=no src-address-list=local
/ip ipsec policy group
add name=FRBD
/ip ipsec profile
add name=FRBD
/ip ipsec peer
add address=rs-beg.prod.surfshark.com disabled=yes exchange-mode=ike2 name=\
    FRBD profile=FRBD
/ip ipsec proposal
add name=FRBD pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
add address=192.168.88.254 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=\
    eap-mschapv2 generate-policy=port-strict mode-config=FRBD password=\
    a4Dt2LXXXXXXXXXXEXXX peer=FRBD policy-template-group=FRBD username=\
    dFyBTaXXXXXXXXXXXXXX
/ip ipsec policy
add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 \
    template=yes
/system clock
set time-zone-name=Europe/Belgrade
/system logging
add prefix=ipsec,debug topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by holvoetn on Tue Dec 24, 2024 10:23 am, edited 1 time in total.
Reason: Added code quotes for readability, removed serial
 
erlinden
Forum Guru
Posts: 2733
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 10:34 am

I checked the documentation (haven't used IPsec before), and found this:
https://wiki.mikrotik.com/Manual:IP/IPs ... figuration
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 name=ike2-gre
/ip ipsec proposal
add auth-algorithms=null enc-algorithms=aes-128-gcm name=ike2-gre pfs-group=none
/ip ipsec mode-config
add name=ike2-gre responder=no
/ip ipsec policy group
add name=ike2-gre
/ip ipsec policy
add dst-address=192.168.99.1/32 group=ike2-gre proposal=ike2-gre src-address=192.168.99.2/32 template=yes
/ip ipsec peer
add address=n.mynetname.net exchange-mode=ike2 name=p1.ez profile=ike2-gre
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-gre peer=p1.ez policy-template-group=ike2-gre secret=test
You probably won't need everything, but as there is no encryption in your config...at all...you missed some steps.
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 12:12 pm

Hi,

Not sure that configuration is the problem, since the tunnel is up, but I am not able to reach anything.
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 5:24 pm

Below is an IPsec debug:

# dec/24/2024 16:21:13 by RouterOS 6.49.17
# software id = BQNP-FVIM
#
16:18:15 ipsec ipsec,debug: payload seen: AUTH (28 bytes)
16:18:15 ipsec ipsec,debug: payload seen: CONFIG (40 bytes)
16:18:15 ipsec ipsec,debug: payload seen: SA (44 bytes)
16:18:15 ipsec ipsec,debug: payload seen: TS_I (24 bytes)
16:18:15 ipsec ipsec,debug: payload seen: TS_R (24 bytes)
16:18:15 ipsec ipsec,debug: processing payloads: NOTIFY (none found)
16:18:15 ipsec ipsec,debug: processing payload: AUTH
16:18:15 ipsec ipsec,debug: requested auth method: SKEY
16:18:15 ipsec,debug ipsec,debug: => peer's auth (size 0x14)
16:18:15 ipsec,debug ipsec,debug: be244eb3 d7552023 88138b28 6eab8f0b c83b265a
16:18:15 ipsec,debug ipsec,debug: => auth nonce (size 0x18)
16:18:15 ipsec,debug ipsec,debug: 68625d22 beeac987 425a1119 0b331241 7fc44530 d3a5bbf6
16:18:15 ipsec,debug ipsec,debug: => SK_p (size 0x14)
16:18:15 ipsec,debug ipsec,debug: 92dabba3 c2f82808 d13a2881 d449ac77 5a09b104
16:18:15 ipsec,debug ipsec,debug: => idhash (size 0x14)
16:18:15 ipsec,debug ipsec,debug: 8cd2d3f1 a338e260 56f74672 2a638c86 b839be2f
16:18:15 ipsec,debug ipsec,debug: => calculated peer's AUTH (size 0x14)
16:18:15 ipsec,debug ipsec,debug: be244eb3 d7552023 88138b28 6eab8f0b c83b265a
16:18:15 ipsec,info,account EAP authorized: FRBD 192.168.100.31[4500]-37.120.193.227[4500] spi:71f886bf3799c574:8e1e04b99491820b
16:18:15 ipsec,info,account ipsec,debug: EAP authorized: FRBD 192.168.100.31[4500]-37.120.193.227[4500] spi:71f886bf3799c574:8e1e04b99491820b
16:18:15 ipsec ipsec,debug: processing payloads: NOTIFY (none found)
16:18:15 ipsec ipsec,debug: peer selected tunnel mode
16:18:15 ipsec ipsec,debug: processing payload: SA
16:18:15 ipsec ipsec,debug: IKE Protocol: ESP
16:18:15 ipsec ipsec,debug: proposal #1
16:18:15 ipsec ipsec,debug: enc: aes256-cbc
16:18:15 ipsec ipsec,debug: auth: sha1
16:18:15 ipsec ipsec,debug: matched proposal:
16:18:15 ipsec ipsec,debug: proposal #1
16:18:15 ipsec ipsec,debug: enc: aes256-cbc
16:18:15 ipsec ipsec,debug: auth: sha1
16:18:15 ipsec ipsec,debug: processing payload: TS_I
16:18:15 ipsec ipsec,debug: 10.6.2.164
16:18:15 ipsec ipsec,debug: processing payload: TS_R
16:18:15 ipsec ipsec,debug: 0.0.0.0/0
16:18:15 ipsec ipsec,debug: updating my selectors
16:18:15 ipsec ipsec,debug: using selectors: 10.6.2.164 <=> 0.0.0.0/0
16:18:15 ipsec ipsec,debug: searching for policy for selector: 10.6.2.164 <=> 0.0.0.0/0
16:18:15 ipsec ipsec,debug: generating policy
16:18:15 ipsec,debug ipsec,debug: => child keymat (size 0x78)
16:18:15 ipsec ipsec,debug: IPsec-SA established: 37.120.193.227[4500]->192.168.100.31[4500] spi=0xfd68f91
16:18:15 ipsec ipsec,debug: IPsec-SA established: 192.168.100.31[4500]->37.120.193.227[4500] spi=0xc78d1c97
16:18:15 ipsec ipsec,debug: processing payload: CONFIG
16:18:15 ipsec ipsec,debug: attribute: internal IPv4 address size: 4
16:18:15 ipsec ipsec,debug: attribute: internal IPv4 DNS size: 4
16:18:15 ipsec ipsec,debug: attribute: internal IPv4 DNS size: 4
16:18:15 ipsec ipsec,debug: attribute: internal IPv4 netmask size: 4
16:18:15 ipsec ipsec,debug: got address 10.6.2.164
16:18:15 ipsec ipsec,debug: got netmask 255.255.255.255
16:18:15 ipsec ipsec,debug: exclusive dns 162.252.172.57
16:18:15 ipsec ipsec,debug: exclusive dns 149.154.159.92
16:18:17 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:18:21 system,error,critical login failure for user admin from 95.189.105.218 via telnet
16:18:24 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:18:24 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:18:24 ipsec,debug,packet ipsec,debug: ff
16:18:25 system,error,critical login failure for user supportadmin from 113.228.148.200 via telnet
16:18:31 system,error,critical login failure for user root from 95.189.105.218 via telnet
16:18:34 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:18:42 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:18:44 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:18:44 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:18:44 ipsec,debug,packet ipsec,debug: ff
16:18:51 system,error,critical login failure for user admin from 113.228.148.200 via telnet
16:18:59 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:19:04 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:19:04 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:19:04 ipsec,debug,packet ipsec,debug: ff
16:19:08 system,error,critical login failure for user admin from 113.228.148.200 via telnet
16:19:16 system,error,critical login failure for user admin from 113.228.148.200 via telnet
16:19:24 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:19:24 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:19:24 ipsec,debug,packet ipsec,debug: ff
16:19:24 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:19:33 system,error,critical login failure for user vstarcam2015 from 113.228.148.200 via telnet
16:19:41 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:19:44 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:19:44 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:19:44 ipsec,debug,packet ipsec,debug: ff
16:19:50 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:19:58 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:20:04 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:20:04 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:20:04 ipsec,debug,packet ipsec,debug: ff
16:20:07 system,error,critical login failure for user e8telnet from 113.228.148.200 via telnet
16:20:15 system,error,critical login failure for user cisco from 113.228.148.200 via telnet
16:20:15 ipsec ipsec,debug: sending dpd packet
16:20:15 ipsec ipsec,debug: <- ike2 request, exchange: INFORMATIONAL:7 37.120.193.227[4500] 71f886bf3799c574:8e1e04b99491820b
16:20:15 ipsec,debug,packet ipsec,debug: => outgoing plain packet (size 0x1c)
16:20:15 ipsec,debug,packet ipsec,debug: 71f886bf 3799c574 8e1e04b9 9491820b 00202508 00000007 0000001c
16:20:15 ipsec ipsec,debug: adding payload: ENC
16:20:15 ipsec,debug ipsec,debug: => (size 0x60)
16:20:15 ipsec,debug ipsec,debug: 00000060 05d64d4b 6df02aef 22398ee1 5cadab91 b75d01d4 0fe8e539 9a394082
16:20:15 ipsec,debug ipsec,debug: 27873817 ff0056b2 31c2435f 0509a72f 2a0b4a45 cd69b127 37d1e119 785a5b02
16:20:15 ipsec,debug ipsec,debug: b3653c04 b044d79e ddf7f3b4 b64cc4ee f187c8d5 00000010 00000000 00000000
16:20:15 ipsec,debug ipsec,debug: ===== sending 124 bytes from 192.168.100.31[4500] to 37.120.193.227[4500]
16:20:15 ipsec,debug ipsec,debug: 1 times of 128 bytes message will be sent to 37.120.193.227[4500]
16:20:15 ipsec,debug ipsec,debug: ===== received 76 bytes from 37.120.193.227[4500] to 192.168.100.31[4500]
16:20:15 ipsec,debug,packet ipsec,debug: 71f886bf 3799c574 8e1e04b9 9491820b 2e202520 00000007 0000004c 00000030
16:20:15 ipsec,debug,packet ipsec,debug: 762e9bc9 651b781c b141ca6d 6827d307 3b78d902 b3d82059 2ac50ed2 a9eede65
16:20:15 ipsec,debug,packet ipsec,debug: b5c8304c 9ac6bf8a 704f7226
16:20:15 ipsec ipsec,debug: -> ike2 reply, exchange: INFORMATIONAL:7 37.120.193.227[4500] 71f886bf3799c574:8e1e04b99491820b
16:20:15 ipsec ipsec,debug: payload seen: ENC (48 bytes)
16:20:15 ipsec ipsec,debug: processing payload: ENC
16:20:15 ipsec,debug ipsec,debug: => iv (size 0x10)
16:20:15 ipsec,debug ipsec,debug: 762e9bc9 651b781c b141ca6d 6827d307
16:20:15 ipsec,debug ipsec,debug: decrypted packet
16:20:15 ipsec,debug,packet ipsec,debug: => decrypted packet (size 0x1c)
16:20:15 ipsec,debug,packet ipsec,debug: 71f886bf 3799c574 8e1e04b9 9491820b 00202520 00000007 0000001c
16:20:15 ipsec ipsec,debug: respond: info
16:20:15 ipsec,debug ipsec,debug: reply ignored
16:20:23 system,error,critical login failure for user root from 113.228.148.200 via telnet
16:20:24 ipsec,debug ipsec,debug: KA: 192.168.100.31[4500]->37.120.193.227[4500]
16:20:24 ipsec,debug ipsec,debug: 1 times of 1 bytes message will be sent to 37.120.193.227[4500]
16:20:24 ipsec,debug,packet ipsec,debug: ff
16:20:32 system,error,critical login failure for user support from 113.228.148.200 via telnet
16:20:41 system,error,critical login failure for user admin from 113.228.148.200 via telnet
16:20:41 ipsec,info killing ike2 SA: FRBD 192.168.100.31[4500]-37.120.193.227[4500] spi:71f886bf3799c574:8e1e04b99491820b
16:20:41 ipsec,info ipsec,debug: killing ike2 SA: FRBD 192.168.100.31[4500]-37.120.193.227[4500] spi:71f886bf3799c574:8e1e04b99491820b
16:20:41 ipsec ipsec,debug: IPsec-SA killing: 37.120.193.227[4500]->192.168.100.31[4500] spi=0xfd68f91
16:20:41 ipsec ipsec,debug: IPsec-SA killing: 192.168.100.31[4500]->37.120.193.227[4500] spi=0xc78d1c97
16:20:41 ipsec ipsec,debug: removing generated policy
16:20:41 ipsec ipsec,debug: adding payload: DELETE
16:20:41 ipsec,debug ipsec,debug: => (size 0x8)
16:20:41 ipsec,debug ipsec,debug: 00000008 01000000
16:20:41 ipsec ipsec,debug: <- ike2 request, exchange: INFORMATIONAL:8 37.120.193.227[4500] 71f886bf3799c574:8e1e04b99491820b
16:20:41 ipsec,debug,packet ipsec,debug: => outgoing plain packet (size 0x24)
16:20:41 ipsec,debug,packet ipsec,debug: 71f886bf 3799c574 8e1e04b9 9491820b 2a202508 00000008 00000024 00000008
16:20:41 ipsec,debug,packet ipsec,debug: 01000000
16:20:41 ipsec ipsec,debug: adding payload: ENC
16:20:41 ipsec,debug ipsec,debug: => (size 0xf0)
16:20:41 ipsec,debug ipsec,debug: ===== sending 268 bytes from 192.168.100.31[4500] to 37.120.193.227[4500]
16:20:41 ipsec,debug ipsec,debug: 1 times of 272 bytes message will be sent to 37.120.193.227[4500]
16:20:41 ipsec ipsec,debug: KA remove: 192.168.100.31[4500]->37.120.193.227[4500]
16:20:41 ipsec,debug ipsec,debug: KA tree dump: 192.168.100.31[4500]->37.120.193.227[4500] (in_use=1)
16:20:41 ipsec,debug ipsec,debug: KA removing this one...
16:20:41 system,info ipsec peer FRBD changed by admin
Last edited by burca on Thu Dec 26, 2024 11:11 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 5:52 pm

@erlinden, your suggestion is for another type of connection - according to their own instruction specific for Mikrotik, Surfshark uses bare IKEv2.

@burca, the log only confirms that the IPsec connection sets up successfully, plus it reveals that at least while taking the log, you have disabled some firewall rules so telnet was open to the world - a bad idea.

So keep the firewall rules enabled and enable the peer and identity. Once the connection establishes, run ping 9.9.9.9 src-address=192.168.88.1 from the command line of the router, and post the output of the following commands:
/ip firewall nat print

/ip ipsec installed-sa print detail


You don't need to worry about the keys as they are ephemeral (by default, the lifetime of an SA is about 30 minutes), but if you want to be really safe, just disable the peer before posting, so that the keys would become useless immediately.
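To make the triage sindy does by eye repeatable, here is an added Python example (not code from the thread or from MikroTik) that parses RouterOS log lines of the kind posted above: it tracks which ESP SAs are still installed and flags management-service login failures arriving from outside the LAN, which is exactly what revealed the world-reachable telnet service here. The sample lines are constructed in the same format, with documentation addresses in place of the real ones.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the same "HH:MM:SS topics message" layout as the RouterOS
# log posted in the thread; hosts use documentation ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
16:18:15 ipsec,info,account EAP authorized: FRBD 192.168.100.31[4500]-198.51.100.7[4500] spi:71f886bf3799c574:8e1e04b99491820b
16:18:15 ipsec ipsec,debug: IPsec-SA established: 198.51.100.7[4500]->192.168.100.31[4500] spi=0xfd68f91
16:18:15 ipsec ipsec,debug: IPsec-SA established: 192.168.100.31[4500]->198.51.100.7[4500] spi=0xc78d1c97
16:18:17 system,error,critical login failure for user root from 192.0.2.10 via telnet
16:18:21 system,error,critical login failure for user admin from 192.0.2.99 via telnet
16:18:25 system,error,critical login failure for user supportadmin from 192.0.2.10 via telnet
16:18:34 system,error,critical login failure for user root from 192.0.2.10 via telnet
16:19:02 system,error,critical login failure for user admin from 192.168.88.20 via winbox
16:20:41 ipsec ipsec,debug: IPsec-SA killing: 198.51.100.7[4500]->192.168.100.31[4500] spi=0xfd68f91
"""

SA_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) ipsec ipsec,debug: IPsec-SA (?P<event>established|killing): "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>0x[0-9a-fA-F]+)$"
)
LOGIN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) system,error,critical login failure for user "
    r"(?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)$"
)


def triage(log_text, lan_networks=("192.168.88.0/24", "192.168.100.0/24")):
    """Summarise ESP SA lifecycle and login failures from a RouterOS log export."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    open_sas = {}             # spi -> "src->dst" for SAs established and not yet killed
    established = 0
    failures = Counter()      # (source ip, service) -> failed attempts
    users = defaultdict(set)  # source ip -> usernames tried
    exposed = set()           # management services that saw attempts from outside the LAN
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m:
            if m["event"] == "established":
                established += 1
                open_sas[m["spi"]] = f"{m['src']}->{m['dst']}"
            else:
                open_sas.pop(m["spi"], None)
            continue
        m = LOGIN_RE.match(line)
        if m:
            src = ipaddress.ip_address(m["src"])
            failures[(m["src"], m["svc"])] += 1
            users[m["src"]].add(m["user"])
            if not any(src in net for net in lans):
                exposed.add(m["svc"])
    return {
        "sas_established": established,
        "open_sas": open_sas,
        "failures": failures,
        "users": dict(users),
        "exposed_services": exposed,
    }


def brute_force_sources(result, min_attempts=3, min_users=2):
    """Sources that both hammer a service and cycle through usernames (password guessing)."""
    per_source = Counter()
    for (src, _svc), n in result["failures"].items():
        per_source[src] += n
    return sorted(
        src for src, n in per_source.items()
        if n >= min_attempts and len(result["users"][src]) >= min_users
    )


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("ESP SAs still installed:", r["open_sas"])
    print("services reachable from outside the LAN:", sorted(r["exposed_services"]))
    print("password-guessing sources:", brute_force_sources(r))
```

Any service listed under "exposed" should be closed on the WAN side (the default input chain's "drop all not coming from LAN" rule does that) or disabled under /ip service if unused.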
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 6:00 pm

Hi Sindy,

Thanks, I have re-enabled the rules in the FW.

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN
ipsec-policy=out,none

/ip ipsec installed-sa print detail
Flags: H - hw-aead, A - AH, E - ESP
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 6:02 pm

This cannot be the output while the IPsec connection is up.
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 10:58 pm

Ooh, sorry, IPsec was disabled.

/ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.6.1.80 src-address-list=local
dst-address-list=!local

1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none

/ip ipsec installed-sa print detail

Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0xB5DDFB4 src-address=146.70.111.109:4500
dst-address=192.168.100.31:4500 state=mature auth-algorithm=sha1
enc-algorithm=aes-cbc enc-key-size=256
auth-key="6b1f9331bc5065651d70130038d91328xxxxxxxx"
enc-key="abcd66d00a28b50c87ae3137365a5fd5e5611ad5d4d90c0xxxxxxxxxxx"
addtime=dec/24/2024 21:57:13 expires-in=29m37s add-lifetime=24m2s/30m3s
current-bytes=85897 current-packets=400 replay=128

1 E spi=0xC0CE6A7C src-address=192.168.100.31:4500
dst-address=146.70.111.109:4500 state=mature auth-algorithm=sha1
enc-algorithm=aes-cbc enc-key-size=256
auth-key="acd6a85d803fcb1c137fc3e97aexxxxxxxxx"
enc-key="147048c2b4d7b9d9472a0759a2b22c2e8cad560d8536d297a09xxxxxxx"
addtime=dec/24/2024 21:57:13 expires-in=29m37s add-lifetime=24m2s/30m3s
current-bytes=93076 current-packets=883 replay=128
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Tue Dec 24, 2024 11:08 pm

OK, this looks much better, but it also shows that everything works as it should - the src-nat rule pops up at the beginning of the srcnat chain in accord with the mode-config settings, and the SA carries traffic in both directions.

So did the pings to 9.9.9.9 get a response? If yes, disable the only action=fasttrack-connection rule in /ip firewall filter and try to open a web page from a PC or phone in the 192.168.88.0/24 subnet again - does it work that way?
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Wed Dec 25, 2024 11:23 pm

Hi Sindy,

I have disabled fasttrack, and am able to reach 9.9.9.9, but nothing better came out.
Same situation again.
I am not able to reach any webpage, only with disabled ipsec I can.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 10:39 am

OK, let's try another way, but keep the fasttrack rule disabled until we get further.

Disable the only mangle rule (action=change-mss) and apply the following command:
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=none place-before=[find where group=FRBD]
Then try accessing web pages again.
 
BartoszP
Forum Guru
Posts: 3081
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 11:07 am

@burca: could you please edit your post and trim it, as it seems to be a little "too long"? The hex dump makes no sense to analyze. viewtopic.php?p=1116397#p1116225
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 4:56 pm

Hi Sindy,

Did as proposed, and now I have access to webpages, but outside of IPSEC :(
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 5:43 pm

Wait - are you saying that the IPsec connection is active but the PC bypasses it?

What does /ip ipsec policy print detail show?
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 6:03 pm

...and sorry, in the policy with action=none you have added, change the src-address to 0.0.0.0/0, my mistake. It does not explain why the PC can bypass the tunnel, but the 192.168.88.0/24 as src-address was incorrect.

If it still does not work, consider using this way.
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 6:05 pm

Hi Sindy,

I have made a mistake and edited the IPsec policy related to the FRBD group.
Now it's edited as requested, and it's the same situation: the web page does not open.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Thu Dec 26, 2024 6:18 pm

Have you noticed this post?
 
burca
just joined
Topic Author
Posts: 23
Joined: Tue Apr 26, 2016 11:04 am

Re: IPsec tunnel not working RB951

Fri Dec 27, 2024 1:01 am

Hi Sindy,
nichky
Forum Guru
Posts: 1397
Joined: Tue Jun 23, 2015 2:35 pm

Re: IPsec tunnel not working RB951

Sat Dec 28, 2024 6:16 am

@burca

just curious, does that help?
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=192.168.88.0/24 action=none place-before=[find where group=FRBD]
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not working RB951

Sat Dec 28, 2024 12:51 pm

Yes and no. The summary is that with that action=none policy in place, the ICMP "packet too large" messages were indeed sent to the LAN host, but it was not enough to make the traffic pass through the tunnel. The action=change-mss ... new-mss=clamp-to-pmtu rule in mangle wasn't enough either, as clamp-to-out-interface-mtu would be a more appropriate description of what it actually does.

So to make it work, it was necessary to use the action=change-mss ... tcp-mss=1379-65535 new-mss=1378 rule in mangle. We did not investigate whether the PMTUD was actually failing in the server->client direction or whether the client in LAN was ignoring the "packet too large" messages as they were coming from the IP address the VPN server has assigned to the router (which should not be an issue normally as they can normally come from any router on the path, but the Windows firewall may have a different opinion).
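Since clamp-to-pmtu only looked at the out-interface MTU, the working fix needed an explicit MSS. As an added example (not from the thread or from MikroTik), the Python below computes the ESP overhead for the SA shown earlier (tunnel mode over UDP 4500, aes-cbc with sha1, so a 16-byte IV, 16-byte block padding and a 12-byte ICV are assumed) and checks whether a candidate MSS such as the thread's 1378 still fits a 1500-byte path; it also emits the mangle rule in the shape the thread ended with.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class EspParams:
    """Per-packet overhead of ESP tunnel mode over UDP 4500 (NAT-T) with aes-cbc + sha1,
    the combination in the installed-sa output above (assumed defaults)."""
    outer_ip: int = 20    # new outer IPv4 header added by tunnel mode
    nat_t_udp: int = 8    # UDP header used for NAT-T encapsulation (port 4500)
    esp_header: int = 8   # SPI (4) + sequence number (4)
    iv: int = 16          # AES-CBC initialisation vector
    block: int = 16       # AES block size: plaintext + padding + trailer is a multiple of it
    trailer: int = 2      # pad length (1) + next header (1)
    icv: int = 12         # HMAC-SHA1-96 integrity check value


INNER_HEADERS = 40  # inner IPv4 (20) + TCP (20) headers, no options


def encapsulated_size(tcp_payload: int, p: EspParams = EspParams()) -> int:
    """Bytes on the wire for one inner TCP segment carrying tcp_payload bytes."""
    plaintext = INNER_HEADERS + tcp_payload + p.trailer
    padded = math.ceil(plaintext / p.block) * p.block
    return p.outer_ip + p.nat_t_udp + p.esp_header + p.iv + padded + p.icv


def max_mss(path_mtu: int = 1500, p: EspParams = EspParams()) -> int:
    """Largest MSS whose segment still fits in path_mtu after ESP encapsulation."""
    fixed = p.outer_ip + p.nat_t_udp + p.esp_header + p.iv + p.icv
    padded = (path_mtu - fixed) // p.block * p.block
    return padded - p.trailer - INNER_HEADERS


def mss_fits(mss: int, path_mtu: int = 1500, p: EspParams = EspParams()) -> bool:
    return encapsulated_size(mss, p) <= path_mtu


def mangle_rule(mss: int) -> str:
    """RouterOS rule in the shape the thread ended with (tcp-mss=1379-65535 new-mss=1378)."""
    return (f"/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn "
            f"tcp-mss={mss + 1}-65535 action=change-mss new-mss={mss} passthrough=yes")


if __name__ == "__main__":
    print("max MSS behind NAT-T ESP on a 1500-byte path:", max_mss())
    print("1378 fits:", mss_fits(1378), "-> wire size", encapsulated_size(1378))
    print(mangle_rule(max_mss()))
```

The thread's 1378 sits a few bytes under the computed maximum, which is the right side to err on; a larger ICV (sha256) or an AEAD cipher changes the fixed overhead, so re-run the calculation when the proposal changes.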