TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

IPsec tunnel doesn't come up

Fri May 29, 2015 2:39 am

Hi.

I'm new to Mikrotik and using it for a couple of weeks.
I got two sites, using the 951G model. Both Mikrotiks are behind NAT, but I can manage both sides. The scheme is:

Mikrotik A --- Router A === INTERNET === Router B --- Mikrotik B
               (NAT here)                (NAT here)

I'm using port forwarding on one router and implemented an IPSEC site-to-site tunnel. It works fine, but if I reboot remote router B it doesn't come up.
Routers use dynamic public IPs, and I can overcome this with scripting and dyndns.
And interestingly, I didn't find a solution to this other than resetting the routers. I don't have an extensive configuration and it's easy to get everything back, but it's quite annoying.

So:
1. Clear the Mikrotiks.
2. Set up IPSec - works great (not really satisfied with the speed, but anyway).
3. Reboot Router B.
4. Correct the ipsec peer and ipsec policy data accordingly.
5. Doesn't work.
6. Reset, set up from scratch - works fine.

What might be a problem and how do I solve it?
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Sat May 30, 2015 12:51 am

Anyone??


One side:
[admin@Mikrotik] > ip ipsec peer print
Flags: X - disabled, D - dynamic
 0 address=aa.aa.aa.187/32 local-address=0.0.0.0 passive=no port=501 auth-method=pre-shared-key
 secret="xxxxxxxxxx" generate-policy=no policy-template-group=default exchange-mode=main
 send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

[admin@Mikrotik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
 level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=aa.aa.aa.187
 proposal=default priority=0

[admin@Mikrotik] > ip ipsec remote-peers print
 0 local-address=10.0.0.2 remote-address=aa.aa.aa.187 port=501 state=established side=initiator established=5m33s

Other side:
[admin@Mikrotik] > ip ipsec peer print
Flags: X - disabled, D - dynamic
 0 address=bb.bb.bb.107/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
 secret="xxxxxxxxx" generate-policy=no policy-template-group=default exchange-mode=main
 send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@Mikrotik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1 src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt
 level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=bb.bb.bb.107
 proposal=default priority=0
[admin@Mikrotik] > ip ipsec remote-peers print
 0 local-address=192.168.1.22 remote-address=bb.bb.bb.107 port=3 state=established side=responder established=7m52s
Firewall on one side:
ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add chain=input comment="default configuration = changed" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=\
 ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
The strangest thing is that it works if I set it up from an empty config. Traffic goes fine until one side gets a new public IP. After I change (manually or with a script) the peer IP it doesn't come up. The IPsec peer is there, ipsec installed-sa shows the connection is established, but I cannot ping the other network.
 
mocando
just joined
Posts: 13
Joined: Thu Jun 26, 2014 1:11 am

Re: IPsec tunnel doesn't come up

Sat May 30, 2015 3:46 am

TLN,

Try with
dpd-interval= disable DPD
dpd-maximum-failures=1

In both sides...
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Sat May 30, 2015 4:48 am

I've tried this before and it didn't work. And I've tried this right now - does not work.

As I understand it, it forms IPsec successfully, but traffic doesn't go through it:
ip ipsec remote-peers print shows the remote peer, state established.
ip ipsec installed-sa shows it correct on both sides.

Does IPsec use some ports besides 500?
It feels like something with NAT on one side. I might put the Mikrotik as DMZ on one of the routers and see if it helps.


Here are statistics from one side:
ip ipsec statistics print
                  in-errors: 0
           in-buffer-errors: 0
           in-header-errors: 0
               in-no-states: 0
   in-state-protocol-errors: 0
       in-state-mode-errors: 0
   in-state-sequence-errors: 0
           in-state-expired: 0
        in-state-mismatches: 0
           in-state-invalid: 0
     in-template-mismatches: 0
             in-no-policies: 0
          in-policy-blocked: 0
           in-policy-errors: 0
                 out-errors: 0
          out-bundle-errors: 0
    out-bundle-check-errors: 0
              out-no-states: 5578
  out-state-protocol-errors: 120
      out-state-mode-errors: 0
  out-state-sequence-errors: 0
          out-state-expired: 120
         out-policy-blocked: 0
            out-policy-dead: 0
          out-policy-errors: 0
What do out-no-states and out-state-protocol-errors mean?
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Sun May 31, 2015 9:41 pm

Anyone?
 
kburzyns
just joined
Posts: 14
Joined: Mon Mar 09, 2015 8:50 am

Re: IPsec tunnel doesn't come up

Mon Jun 01, 2015 8:45 am

At the very beginning you should enable NAT Traversal. It uses UDP port 4500.
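The three checks raised in this thread, put into one script as an added example (not code from any poster or from MikroTik): it parses the `peer print`, `policy print` and `statistics print` output in the RouterOS 6 format quoted above (constructed sample text with documentation addresses), flags an encrypt policy whose sa-dst-address no longer matches any peer address (the stale state left behind when a dynamic IP changes and only one of the two is corrected), flags peers with nat-traversal=no, and reports a non-zero out-no-states counter, which on RouterOS means outbound packets matched an IPsec policy but no SA was available to encrypt them.

```python
import re
# Constructed sample "print" output, modelled on the RouterOS 6 format quoted
# in the thread; addresses are documentation placeholders, not the poster's.
PEER_PRINT = """\
Flags: X - disabled, D - dynamic
 0 address=203.0.113.187/32 local-address=0.0.0.0 passive=no port=501 auth-method=pre-shared-key
   secret="xxxxxxxxxx" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
"""
POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
   level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=203.0.113.55
"""
STATS_PRINT = "    in-no-states: 0\n   out-no-states: 5578\n out-state-expired: 120\n"
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
ENTRY_RE = re.compile(r'^\s*(\d+)\s+(.*)$')         # numbered first line of an entry

def parse_print(text):
    """Turn numbered RouterOS 'print' output into one dict per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:                                       # new entry; otherwise a continuation line
            entries.append({"_id": int(m.group(1))})
            line = m.group(2)
        entries[-1].update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    return entries

def parse_stats(text):
    """Parse 'ip ipsec statistics print' (key: value lines) into ints."""
    return {k.strip(): int(v) for k, v in
            (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)}

def audit(peers, policies, stats):
    """Explain a tunnel that shows 'established' but passes no traffic."""
    findings = []
    peer_addrs = {p["address"].split("/")[0] for p in peers if "address" in p}
    for pol in policies:
        if pol.get("template") == "yes" or pol.get("action") != "encrypt":
            continue
        if pol.get("sa-dst-address") not in peer_addrs:   # stale after an IP change
            findings.append(f"policy {pol['_id']}: sa-dst-address {pol.get('sa-dst-address')} "
                            f"matches no peer address {sorted(peer_addrs)}")
    for p in peers:
        if p.get("nat-traversal") == "no":
            findings.append(f"peer {p['_id']}: nat-traversal=no; NAT-T (UDP 4500) is off")
    if stats.get("out-no-states", 0):
        findings.append(f"out-no-states={stats['out-no-states']}: outbound packets "
                        "matched a policy but had no SA to use")
    return findings
```

Run `audit(parse_print(PEER_PRINT), parse_print(POLICY_PRINT), parse_stats(STATS_PRINT))` against output copied from both routers; once the policy's sa-dst-address is corrected to the peer's current address, the first finding disappears.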
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Mon Jun 01, 2015 8:51 pm

Why do I need this?
I mean if it does work without NAT-T option in the beginning.
And I got port forwarding set on router.
 
mocando
just joined
Posts: 13
Joined: Thu Jun 26, 2014 1:11 am

Re: IPsec tunnel doesn't come up

Wed Jun 03, 2015 6:55 am

TLN,

Did you solve the issue?
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Thu Jun 04, 2015 1:31 am

Nope.

I have reset the remote side router, then forwarded port 4500 to the Mikrotik.
A strange thing happens: after I do "ip ipsec remote-peers kill-connection" on both sides it establishes the connection very fast (1-5 sec and a bit more for the SA to show up) but traffic doesn't work. I checked it an hour later - everything works. But it only works until the remote side gets a new IP within 24hr.

I'm thinking of setting up a DMZ on my side and pointing it to the Mikrotik. I'd prefer to forward only some ports, but the Comcast router doesn't allow me to do that.
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Fri Jun 05, 2015 3:21 am

Ok, I have set the DMZ on one router to point to the Mikrotik and reset both routers once more.
Now it works fine, but I guess it will fail in 24hrs.

Here is what I did to make it work:
[admin@BBBBBBBBBb] > ip ipsec peer print
Flags: X - disabled, D - dynamic
 0    address=aa.aa.aa.107/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
      secret="aaaaaaaaaaaaa" generate-policy=no policy-template-group=default exchange-mode=main
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
      dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@BBBBBBBBBb] > ip ipsec
installed-sa  key  mode-config  peer  policy  proposal  remote-peers  statistics  user  export
[admin@BBBBBBBBBb] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1     src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=aa.aa.aa.107
       proposal=default priority=0
[admin@BBBBBBBBBb] > ip firewall na print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
[admin@BBBBBBBBBb] >

another side:
[admin@AAAAAAAAAA] > ip ipsec peer print
Flags: X - disabled, D - dynamic
 0    address=BB.BB.BB.81/32 local-address=0.0.0.0 passive=no port=501 auth-method=pre-shared-key
      secret="aaaaaaaa" generate-policy=no policy-template-group=default exchange-mode=main
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
      dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@AAAAAAAAAA] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1     src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=BB.BB.BB.81
       proposal=default priority=0
[admin@AAAAAAAAAA] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

 1    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
[admin@AAAAAAAAAA] >
Should be pretty much the same, as I posted earlier. And now with that config it works.

What logs do I need to enable to get needed info before it fails?
 
TLN
just joined
Topic Author
Posts: 10
Joined: Fri May 29, 2015 2:30 am

Re: IPsec tunnel doesn't come up

Wed Jun 10, 2015 5:11 am

Looks like my ipsec tunnel and scripts work. It's been up for 5 days, and one side definitely had several dynamic IPs during that time.

I've just put the Mikrotik as DMZ and it was ok.
PM me if anyone has questions.