amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

3.0beta7: ipsec in tunnel mode still not working...

Tue Apr 10, 2007 10:34 am

Hi,

this is a public request for getting more info about support tickets Ticket#2007040566000286 and Ticket#2007031666000249.

These tickets are _still_ open and _still_ officially unanswered by support!


(A) Short analysis

The problem is that we cannot reach any hosts behind the router (btw: router is set as default gw on both sides of the link).

From technical analysis (see below) it seems that the decrypted packets appear at the 'outside' interface and we're not sure if this is correct.

Same configuration works in 2.9.42. What is different in 3.0beta7? Or bug? Any fix?


(B) Technical analysis

We're trying to use ipsec in tunnel mode to connect network 172.17.0.0/16 to 172.16.0.0/16 via ipsec. The SAs get installed and we have the packet counter increasing on both sides to indicate running traffic across the ipsec link.

Now, we're trying to reach hosts 'behind' the router. For example, we're trying to ping from 172.17.2.113 to 172.16.1.4 across the ipsec link.

For debugging purposes, we're checking the ping answer 'return' coming from the 172.16.1.4 host: For this, we have a test rule on the 172.17.0.0 router which should show that there's a valid packet (the ping response packet) received by this router.
/ip firewall mangle
 1   chain=prerouting src-address=172.16.1.4 action=log log-prefix=""    // check if packet is coming from other host....
Output in log is then:
time=18:34:30 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:04....  proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60 
So, from my view, this says that the return packet via 'ipsec' was successfully received and decrypted by the router and is in the prerouting chain now. This also seems true, because of the increasing ipsec packet counters.

Next, I was expecting to "find" this ping-response packet in the forward chain, but moving the above rule to the 'forward' chain does not log the packet. But if it is not found in the 'forward' chain, it cannot be found by any host 'behind' the router. Notice the "in:outside" text above. The ipsec decrypted ping-response is coming via the 'outside' interface. Is this okay?

Anyone having same trouble? Or even better: Anyone having a working ipsec config in tunnel mode for 3.0beta7?

I'm still confused, because all this worked in 2.9.42.

Thanks for any info here...
Achim
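
Added example, not part of the original post: a small Python script that automates the check described above by correlating firewall log lines and reporting flows that were logged in prerouting but never reached forward. It assumes the same log rule (empty log-prefix) is present in both chains at once; the log lines are constructed in the shape of the one quoted in the post, and the function names are hypothetical.

```python
import re

# Shape of the RouterOS firewall log line quoted in the post. With an empty
# log-prefix the message starts with the chain name.
LINE = re.compile(
    r"message=(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+),"
    r".*?proto (?P<proto>\w+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?->(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

def parse(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE.search(line)
    return m.groupdict() if m else None

def dropped_before_forward(lines):
    """Return flows that were logged in prerouting but never in forward."""
    seen = {}
    for line in lines:
        rec = parse(line)
        if rec:
            flow = (rec["proto"], rec["src"], rec["dst"])
            seen.setdefault(flow, {})[rec["chain"]] = rec["in_if"]
    return [
        {"flow": flow, "in_if": chains["prerouting"]}
        for flow, chains in seen.items()
        if "prerouting" in chains and "forward" not in chains
    ]

# Constructed sample log (assumption: log rule present in both chains).
SAMPLE_LOG = [
    # The decrypted ping reply from the post: seen in prerouting only.
    "time=18:34:30 topics=firewall,info message=prerouting: in:outside out:(none), "
    "src-mac 00:00:5e:00:53:01, proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60",
    # A constructed flow that does make it into the forward chain.
    "time=18:34:31 topics=firewall,info message=prerouting: in:outside out:(none), "
    "src-mac 00:00:5e:00:53:01, proto ICMP (type 0, code 0), 172.16.1.5->172.17.2.114, len 60",
    "time=18:34:31 topics=firewall,info message=forward: in:outside out:inside, "
    "src-mac 00:00:5e:00:53:01, proto ICMP (type 0, code 0), 172.16.1.5->172.17.2.114, len 60",
]

if __name__ == "__main__":
    for hit in dropped_before_forward(SAMPLE_LOG):
        proto, src, dst = hit["flow"]
        print(f"{proto} {src}->{dst} entered via '{hit['in_if']}' but was never forwarded")
```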
 
NathanA
Forum Veteran
Posts: 829
Joined: Tue Aug 03, 2004 9:01 am

Re: 3.0beta7: ipsec in tunnel mode still not working...

Fri Apr 13, 2007 4:44 am

> These tickets are _still_ open and _still_ officially unanswered by support!
I, too, have a couple of tickets open (for different issues) that also seem to have fallen by the wayside. At least I've never gotten any response from a human yet, even to a simple licensing question. :)

Not sure what's going on over there in the Riga offices. They must be really busy right now, swamped with work. I mean, Normis hasn't even made a post to the forums since the 5th!

Sorry for going off-topic here...

-- Nathan
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Fri Apr 13, 2007 5:13 pm

too many mums.
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Tue Apr 17, 2007 10:40 am

But support - or at least feedback - is essential for a beta product, isn't it?

We cannot recommend any more licenses to our clients if support is so sluggish....

Achim
 
normis
MikroTik Support
Posts: 26916
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Tue Apr 17, 2007 10:40 am

emails are getting answered fast. hold on for a few hours :)
 
NathanA
Forum Veteran
Posts: 829
Joined: Tue Aug 03, 2004 9:01 am

Tue Apr 17, 2007 10:44 pm

> emails are getting answered fast. hold on for a few hours :)
I can attest to that...both of my open tickets (not beta-related) were responded to within the last couple days, and the responses were more than satisfactory. Thanks, guys!
> But support - or at least feedback - is essential for a beta product, isn't it?
Actually, I would say that the opposite is the case: support is essential for a production or stable product. Otherwise, what am I paying for? Feedback is essential to beta testers, yes, but if I were a software company, I would give my highest priority to customers paying for my "stable" code. Although I agree to some extent with Scott's argument, it still surprises me when people roll out code labelled BETA and then gripe when something goes wrong. Beta code is put up for you to test. If you want to risk it on your production network with your paying customers, then go right ahead, but MikroTik released the code to you with the disclaimer that it isn't finished! :)

-- Nathan
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Wed Apr 18, 2007 10:26 am


> I can attest to that...both of my open tickets (not beta-related) were responded
Glad to hear. Unfortunately, my beta-related tickets are still open.
Normis?
> Actually, I would say that the opposite is the case: support is essential for a production or stable product.
Yes, you are right. But if you want to use the Community as (non-paid) beta testers, feedback (or at least some sort of "yes, this is bug...") would be fine.

Achim

PS: Umpf - quite off-topic here, right? :)
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Mon Apr 30, 2007 4:33 pm

> Hello,
> IPsec will be repaired in beta8.
>
> Regards,
Thanks guys for this feedback.

Achim
