Working ipv6 ipsec configuration got broken (possibly after update)
Posted: Thu Apr 28, 2016 1:35 am
I have a MikroTik at an ISP which provides native IPv6 via SLAAC on a PPPoE interface, plus delegates a prefix via DHCP. I had IPsec configured for certain networks and everything worked perfectly until a week or two ago. Unfortunately, I did not notice whether the problem appeared after recent updates. Current version is 6.35.1.

Code:
[stigger@mikrotik] /log> /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
 #    ADDRESS                       FROM-POOL  INTERFACE       ADVERTISE
 0  G 2a02:1c8:101:892::1/64        ufanet     bridge-local    yes
 1 DL fe80::d6ca:6dff:fe92:a2ed/64             bridge-local    no
 2 DL fe80::d6ca:6dff:fe92:a2ec/64             ether1-gateway  no
 3 DL fe80::c/64                               ufanet          no

ufanet is the PPPoE interface. The only global address visible here is generated from the prefix acquired via DHCP.

Code:
[stigger@mikrotik] /log> /ip ipsec peer print
Flags: X - disabled, D - dynamic
 0 address=2001:470:1f0b:c2b::2/128 local-address=0.0.0.0 passive=no port=500 auth-method=rsa-key key=ufa remote-key=spb generate-policy=no policy-template-group=group exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=claim hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Code:
[stigger@mikrotik] /log> /ip ipsec policy print without-paging
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
 0 src-address=2a02:1c8:101:892::/64 src-port=any dst-address=2001:470:1f0b:c2b::/64 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=2a02:1c8:101:892::1 sa-dst-address=2001:470:1f0b:c2b::2 proposal=default priority=0
 1 src-address=2a02:1c8:101:892::/64 src-port=any dst-address=2001:470:71ac::/64 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=2a02:1c8:101:892::1 sa-dst-address=2001:470:1f0b:c2b::2 proposal=default priority=0

Now, what exactly is wrong:

Code:
apr/28 03:18:14 ipsec,debug,packet ===
apr/28 03:18:14 ipsec,debug initiate new phase 1 negotiation: 2a02:1c8:100:33bc::c[500]<=>2001:470:1f0b:c2b::2[500]
apr/28 03:18:14 ipsec,debug begin Identity Protection mode.
apr/28 03:18:14 ipsec,debug,packet new cookie:
apr/28 03:18:14 ipsec,debug,packet cd7c9248670f7773
apr/28 03:18:14 ipsec,debug,packet add payload of len 52, next type 13
apr/28 03:18:14 ipsec,debug,packet add payload of len 16, next type 13
apr/28 03:18:14 ipsec,debug,packet add payload of len 16, next type 0
apr/28 03:18:14 ipsec,debug socket not found for address: 2a02:1c8:100:33bc::c
apr/28 03:18:14 ipsec,error phase1 negotiation failed due to send error. 2a02:1c8:100:33bc::c[500]<=>2001:470:1f0b:c2b::2[500] cd7c9248670f7773:0000000000000000
apr/28 03:18:14 ipsec,debug failed to begin ISAKMP SA negotiation

OK, so... 2a02:1c8:100:33bc::c. What is this? I don't see this address in /ipv6 address print. It's routable and I can log in to my MikroTik using that IP. Where did it come from? My guess is that it is the IP obtained via SLAAC on the ufanet PPPoE interface, but then why is it not visible in the UI? And why wasn't this a problem before?

I could just use that IP as an endpoint, but my ISP provides IPv6 prefixes dynamically, so I have a bunch of scripts to adjust the IPsec configuration and to publish the actual address to DNS. Therefore, unless there is a way to somehow extract that address from the scripts, I cannot do that.
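As an added example (not from the post and not MikroTik code), a small Python checker over IPsec debug log lines in the format quoted above: it flags a phase 1 negotiation whose local address differs from the policies' sa-src-address or is absent from the router's own address list, plus the "socket not found" and send-error lines, which is exactly the mismatch described here. The address list and sa-src-address are taken from the post; the log lines are constructed to match its format.

```python
import re
from ipaddress import ip_address

# Regexes for the three RouterOS ipsec log lines the post shows.
PHASE1_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
NO_SOCKET_RE = re.compile(r"socket not found for address: (\S+)")
SEND_ERR_RE = re.compile(r"phase1 negotiation failed due to send error\. (\S+)\[\d+\]<=>(\S+)\[\d+\]")

# From '/ipv6 address print' in the post (prefix lengths stripped).
KNOWN_LOCAL_ADDRESSES = {
    "2a02:1c8:101:892::1",
    "fe80::d6ca:6dff:fe92:a2ed",
    "fe80::d6ca:6dff:fe92:a2ec",
    "fe80::c",
}
# sa-src-address of both policies in the post.
POLICY_SA_SRC = "2a02:1c8:101:892::1"

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
apr/28 03:18:14 ipsec,debug initiate new phase 1 negotiation: 2a02:1c8:100:33bc::c[500]<=>2001:470:1f0b:c2b::2[500]
apr/28 03:18:14 ipsec,debug begin Identity Protection mode.
apr/28 03:18:14 ipsec,debug socket not found for address: 2a02:1c8:100:33bc::c
apr/28 03:18:14 ipsec,error phase1 negotiation failed due to send error. 2a02:1c8:100:33bc::c[500]<=>2001:470:1f0b:c2b::2[500] cd7c9248670f7773:0000000000000000
"""


def check_phase1(log_text, known_local_addresses, expected_local):
    """Return (kind, local, remote) findings for IKE source-address problems.

    'unexpected-local': IKE chose a source other than the policies' sa-src-address.
    'unknown-local':    that source is not in the router's address list at all.
    'no-socket' / 'send-error': the resulting failures as logged by RouterOS.
    """
    known = {ip_address(a) for a in known_local_addresses}
    expected = ip_address(expected_local)
    findings = []
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            local, remote = ip_address(m.group(1)), ip_address(m.group(2))
            if local != expected:
                findings.append(("unexpected-local", str(local), str(remote)))
            if local not in known:
                findings.append(("unknown-local", str(local), str(remote)))
        elif m := NO_SOCKET_RE.search(line):
            findings.append(("no-socket", str(ip_address(m.group(1))), None))
        elif m := SEND_ERR_RE.search(line):
            findings.append(("send-error", m.group(1), m.group(2)))
    return findings
```

Run on the sample, the checker reports that 2a02:1c8:100:33bc::c is neither the policies' sa-src-address nor any address the router lists, before the no-socket and send-error lines confirm the failure.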