Hi,

this is a public request for getting more info about support tickets Ticket#2007040566000286 and Ticket#2007031666000249.

These tickes are _still_ open and _still_ officially unanswered by support!


(A) Short analysis

The problem is that we cannot reach any hosts behind the router (btw: router is set as default gw on both sides of the link).

From technical analysis (see below) it seems that the decryped packets appear at the 'outside' interface and we're not sure if this is correct.

Same confiuration works in 2.9.42. What is different in 3.0beta7? Or bug? Any fix?


(B) Technical analysis

We're trying to use ipsec in tunnel mode to connect network 172.17.0.0/16 to 172.16.0.0/16 via ipsec. The SAs get installed and we have the packet counter increasing on both sides to indicate running traffic across the ipsec link.

Now, we're trying to reach hosts 'behind' the router. For example, we're trying to ping from 172.17.2.113 to 172.16.1.4 across the ipsec link.

For debugging purposes, we're checking the ping answer 'return' coming from the 172.16.1.4 host: For this, we have a test rule on the 172.17.0.0 router which should show that there's a valid packet (the ping response packet) received by this router.
Output in log is then: So, from my view, this says the the return packet via 'ipsec' was sucessfully received and decrypted by the router and is in the prerouting chain now. This also seems true, because of the increasing ipsec packet counters.

Next, I was expecting to "find" this ping-response packet in the forward chain, but moving the above rule to the 'forward' chain does not log the packet. But if it is not found in the 'forward' chain, it cannot be found by any host 'behind' the router. Notice the "in:outside" text above. The ipsec decrypted ping-resonse is coming via the 'outside' interface. Is this okay?

Anyone having same trouble? Or even better: Anyone having a working ipsec config in tunnel mode for 3.0beta7?

I'm still confused, because all this worked in 2.9.42.

Thanks for any info here...
Achim

These tickes are _still_ open and _still_ officially unanswered by support!

I, too, have a couple of tickets open (for different issues) that also seem to have fallen by the wayside. At least I've never gotten any response from a human yet, even to a simple licensing question.

Not sure what's going on over there in the Riga offices. They must be really busy right now, swamped with work. I mean, Normis hasn't even made a post to the forums since the 5th!

Sorry for going off-topic here...

-- Nathan

too many mums.

But support - or at least feedback - is essential for a beta product, isn't it?

We cannot recommend any more licenses to our clients if support is so sluggish....

Achim

emails are getting answered fast. hold on for a few hours

I can attest to that...both of my open tickets (not beta-related) were responded to within the last couple days, and the responses were more than satisfactory. Thanks, guys!

But support - or at least feedback - is essential for a beta product, isn't it?

Actually, I would say that the opposite is the case: support is essential for a production or stable product. Otherwise, what am I paying for? Feedback is essential to beta testers, yes, but if I were a software company, I would give my highest priority to customers paying for my "stable" code. Although I agree to some extent with Scott's argument, it still surprises me when people roll out code labelled BETA and then gripe when something goes wrong. Beta code is put up for you to test. If you want to risk it on your production network with your paying customers, then go right ahead, but MikroTik released the code to you with the disclaimer that it isn't finished!

-- Nathan

I can attest to that...both of my open tickets (not beta-related) were responded

Glad to hear. Unfortunately, my beta-related tickets are stil open.
Normis?

Actually, I would say that the opposite is the case: support is essential for a production or stable product.

Yes, you are right. But if you want to use the Community as (non-paid) beta testers, feedback (or at least some sort of "yes, this is bug...") would be fine.

Achim

PS: Umpf - quite off-topic here, right?

Hello,
IPsec will be repaired in beta8.

Regards,

Thanks guys for this feedback.

Achim