3.0beta7: ipsec in tunnel mode still not working...

Posted: Tue Apr 10, 2007 10:34 am
by amode
Hi,

this is a public request for getting more info about support tickets Ticket#2007040566000286 and Ticket#2007031666000249.

These tickets are _still_ open and _still_ officially unanswered by support!


(A) Short analysis

The problem is that we cannot reach any hosts behind the router (btw: router is set as default gw on both sides of the link).

From technical analysis (see below) it seems that the decrypted packets appear at the 'outside' interface and we're not sure if this is correct.

Same configuration works in 2.9.42. What is different in 3.0beta7? Or bug? Any fix?


(B) Technical analysis

We're trying to use ipsec in tunnel mode to connect network 172.17.0.0/16 to 172.16.0.0/16 via ipsec. The SAs get installed and we have the packet counter increasing on both sides to indicate running traffic across the ipsec link.

Now, we're trying to reach hosts 'behind' the router. For example, we're trying to ping from 172.17.2.113 to 172.16.1.4 across the ipsec link.

For debugging purposes, we're checking the ping answer 'return' coming from the 172.16.1.4 host: For this, we have a test rule on the 172.17.0.0 router which should show that there's a valid packet (the ping response packet) received by this router.
/ip firewall mangle
 1   chain=prerouting src-address=172.16.1.4 action=log log-prefix=""    // check if packet is coming from other host....
Output in log is then:
time=18:34:30 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:04....  proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60 
So, from my view, this says that the return packet via 'ipsec' was successfully received and decrypted by the router and is in the prerouting chain now. This also seems true, because of the increasing ipsec packet counters.

Next, I was expecting to "find" this ping-response packet in the forward chain, but moving the above rule to the 'forward' chain does not log the packet. But if it is not found in the 'forward' chain, it cannot be found by any host 'behind' the router. Notice the "in:outside" text above. The ipsec decrypted ping-response is coming via the 'outside' interface. Is this okay?

Anyone having same trouble? Or even better: Anyone having a working ipsec config in tunnel mode for 3.0beta7?

I'm still confused, because all this worked in 2.9.42.

Thanks for any info here...
Achim
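Achim's method above checks, chain by chain, whether the decrypted reply makes it from prerouting into forward. The script below is an added example, not code from the post or from MikroTik: it automates that comparison over exported RouterOS firewall log lines in the format shown above, assuming the same log rule was placed in both the prerouting and forward chains. The sample log lines are constructed to match that format (they are not real router output), and the interface names 'outside' and 'inside' are assumptions.

```python
"""Correlate RouterOS firewall log lines across chains (added example).

Assumes a `action=log` rule matching the same traffic exists in both the
prerouting and forward chains, and that the log was exported as plain text.
The SAMPLE_LOG below is constructed to mimic the format in the post.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the ICMP echo reply is seen in prerouting (arriving on
# 'outside' after IPsec decryption) but never reaches forward; a TCP SYN from
# the inside is shown in both chains for contrast.
SAMPLE_LOG = """\
time=18:34:30 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:04:aa:bb:cc:dd, proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60
time=18:34:31 topics=firewall,info message=prerouting: in:outside out:(none), src-mac 00:04:aa:bb:cc:dd, proto ICMP (type 0, code 0), 172.16.1.4->172.17.2.113, len 60
time=18:34:40 topics=firewall,info message=prerouting: in:inside out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 172.17.2.113:51000->172.16.1.4:22, len 60
time=18:34:40 topics=firewall,info message=forward: in:inside out:outside, src-mac 00:11:22:33:44:55, proto TCP (SYN), 172.17.2.113:51000->172.16.1.4:22, len 60
"""

# One log line as printed by RouterOS with an empty log-prefix.
LINE_RE = re.compile(
    r"^time=(?P<time>\S+)\s+topics=(?P<topics>\S+)\s+message=(?P<chain>\w+):\s+"
    r"in:(?P<in_if>\S+)\s+out:(?P<out_if>\S+),\s+"
    r"(?:src-mac\s+(?P<src_mac>\S+),\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\((?P<detail>[^)]*)\))?,\s+"
    r"(?P<src>\S+)->(?P<dst>\S+),\s+len\s+(?P<length>\d+)\s*$"
)


@dataclass(frozen=True)
class Packet:
    time: str
    chain: str
    in_if: str
    out_if: str
    proto: str
    src: str   # for TCP/UDP this includes the port, e.g. 172.17.2.113:51000
    dst: str
    length: int


def parse_line(line: str):
    """Return a Packet for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["time"], m["chain"], m["in_if"], m["out_if"],
                  m["proto"], m["src"], m["dst"], int(m["length"]))


def parse_log(text: str):
    """Parse every matching line; unrelated log lines are skipped."""
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def flow_key(p: Packet):
    """Identify a flow by protocol and endpoints (ports included where logged)."""
    return (p.proto, p.src, p.dst)


def chains_seen(packets):
    """Map each flow to the set of chains in which the log rule fired."""
    seen = defaultdict(set)
    for p in packets:
        seen[flow_key(p)].add(p.chain)
    return dict(seen)


def stranded_flows(packets, in_if=None):
    """Flows logged in prerouting that never appear in forward.

    These packets were accepted by the router (for IPsec: already decrypted)
    but not forwarded to a host behind it, so they were either delivered
    locally (input chain) or dropped. `in_if` restricts the check to packets
    that entered on that interface, e.g. the IPsec-facing 'outside'.
    """
    candidates = {flow_key(p) for p in packets
                  if p.chain == "prerouting" and (in_if is None or p.in_if == in_if)}
    return sorted(key for key, chains in chains_seen(packets).items()
                  if key in candidates and "forward" not in chains)


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for key in stranded_flows(pkts, in_if="outside"):
        proto, src, dst = key
        print(f"{proto} {src}->{dst}: seen in prerouting on 'outside', never in forward")
```

Run it over a log exported from the router (for example the output of `/log print` filtered to the firewall topic) instead of SAMPLE_LOG; a flow that shows up as stranded is the one to chase in the input and routing decision, which is exactly the gap the post observes for the decrypted ping reply.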

Re: 3.0beta7: ipsec in tunnel mode still not working...

Posted: Fri Apr 13, 2007 4:44 am
by NathanA
These tickets are _still_ open and _still_ officially unanswered by support!
I, too, have a couple of tickets open (for different issues) that also seem to have fallen by the wayside. At least I've never gotten any response from a human yet, even to a simple licensing question. :)

Not sure what's going on over there in the Riga offices. They must be really busy right now, swamped with work. I mean, Normis hasn't even made a post to the forums since the 5th!

Sorry for going off-topic here...

-- Nathan

Posted: Fri Apr 13, 2007 5:13 pm
by changeip
too many mums.

Posted: Tue Apr 17, 2007 10:40 am
by amode
But support - or at least feedback - is essential for a beta product, isn't it?

We cannot recommend any more licenses to our clients if support is so sluggish....

Achim

Posted: Tue Apr 17, 2007 10:40 am
by normis
emails are getting answered fast. hold on for a few hours :)

Posted: Tue Apr 17, 2007 10:44 pm
by NathanA
emails are getting answered fast. hold on for a few hours :)
I can attest to that...both of my open tickets (not beta-related) were responded to within the last couple days, and the responses were more than satisfactory. Thanks, guys!
But support - or at least feedback - is essential for a beta product, isn't it?
Actually, I would say that the opposite is the case: support is essential for a production or stable product. Otherwise, what am I paying for? Feedback is essential to beta testers, yes, but if I were a software company, I would give my highest priority to customers paying for my "stable" code. Although I agree to some extent with Scott's argument, it still surprises me when people roll out code labelled BETA and then gripe when something goes wrong. Beta code is put up for you to test. If you want to risk it on your production network with your paying customers, then go right ahead, but MikroTik released the code to you with the disclaimer that it isn't finished! :)

-- Nathan

Posted: Wed Apr 18, 2007 10:26 am
by amode

I can attest to that...both of my open tickets (not beta-related) were responded
Glad to hear. Unfortunately, my beta-related tickets are still open.
Normis?
Actually, I would say that the opposite is the case: support is essential for a production or stable product.
Yes, you are right. But if you want to use the Community as (non-paid) beta testers, feedback (or at least some sort of "yes, this is a bug...") would be fine.

Achim

PS: Umpf - quite off-topic here, right? :)

Posted: Mon Apr 30, 2007 4:33 pm
by amode
Hello,
IPsec will be repaired in beta8.
Regards,

Thanks guys for this feedback.

Achim