BjoernG
just joined
Topic Author
Posts: 1
Joined: Sun Jan 19, 2020 1:29 pm

Two problems regarding IPSec

Sun Jan 19, 2020 1:56 pm

Hi all,

I got three sites connected to each other through IPSec.

Site A and B are RB4011iGS+ and site C is a CHR.
All of them running ROS 6.46.1.

There are two problems I'm facing:
  • The connection to a site (e.g. site B => site C) kinda "falls asleep" after a while when there isn't any traffic between the sites. When I try to ping from B to C it isn't working anymore. When I ping "back" at the same time from C to B it starts working again. I have seen hints on Google Cloud VPC to ping every x seconds to keep a tunnel alive. Is this also best practice for ROS-to-ROS connections?
  • I got a smart home system that's very sensitive regarding connection drops. I got a PH1 lifetime of 1d and every time that lifetime is reached and a new SA is established the smart home system crashes. Do you have any suggestions to bypass that problem? Maybe weaker ciphers for faster SA handling? Restarting the smart home system after reaching SA lifetime is the last thing I would like to do.

Here is my IPSec configuration of Site A.
/ip ipsec profile
add dh-group=modp8192 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha512 name=Site_B proposal-check=strict
add dh-group=modp8192 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha512 name=Site_C proposal-check=strict
/ip ipsec peer
add address=Site_C exchange-mode=ike2 name=Site_C port=500 profile=Site_C
add address=Site_B exchange-mode=ike2 name=Site_B port=500 profile=Site_B
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm name=Site_B pfs-group=modp8192
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm name=Site_C pfs-group=modp8192
/ip ipsec identity
add auth-method=digital-signature certificate=Site_A.p12_0 match-by=certificate peer=Site_B remote-certificate=Site_B.crt_0
add auth-method=digital-signature certificate=Site_A.p12_0 match-by=certificate peer=Site_C remote-certificate=Site_C.crt_0
/ip ipsec policy
add dst-address=10.1.0.0/24 level=unique peer=Site_B proposal=Site_B sa-dst-address=Site_B sa-src-address=Site_A src-address=10.0.0.0/24 tunnel=yes
add dst-address=192.168.204.0/24 level=unique peer=Site_B proposal=Site_B sa-dst-address=Site_B sa-src-address=Site_A src-address=10.0.0.0/24 tunnel=yes
add dst-address=10.1.0.0/24 level=unique peer=Site_B proposal=Site_B sa-dst-address=Site_B sa-src-address=Site_A src-address=192.168.203.0/24 tunnel=yes
add dst-address=192.168.204.0/24 level=unique peer=Site_B proposal=Site_B sa-dst-address=Site_B sa-src-address=Site_A src-address=192.168.203.0/24 tunnel=yes
add dst-address=10.2.0.0/24 level=unique peer=Site_C proposal=Site_C sa-dst-address=Site_C sa-src-address=Site_A src-address=10.0.0.0/24 tunnel=yes
add dst-address=10.2.0.0/24 level=unique peer=Site_C proposal=Site_C sa-dst-address=Site_C sa-src-address=Site_A src-address=192.168.203.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=forward dst-address=10.1.0.0/24 src-address=10.0.0.0/24
add action=accept chain=forward dst-address=192.168.204.0/24 src-address=10.0.0.0/24
add action=accept chain=forward dst-address=10.2.0.0/24 src-address=10.0.0.0/24
add action=accept chain=forward dst-address=10.1.0.0/24 src-address=192.168.203.0/24
add action=accept chain=forward dst-address=192.168.204.0/24 src-address=192.168.203.0/24
add action=accept chain=forward dst-address=10.2.0.0/24 src-address=192.168.203.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=10.1.0.0/24
add action=accept chain=forward dst-address=192.168.203.0/24 src-address=10.1.0.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=192.168.204.0/24
add action=accept chain=forward dst-address=192.168.203.0/24 src-address=192.168.204.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=10.2.0.0/24
add action=accept chain=forward dst-address=192.168.203.0/24 src-address=10.2.0.0/24
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.0.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.204.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=10.2.0.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=10.1.0.0/24 src-address=192.168.203.0/24
add action=accept chain=srcnat dst-address=192.168.204.0/24 src-address=192.168.203.0/24
add action=accept chain=srcnat dst-address=10.2.0.0/24 src-address=192.168.203.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.0.0/24 src-address=10.0.0.0/24
add action=notrack chain=prerouting dst-address=192.168.204.0/24 src-address=10.0.0.0/24
add action=notrack chain=prerouting dst-address=10.2.0.0/24 src-address=10.0.0.0/24
add action=notrack chain=prerouting dst-address=10.1.0.0/24 src-address=192.168.203.0/24
add action=notrack chain=prerouting dst-address=192.168.204.0/24 src-address=192.168.203.0/24
add action=notrack chain=prerouting dst-address=10.2.0.0/24 src-address=192.168.203.0/24
add action=notrack chain=prerouting dst-address=10.0.0.0/24 src-address=10.1.0.0/24
add action=notrack chain=prerouting dst-address=192.168.203.0/24 src-address=10.1.0.0/24
add action=notrack chain=prerouting dst-address=10.0.0.0/24 src-address=192.168.204.0/24
add action=notrack chain=prerouting dst-address=192.168.203.0/24 src-address=192.168.204.0/24
add action=notrack chain=prerouting dst-address=10.0.0.0/24 src-address=10.2.0.0/24
add action=notrack chain=prerouting dst-address=192.168.203.0/24 src-address=10.2.0.0/24
/ip route
add distance=1 dst-address=10.1.0.0/24 gateway=ether2
add distance=1 dst-address=10.2.0.0/24 gateway=ether2
add distance=1 dst-address=192.168.204.0/24 gateway=ether2

Site A has subnets 10.0.0.0/24 and 192.168.203.0/24
Site B 10.1.0.0/24 and 192.168.204.0/24
Site C 10.2.0.0/24

The other sites are configured the same way, just vice versa.
DPD is disabled here - having it enabled doesn't change anything.

Thanks in advance and greetings from Germany

Björn
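A keepalive-plus-detection script for the first problem, added here as an example and not part of the original post. It pings one host behind each tunnel from a source inside the local policy subnet (so the probe actually matches the IPsec policy) and writes a warning to the log when a tunnel stops answering, which makes a "sleeping" SA visible before users notice. The peer names are the ones from the configuration above; the remote hosts 10.1.0.1 and 10.2.0.1 and the local source 10.0.0.1 are assumptions. Paste the first block as the source of a script named ipsec-keepalive, then add the scheduler.

```routeros
# Script body for /system script "ipsec-keepalive" (RouterOS 6.x scripting).
# Map of peer name -> host behind that tunnel; hosts are assumed values.
:local targets {"Site_B"="10.1.0.1"; "Site_C"="10.2.0.1"}
:foreach peer,host in=$targets do={
    # src-address must fall inside a local policy subnet (10.0.0.0/24 here),
    # otherwise the ping leaves unencrypted and tells you nothing about the SA.
    :local replies [/ping $host count=3 interval=1s src-address=10.0.0.1]
    :if ($replies = 0) do={
        :log warning ("ipsec keepalive: no reply from " . $host . " via peer " . $peer)
    } else={
        :log debug ("ipsec keepalive: " . $replies . "/3 replies from " . $host . " via " . $peer)
    }
}

# Run it every 30 seconds (entered on the terminal, not inside the script).
/system scheduler add name=ipsec-keepalive interval=30s on-event=ipsec-keepalive
```

Correlate warnings with `/ip ipsec installed-sa print` and `/ip ipsec active-peers print` at the time of the log entry to tell a missing SA apart from a plain routing or firewall problem.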
