Community discussions

MikroTik App
 
morph
just joined
Topic Author
Posts: 22
Joined: Fri Mar 16, 2012 10:52 am

IPSEC - one way SPI SA not installed

Mon Feb 10, 2014 11:34 pm

I'm trying to create an ipsec vpn tunnel between a Mikrotik and a cisco router.
It seems that the SPI SA in the direction Mikrotik -> Cisco is installed fine but the
SPI SA in direction Cisco -> Mikrotik is not installed (there is no addtime).

[admin@MikroTik] /ip ipsec installed-sa>> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x382B108 src-address=192.168.10.200 dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="adc4c7acfdbf86e3a9750c0e0a81f569"
enc-key="d3e54e4f122fc8920e651aec4157afd887b
addtime=feb/10/2014 22:12:58 expires-in=27m5
current-bytes=60

1 E spi=0xF778A1E src-address=190.X.X.X dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="448e14a463e062902f5d70507b1dbbcb"
enc-key="74309e284428767f831c42f833544d147b7
add-lifetime=24m/30m
[admin@MikroTik] /ip ipsec installed-sa>>

Does anyone know what can cause this and how to fix it?

Regards.
You do not have the required permissions to view the files attached to this post.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 12:12 am

I'm trying to create an ipsec vpn tunnel between a Mikrotik and a cisco router.
It seems that the SPI SA in the direction Mikrotik -> Cisco is installed fine but the
SPI SA in direction Cisco -> Mikrotik is not installed (there is no addtime).

[admin@MikroTik] /ip ipsec installed-sa>> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x382B108 src-address=192.168.10.200 dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="adc4c7acfdbf86e3a9750c0e0a81f569"
enc-key="d3e54e4f122fc8920e651aec4157afd887b
addtime=feb/10/2014 22:12:58 expires-in=27m5
current-bytes=60

1 E spi=0xF778A1E src-address=190.X.X.X dst
auth-algorithm=md5 enc-algorithm=3des replay
auth-key="448e14a463e062902f5d70507b1dbbcb"
enc-key="74309e284428767f831c42f833544d147b7
add-lifetime=24m/30m
[admin@MikroTik] /ip ipsec installed-sa>>

Does anyone know what can cause this and how to fix it?

Regards.
Need to see the export and the settings from the Cisco. Could be a wide variety of stuff. Any errors? Did you try turning on ipsec debugging to the log and seeing if there are errors?
 
morph
just joined
Topic Author
Posts: 22
Joined: Fri Mar 16, 2012 10:52 am

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 12:26 am

Hi efaden,
These are the settings on the cisco:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TS esp-3des esp-md5-hmac 
!
crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS 
 match address VPN1-TRAFFIC
!
!
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn 

ip access-list extended VPN1-TRAFFIC
 permit ip 10.32.0.0 0.0.255.255 192.168.10.0 0.0.0.255
There are no errors in the logs.

Regards.
 
morph
just joined
Topic Author
Posts: 22
Joined: Fri Mar 16, 2012 10:52 am

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 12:29 am

I'm getting the same problem when trying to connect the Mikrotik to a pfSense firewall.
On the side of the Cisco and pfSense there are no errors displayed.
The only problem I see is that the SA is not installed on the Mikrotik.

Regards.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 12:30 am

Post your export. Did you try turning on debugging?

Sent from my SCH-I545 using Tapatalk
 
morph
just joined
Topic Author
Posts: 22
Joined: Fri Mar 16, 2012 10:52 am

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 12:45 am

Post your export. Did you try turning on debugging?

Sent from my SCH-I545 using Tapatalk
Hi Efaden,
When you say export are you looking for the ipsec configuration?
/ip firewall nat
add chain=srcnat dst-address=10.32.0.0/16 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
    out-interface=ether1-gateway
add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
/ip ipsec peer
add address=190.X.X.X/32 enc-algorithm=3des hash-algorithm=md5 secret=\
    PASSWORD send-initial-contact=no
/ip ipsec policy
add dst-address=10.32.0.0/16 sa-dst-address=190.X.X.X sa-src-address=\
    0.0.0.0 src-address=192.168.10.0/24 tunnel=yes
I tried turning debugging but I didn't see anything that looks suspicious in the log window.

Regards.
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 1:08 am

sa-src-address=0.0.0.0
SA-Src-Address should be set to your public (WAN) IP, and this NAT rule is not necessary:
add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
BTW, you didn't post your 'IPSec/Proposal' settings.

HTH,
 
morph
just joined
Topic Author
Posts: 22
Joined: Fri Mar 16, 2012 10:52 am

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 1:14 am

sa-src-address=0.0.0.0
SA-Src-Address should be set to your public (WAN) IP, and this NAT rule is not necessary:
add chain=srcnat dst-address=192.168.10.0/24 src-address=10.32.0.0/16
BTW, you didn't post your 'IPSec/Proposal' settings.

HTH,
I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 for source.

Here is the proposal setting:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=1d
 
ditonet
Forum Veteran
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 1:43 am

I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 for source.
It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.

Regards,
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 1:54 am

I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 for source.
It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.

Regards,

Thats what I do...
 
morph
just joined
Topic Author
Posts: 22
Joined: Fri Mar 16, 2012 10:52 am

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 9:01 am

I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 for source.
It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.

Regards,
The 3G stick gets a private address from the provider that is then nat-ed to a public address.

I tried to connect the mikrotik through a LAN cable to my home router. With the above setup (sa-src-address=0.0.0.0) the IPSec did work. So the Mikrotik was behind NAT (my OpenWRT router) and IPSec formed with (sa-src-address=0.0.0.0).

For test I also tried to connect the mikrotik to a Pfsense box and also got the problem with the SA (using the USB stick and also when using LAN cable behind my home router).
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: IPSEC - one way SPI SA not installed

Tue Feb 11, 2014 2:21 pm

I'm using a 3G stick for WAN that does not have a fixed IP address. That's why I used 0.0.0.0 for source.
It's possible to read WAN IP address and set it in 'IPSec/Policy' using script.

Regards,
The 3G stick gets a private address from the provider that is then nat-ed to a public address.

I tried to connect the mikrotik through a LAN cable to my home router. With the above setup (sa-src-address=0.0.0.0) the IPSec did work. So the Mikrotik was behind NAT (my OpenWRT router) and IPSec formed with (sa-src-address=0.0.0.0).

For test I also tried to connect the mikrotik to a Pfsense box and also got the problem with the SA (using the USB stick and also when using LAN cable behind my home router).

I think you need to script the IP into the SA. Never tried this setup though.

Who is online

Users browsing this forum: blitzu, jerryd, kymo2, mada3k, Qanon, wrkq, yhfung and 28 guests