[Mikrotik] IPSec

Mike Hammett butch-mikrotik at ics-il.net
Mon Jun 23 07:24:02 CDT 2008


From what I can tell, Mikrotik does treat IPSec as a VPN tunnel, but just 
tags the packets with some extra data and sends them on their way.  No easy 
way to check interface uptime, perform routing, etc.  In my uninformed 
opinion, kinda piss poor.


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- 
From: "Eric Holtzclaw" <eric.holtzclaw at ispan.us>
To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
Sent: Monday, June 23, 2008 2:13 AM
Subject: Re: [Mikrotik] IPSec


> Try keeping a ping session up on the inside and see if that stops.
> Maybe with check gateway ping on route side if that works.
>
> Eric
>
> -----Original Message-----
> From: mikrotik-bounces at mail.butchevans.com
> [mailto:mikrotik-bounces at mail.butchevans.com] On Behalf Of Mike Hammett
> Sent: Sunday, June 22, 2008 3:01 PM
> To: Mikrotik discussions
> Subject: Re: [Mikrotik] IPSec
>
> It started working, and then stopped again.
>
> [admin at NIF] > /log print detail
> time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
> time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#) racoon / MikroTik"
> time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)"
> time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: initializing..."
> time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: dialing..."
> time=dec/31/1969 18:00:22 topics=wireless,info message="00:15:6D:50:17:09 at ICS established connection on 5765, SSID ICS4"
> time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: authenticated"
> time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: connected"
> time=dec/31/1969 18:00:23 topics=system,info message="dns changed"
> time=15:45:25 topics=system,info,account message="user admin logged in from 10.1.5.8 via winbox"
> time=15:47:29 topics=system,info,account message="user admin logged in from 10.1.1.254 via winbox"
> time=15:51:41 topics=system,info,account message="user admin logged in from 65.182.0.0 via winbox"
> time=16:02:41 topics=pptp,info message="TCP connection established from 65.182.0.0"
> time=16:02:41 topics=pptp,ppp,info message="<pptp-0>: waiting for call..."
> time=16:02:42 topics=pptp,ppp,info message="<pptp-0>: authenticated"
> time=16:02:43 topics=pptp,ppp,info message="<pptp-0>: connected"
> time=16:02:43 topics=pptp,ppp,info,account message="mhammett logged in, 192.168.1.252"
> time=16:02:44 topics=pptp,ppp,info message="<pptp-mhammett>: using encoding - MPPE128 stateless"
> time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
> time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
> time=16:05:59 topics=ipsec,ike message="begin Identity Protection mode."
> time=16:05:59 topics=ipsec,ike message="received Vendor ID: DPD"
> time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
> time=16:06:00 topics=ipsec,ike message="initiate new phase 2 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
> time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
> time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
> time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
> time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
> time=16:18:13 topics=pptp,ppp,info,account message="mhammett logged out, 931 242052 1589758 2478 2689"
> time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: terminating... - call cleared"
> time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: disconnected"
> time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
> time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
> time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
> time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
> time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
> time=16:19:44 topics=ipsec,ike message="purged ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
> time=16:19:44 topics=ipsec,ike message="unknown Informational exchange received."
> time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
> time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
> time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
> time=16:36:21 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
> time=16:36:31 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
> time=16:36:41 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
> time=16:36:51 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
>
>
> [admin at CF] > /log print detail
> time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
> time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
> time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
> time=16:42:58 topics=ipsec,ike message="none message must be encrypted"
> time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
> time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
> time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
> time=16:43:08 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
> time=16:43:08 topics=ipsec,ike message="none message must be encrypted"
> time=16:43:18 topics=ipsec,ike message="none message must be encrypted"
> time=16:43:28 topics=ipsec,ike message="none message must be encrypted"
> time=16:43:38 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
> time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=61961499(0x3b1751b)"
> time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=23323416(0x163e318)"
>
>
> ----------
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> ----- Original Message ----- 
> From: "Mike Hammett" <butch-mikrotik at ics-il.net>
> To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
> Sent: Thursday, June 19, 2008 11:05 AM
> Subject: Re: [Mikrotik] IPSec
>
>
>> Actually, the darn thing stopped working once it started and without any
>> changes to either side.  :-\
>>
>> [admin at CF] > /ip ipsec policy print detail
>> Flags: X - disabled, D - dynamic, I - inactive
>> 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
>>     proposal=default manual-sa=none priority=0
>> [admin at CF] > /ip ipsec proposal print detail
>> Flags: X - disabled
>> 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
>> [admin at CF] > /ip ipsec peer print detail
>> Flags: X - disabled
>> 0   address=65.182.0.0/32:500 auth-method=pre-shared-key secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
>>     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
>> [admin at CF] > /ip ipsec installed-sa print detail
>> Flags: A - AH, E - ESP, P - pfs
>>
>>
>> [admin at NIF] > /ip ipsec policy print detail
>> Flags: X - disabled, D - dynamic, I - inactive
>> 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
>>     proposal=default manual-sa=none priority=0
>> [admin at NIF] > /ip ipsec proposal print detail
>> Flags: X - disabled
>> 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
>> [admin at NIF] > /ip ipsec peer print detail
>> Flags: X - disabled
>> 0   address=68.60.0.0/32:500 auth-method=pre-shared-key secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
>>     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s dpd-maximum-failures=1
>> [admin at NIF] > /ip ipsec installed-sa print detail
>> Flags: A - AH, E - ESP, P - pfs
>>
>>
>> ----------
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>>
>> ----- Original Message ----- 
>> From: "Mike Hammett" <butch-mikrotik at ics-il.net>
>> To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
>> Sent: Saturday, June 07, 2008 11:49 AM
>> Subject: Re: [Mikrotik] IPSec
>>
>>
>>> I had actually just gotten it fixed by trying the masquerade option before
>>> Butch told me to do masquerade.  That said, I have attached a map of what
>>> we're working with.  The NIF wireless and everything behind it cannot
>>> communicate with anything across the IPSec link, though everything else
>>> including and behind NIF router does.  Everything including and behind NIF
>>> router can talk to everyone else on that side of the network as well as
>>> the Internet.
>>>
>>>
>>> ----------
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>>
>>> ----- Original Message ----- 
>>> From: "Mike Hammett" <butch-mikrotik at ics-il.net>
>>> To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
>>> Sent: Friday, June 06, 2008 11:33 PM
>>> Subject: [Mikrotik] IPSec
>>>
>>>
>>>> I'm trying to set up a 3.10 IPSec tunnel between two Mikrotiks.  First
>>>> off, the manual isn't correct.  I do exactly what they say and I get an
>>>> error.  As it turns out, you're also required to choose an AH In\Out
>>>> Algorithm.  It also doesn't explain things well, like ah-spi.
>>>>
>>>> How do I know it's working?  I cannot ping addresses on the other side.
>>>>
>>>>
>>>> Side 1:
>>>>
>>>> [admin at NIFence - ICS] > /ip ipsec policy print
>>>> Flags: X - disabled, D - dynamic, I - inactive
>>>> 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111 proposal=default
>>>>     manual-sa=ah-sa1 priority=0
>>>> [admin at NIFence - ICS] > /ip ipsec manual-sa print
>>>> Flags: X - disabled, I - invalid
>>>> 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key="" esp-enc-key="" ah-spi=0x100/0x101
>>>>     esp-spi=0x100 lifetime=0s
>>>>
>>>>
>>>>
>>>> Side 2:
>>>>
>>>> [admin at Complete Fence] > /ip ipsec policy pr
>>>> Flags: X - disabled, D - dynamic, I - inactive
>>>> 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111 proposal=default
>>>>     manual-sa=ah-sa1 priority=0
>>>> [admin at Complete Fence] > /ip ipsec manual-sa pr
>>>> Flags: X - disabled, I - invalid
>>>> 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key="" esp-enc-key="" ah-spi=0x101/0x100
>>>>     esp-spi=0x100 lifetime=0s
>>>>
>>>>
>>>>
>>>> ----------
>>>> Mike Hammett
>>>> Intelligent Computing Solutions
>>>> http://www.ics-il.com
>>>>
>>>> _______________________________________________
>>>> Mikrotik mailing list
>>>> Mikrotik at mail.butchevans.com
>>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>>
>>> -------------- next part --------------
>>> A non-text attachment was scrubbed...
>>> Name: CF NIF IPSec issue.pdf
>>> Type: application/pdf
>>> Size: 62758 bytes
>>> Desc: not available
>>> Url : http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf
>>>
>>
>>
>
> 
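The two `/log print detail` dumps and the two `/ip ipsec peer print detail` listings quoted in this thread are the kind of output one ends up diffing by eye. The script below is an added example written for this page; it is not RouterOS or racoon code and not the poster's. It does the two checks mechanically: it walks the racoon-style IKE log for a phase-1 (ISAKMP) SA that the router purged or deleted and that the peer then kept sending quick-mode (phase 2) messages under, which is what the NIF log shows from 16:19:44 onward, and it compares the two ends' peer settings for asymmetries, which in the quoted configs are `dpd-interval` (disable-dpd vs 20s) and `dpd-maximum-failures` (5 vs 1). The log and config samples inside are constructed copies of lines from this thread with the pre-shared key replaced; the regular expressions are written against the log wording as it appears here and assume nothing beyond it.

```python
"""Triage helpers for racoon-style IKE log lines and RouterOS
`/ip ipsec peer print detail` output.

Example code added for this page: not RouterOS, racoon or the poster's code.
The sample data below are constructed copies of lines quoted in the thread
(same anonymised addresses; the pre-shared key is replaced with REDACTED)."""
import re

# --- 1. Phase-1 (ISAKMP) SA lifecycle from `/log print detail` -----------

TIME = re.compile(r'time=(\S+)')
# IKEv1 cookies are 8 bytes each, so the ISAKMP SA is "initiator:responder"
# as two 16-hex-digit fields, written "spi:" or "spi=" in these logs.
SPI_PAIR = re.compile(r'spi[:=]([0-9a-f]{16}:[0-9a-f]{16})')
QM_NO_SA = re.compile(r"can't start the quick mode, there is no ISAKMP-SA, "
                      r'([0-9a-f]{16}:[0-9a-f]{16}):([0-9a-f]+)')
TEARDOWN_WORDS = ('purging', 'purged', 'deleted')


def phase1_spi(line):
    m = SPI_PAIR.search(line)
    return m.group(1) if m else None


def stale_quick_mode(log_lines):
    """Return one record per ISAKMP SA that this router tore down and that the
    peer afterwards still tried to run quick mode under.  That pattern means
    the two ends disagree about whether phase 1 exists: one side has dropped
    the SA (DPD, reboot, lifetime) and the other never learned of it."""
    established, torn_down, late_attempts = {}, {}, {}
    for line in log_lines:
        t = TIME.search(line)
        ts = t.group(1) if t else '?'
        if 'ISAKMP-SA established' in line and (spi := phase1_spi(line)):
            established.setdefault(spi, ts)
        elif ('ISAKMP-SA' in line and any(w in line for w in TEARDOWN_WORDS)
              and (spi := phase1_spi(line))):
            torn_down.setdefault(spi, ts)          # first purge/delete wins
        elif (m := QM_NO_SA.search(line)) and m.group(1) in torn_down:
            # (timestamp, phase-2 message id) of each attempt after teardown
            late_attempts.setdefault(m.group(1), []).append((ts, m.group(2)))
    return [{'isakmp_spi': spi,
             'established': established.get(spi),
             'torn_down': torn_down[spi],
             'quick_mode_after_teardown': late_attempts[spi]}
            for spi in late_attempts]


# --- 2. Symmetry of the two ends' IKE peer settings ----------------------

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_print_detail(text):
    """Flatten one RouterOS `print detail` entry (possibly wrapped over
    several lines) into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(text)}


# Settings where a difference between the ends is worth a look.  IKEv1 does
# not require the DPD timers to be equal, but if only one side runs DPD, only
# that side ever declares the peer dead and drops the ISAKMP SA on its own.
COMPARE = ('exchange-mode', 'hash-algorithm', 'enc-algorithm', 'dh-group',
           'lifetime', 'nat-traversal', 'dpd-interval', 'dpd-maximum-failures')


def peer_mismatches(peer_a, peer_b):
    a, b = parse_print_detail(peer_a), parse_print_detail(peer_b)
    return {k: (a.get(k), b.get(k)) for k in COMPARE if a.get(k) != b.get(k)}


# --- Constructed samples (copies of lines quoted in the thread) -----------

NIF_LOG = '''\
time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
'''.splitlines()

CF_PEER = '''0   address=65.182.0.0/32:500 auth-method=pre-shared-key secret="REDACTED"
generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5'''

NIF_PEER = '''0   address=68.60.0.0/32:500 auth-method=pre-shared-key secret="REDACTED"
generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=20s dpd-maximum-failures=1'''

if __name__ == '__main__':
    for hit in stale_quick_mode(NIF_LOG):
        print('stale phase 1:', hit)
    print('peer mismatches CF vs NIF:', peer_mismatches(CF_PEER, NIF_PEER))
```

Feed `stale_quick_mode` the lines of `/log print detail` from the router that logs "can't start the quick mode", and `peer_mismatches` the peer entries from both routers; the second check is deliberately a plain field comparison, so extend `COMPARE` with whatever else the two ends must agree on in a given deployment.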



