From what I can tell, Mikrotik does treat IPSec as a VPN tunnel, but just
tags the packets with some extra data and sends them on their way. No easy way to check interface uptime, perform routing, etc. In my uninformed opinion, kinda piss poor.

----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- From: "Eric Holtzclaw" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: Monday, June 23, 2008 2:13 AM
Subject: Re: [Mikrotik] IPSec


Try keeping a ping session up on the inside and see if that stops.
Maybe with check gateway ping on route side if that works.

Eric

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hammett
Sent: Sunday, June 22, 2008 3:01 PM
To: Mikrotik discussions
Subject: Re: [Mikrotik] IPSec

It started working, and then stopped again.

[EMAIL PROTECTED] > /log print detail
time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#) racoon / MikroTik"
time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)"
time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: initializing..."
time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: dialing..."
time=dec/31/1969 18:00:22 topics=wireless,info message="00:15:6D:50:17:[EMAIL PROTECTED] established connection on 5765, SSID ICS4"
time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: authenticated"
time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: connected"
time=dec/31/1969 18:00:23 topics=system,info message="dns changed"
time=15:45:25 topics=system,info,account message="user admin logged in from 10.1.5.8 via winbox"
time=15:47:29 topics=system,info,account message="user admin logged in from 10.1.1.254 via winbox"
time=15:51:41 topics=system,info,account message="user admin logged in from 65.182.0.0 via winbox"
time=16:02:41 topics=pptp,info message="TCP connection established from 65.182.0.0"
time=16:02:41 topics=pptp,ppp,info message="<pptp-0>: waiting for call..."
time=16:02:42 topics=pptp,ppp,info message="<pptp-0>: authenticated"
time=16:02:43 topics=pptp,ppp,info message="<pptp-0>: connected"
time=16:02:43 topics=pptp,ppp,info,account message="mhammett logged in, 192.168.1.252"
time=16:02:44 topics=pptp,ppp,info message="<pptp-mhammett>: using encoding - MPPE128 stateless"
time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
time=16:05:59 topics=ipsec,ike message="begin Identity Protection mode."
time=16:05:59 topics=ipsec,ike message="received Vendor ID: DPD"
time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:06:00 topics=ipsec,ike message="initiate new phase 2 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
time=16:18:13 topics=pptp,ppp,info,account message="mhammett logged out, 931 242052 1589758 2478 2689"
time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: terminating... - call cleared"
time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: disconnected"
time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
time=16:19:44 topics=ipsec,ike message="purged ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="unknown Informational exchange received."
time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:21 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:31 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
time=16:36:41 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
time=16:36:51 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"

[EMAIL PROTECTED] > /log print detail
time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
time=16:42:58 topics=ipsec,ike message="none message must be encrypted"
time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
time=16:43:08 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:43:08 topics=ipsec,ike message="none message must be encrypted"
time=16:43:18 topics=ipsec,ike message="none message must be encrypted"
time=16:43:28 topics=ipsec,ike message="none message must be encrypted"
time=16:43:38 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=61961499(0x3b1751b)"
time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=23323416(0x163e318)"


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
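A small replayer for the /log print detail output quoted above. This is an added example, not code from the thread or from RouterOS; the sample lines are a constructed, trimmed copy of the messages quoted in the log. It reads only the ipsec,ike lines, tracks which ISAKMP-SA cookies and child-SA SPIs are up, and flags the three patterns this log shows: quick mode attempted against a cookie this side already deleted, IKE messages arriving unencrypted, and an SA expiring that the log never saw come up (so the two peers' views of the SA set no longer agree).

```python
import re

# Constructed sample: a trimmed copy of the /log print detail output quoted above.
SAMPLE_LOG = """\
time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: disconnected"
time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
"""

LINE_RE = re.compile(r'^time=(.*?) topics=(\S+) message="(.*)"$')
COOKIE = r"[0-9a-f]+:[0-9a-f]+"   # initiator:responder ISAKMP cookie pair as RouterOS prints it


def analyze(text):
    """Replay the ipsec,ike lines of a RouterOS log and return the resulting SA
    state plus a list of (time, kind, detail) findings worth a second look."""
    isakmp, child, findings = {}, {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or "ipsec" not in m.group(2).split(","):
            continue                                    # not an ipsec log line
        t, msg = m.group(1), m.group(3)
        if mm := re.search(r"ISAKMP-SA established .* spi:(\S+)", msg):
            isakmp[mm.group(1)] = "up"                  # phase 1 came up
        elif mm := re.search(rf"ISAKMP-SA (?:deleted .* spi:|spi=)({COOKIE})", msg):
            isakmp[mm.group(1)] = "down"                # purging / purged / deleted
        elif mm := re.search(r"IPsec-SA established: (\w+)/(\w+) (\S+)->(\S+) spi=(\d+)", msg):
            child[mm.group(5)] = {"proto": mm.group(1), "mode": mm.group(2),
                                  "src": mm.group(3), "dst": mm.group(4), "state": "up"}
        elif "IPsec-SA" in msg and ("purged" in msg or "expired" in msg):
            spi = re.search(r"spi=(\d+)", msg).group(1)
            if spi in child:
                child[spi]["state"] = "down"
            else:
                # Torn down an SA this log never saw come up: negotiated before the
                # log window, or the peers no longer agree on which SAs exist.
                findings.append((t, "teardown_of_unknown_sa", f"spi={spi}"))
        elif mm := re.search(rf"no ISAKMP-SA, ({COOKIE})", msg):
            cookie = mm.group(1)
            state = isakmp.get(cookie, "never seen")
            findings.append((t, "quick_mode_without_phase1", f"cookie {cookie} is {state}"))
        elif "must be encrypted" in msg:
            findings.append((t, "unencrypted_ike_message", msg))
        elif "queued due to no phase1" in msg:
            findings.append((t, "phase2_queued_for_phase1", msg))
    return {"isakmp": isakmp, "child": child, "findings": findings}


def live_child_sas(report):
    """SPIs whose IPsec-SA was established and never purged or expired."""
    return sorted(spi for spi, sa in report["child"].items() if sa["state"] == "up")


def count_findings(report):
    """Number of findings per kind, for a quick triage summary."""
    counts = {}
    for _, kind, _ in report["findings"]:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for t, kind, detail in rep["findings"]:
        print(f"{t}  {kind:28} {detail}")
    print("still-live child SAs:", live_child_sas(rep))
```

Run against the full log, the replayer shows what the thread describes: every SA this side knew about is purged at 16:19:44, yet quick-mode attempts for the same cookie keep arriving afterwards, and the second capture tears down SPIs that were never established in this router's view, which is the signature of two peers that hold different SA tables.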


----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: Thursday, June 19, 2008 11:05 AM
Subject: Re: [Mikrotik] IPSec


Actually, the darn thing stopped working once it started and without any changes to either side.  :-\

[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
    proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0   address=65.182.0.0/32:500 auth-method=pre-shared-key secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs


[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
    proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0   address=68.60.0.0/32:500 auth-method=pre-shared-key secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s dpd-maximum-failures=1
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec


I had actually just gotten it fixed by trying the masquerade option before Butch told me to do masquerade.  That said, I have attached a map of what we're working with.  The NIF wireless and everything behind it cannot communicate with anything across the IPSec link, though everything else, including and behind the NIF router, does.  Everything including and behind the NIF router can talk to everyone else on that side of the network as well as the Internet.


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: Friday, June 06, 2008 11:33 PM
Subject: [Mikrotik] IPSec


I'm trying to set up a 3.10 IPSec tunnel between two Mikrotiks.  First off, the manual isn't correct.  I do exactly what they say and I get an error.  As it turns out, you're also required to choose an AH In\Out Algorithm.  It also doesn't explain things well, like ah-spi.

How do I know it's working?  I cannot ping addresses on the other side.


Side 1:

< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111 proposal=default
    manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key="" esp-enc-key="" ah-spi=0x100/0x101
    esp-spi=0x100 lifetime=0s


Side 2:

[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111 proposal=default
    manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key="" esp-enc-key="" ah-spi=0x101/0x100
    esp-spi=0x100 lifetime=0s



----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
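A consistency check over the two sides' printouts, covering both the June 19 peer/proposal/policy configuration and the June 6 manual-SA configuration quoted in this thread. It is an added example, not code from the thread or from MikroTik; the sample printouts are constructed from the ones quoted above, with the pre-shared key and the AH key replaced by placeholders. Every parameter both peers negotiate must agree, selectors and SA endpoints must be mirror images, each peer entry must point at the address the other side sends from, and for manual AH SAs the in/out SPI pair must be reversed on the other end (reading ah-spi as in/out is an assumption here). On the June 19 printouts the only disagreements it reports are dpd-interval and dpd-maximum-failures.

```python
import re

PAIR_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_first_entry(text):
    """Key=value pairs of the first numbered entry in a RouterOS 'print detail'
    printout; prompt and Flags lines are ignored and quoted values are unquoted."""
    entry, started = {}, False
    for line in text.splitlines():
        if re.match(r"^\s*\d+\s", line):        # "0   src-address=..." starts an entry
            if started:
                break                           # only the first entry is wanted
            started = True
        elif not started:
            continue
        for key, val in PAIR_RE.findall(line):
            entry[key] = val.strip('"')
    return entry


# Constructed samples, copied from the printouts quoted in the thread
# (PSK and AH key replaced by placeholders).
SIDE_A_JUN19 = {
    "policy": """0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=68.60.0.0
     sa-dst-address=65.182.0.0 proposal=default manual-sa=none priority=0""",
    "proposal": '0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024',
    "peer": """0   address=65.182.0.0/32:500 auth-method=pre-shared-key secret="PSK-PLACEHOLDER"
     generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=5""",
}
SIDE_B_JUN19 = {
    "policy": """0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=65.182.0.0
     sa-dst-address=68.60.0.0 proposal=default manual-sa=none priority=0""",
    "proposal": SIDE_A_JUN19["proposal"],
    "peer": """0   address=68.60.0.0/32:500 auth-method=pre-shared-key secret="PSK-PLACEHOLDER"
     generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=20s dpd-maximum-failures=1""",
}
SIDE_1_JUN06 = {
    "policy": """0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah tunnel=yes sa-src-address=65.182.111.111
     sa-dst-address=68.60.111.111 proposal=default manual-sa=ah-sa1 priority=0""",
    "manual-sa": '0   name="ah-sa1" ah-algorithm=sha1 ah-key=AH-KEY-PLACEHOLDER ah-spi=0x100/0x101 esp-spi=0x100 lifetime=0s',
}
SIDE_2_JUN06 = {
    "policy": """0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah tunnel=yes sa-src-address=68.60.111.111
     sa-dst-address=65.182.111.111 proposal=default manual-sa=ah-sa1 priority=0""",
    "manual-sa": '0   name="ah-sa1" ah-algorithm=sha1 ah-key=AH-KEY-PLACEHOLDER ah-spi=0x101/0x100 esp-spi=0x100 lifetime=0s',
}

PEER_KEYS = ("auth-method", "secret", "exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group",
             "lifetime", "nat-traversal", "dpd-interval", "dpd-maximum-failures")
PROPOSAL_KEYS = ("auth-algorithms", "enc-algorithms", "lifetime", "pfs-group")
POLICY_KEYS = ("ipsec-protocols", "tunnel", "level", "protocol")


def check_sides(side_a, side_b):
    """Parse both ends' printouts and return every setting that fails to agree
    (or, for addresses and SPIs, to mirror) between them. Empty list = consistent."""
    a = {name: parse_first_entry(txt) for name, txt in side_a.items()}
    b = {name: parse_first_entry(txt) for name, txt in side_b.items()}
    problems = []

    def must_match(section, keys):
        if section in a and section in b:
            for k in keys:
                if a[section].get(k) != b[section].get(k):
                    problems.append(f"{section} {k}: {a[section].get(k)!r} vs {b[section].get(k)!r}")

    must_match("peer", PEER_KEYS)
    must_match("proposal", PROPOSAL_KEYS)
    must_match("policy", POLICY_KEYS)
    # Selectors and SA endpoints on one side must be the other side's, swapped.
    for left, right in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if (a["policy"].get(left), a["policy"].get(right)) != (b["policy"].get(right), b["policy"].get(left)):
            problems.append(f"policy {left}/{right} are not mirror images")
    # Each peer entry must point at the address the other side sends from.
    for here, there in ((a, b), (b, a)):
        if "peer" in here:
            peer_ip = here["peer"].get("address", "").split("/")[0]
            if peer_ip != there["policy"].get("sa-src-address"):
                problems.append(f"peer address {peer_ip} != other side's sa-src-address")
    # Manual AH SAs: same key, and the in/out SPI pair reversed on the other side
    # (ah-spi read as in/out here; an assumption, check it against your RouterOS version).
    if "manual-sa" in a and "manual-sa" in b:
        if a["manual-sa"].get("ah-key") != b["manual-sa"].get("ah-key"):
            problems.append("manual-sa ah-key differs")
        spi_a = a["manual-sa"].get("ah-spi", "").split("/")
        spi_b = b["manual-sa"].get("ah-spi", "").split("/")
        if spi_a != spi_b[::-1]:
            problems.append(f"manual-sa ah-spi {spi_a} is not the reverse of {spi_b}")
    return problems


if __name__ == "__main__":
    for label, x, y in (("June 19 peers", SIDE_A_JUN19, SIDE_B_JUN19),
                        ("June 6 manual SAs", SIDE_1_JUN06, SIDE_2_JUN06)):
        print(label, "->", check_sides(x, y) or "consistent")
```

The checker deliberately compares raw printed strings rather than interpreting them, so it also catches typos such as a selector or SA address that was copied by hand and differs by one octet.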

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.butchevans.com/pipermail/mikrotik/attachments/20080606/9f93d58b/attachment.html
_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CF NIF IPSec issue.pdf
Type: application/pdf
Size: 62758 bytes
Desc: not available
Url : http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf