I believe it's referred to as the "bump in the stack" model.  It can be
much harder to troubleshoot because there are no interfaces to point your
finger at, and packets don't strictly follow the routing table (or at
least not as you might expect).  I find it much easier to let another
protocol do the tunneling (e.g. IPIP, GRE) and then use ipsec in transport
mode.  There's an example in the Mikrotik wiki for setting up ipsec in
transport mode to encrypt an IPIP tunnel.  Then you can treat it just like
any other interface.  Much more flexible IMHO.

Regards,

-Kristian

On Mon, 23 Jun 2008, Mike Hammett wrote:

> From what I can tell, Mikrotik does treat IPSec as a VPN tunnel, but just
> tags the packets with some extra data and sends them on their way.  No easy
> way to check interface uptime, perform routing, etc.  In my uninformed
> opinion, kinda piss poor.
>
>
> ----------
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> ----- Original Message -----
> From: "Eric Holtzclaw" <[EMAIL PROTECTED]>
> To: "Mikrotik discussions" <[email protected]>
> Sent: Monday, June 23, 2008 2:13 AM
> Subject: Re: [Mikrotik] IPSec
>
>
> > Try keeping a ping session up on the inside and see if that stops.
> > Maybe with check gateway ping on route side if that works.
> >
> > Eric
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hammett
> > Sent: Sunday, June 22, 2008 3:01 PM
> > To: Mikrotik discussions
> > Subject: Re: [Mikrotik] IPSec
> >
> > It started working, and then stopped again.
> >
> > [EMAIL PROTECTED] > /log print detail
> > time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
> > time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#) racoon / MikroTik"
> > time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)"
> > time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: initializing..."
> > time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: dialing..."
> > time=dec/31/1969 18:00:22 topics=wireless,info message="00:15:6D:50:17:[EMAIL PROTECTED] established connection on 5765, SSID ICS4"
> > time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: authenticated"
> > time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: connected"
> > time=dec/31/1969 18:00:23 topics=system,info message="dns changed"
> > time=15:45:25 topics=system,info,account message="user admin logged in from 10.1.5.8 via winbox"
> > time=15:47:29 topics=system,info,account message="user admin logged in from 10.1.1.254 via winbox"
> > time=15:51:41 topics=system,info,account message="user admin logged in from 65.182.0.0 via winbox"
> > time=16:02:41 topics=pptp,info message="TCP connection established from 65.182.0.0"
> > time=16:02:41 topics=pptp,ppp,info message="<pptp-0>: waiting for call..."
> > time=16:02:42 topics=pptp,ppp,info message="<pptp-0>: authenticated"
> > time=16:02:43 topics=pptp,ppp,info message="<pptp-0>: connected"
> > time=16:02:43 topics=pptp,ppp,info,account message="mhammett logged in, 192.168.1.252"
> > time=16:02:44 topics=pptp,ppp,info message="<pptp-mhammett>: using encoding - MPPE128 stateless"
> > time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
> > time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
> > time=16:05:59 topics=ipsec,ike message="begin Identity Protection mode."
> > time=16:05:59 topics=ipsec,ike message="received Vendor ID: DPD"
> > time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
> > time=16:06:00 topics=ipsec,ike message="initiate new phase 2 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
> > time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
> > time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
> > time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
> > time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
> > time=16:18:13 topics=pptp,ppp,info,account message="mhammett logged out, 931 242052 1589758 2478 2689"
> > time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: terminating... - call cleared"
> > time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: disconnected"
> > time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
> > time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
> > time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
> > time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
> > time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
> > time=16:19:44 topics=ipsec,ike message="purged ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
> > time=16:19:44 topics=ipsec,ike message="unknown Informational exchange received."
> > time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
> > time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
> > time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
> > time=16:36:21 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
> > time=16:36:31 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
> > time=16:36:41 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
> > time=16:36:51 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
> >
> > [EMAIL PROTECTED] > /log print detail
> > time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
> > time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
> > time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
> > time=16:42:58 topics=ipsec,ike message="none message must be encrypted"
> > time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
> > time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
> > time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
> > time=16:43:08 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
> > time=16:43:08 topics=ipsec,ike message="none message must be encrypted"
> > time=16:43:18 topics=ipsec,ike message="none message must be encrypted"
> > time=16:43:28 topics=ipsec,ike message="none message must be encrypted"
> > time=16:43:38 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
> > time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=61961499(0x3b1751b)"
> > time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=23323416(0x163e318)"
> >
> >
> > ----------
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> >
> > ----- Original Message -----
> > From: "Mike Hammett" <[EMAIL PROTECTED]>
> > To: "Mikrotik discussions" <[email protected]>
> > Sent: Thursday, June 19, 2008 11:05 AM
> > Subject: Re: [Mikrotik] IPSec
> >
> >
> >> Actually, the darn thing stopped working once it started and without
> >> any changes to either side.  :-\
> >>
> >> [EMAIL PROTECTED] > /ip ipsec policy print detail
> >> Flags: X - disabled, D - dynamic, I - inactive
> >> 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
> >>     protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
> >>     sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
> >>     proposal=default manual-sa=none priority=0
> >> [EMAIL PROTECTED] > /ip ipsec proposal print detail
> >> Flags: X - disabled
> >> 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
> >>     pfs-group=modp1024
> >> [EMAIL PROTECTED] > /ip ipsec peer print detail
> >> Flags: X - disabled
> >> 0   address=65.182.0.0/32:500 auth-method=pre-shared-key
> >>     secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
> >>     generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
> >>     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
> >>     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
> >>     dpd-maximum-failures=5
> >> [EMAIL PROTECTED] > /ip ipsec installed-sa print detail
> >> Flags: A - AH, E - ESP, P - pfs
> >>
> >> [EMAIL PROTECTED] > /ip ipsec policy print detail
> >> Flags: X - disabled, D - dynamic, I - inactive
> >> 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
> >>     protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
> >>     sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
> >>     proposal=default manual-sa=none priority=0
> >> [EMAIL PROTECTED] > /ip ipsec proposal print detail
> >> Flags: X - disabled
> >> 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
> >>     pfs-group=modp1024
> >> [EMAIL PROTECTED] > /ip ipsec peer print detail
> >> Flags: X - disabled
> >> 0   address=68.60.0.0/32:500 auth-method=pre-shared-key
> >>     secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
> >>     generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
> >>     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
> >>     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s
> >>     dpd-maximum-failures=1
> >> [EMAIL PROTECTED] > /ip ipsec installed-sa print detail
> >> Flags: A - AH, E - ESP, P - pfs
> >>
> >>
> >> ----------
> >> Mike Hammett
> >> Intelligent Computing Solutions
> >> http://www.ics-il.com
> >>
> >>
> >> ----- Original Message -----
> >> From: "Mike Hammett" <[EMAIL PROTECTED]>
> >> To: "Mikrotik discussions" <[email protected]>
> >> Sent: Saturday, June 07, 2008 11:49 AM
> >> Subject: Re: [Mikrotik] IPSec
> >>
> >>
> >>> I had actually just gotten it fixed by trying the masquerade option
> >>> before Butch told me to do masquerade.  That said, I have attached a map
> >>> of what we're working with.  The NIF wireless and everything behind it
> >>> cannot communicate with anything across the IPSec link, though
> >>> everything else including and behind NIF router does.  Everything
> >>> including and behind NIF router can talk to everyone else on that side
> >>> of the network as well as the Internet.
> >>>
> >>>
> >>> ----------
> >>> Mike Hammett
> >>> Intelligent Computing Solutions
> >>> http://www.ics-il.com
> >>>
> >>>
> >>> ----- Original Message -----
> >>> From: "Mike Hammett" <[EMAIL PROTECTED]>
> >>> To: "Mikrotik discussions" <[email protected]>
> >>> Sent: Friday, June 06, 2008 11:33 PM
> >>> Subject: [Mikrotik] IPSec
> >>>
> >>>
> >>>> I'm trying to set up a 3.10 IPSec tunnel between two Mikrotiks.  First
> >>>> off, the manual isn't correct.  I do exactly what they say and I get an
> >>>> error.  As it turns out, you're also required to choose an AH In\Out
> >>>> Algorithm.  It also doesn't explain things well, like ah-spi.
> >>>>
> >>>> How do I know it's working?  I cannot ping addresses on the other side.
> >>>>
> >>>>
> >>>> Side 1:
> >>>>
> >>>> [EMAIL PROTECTED] - ICS] > /ip ipsec policy print
> >>>> Flags: X - disabled, D - dynamic, I - inactive
> >>>> 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
> >>>>     protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
> >>>>     sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
> >>>>     proposal=default manual-sa=ah-sa1 priority=0
> >>>> [EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
> >>>> Flags: X - disabled, I - invalid
> >>>> 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
> >>>>     esp-enc-algorithm=null ah-key=<64 hex characters> esp-auth-key=""
> >>>>     esp-enc-key="" ah-spi=0x100/0x101 esp-spi=0x100 lifetime=0s
> >>>>
> >>>>
> >>>> Side 2:
> >>>>
> >>>> [EMAIL PROTECTED] Fence] > /ip ipsec policy pr
> >>>> Flags: X - disabled, D - dynamic, I - inactive
> >>>> 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
> >>>>     protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
> >>>>     sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
> >>>>     proposal=default manual-sa=ah-sa1 priority=0
> >>>> [EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
> >>>> Flags: X - disabled, I - invalid
> >>>> 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
> >>>>     esp-enc-algorithm=null ah-key=<same 64 hex characters> esp-auth-key=""
> >>>>     esp-enc-key="" ah-spi=0x101/0x100 esp-spi=0x100 lifetime=0s
> >>>>
> >>>>
> >>>>
> >>>> ----------
> >>>> Mike Hammett
> >>>> Intelligent Computing Solutions
> >>>> http://www.ics-il.com
> >>>>
> >>>> _______________________________________________
> >>>> Mikrotik mailing list
> >>>> [email protected]
> >>>> http://www.butchevans.com/mailman/listinfo/mikrotik
> >>>>
> >>> -------------- next part --------------
> >>> A non-text attachment was scrubbed...
> >>> Name: CF NIF IPSec issue.pdf
> >>> Type: application/pdf
> >>> Size: 62758 bytes
> >>> Desc: not available
> >>> Url : http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf
> >>
> >
>
>


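Worked example, added to this page: it is not code from the thread, from Kristian, or from MikroTik. It turns the checks a practitioner would run on the material quoted above into a small Python script. Fed the two routers' `/log print detail` output, it flags the state the thread shows: the 65.182.0.0 side purges an ISAKMP-SA (cookie pair 2cd56cea0b29c949:1769b0ce00a81785) and then keeps receiving quick-mode messages for it, while the 68.60.0.0 side keeps retrying phase 2 and never renegotiates phase 1. It also diffs the two `/ip ipsec peer` dumps (they differ only in DPD: disable-dpd with 5 failures on one end, 20s with 1 failure on the other), flags the 3DES/modp1024 settings as legacy, and reports that the very first policy, ipsec-protocols=ah with null ESP, put no encryption on the wire at all. The log lines and dumps below are shortened copies of the ones in the thread; the pre-shared key is replaced by a placeholder (a PSK pasted to a public list should be considered compromised and rotated). The detection rules, the MUST_MATCH list and the LEGACY table are this example's own assumptions, and the thread itself does not settle whether the DPD asymmetry is what caused the drops.

```python
"""Consistency checks for RouterOS IPsec (racoon, IKEv1) logs and peer settings.

Added example, not code from the thread or from MikroTik. LOG_65, LOG_68, the
PEER_* dumps and POLICY_AH_ONLY are shortened copies of what the thread shows
(PSK replaced by a placeholder). The rules, MUST_MATCH and LEGACY are the
example's own assumptions about what a site-to-site setup should satisfy.
"""
import re
from collections import Counter

LOG_RE = re.compile(r'time=(?P<time>.+?) topics=(?P<topics>\S+) message="(?P<msg>.*)"\s*$')
COOKIE_RE = re.compile(r"\b([0-9a-f]{16}:[0-9a-f]{16})\b")  # IKEv1 initiator:responder cookies
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')                # key=value tokens of 'print detail'

# Peer settings that must agree on both ends. DPD is listed because an end with
# DPD off never learns that its peer has dropped the ISAKMP-SA.
MUST_MATCH = ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group",
              "lifetime", "nat-traversal", "dpd-interval", "dpd-maximum-failures")
LEGACY = {"enc-algorithm": {"des", "3des"}, "hash-algorithm": {"md5"},
          "dh-group": {"modp768", "modp1024"}}

# Router 65.182.0.0 (racoon logs local<=>remote): it purges the ISAKMP-SA, then
# the peer keeps sending quick-mode messages for that same cookie pair.
LOG_65 = """\
time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:31 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
"""
# Router 68.60.0.0: retries phase 2 against the phase 1 it still believes in
# and never starts a new phase 1.
LOG_68 = """\
time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
time=16:43:08 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:43:08 topics=ipsec,ike message="none message must be encrypted"
time=16:43:38 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
"""
# '/ip ipsec peer print detail' on 68.60.0.0; the 65.182.0.0 end differs only in DPD.
PEER_68 = """\
0   address=65.182.0.0/32:500 auth-method=pre-shared-key secret="<psk>"
    generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024
    lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
"""
PEER_65 = PEER_68.replace("65.182.0.0", "68.60.0.0").replace(
    "dpd-interval=disable-dpd dpd-maximum-failures=5", "dpd-interval=20s dpd-maximum-failures=1")
# The first policy posted in the thread: AH only, manual SA.
POLICY_AH_ONLY = ("0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all "
                  "action=encrypt level=require ipsec-protocols=ah tunnel=yes manual-sa=ah-sa1")


def parse_log(text):
    """'/log print detail' lines -> dicts with time, topics, msg and the IKE cookie pair."""
    out = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["topics"] = e["topics"].split(",")
            c = COOKIE_RE.search(e["msg"])
            e["cookie"] = c.group(1) if c else None
            out.append(e)
    return out


def parse_kv(text):
    """'print detail' output -> dict; the PSK is dropped so it never lands in a report."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(text)}
    kv.pop("secret", None)
    return kv


def stale_phase1_references(entries):
    """Cookie pairs this side purged/deleted that the peer still sends quick-mode
    traffic for afterwards: the two ends disagree about which ISAKMP-SA exists."""
    deleted, findings = {}, {}
    for e in entries:
        c, msg = e["cookie"], e["msg"]
        if c and msg.startswith(("purging ISAKMP-SA", "purged ISAKMP-SA", "ISAKMP-SA deleted")):
            deleted.setdefault(c, e["time"])
        elif c in deleted and msg.startswith("can't start the quick mode"):
            f = findings.setdefault(c, {"deleted": deleted[c], "attempts": 0, "first": e["time"]})
            f["attempts"] += 1
            f["last"] = e["time"]
    return findings


def initiator_stuck(entries):
    """True when phase-2 attempts time out without any phase-1 (re)negotiation."""
    n = Counter()
    for e in entries:
        msg = e["msg"]
        if msg.startswith("initiate new phase 1"):
            n["phase1_init"] += 1
        elif msg.startswith("initiate new phase 2"):
            n["phase2_init"] += 1
        elif msg.startswith("none message must be encrypted"):
            n["unencrypted_reply"] += 1
        elif "give up to get IPsec-SA" in msg:
            n["phase2_timeout"] += 1
    return n["phase2_timeout"] > 0 and n["phase1_init"] == 0, n


def peer_mismatches(peer_a, peer_b):
    """Settings from MUST_MATCH that differ between the two 'ipsec peer' dumps."""
    a, b = parse_kv(peer_a), parse_kv(peer_b)
    return {k: (a.get(k), b.get(k)) for k in MUST_MATCH if a.get(k) != b.get(k)}


def legacy_settings(peer):
    """Settings below current recommendations (DES/3DES, MD5, DH groups under 2048 bits)."""
    kv = parse_kv(peer)
    return {k for k, bad in LEGACY.items() if kv.get(k) in bad}


def policy_encrypts(policy):
    """False for an AH-only policy: AH authenticates the packet but leaves the payload in clear."""
    return "esp" in parse_kv(policy).get("ipsec-protocols", "").split(",")
```

Each function returns its finding rather than printing it, so the checks can be wired into whatever collects router logs. On the thread's data, `stale_phase1_references(parse_log(LOG_65))` names the purged cookie pair with three later quick-mode attempts against it, `initiator_stuck(parse_log(LOG_68))` is true because there are phase-2 timeouts but no phase-1 initiation, and `peer_mismatches(PEER_68, PEER_65)` reports only the two DPD settings.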