I've upgraded my devices from bugfix version 6.37.5 to the latest bugfix 6.38.7, and the IPsec tunnel doesn't work anymore.
I've tested this issue with 5/6 setups in different infrastructures, with multiple IPsec clients (Apple, Windows, etc.).
This is the log:
Code:
13:57:41 ipsec,info XAuth login succeeded for user: xxxx
13:57:41 ipsec,info acquired 10.255.255.19 address for Y.Y.Y.Y[65169]
13:57:41 ipsec Ignored attribute INTERNAL_IP4_NBNS
13:57:41 ipsec Ignored attribute INTERNAL_ADDRESS_EXPIRY
13:57:41 ipsec Ignored attribute 28683
13:57:43 ipsec respond new phase 2 negotiation: Z.Z.Z.Z[4500]<=>Y.Y.Y.Y[65169]
13:57:43 ipsec searching for policy
13:57:43 ipsec template lookup for selector: 192.168.5.0/24 <=> 10.255.255.19
13:57:43 ipsec no template matches
13:57:43 ipsec failed to get proposal for responder.
13:57:43 ipsec,error Y.Y.Y.Y failed to pre-process ph2 packet.
13:57:43 ipsec sendto Information notify.
13:57:46 ipsec,error Y.Y.Y.Y peer sent packet for dead phase2
13:57:49 ipsec,error Y.Y.Y.Y peer sent packet for dead phase2
Code:
/ip ipsec mode-config
add address-pool=pool-VPN name=pool-VPN split-include=192.168.5.0/24 system-dns=no
/ip ipsec policy group
add name="VPN Users"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dpd-interval=10m dpd-maximum-failures=10 enc-algorithm=aes-256 generate-policy=port-override mode-config=pool-VPN passive=yes policy-template-group="VPN Users" secret=xxxxx
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.5.0/24 group="VPN Users" src-address=10.255.255.0/24 template=yes
/ip pool
add name=pool-VPN ranges=10.255.255.10-10.255.255.20
The changelog from the previous version to this bugfix version reports this:
Code:
*) ike1 - fixed crash on xauth message;
*) ike2 - allow multiple child SA traffic selectors on re-key;
*) ike2 - fixed last EAP authentication payload type;
*) ike2 - fixed policy release during SA negotiation;
*) ike2 - fixed RSA authentication without EAP;
*) ike2 - fixed situation when traffic selector prefix was parsed incorrectly;
*) ipsec - do not deduct policy src/dst address for tunnel policies;
*) ipsec - fixed generated policy priority;
*) ipsec - fixed peer "my-id" address reset;
Is this a bug?
Regards
Sim
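An added example, not part of the post above and not MikroTik's code: a small Python check that pulls the "template lookup for selector" line out of a log like the one posted and tests each side of the selector against the template policy's src-address and dst-address with the standard ipaddress module. It assumes the responder compares the left side of the logged selector with the template src-address and the right side with dst-address, in that order; that ordering is an assumption, not something the post documents. The sample log lines are constructed after the posted log, and the template values are the ones from the posted export.

```python
import ipaddress
import re

# Constructed sample lines modelled on the log in the post (not a real capture).
SAMPLE_LOG = [
    "13:57:43 ipsec respond new phase 2 negotiation: Z.Z.Z.Z[4500]<=>Y.Y.Y.Y[65169]",
    "13:57:43 ipsec searching for policy",
    "13:57:43 ipsec template lookup for selector: 192.168.5.0/24 <=> 10.255.255.19",
    "13:57:43 ipsec no template matches",
    "13:57:43 ipsec failed to get proposal for responder.",
]

# The template policy as exported in the post.
TEMPLATE = {"src": "10.255.255.0/24", "dst": "192.168.5.0/24"}

SELECTOR_RE = re.compile(r"template lookup for selector: (\S+) <=> (\S+)")


def parse_selectors(lines):
    """Return (left, right) pairs from every 'template lookup for selector' line."""
    found = []
    for line in lines:
        m = SELECTOR_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def within(template_cidr, selector):
    """True when the selector (a host or a prefix) lies entirely inside the template prefix."""
    try:
        tmpl = ipaddress.ip_network(template_cidr, strict=False)
        sel = ipaddress.ip_network(selector, strict=False)  # a bare host becomes a /32
        return sel.subnet_of(tmpl)
    except (ValueError, TypeError):  # malformed address, or an IPv4/IPv6 mix
        return False


def check_selector(selector, template):
    """Compare each side of the selector with each side of the template.

    Assumption (not stated on the page): the lookup pairs the selector's left
    side with the template src-address and its right side with dst-address.
    The cross checks are reported too, so an operator can see which side of
    the template disagrees with the selector the peer proposed.
    """
    left, right = selector
    report = {
        "left_in_src": within(template["src"], left),
        "right_in_dst": within(template["dst"], right),
        "left_in_dst": within(template["dst"], left),
        "right_in_src": within(template["src"], right),
    }
    report["matches"] = report["left_in_src"] and report["right_in_dst"]
    return report


def diagnose(lines, template):
    """Run the check for every selector lookup in the log and count outright failures."""
    results = [check_selector(sel, template) for sel in parse_selectors(lines)]
    failures = sum(1 for line in lines if "no template matches" in line)
    return {"lookups": results, "no_template_matches": failures}


if __name__ == "__main__":
    out = diagnose(SAMPLE_LOG, TEMPLATE)
    for r in out["lookups"]:
        print(r)
    print("lookups that failed:", out["no_template_matches"])
```

Run against the posted log the report shows neither side of the proposed selector inside the template side it is paired with, while each side does fall inside the opposite template side; that per-side view is what to look at when a responder logs "no template matches" after an upgrade.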