Netgate Discussion Forum
    IPsec MikroTik <–> pfSense 2.2 broken

    18 Posts 9 Posters 25.3k Views
      patrick7

      Hi,

      Today I upgraded from pfSense 2.1.5 to 2.2. I'm running IPsec to 3 different locations (all 3 locations are MikroTik based). Before the upgrade, everything was fine. But since I upgraded, sometimes the IPsec connection drops (it is shown as established in Status -> IPsec). I already tried disabling and re-enabling IPsec on pfSense, flushing installed SAs on the MikroTik, killing all connections on the MikroTik and rebooting both devices, without any success. But after some time (20-30 mins), the connection comes up again.

      config on MikroTik:

      /ip ipsec proposal print
      name="default" auth-algorithms=sha1 enc-algorithms=blowfish lifetime=1h pfs-group=modp1024
      
      /ip ipsec peer print
      address=(pfsense wan ip) local-address=(mikrotik wan ip) passive=no port=500 auth-method=pre-shared-key secret="(key)" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no 
      proposal-check=obey hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=modp1024 lifetime=20m lifebytes=0 dpd-interval=10s dpd-maximum-failures=5
      
      /ip ipsec policy print
      src-address=(mikrotik network)/22 src-port=any dst-address=(pfsense network)/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=(mikrotik wan ip) 
      sa-dst-address=(pfsense wan ip) proposal=default priority=0
      

      pfSense config:

      MikroTik log:

      20:22:49 ipsec,error failed to pre-process ph2 packet. 
      20:23:21 ipsec,error failed to pre-process ph2 packet. 
      20:23:53 ipsec,error failed to pre-process ph2 packet. 
      20:24:25 ipsec,error failed to pre-process ph2 packet. 
      20:24:58 ipsec,error failed to pre-process ph2 packet. 
      20:25:30 ipsec,error failed to pre-process ph2 packet. 
      20:26:02 ipsec,error failed to pre-process ph2 packet. 
      20:26:34 ipsec,error failed to pre-process ph2 packet. 
      20:27:06 ipsec,error failed to pre-process ph2 packet. 
      20:27:38 ipsec,error failed to pre-process ph2 packet. 
      20:28:11 ipsec,error failed to pre-process ph2 packet. 
      20:28:43 ipsec,error failed to pre-process ph2 packet. 
      20:29:15 ipsec,error failed to pre-process ph2 packet. 
      20:29:47 ipsec,error failed to pre-process ph2 packet. 
      20:30:19 ipsec,error failed to pre-process ph2 packet. 
      20:30:51 ipsec,error failed to pre-process ph2 packet. 
      20:31:23 ipsec,error failed to pre-process ph2 packet. 
      20:31:55 ipsec,error failed to pre-process ph2 packet. 
      
      

      Any ideas? :-)

      Regards
      Patrick

        georgeman

        I have just upgraded, and I am seeing the exact same issue, it is starting to get on my nerves… Will keep investigating...

        Any heads up are appreciated!!

        EDIT: I think I got it. It seems OpenSwan doesn't like to be a responder for the MikroTik devices. Workaround: set the MikroTiks to "Passive" in the Peers section, so they do not initiate the connection.

        Still, there's an issue. As per the MikroTik logs, it looks like OpenSwan is proposing "0.0.0.0/0" as the phase2 subnet, but only when working as a responder ???

        If it ain't broke, you haven't tampered enough with it

          Riccardo90

          Hello,
          I have the same issue as you, but I also have it on a pfSense-to-pfSense IPsec connection.

          I tried several times to reload the service on both sites, reconfigure the VPN and change the parameters, but nothing works: IPsec is still down to all sites.

          Before the upgrade I was able to use the VPN tunnel with a Cisco Meraki environment, pfSense, etc.

          Do you have any suggestions? Is there any way to replace strongSwan with racoon?

          Thanks,
          Regards

          Riccardo

            patrick7

            @georgeman Thanks - this seems to be the solution. But now the problem is that the first traffic needs to come from the pfSense side to establish the IPsec tunnel. In my case, all traffic comes from the MikroTik side. Also the "Automatically ping host" option does not work. Bug in pfSense?

              Zeon

              Yeah, I had another thread about something similar for pfSense to pfSense. I think there are some changes in the new IPsec which change previously working behaviour.

                cmb

                @georgeman:

                Still, there's an issue. As per the MikroTik logs, it looks like OpenSwan is proposing "0.0.0.0/0" as the phase2 subnet, but only when working as a responder ???

                Try disabling the unity plugin on the advanced settings tab under VPN>IPsec, there is some circumstance with unity which kicks strongswan into changing its local to 0.0.0.0/0. If you know of a config to reliably replicate that, I'd like to know details so we have a replicable test case to help get that problem fixed upstream in strongswan.

                  georgeman

                  @cmb:

                  @georgeman:

                  Still, there's an issue. As per the MikroTik logs, it looks like OpenSwan is proposing "0.0.0.0/0" as the phase2 subnet, but only when working as a responder ???

                  Try disabling the unity plugin on the advanced settings tab under VPN>IPsec, there is some circumstance with unity which kicks strongswan into changing its local to 0.0.0.0/0. If you know of a config to reliably replicate that, I'd like to know details so we have a replicable test case to help get that problem fixed upstream in strongswan.

                  Seems to be (at least) partially related to what you mention, except after disabling the Cisco Unity plugin it keeps behaving in the same way (I even rebooted the box after disabling unity).

                  This is a site-to-site IKEv1 VPN from an Alix 2D13 towards a MikroTik RB750 running RouterOS v6.25 (latest), configured with RSA authentication, which BTW worked fine with pfSense v2.1.x and racoon.

                  This is on the strongswan log:

                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> proposing traffic selectors for us:
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39>  172.21.2.0/24|/0
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> proposing traffic selectors for other:
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39>  172.21.3.0/24|/0
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> changing proposed traffic selectors for us:
                  Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39>  0.0.0.0/0|/0
                  

                  This is what gets logged on the MikroTik device:

                  no policy found: 0.0.0.0/0[0] 172.21.3.0/24[0] proto=any dir=in
                  failed to get proposal for responder.
                  failed to pre-process ph2 packet.
                  

                  strongswan.conf

                  
                  # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. 
                  starter {
                  load_warning = no
                  }
                  
                  charon {
                  # number of worker threads in charon
                  threads = 16
                  ikesa_table_size = 32
                  ikesa_table_segments = 4
                  init_limit_half_open = 1000
                  install_routes = no
                  
                  cisco_unity = no
                  interfaces_use = vr2,vr0
                  
                  # And two loggers using syslog. The subsections define the facility to log
                  # to, currently one of: daemon, auth.
                  syslog {
                  	identifier = charon
                  	# default level to the LOG_DAEMON facility
                  	daemon {
                  	}
                  	# very minimalistic IKE auditing logs to LOG_AUTHPRIV
                  	auth {
                  		default = -1
                  		ike = 1
                  		ike_name = yes
                  	}
                  }
                  	plugins {
                  	}
                  }
                  

                  Relevant part of ipsec.conf

                  conn con2000
                  	reqid = 4
                  	fragmentation = yes
                  	keyexchange = ikev1
                  	reauth = yes
                  	forceencaps = no
                  	rekey = yes
                  	installpolicy = yes
                  	type = tunnel
                  	dpdaction = restart
                  	dpddelay = 10s
                  	dpdtimeout = 60s
                  	auto = route
                  	left = xxx.xxx.xxx.xxx
                  	right = yyy.yyy.yyy.yyy
                  	leftid = 
                  	ikelifetime = 28800s
                  	lifetime = 3600s
                  	ike = aes128-sha1-modp1024!
                  	esp = aes128-sha1,aes128-sha1!
                  	leftauth = pubkey
                  	rightauth = pubkey
                  	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-2.crt
                  	rightid = <<certificate CN between quotes>>
                  	aggressive = no
                  	rightsubnet = 172.21.3.0/24
                  	leftsubnet = 172.21.2.0/24
                  

                  This is only happening when strongswan works as a responder.

                  On the MikroTik documentation, it says the following:

                  From http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Mode_Config:

                  Note: If RouterOS client is initiator, it will always send CISCO UNITY extension, and RouterOS supports only split-include from this extension.

                  Any clues?? I couldn't find further information on how to stop this behavior from strongswan.

                  If you need more info, please let me know.

                  Best regards!


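An added example, not code from the thread, pfSense, strongSwan or MikroTik, that turns the two log excerpts above into a check a defender can run over a longer log capture. It parses charon CFG lines to find an IKE_SA whose "for us" traffic selector was first proposed as the configured subnet and then changed to 0.0.0.0/0, and parses the RouterOS "no policy found" line to show why the MikroTik rejected that proposal. The sample lines are constructed in the format of the logs quoted above (a second, healthy tunnel con1000 is added for contrast), and the exact-match policy rule in mikrotik_mismatch is an assumption drawn from that message, not from RouterOS documentation.

```python
"""Spot strongSwan (charon) rewriting its own phase 2 traffic selector to 0.0.0.0/0
and relate it to the RouterOS "no policy found" message.

Added example for this thread, not code from pfSense, strongSwan or MikroTik.
Sample lines are constructed in the format of the quoted logs; exact-match
policy comparison is an assumption drawn from the "no policy found" message.
"""
import re
from dataclasses import dataclass, field

# e.g. "charon: 12[CFG] <con2000|39> proposing traffic selectors for us:"
CHARON_CFG = re.compile(r"charon: \d+\[CFG\] (?:<(?P<conn>[^>]+)> )?(?P<msg>.*)$")
# e.g. "172.21.2.0/24|/0" -> the subnet; the port range after the pipe is ignored
TS_ENTRY = re.compile(r"^(?P<net>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/\d+$")
# e.g. "no policy found: 0.0.0.0/0[0] 172.21.3.0/24[0] proto=any dir=in"
MT_NO_POLICY = re.compile(
    r"no policy found: (?P<src>\S+?)\[\d+\] (?P<dst>\S+?)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>\S+)")


@dataclass
class Phase2Trace:
    conn: str
    proposed_us: list = field(default_factory=list)  # after "proposing traffic selectors for us:"
    changed_us: list = field(default_factory=list)   # after "changing proposed traffic selectors for us:"


def parse_charon(lines):
    """Group the 'for us' traffic selectors per IKE_SA name from charon CFG log lines."""
    traces = {}
    section = None  # which list the following indented subnet lines belong to
    for line in lines:
        m = CHARON_CFG.search(line)
        if not m or not m.group("conn"):
            continue  # lines without an IKE_SA tag cannot be attributed to a tunnel
        conn, msg = m.group("conn"), m.group("msg").strip()
        trace = traces.setdefault(conn, Phase2Trace(conn))
        if msg == "proposing traffic selectors for us:":
            section = "proposed"
        elif msg == "changing proposed traffic selectors for us:":
            section = "changed"
        elif msg.endswith(":"):
            section = None  # "for other:" and similar headers are not tracked here
        else:
            ts = TS_ENTRY.match(msg)
            if ts and section == "proposed":
                trace.proposed_us.append(ts.group("net"))
            elif ts and section == "changed":
                trace.changed_us.append(ts.group("net"))
    return traces


def find_wildcard_rewrites(traces):
    """Return (conn, configured_subnet, rewritten_subnet) for each IKE_SA whose
    configured local selector was replaced by the 0.0.0.0/0 wildcard."""
    hits = []
    for conn, tr in traces.items():
        if tr.proposed_us and "0.0.0.0/0" not in tr.proposed_us and "0.0.0.0/0" in tr.changed_us:
            hits.append((conn, tr.proposed_us[0], "0.0.0.0/0"))
    return hits


def mikrotik_mismatch(line, policies):
    """Compare a RouterOS 'no policy found' line with the configured policies.

    policies: (src-address, dst-address) pairs as shown by '/ip ipsec policy print',
    i.e. local network first, remote network second. For dir=in the message's first
    selector is the remote side's network and the second the local one, so the pair
    is compared reversed. Equality is exact string match (assumption).
    """
    m = MT_NO_POLICY.search(line)
    if not m:
        return None
    offered = (m.group("src"), m.group("dst"))
    if m.group("dir") == "in":
        expected = [(remote, local) for local, remote in policies]
    else:
        expected = list(policies)
    return {"offered": offered, "expected": expected, "matched": offered in expected}


# Constructed sample: one healthy tunnel (con1000) and one rewritten tunnel (con2000)
SAMPLE_CHARON = """\
Jan 26 20:31:40 pfsenseurq charon: 11[CFG] <con1000|38> proposing traffic selectors for us:
Jan 26 20:31:40 pfsenseurq charon: 11[CFG] <con1000|38>  10.10.0.0/24|/0
Jan 26 20:31:40 pfsenseurq charon: 11[CFG] <con1000|38> proposing traffic selectors for other:
Jan 26 20:31:40 pfsenseurq charon: 11[CFG] <con1000|38>  10.20.0.0/24|/0
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> proposing traffic selectors for us:
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39>  172.21.2.0/24|/0
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> proposing traffic selectors for other:
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39>  172.21.3.0/24|/0
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39> changing proposed traffic selectors for us:
Jan 26 20:31:41 pfsenseurq charon: 12[CFG] <con2000|39>  0.0.0.0/0|/0
"""
SAMPLE_MIKROTIK = "no policy found: 0.0.0.0/0[0] 172.21.3.0/24[0] proto=any dir=in"
# Constructed MikroTik policy for that tunnel: local 172.21.3.0/24, remote 172.21.2.0/24
MIKROTIK_POLICIES = [("172.21.3.0/24", "172.21.2.0/24")]

if __name__ == "__main__":
    for conn, before, after in find_wildcard_rewrites(parse_charon(SAMPLE_CHARON.splitlines())):
        print(f"{conn}: local selector {before} rewritten to {after}")
    print(mikrotik_mismatch(SAMPLE_MIKROTIK, MIKROTIK_POLICIES))
```

Feeding the real charon log through parse_charon gives one Phase2Trace per IKE_SA, so a tunnel that only shows the rewrite when strongSwan is the responder stands out against the same tunnel's initiator-side negotiations, which keep the configured subnet in proposed_us and leave changed_us empty.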
                    georgeman

                    Ok, although the option is checked on the GUI, unity does not seem to be disabled:

                    [2.2-RELEASE][root@xxx]/root:  ipsec statusall
                    Status of IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, i386):
                      uptime: 49 seconds, since Jan 26 22:00:58 2015
                      worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
                      loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
                    

                    Does the "cisco_unity" option in strongswan.conf completely disable the plugin, or is it just a configuration option that makes it not send the flags when initiating a connection? Can it be disabled in any other way besides at configure time?

                    Cheers!


                      georgeman

                      Alright, I modified /etc/inc/vpn.inc so the generated strongswan.conf gets an explicit list of plugins to load:

                      # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. 
                      starter {
                      load_warning = no
                      }
                      
                      charon {
                      load = charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
                      # number of worker threads in charon
                      threads = 16
                      ikesa_table_size = 32
                      ikesa_table_segments = 4
                      init_limit_half_open = 1000
                      install_routes = no
                      {$i_dont_care_about_security_and_use_aggressive_mode_psk}
                      {$accept_unencrypted}
                      # cisco_unity = {$unity_enabled}
                      {$ifacesuse}
                      
                      # And two loggers using syslog. The subsections define the facility to log
                      # to, currently one of: daemon, auth.
                      syslog {
                      	identifier = charon
                      	# default level to the LOG_DAEMON facility
                      	daemon {
                      	}
                      	# very minimalistic IKE auditing logs to LOG_AUTHPRIV
                      	auth {
                      		default = -1
                      		ike = 1
                      		ike_name = yes
                      	}
                      }
                      
                      EOD;
                      

                      I got that list from the regular list of loaded plugins from "ipsec statusall" but removed unity from it. Once unity is not loaded, the phase2 settings are not automatically changed anymore and everything works fine.

                      I am not sure if this is the proper way to handle it, but I seriously needed this to work right away. Feedback is appreciated.

                      Conclusions from all this:

                      • The unity plugin is the culprit (probably worth reporting and/or fixing upstream)
                      • pfSense is not properly disabling the unity plugin

                      Best regards!!


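An added example, not pfSense's own vpn.inc code, that automates the check behind the workaround above: it pulls the plugin list out of "ipsec statusall" output, drops "unity" and emits the charon "load =" line, then audits a strongswan.conf to tell a box that merely sets "cisco_unity = no" from one that keeps the plugin out of the load list. The statusall excerpt and the two config fragments are constructed (the plugin list is shortened); the rule that charon loads every built plugin when no "load" key is present is stated as an assumption in the code.

```python
"""Check whether the strongSwan 'unity' plugin can still load from a strongswan.conf.

Added example for this thread, not pfSense's vpn.inc. It reproduces by code the
steps done by hand above: take the plugin list from 'ipsec statusall', drop
'unity', and build a 'load =' line; then audit a strongswan.conf for the two
relevant keys. Assumption: with no 'load' key in charon { } every built plugin
is loaded, unity included, so 'cisco_unity = no' alone does not keep it out.
"""


def loaded_plugins(statusall_text):
    """Extract the plugin names from the 'loaded plugins:' line of 'ipsec statusall'."""
    for line in statusall_text.splitlines():
        line = line.strip()
        if line.startswith("loaded plugins:"):
            return line.split(":", 1)[1].split()
    return []


def load_line_without(plugins, drop=("unity",)):
    """Build the charon 'load =' setting from a plugin list minus the ones to drop."""
    return "load = " + " ".join(p for p in plugins if p not in drop)


def audit_strongswan_conf(conf_text):
    """Report the cisco_unity value, the explicit load list (if any) and whether the
    unity plugin would still be loaded. Only keys directly inside 'charon { }' count;
    'starter { }' and nested sections such as 'syslog { }' are skipped."""
    cisco_unity, load_list = None, None
    depth, in_charon = 0, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, so '# cisco_unity = ...' is ignored
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0 and line[:-1].strip() == "charon":
                in_charon = True
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                in_charon = False
            continue
        if not (in_charon and depth == 1):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "cisco_unity":
            cisco_unity = value
        elif key == "load":
            load_list = value.split()
    # Assumption (see module docstring): no explicit load list means everything loads.
    unity_loadable = load_list is None or "unity" in load_list
    return {"cisco_unity": cisco_unity, "load": load_list, "unity_loadable": unity_loadable}


# Constructed 'ipsec statusall' excerpt with a shortened plugin list
STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, i386):
  uptime: 49 seconds, since Jan 26 22:00:58 2015
  loaded plugins: charon aes sha1 sha2 hmac x509 pubkey kernel-pfkey stroke updown unity
"""

# Constructed config: the GUI "disable unity" setting only, plugin still loadable
CONF_BEFORE = """\
starter {
    load_warning = no
}
charon {
    threads = 16
    cisco_unity = no
    syslog {
        identifier = charon
    }
}
"""

# Constructed config: explicit load list without unity, as in the workaround above
CONF_AFTER = """\
charon {
    load = charon aes sha1 sha2 hmac x509 pubkey kernel-pfkey stroke updown
    threads = 16
    # cisco_unity = no
    syslog {
        identifier = charon
    }
}
"""

if __name__ == "__main__":
    print(load_line_without(loaded_plugins(STATUSALL)))
    print("before:", audit_strongswan_conf(CONF_BEFORE))
    print("after: ", audit_strongswan_conf(CONF_AFTER))
```

The audit is meant to be run against the generated /var/etc/ipsec/strongswan.conf after toggling the GUI option: "unity_loadable" staying True with "cisco_unity" set to "no" is exactly the state the statusall output above shows.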
                        cmb

                        It does set "cisco_unity = no" in strongswan.conf when you disable it, which should be adequate, but sounds like that's not enough to fix that problem.

                        Hopefully with your Mikrotik config there I'll be able to replicate it now. Added note to the still-open bug on this.
                        https://redmine.pfsense.org/issues/4178

                          eri--

                          Can you also please do a test by choosing another modp than 1024 on both phase1 and phase2?

                            abidkhanhk

                            Hi,

                            I am also having the same issue; only the first P2 entry connects and the rest don't work.

                            The tunnels are between 2 pfSense boxes.

                            At first I thought it was because tunnels from 2.1.5 were not compatible with 2.2, so I created new ones.

                            I tried the following:

                            • changed IKE to all three modes: V1, V2 and Auto
                            • disabled the Unity option in the advanced menu
                            • changed PFS to off, and other options

                            Both boxes are upgraded to the 2.2 release.

                            Regards
                            Abid

                              georgeman

                              @hongkonger: that is not the same issue

                              @ermal: I tried the following combinations of ph1 / ph2 and all of them behave in the same way when the unity plugin is loaded, as described before:

                              modp1024 / none
                              modp768 / none
                              modp768 / modp768
                              modp2048 / none
                              modp2048 / modp2048
                              modp1536 / modp768
                              modp768 / modp1536


                                eri--

                                Do all tunnels have the same subnets specified on phase2?

                                  georgeman

                                  I forgot to mention that I tested with only one phase1 and one phase2 on both sides.

                                  Best regards


                                    zueri

                                    Sorry to warm up this topic.

                                    Is there any news on this? I updated to 2.2.1 last week and am facing the same issues. Switching the MikroTik to passive helped, but it is not really a good solution for me (the MikroTik should be the initiator in my case).

                                      cmb

                                      The unity bug that was the source of OP's issue was fixed/worked around in 2.2.1. If you check the "disable unity" checkbox on the advanced tab, it'll prevent that from being an issue.

                                      @zueri:

                                      Is there any news on this? I updated to 2.2.1 last week and am facing the same issues. Switching the MikroTik to passive helped, but it is not really a good solution for me (the MikroTik should be the initiator in my case).

                                      That definitely sounds the same as OP's issue; disable unity.

                                        pfoerster

                                        This post is deleted!