IPSec between Nethserver and Mikrotik

NethServer Version: Latest version
Module: VPN

Hello folks,
I’m trying to set up a VPN between NethServer and a Mikrotik device (7.3) and getting this error message:
pluto[17502]: packet from 1.1.1.1:500: initial Main Mode message received on 2.2.2.2:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

I have tried IKE2, force IKE1 and force IKE2.

Nethserver:
authby=secret
auto=start
compress=no
dpdaction=hold
dpddelay=30
dpdtimeout=120
# Phase 1 (IKE) proposal: 3DES / MD5 / 1024-bit DH group 2 (NethServer default at the time)
ike=3des-md5;modp1024
ikelifetime=86400s
# permit = accept IKEv2 if the peer offers it, otherwise fall back to IKEv1
ikev2=permit
left=%defaultroute
leftid=@server1.local
leftsourceip=192.168.100.1
leftsubnets={ 192.168.100.0/22 }
pfs=yes
# Phase 2 (ESP) proposal, same algorithms and PFS group as phase 1
phase2alg=3des-md5;modp1024
right=1.1.1.1
rightid=@server2.remote
rightsubnets={ 10.0.0.0/24 }
salifetime=3600s

Has anyone been able to come up with a setup using something else that is not a Nethserver on both sides?

Thanks,

Hi @jfranco

I don’t use Mikrotik at all, but I can confirm a well-working IPsec VPN between OPNsense and NethServer using IKEv2.

I’ll also confirm using much stronger encryption than your settings. I have not used 3DES for several years now. I use AES256, SHA512 and more…

And it all works very stably, no issues even when using a dynamic IP on one side (DynDNS).

I can also confirm an IPsec connection to a SonicWall firewall from NethServer.

My 2 cents
Andy

Note:

A very old Pentium CPU takes about 4-6 hours to brute-force crack a 3DES encryption. Newer CPUs take less than an hour! Even in the year 2000, 3DES was considered insecure, even though a lot of devices still include it in the encryptions as an option. 3DES was once (a very long time ago!) an encryption standard in the US.
So I don’t suggest using 3DES at all!


Under the Cockpit interface, NethServer 7 relies on CentOS 7 and StrongSwan for IPsec. If you can find any tutorial for Mikrotik and CentOS 7, you can find useful information on how to do things the right way.

I’d suggest to use IKEv1 or “Force IKE1” as you stated in your first post.

@pike

AFAIK, Mikrotik does support IKEv2, so I’d suggest using IKEv2 instead of the much older IKEv1.

Using old docs or very old protocols CAN result in a non-working VPN, simply because newer devices no longer support old and risky encryption like 3DES.
Besides which, why a VPN when anyone can read it?

My 2 cents
Andy

Using IKEv1 doesn’t mean using 3DES… as far as I know.

No, but on a lot of devices it’s part of the default setting and will default to 3DES…
And it’s not ONLY 3DES why one should NOT use it anymore…

If you’re forced to use e.g. a Fritzbox (many Germans and Swiss are), you only have IKEv1 as an option…
IKEv2 won’t come soon there, as AVM (the maker) won’t be providing a newer kernel or whatever is needed to provide IKEv2 - the basis is that old!

This post is not about “lot of devices”, but about a Mikrotik… And according to your post

Supports also IKEv2, therefore also AES.

No, but it’s generally not a good idea to suggest using 20-year-old protocols when newer and better ones are available… :)

And, as we’re both part of the user experience of NethServer (here in the Forum) and as Paduan or Ambassador, people may follow our suggestions more than what they find via Google (We carry more weight!), it’s better to keep that in mind when suggesting stuff…

Besides which - 6 posts among ourselves before the user even replies?
Looks kinda stupid…

:)

Newer means only newer… Better yet to be proven. Yes, the same old song about Wireguard

well…

Thank you guys!!!
I went for the defaults when you first create the IPSec VPN on Neth because I tried all the other without success.
I wanted to see if anyone else had struggled with this setup.
I’ll try different approaches and report back if successful.

I wanted to try Wireguard, but I hear it’s not ready for prime time on Neth.

Thanks,

Also because on CentOS 7 it is not part of the kernel…

I was able to get the IPsec VPN between Cisco <=> Mikrotik and pfSense <=> Mikrotik, but not Nethserver <=> Mikrotik.
I have now set SHA256 / AES256 and DH 2048 bits with IKE2 on all platforms.

This is the message I receive:
initial parent SA message received on 1.1.1.1:4500 but no suitable connection found with IKEv2 policy
Jul 18 13:52:08 neth pluto[9755]: packet from 2.2.2.2:4500: responding to SA_INIT message (ID 0) from 1.1.1.1:4500 with unencrypted notification NO_PROPOSAL_CHOSEN

This is a great resource:

Which means that the two parties did not find a shared set of cipher, PFS group, and so on.

Thank you all!
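
The NO_PROPOSAL_CHOSEN message above (and the first post’s "no connection has been authorized" one) both come down to the two ends not agreeing on one encryption, one integrity and one DH/PFS algorithm. The following script is an added example, not code from this thread or from NethServer: it parses a Libreswan ike=/phase2alg= string (the real grammar, proposals separated by ",", "enc-integ;dh" inside each, "+" for alternatives) and a RouterOS 7 profile/proposal (the algorithm names as written in /ip ipsec profile and /ip ipsec proposal), folds the vendor spellings onto one name, and reports what the responder could pick. The name-folding rules and the "non-empty intersection per transform type" rule are this example’s own simplification; the two sample configurations are constructed from the settings quoted in the thread.

```python
"""Proposal-overlap checker: Libreswan (NethServer's pluto) vs. Mikrotik RouterOS 7.

Added example, not from the forum thread or from NethServer.  Assumptions:
  * canon() folds vendor spellings (sha2_256 / sha256, aes-256-cbc / aes256)
    onto one name; it covers the CBC/HMAC names used in the thread, not the
    'aes_gcm_c-256' AEAD spelling.
  * a negotiation succeeds when both sides share at least one encryption, one
    integrity and one DH/PFS algorithm; a side that pins no DH group is
    treated as accepting the other side's group.
"""
from dataclasses import dataclass


def canon(name: str) -> str:
    """Normalise one algorithm name: 'sha2_256' -> 'sha256', 'aes-256-cbc' -> 'aes256'."""
    n = name.strip().lower()
    if n.endswith("-cbc"):
        n = n[:-4]
    n = n.replace("sha2_", "sha")
    return n.replace("-", "").replace("_", "")


@dataclass(frozen=True)
class Proposal:
    enc: frozenset    # encryption transforms offered
    integ: frozenset  # integrity/PRF transforms offered
    dh: frozenset     # DH (IKE) or PFS (ESP) groups; empty = not pinned


def _alts(s: str) -> frozenset:
    """'aes256+aes128' (Libreswan) or 'aes-256,aes-128' (RouterOS) -> set of names."""
    return frozenset(canon(x) for x in s.replace(",", "+").split("+") if x.strip())


def parse_libreswan(spec: str) -> list:
    """Parse an ike= / phase2alg= value, e.g. 'aes256-sha2_256;modp2048,3des-md5;modp1024'."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        algs, _, dh = item.partition(";")
        enc, _, integ = algs.partition("-")
        out.append(Proposal(_alts(enc), _alts(integ) if integ else frozenset({"none"}),
                            _alts(dh) if dh else frozenset()))
    return out


def routeros_proposal(enc: str, auth: str, dh: str) -> Proposal:
    """RouterOS profile (enc-algorithm, hash-algorithm, dh-group) or
    proposal (enc-algorithms, auth-algorithms, pfs-group) values."""
    return Proposal(_alts(enc), _alts(auth), _alts(dh))


def negotiate(ours: list, theirs: list):
    """Return (enc, integ, dh) for the first proposal pair that overlaps, else None."""
    for a in ours:
        for b in theirs:
            enc = a.enc & b.enc
            integ = a.integ & b.integ
            # unpinned DH on one side: accept whatever the other side pins
            dh = (a.dh | b.dh) if not (a.dh and b.dh) else (a.dh & b.dh)
            if enc and integ and (dh or not (a.dh or b.dh)):
                return (sorted(enc)[0], sorted(integ)[0], sorted(dh)[0] if dh else "unspecified")
    return None


def explain(ours: list, theirs: list) -> str:
    chosen = negotiate(ours, theirs)
    return "NO_PROPOSAL_CHOSEN" if chosen is None else "%s-%s;%s" % chosen


# Constructed from the thread: the first post's default and the later AES/SHA256/2048 settings.
WEAK_IKE = parse_libreswan("3des-md5;modp1024")
STRONG_IKE = parse_libreswan("aes256-sha2_256;modp2048")
STRONG_ESP = parse_libreswan("aes256-sha2_256;modp2048")
MIKROTIK_PROFILE = routeros_proposal("aes-256", "sha256", "modp2048")     # phase 1
MIKROTIK_PHASE2 = routeros_proposal("aes-256-cbc", "sha256", "modp2048")  # phase 2

if __name__ == "__main__":
    print("weak IKE  vs Mikrotik profile :", explain(WEAK_IKE, [MIKROTIK_PROFILE]))
    print("strong IKE vs Mikrotik profile:", explain(STRONG_IKE, [MIKROTIK_PROFILE]))
    print("strong ESP vs Mikrotik proposal:", explain(STRONG_ESP, [MIKROTIK_PHASE2]))
```

Run it as-is to see the weak default fail and the aligned settings agree; to check your own tunnel, paste the ike= and phase2alg= values from the NethServer side and the enc/hash/dh values shown by /ip ipsec profile print and /ip ipsec proposal print on the Mikrotik side into the two constructors.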


I’ll have to write a tutorial about this experience so people in the future can have this working.
I was able to authenticate Mikrotik, Ubiquiti EdgeRouter, Ubiquiti UDM, pfSense and Cisco devices to NethServer.

Best regards,
