Hello folks,
I’m trying to set up a VPN between NethServer and a Mikrotik device (7.3) and getting this error message:
pluto[17502]: packet from 1.1.1.1:500: initial Main Mode message received on 2.2.2.2:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
I don’t use Mikrotik at all, but I can confirm a well-working IPsec VPN between OPNsense and NethServer using IKEv2.
I’ll also confirm using much harder encryption than your settings. I have not used 3DES for several years now. I use AES256, SHA512 and more…
And it all works very stable, no issues even when using a Dynamic IP on one side (DynDNS).
I can also confirm an IPsec connection to a SonicWall firewall from NethServer.
My 2 cents
Andy
Note:
A very old Pentium CPU takes about 4-6 hours to brute-force crack a 3DES encryption. Newer CPUs take less than an hour! Even in the year 2000, 3DES was considered insecure, even though a lot of devices still include it in the encryptions as an option. 3DES was once (a very long time ago!) an encryption standard in the US.
So I don’t suggest using 3DES at all!
Under the Cockpit interface, NethServer 7 relies on CentOS 7 and StrongSwan for IPsec. If you can find any tutorial for Mikrotik and CentOS 7, you can find useful information on how to do things the right way.
I’d suggest using IKEv1 or “Force IKE1” as you stated in your first post.
AFAIK, Mikrotik does support IKEv2, so I’d suggest using IKEv2 instead of the much older IKEv1.
Using old docs or very old protocols CAN result in a non-working VPN, simply because newer devices no longer support risky encryption like 3DES.
Besides which, why a VPN when anyone can read it?
No, but on a lot of devices it’s part of the default setting and will default to 3DES…
And it’s not ONLY 3DES why one should NOT use it anymore…
If you’re forced to use e.g. a Fritzbox (many Germans and Swiss are), you only have IKEv1 as an option…
IKEv2 won’t come soon there, as AVM (the maker) won’t be providing a newer kernel or whatever is needed to provide IKEv2; the basis is that old!
No, but it’s generally not a good idea to suggest using 20-year-old protocols when newer and better ones are available…
And, as we’re both part of the user experience of NethServer (here in the forum) and, as Padawan or Ambassador, people may follow our suggestions more than what they find via Google (we carry more weight!), it’s better to keep that in mind when suggesting stuff…
Besides which: 6 posts among ourselves before the user even replies?
Looks kinda stupid…
Thank you guys!!!
I went for the defaults when you first create the IPSec VPN on Neth because I tried all the other without success.
I wanted to see if anyone else had struggled with this setup.
I’ll try different approaches and report back if successful.
I wanted to try WireGuard, but I hear it’s not ready for prime time on Neth.
I was able to get the IPsec VPN between Cisco <=> Mikrotik and pfSense <=> Mikrotik, but not Nethserver <=> Mikrotik.
I have now set SHA256 / AES256 and DH 2048 bits with IKEv2 on all platforms.
This is the message I receive:
initial parent SA message received on 1.1.1.1:4500 but no suitable connection found with IKEv2 policy
Jul 18 13:52:08 neth pluto[9755]: packet from 2.2.2.2:4500: responding to SA_INIT message (ID 0) from 1.1.1.1:4500 with unencrypted notification NO_PROPOSAL_CHOSEN
I’ll have to write a tutorial about this experience so people in the future can have this working.
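The pluto messages quoted in this thread each point at a different stage of the IKE negotiation failing (wrong IKE version/auth method, no matching connection, no overlapping proposal). The following is an added example, not code from the thread or from NethServer: a small Python classifier that runs over log lines in the format quoted above and maps each failure to the thing a practitioner would check first. The sample log is constructed from the lines in this thread (with one added "established" line to show that non-failure lines are ignored); the hint texts are general IKE troubleshooting notes, not NethServer documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the pluto lines quoted in this thread.
SAMPLE_LOG = """\
Jul 18 13:40:01 neth pluto[17502]: packet from 1.1.1.1:500: initial Main Mode message received on 2.2.2.2:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Jul 18 13:52:08 neth pluto[9755]: initial parent SA message received on 1.1.1.1:4500 but no suitable connection found with IKEv2 policy
Jul 18 13:52:08 neth pluto[9755]: packet from 2.2.2.2:4500: responding to SA_INIT message (ID 0) from 1.1.1.1:4500 with unencrypted notification NO_PROPOSAL_CHOSEN
Jul 18 13:53:10 neth pluto[9755]: "example-conn" #1: established IKE SA
"""


@dataclass
class Finding:
    category: str          # short machine-readable label
    peer: Optional[str]    # remote address, when the line carries one
    local: Optional[str]   # local address the packet arrived on, when present
    detail: str            # the policy or notification that was logged
    hint: str              # what to check first on both ends


# Each rule: (regex, category, hint). Named groups feed the Finding fields.
RULES = [
    (
        re.compile(
            r"packet from (?P<peer>[\d.]+):\d+: initial Main Mode message received on "
            r"(?P<local>[\d.]+):\d+ but no connection has been authorized with policy (?P<detail>\S+)"
        ),
        "ikev1_no_authorized_conn",
        "Peer is initiating IKEv1 Main Mode with this auth method, but no local connection "
        "accepts that IKE version/auth combination; align IKE version (v1 vs v2) and PSK/certificate "
        "settings on both ends.",
    ),
    (
        re.compile(
            r"initial parent SA message received on (?P<local>[\d.]+):\d+ "
            r"but no suitable connection found with IKEv2 policy"
        ),
        "ikev2_no_matching_conn",
        "An IKEv2 SA_INIT arrived but no connection matched it; check the configured remote "
        "address/identity and that the connection is loaded and set to IKEv2.",
    ),
    (
        re.compile(
            r"packet from (?P<peer>[\d.]+):\d+: responding to SA_INIT message .*? "
            r"with unencrypted notification (?P<detail>NO_PROPOSAL_CHOSEN)"
        ),
        "no_proposal_chosen",
        "IKEv2 proposal mismatch: the peer's cipher/integrity/DH-group set does not overlap "
        "with the local one; compare the exact proposals (e.g. AES256 + SHA256 + DH group 14 "
        "for 2048-bit MODP) on both sides.",
    ),
]


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a known IKE failure line, or None for anything else."""
    for regex, category, hint in RULES:
        m = regex.search(line)
        if m:
            groups = m.groupdict()
            return Finding(
                category=category,
                peer=groups.get("peer"),
                local=groups.get("local"),
                detail=groups.get("detail") or "",
                hint=hint,
            )
    return None


def analyze(log_text: str) -> List[Finding]:
    """Classify every line of a pluto log excerpt, keeping only recognised failures."""
    findings = []
    for line in log_text.splitlines():
        f = classify_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.category:28} peer={f.peer} local={f.local} detail={f.detail}")
        print(f"    -> {f.hint}")
```

The rules match on the message body only, so lines with or without the syslog timestamp prefix (the first line in this thread was pasted without one) are handled the same way.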
I was able to authenticate Mikrotik, Ubiquiti EdgeRouter, Ubiquiti UDM, pfSense and Cisco devices to NethServer.
Did you prepare the HowTo? I want to make an IPsec connection as well between a NethServer box and a MikroTik router … Can you give some advice about the settings?
I did start to write it up, and even posted the nethserver part on the wiki.
BUT, after I upgraded the RouterOS to version 7 it stopped working.
That’s why I didn’t post the RouterOS piece.
The IPsec tunnel comes up, but I get no traffic between clients.
I’m gonna have to revise the configs.