Arnt Gulbrandsen
2011-11-22

A Mikrotik IPsec policy bug

The short version: Mikrotik RouterOS doesn't support multiple, redundantly configured IPsec links. Amazon's cloud services use just that. Pain ensues. I haven't found any workaround I really like.

The long version: Amazon tells the Mikrotik "packets to 10.12.0.0/16 should be sent to 169.254.255.1, and packets from that network will be sent to you from 169.254.255.1", and also "packets to 10.12.0.0/16 should be sent to 169.254.255.5", etc. Two tunnels, different endpoints.

The Mikrotik detects a conflict between the two rules and disables one of them. /ip ipsec policy print detail shows one rule flagged I; that's the disabled rule. Any traffic matching that rule will be lost. Each tunnel also carries traffic to the router at the other end, so DPD and monitoring will probably think the tunnel is up and all is well, but traffic matching the I rule will still not be delivered.

Since I like to see green blinkenlights in my monitoring, and the AWS console really wants to use both tunnels, I tried to find a workaround that pleases Amazon. I tried using route filters and BGP path stuffing to give Amazon the routes it wants, while avoiding actually using the routes that depend on the frowned-upon policy. No luck. The only way seems to be to disable one BGP peer and/or one policy by hand, and let the AWS console show yellow instead of green. Later I may try to set up a second tunnel to another Mikrotik router for redundancy. But not right now. I want to write code.

If you want to ask Mikrotik about it, send mail to support@ and ask to be notified when the problem is resolved. Mention ticket 2011091666000524 so they'll know which problem it is.

Update: Mate Lang has written a script to translate AWS' generic instructions to Mikrotik commands.

The point of what AWS is doing is to express "packets may be sent using either tunnel A or tunnel B", so that when one tunnel is down due to key renegotiation (which takes about one second and runs once per hour) or because AWS' router is down, the other tunnel is used. Mate's fine work still does not allow Mikrotik routers to fail over and use both tunnels in the way AWS intends.
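Because the failure mode above is silent (DPD stays happy while the I-flagged policy drops packets), a pre-flight check on the generated policy list is worth more than monitoring after the fact. The script below is an added example, not part of this post or of Mate Lang's script: it takes policies as dictionaries whose keys mirror RouterOS /ip ipsec policy attribute names (an assumption about how a generator would emit them), and flags any pair that covers the same traffic selector through different SA endpoints, which is exactly the AWS dual-tunnel shape RouterOS refuses to run side by side. The sample policies are constructed, with RFC 5737 addresses on the public side.

```python
"""Pre-flight check for RouterOS IPsec policies that share a traffic selector.

RouterOS keeps only one active policy per selector: when two policies match
the same traffic but name different SA endpoints, one of them is flagged I in
"/ip ipsec policy print detail" and the traffic it matches is dropped while
DPD still reports the tunnel as up. Run this over a generated policy list
before pasting it into the router.

Dictionary keys mirror RouterOS /ip ipsec policy attribute names (assumption:
a config generator emits exactly these). The sample data is constructed.
"""
import ipaddress
from itertools import combinations

# Constructed sample: what AWS's two-tunnel customer gateway instructions
# translate to. "comment" stands in for the RouterOS policy comment field.
SAMPLE_POLICIES = [
    {"comment": "aws-tunnel-1", "src-address": "10.0.0.0/24",
     "dst-address": "10.12.0.0/16", "protocol": "all",
     "sa-src-address": "198.51.100.10", "sa-dst-address": "169.254.255.1"},
    {"comment": "aws-tunnel-2", "src-address": "10.0.0.0/24",
     "dst-address": "10.12.0.0/16", "protocol": "all",
     "sa-src-address": "198.51.100.10", "sa-dst-address": "169.254.255.5"},
    # A policy to a different network does not conflict with either of the above.
    {"comment": "branch-office", "src-address": "10.0.0.0/24",
     "dst-address": "10.20.0.0/16", "protocol": "all",
     "sa-src-address": "198.51.100.10", "sa-dst-address": "203.0.113.7"},
]


def selector_key(policy):
    """Normalise a policy's traffic selector so equal selectors compare equal.

    Prefixes are canonicalised (strict=False drops host bits, e.g. 10.0.0.1/24
    becomes 10.0.0.0/24) so textual variants of the same selector still match.
    """
    src = ipaddress.ip_network(policy["src-address"], strict=False)
    dst = ipaddress.ip_network(policy["dst-address"], strict=False)
    return (src.with_prefixlen, dst.with_prefixlen, policy.get("protocol", "all"))


def find_conflicts(policies):
    """Return (comment_a, comment_b) pairs that cover the same selector via
    different SA endpoints; RouterOS would flag one of each pair I."""
    conflicts = []
    for a, b in combinations(policies, 2):
        if selector_key(a) != selector_key(b):
            continue
        if a["sa-dst-address"] != b["sa-dst-address"]:
            conflicts.append((a["comment"], b["comment"]))
    return conflicts


def report(policies):
    """Human-readable findings, one line per conflicting pair."""
    return [
        f"{a} and {b}: same selector, different sa-dst-address; "
        f"RouterOS will flag one of them I and drop its traffic"
        for a, b in find_conflicts(policies)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_POLICIES) or ["no conflicting policies found"]:
        print(line)
```

The check deliberately stops at identical selectors, which is the conflict this post describes; it does not try to predict how RouterOS orders partially overlapping policies. A generator that wants the AWS console green would still have to pick one tunnel per selector, as the post concludes, but at least the pair that will be silently disabled is visible before it goes live.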

2011-08-15

tcpdump on Mikrotik

Mikrotik RouterOS doesn't have a tcpdump command. It has solutions for most/all of the problems I like to solve with tcpdump, though. (more…)

2011-07-29

IPsec VPN between Mikrotik RouterOS and an Amazon VPC

This post describes how I configure IPsec tunnels between Mikrotik routers and VPCs (virtual private clouds) hosted at Amazon AWS. (more…)

2010-05-05

Dropping terminal escape sequences

I need to reconfigure a device via its serial console; the device emits many ANSI/VT escape sequences and other control codes. These are perhaps helpful if one is typing, but not so helpful when a script is to reset and reconfigure the device.

The following perl s/// magic gets rid of most (but not all) escape codes. (more…)

2009-10-14

Mikrotik RouterOS, OpenVPN and IPv6

Mikrotik makes a series of small, neat routers. I have a 433UAH (with indoor case), which has a VPN tunnel to OpenVPN running on a rented server at vollmar.net. This describes how to build an IPv4 and IPv6 VPN tunnel between a Mikrotik router with a dynamic IP address and a Linux server running OpenVPN with fixed IP addresses. (more…)