wonderlan
just joined
Topic Author
Posts: 9
Joined: Mon Jun 20, 2005 12:51 am

Massive IPSec Problem

Fri Oct 14, 2005 4:56 am

Still having massive problems with IPSec here.

My IPSec tunnels will come up, as in the policy will get generated and an SA installed for both in and out; however, from inside my LAN on the MikroTik I cannot ping or communicate at all with the remote LANs. Oddly enough, though, from my remote LANs they can ping into my MikroTik's LAN....

Furthermore, when I watch the statistics of the IPSec policy, when the remote LAN pings in I see the reply packet encrypted; when I try to ping out from the LAN here to the remote LAN, nothing gets encrypted! Are there some better tools for me to inspect what the hell is going on?

It's driving me insane, please help.

I can be contacted here or at jtaylor*AT*wonderlan.net


Looks like I'm not the only one having these problems.... what in the world is going on?


:: Interfaces ::

[admin@MikroTik] interface> print detail
Flags: X - disabled, D - dynamic, R - running
0 R name="C1_P1_T1_Uplink" mtu=1500 type=ether rx-rate=0 tx-rate=0

1 R name="C1_P2_Client_WAN" mtu=1500 type=ether rx-rate=0 tx-rate=0

2 R name="C1_P3_WLC_DMZ" mtu=1500 type=ether rx-rate=0 tx-rate=0

3 R name="C1_P4_LAN" mtu=1500 type=ether rx-rate=0 tx-rate=0

4 R name="T1 Bridge" mtu=1500 type=bridge rx-rate=0 tx-rate=0
[admin@MikroTik] interface> eth
[admin@MikroTik] interface ethernet> print detail
Flags: X - disabled, R - running
0 R name="C1_P1_T1_Uplink" mtu=1500 mac-address=00:0C:42:02:2C:E2 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

1 R name="C1_P2_Client_WAN" mtu=1500 mac-address=00:0C:42:02:2C:E3 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

2 R name="C1_P3_WLC_DMZ" mtu=1500 mac-address=00:0C:42:02:2C:E4 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps

3 R name="C1_P4_LAN" mtu=1500 mac-address=00:0C:42:02:2C:E5 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps


:: IPSEC ::

[admin@MikroTik] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
0 D src-address=192.168.168.0/24:any dst-address=10.208.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=12.145.155.2 sa-dst-address=69.17.100.66 proposal=default
dont-fragment=clear

[admin@MikroTik] ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x8A605102 direction=in src-address=69.17.100.66
dst-address=12.145.155.2 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="472bfcf8c52525fbc5c2bc8d0f4924c8"
enc-key="c18aec37ddb7b4ce96d7e6fb33271032f6dc28519d3b4532"
add-lifetime=6h24m/8h use-lifetime=0s/0s lifebytes=0/0
current-addtime=oct/14/2005 00:30:14
current-usetime=oct/14/2005 00:30:25 current-bytes=72

1 E spi=0xB6AB6B3B direction=out src-address=12.145.155.2
dst-address=69.17.100.66 auth-algorithm=md5 enc-algorithm=3des
replay=4 state=mature auth-key="6403fdad483708ff8e8985d214bc49f7"
enc-key="d8ffd5d5c5b217598ba3c0323b97b8ae1647ac446061c793"
add-lifetime=6h24m/8h use-lifetime=0s/0s lifebytes=0/0
current-addtime=oct/14/2005 00:30:14
current-usetime=oct/14/2005 00:30:25 current-bytes=72


:: NAT Rules ::
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.168.0/24 packet-mark=!VPN
action=masquerade


:::: Marking Rules :::

Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward dst-address=10.13.11.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

1 chain=prerouting dst-address=10.208.1.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

2 chain=prerouting dst-address=192.168.0.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

3 chain=prerouting dst-address=10.13.8.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes

... a lot more related to NETBios, HTTP, HTTPS, and so on
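As an added illustration (this is not the poster's code and not anything shipped by MikroTik), the Python script below parses the RouterOS "print" key=value output format pasted above and runs two checks that are useful when a policy shows an inbound counter increasing but nothing leaving encrypted: first, that every encrypt policy has a mature ESP SA installed in both directions between its sa-src-address and sa-dst-address; second, a walk of a LAN-to-remote packet through mangle marking, then srcnat, then the IPsec policy lookup, which is the order RouterOS applies them on output. The masquerade rule with the packet-mark=!VPN exemption is the one from the post; the variant without the exemption, the WAN address 12.145.155.2 taken from the policy's sa-src-address, and the sample hosts 192.168.168.10 and 10.208.1.5 are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed samples, modelled on the RouterOS "print" output pasted in the
# post above (same addresses; lifetimes and keys omitted for brevity).
POLICY_OUTPUT = """\
Flags: X - disabled, D - dynamic, I - invalid
0 D src-address=192.168.168.0/24:any dst-address=10.208.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=12.145.155.2 sa-dst-address=69.17.100.66 proposal=default
"""
SA_OUTPUT = """\
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x8A605102 direction=in src-address=69.17.100.66
dst-address=12.145.155.2 auth-algorithm=md5 enc-algorithm=3des state=mature

1 E spi=0xB6AB6B3B direction=out src-address=12.145.155.2
dst-address=69.17.100.66 auth-algorithm=md5 enc-algorithm=3des state=mature
"""
MANGLE_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting dst-address=10.208.1.0/24 action=mark-packet
new-packet-mark=VPN passthrough=yes
"""
# The poster's masquerade rule, which exempts VPN-marked packets ...
NAT_OK = """\
0 chain=srcnat src-address=192.168.168.0/24 packet-mark=!VPN
action=masquerade
"""
# ... and a hypothetical variant with the exemption missing.
NAT_BROKEN = """\
0 chain=srcnat src-address=192.168.168.0/24 action=masquerade
"""
WAN_IP = "12.145.155.2"  # the router's own sa-src-address from the policy print

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_print(output):
    """Parse RouterOS 'print' output into one dict per numbered entry.
    A line starting with an index number opens a new entry; the letters before
    the first key=value pair are its flags; following lines are continuations."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        head = re.match(r"^(\d+)\s+(.*)$", line)
        kv = KV_RE.search(head.group(2)) if head else None
        if head and kv:
            rest = head.group(2)
            entries.append({"_id": int(head.group(1)), "_flags": rest[:kv.start()].split()})
            line = rest[kv.start():]
        if not entries:
            continue  # stray text before the first entry
        for key, val in KV_RE.findall(line):
            entries[-1][key] = val.strip('"')
    return entries


def _net(spec):
    """'10.208.1.0/24:any' -> ip_network('10.208.1.0/24') (port part dropped)."""
    return ipaddress.ip_network(spec.split(":")[0])


def check_policy_sas(policies, sas):
    """For each encrypt policy, require a mature SA in both directions between
    sa-src-address and sa-dst-address. Returns [(policy_id, [problems...])]."""
    report = []
    for p in policies:
        if p.get("action") != "encrypt":
            continue
        local, peer = p["sa-src-address"], p["sa-dst-address"]
        problems = []
        for direction, src, dst in (("out", local, peer), ("in", peer, local)):
            if not any(s.get("direction") == direction and s.get("src-address") == src
                       and s.get("dst-address") == dst and s.get("state") == "mature" for s in sas):
                problems.append(f"no mature {'outbound' if direction == 'out' else 'inbound'} SA")
        report.append((p["_id"], problems))
    return report


def simulate_outbound(src_ip, dst_ip, mark_rules, nat_rules, policies, wan_ip):
    """Walk a LAN packet through mangle -> srcnat -> IPsec policy lookup and
    report whether it still matches an encrypt policy when IPsec sees it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    mark = None
    for r in mark_rules:  # passthrough=yes: every matching rule is applied, last mark wins
        if r.get("action") == "mark-packet" and dst in _net(r["dst-address"]):
            mark = r["new-packet-mark"]
    for r in nat_rules:
        if r.get("chain") != "srcnat" or r.get("action") != "masquerade":
            continue
        if "src-address" in r and src not in _net(r["src-address"]):
            continue
        pm = r.get("packet-mark")
        if pm and ((pm.startswith("!") and mark == pm[1:]) or (not pm.startswith("!") and mark != pm)):
            continue  # packet-mark matcher excludes this packet
        src = ipaddress.ip_address(wan_ip)  # masqueraded before IPsec sees it
        break
    for p in policies:
        if p.get("action") == "encrypt" and src in _net(p["src-address"]) and dst in _net(p["dst-address"]):
            return {"mark": mark, "src_after_nat": str(src), "encrypted": True, "policy": p["_id"]}
    return {"mark": mark, "src_after_nat": str(src), "encrypted": False, "policy": None}


def run_demo():
    policies, sas, marks = parse_print(POLICY_OUTPUT), parse_print(SA_OUTPUT), parse_print(MANGLE_OUTPUT)
    return {
        "sa_check": check_policy_sas(policies, sas),
        "with_exemption": simulate_outbound("192.168.168.10", "10.208.1.5", marks, parse_print(NAT_OK), policies, WAN_IP),
        "without_exemption": simulate_outbound("192.168.168.10", "10.208.1.5", marks, parse_print(NAT_BROKEN), policies, WAN_IP),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

With the exemption in place the packet reaches the policy lookup with its LAN source intact and matches policy 0; without it the source has already been rewritten to 12.145.155.2, the policy no longer matches, and the packet leaves in clear exactly as the poster's "nothing gets encrypted" counter suggests. Whenever an IPsec policy counts inbound but not outbound traffic, the srcnat chain is the first thing to compare against the policy's src-address.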
 
wonderlan
just joined
Topic Author
Posts: 9
Joined: Mon Jun 20, 2005 12:51 am

Sat Oct 15, 2005 10:35 pm

Ok, so I have emailed MikroTik 3 times, and spent countless hours at all my branch offices troubleshooting this crap. I am going to attempt a complete rebuild to 2.96 from scratch; if that doesn't work it's back to 2.8 for me. I can't believe MikroTik still has not even bothered responding. This is absolute crap and F^CK MikroTik for releasing a bugged product. I would much rather pay a few extra hundred dollars for a truly enterprise-class product that works how it's supposed to and actually provides technical support.

Just so you guys know, after tweaking everything I figured out I could get IPSec tunnels up if I disable and enable policies over and over; eventually the MikroTik will bring them up.... great product, huh. What a POS.
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Tue Oct 18, 2005 12:06 am

I use IPSec "Routing" to connect 3 Sites.
I don't see firewall rules needed to pass the packet from one router to the other. (to pass traffic over the pipe)

Drop me a message and I will get you in touch with the engineer that helped me get my multi-site system up.

I know how to do it, but I don't give it out as I did not come up with it.

Drop me a message at sales@pc-routers.com and I will get you in touch with him.

Craig
 
wonderlan
just joined
Topic Author
Posts: 9
Joined: Mon Jun 20, 2005 12:51 am

Redid in 2.82, works fine

Tue Oct 18, 2005 12:57 am

I'm so confused; I did the whole thing in 2.82, works fine, rebuilt the whole thing from scratch with 2.96 and get the same weird errors.
