evince
Member
Topic Author
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

[SOLVED] IPSec problem

Mon Jul 09, 2012 11:56 am

Hi all,

I have an IPsec tunnel between 2 MikroTik RB751G. The tunnel is up and I can ping the devices from both sites, but I cannot access the shared folders or the websites hosted in the remote site.

I have tested with a SonicWall, and I have full access.

Can you help me please?

Sorry for my bad English.

Best regards,

Vincent.
Last edited by evince on Wed Jul 11, 2012 9:18 pm, edited 1 time in total.
 
antkamidiv
just joined
Posts: 24
Joined: Fri Jun 22, 2012 12:22 pm

Re: IPSec problem

Mon Jul 09, 2012 12:27 pm

Hello!

1. First of all, check your policy settings. They might be causing the inaccessibility of the resources.
2. Do you have any rules in the NAT table to access your site?
3. How do you access the shared folders? For example, if you are trying to open them through the Windows network environment, you should create specific rules in the firewall for port 445.
 
evince
Member
Topic Author

Re: IPSec problem

Mon Jul 09, 2012 1:08 pm

Dear,

Thank you for your reply.

Here is my NAT rule: 0 chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24

Do I have to create: 2 chain=input action=accept protocol=tcp src-address=192.168.88.0/24 dst-port=445 ?

Thank you in advance.
 
antkamidiv
just joined

Re: IPSec problem

Mon Jul 09, 2012 4:06 pm

OK. It will be easier if you describe the entire scheme of your networks on both sites: LAN addresses, IPsec addresses, etc.
 
evince
Member
Topic Author

Re: IPSec problem

Mon Jul 09, 2012 4:28 pm

Here you are:

Site 1:

LAN : 10.5.0.0/24
ETH2 : 10.5.0.254/24
VLAN15 : 10.15.0.0/24
# jul/09/2012 15:25:07 by RouterOS 5.18
# software id = 9V5C-CE34
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="to lu" pfs-group=modp1024
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=****** \
    send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal="to lu" protocol=all sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=10.0.0.0/8 \
    src-port=any tunnel=yes
add action=encrypt disabled=yes dst-address=10.10.10.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal=default protocol=all sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=10.5.0.0/24 \
    src-port=any tunnel=yes
Site 2:

LAN : 192.168.88.0/24
ETH2 : 192.168.88.1/24
# jan/05/1970 04:41:13 by RouterOS 5.18
# software id = 3EFE-FKCD
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=\
    "to vince" pfs-group=modp1024
/ip ipsec peer
add address=yyy.yyy.yyy.yyy/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
    md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 \
    proposal-check=obey secret=****** send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=yes dst-address=10.0.0.0/8 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal="to vince" \
    protocol=all sa-dst-address=yyy.yyy.yyy.yyy sa-src-address=21xxx.xxx.xxx.xxx \
    src-address=192.168.88.0/24 src-port=any tunnel=yes
Thank you for your help.
 
antkamidiv
just joined

Re: IPSec problem

Mon Jul 09, 2012 5:08 pm

Well, all settings are correct. The PCs are accessible by IP. How do you try to access the shared folders?
 
evince
Member
Topic Author

Re: IPSec problem

Mon Jul 09, 2012 5:33 pm

I try with \\10.5.0.11 and via http://10.5.0.11/mywebsite.

Thank you :)
 
antkamidiv
just joined

Re: IPSec problem

Mon Jul 09, 2012 5:49 pm

Do you have such rules?
Site 1: 0 chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24.
Site 2: 0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.0.0/8.
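A check for the two srcnat accept rules asked about above, as an added example that is not part of the thread and not MikroTik code. Source NAT runs before the IPsec policy selectors are matched, so if a masquerade rule matches LAN-to-LAN traffic first, the packets leave with the WAN address as source, no longer match the policy and never enter the tunnel. The script parses the export format evince pasted (including the backslash line continuations and quoted values such as proposal="to lu") and reports, per enabled tunnel policy, which srcnat rule would match first. The sample export is constructed from the site 1 policy on this page with RFC 5737 documentation addresses in place of the redacted ones, and the masquerade rule is an assumption (the thread quotes only the accept rule).

```python
"""Check a RouterOS export for the srcnat bypass that site-to-site IPsec needs.

srcnat is applied before the IPsec policy selectors are evaluated, so every
enabled tunnel policy needs an 'accept' rule ahead of any masquerade/src-nat
rule that would otherwise translate the LAN-to-LAN packets.
"""
import ipaddress
import shlex


def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; glue them back."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf is not None:
            line = buf + line.lstrip()
            buf = None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf is not None:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return (section, verb, {key: value}) for every add/set line in the export."""
    records, section = [], None
    for line in join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):
            section = stripped
            continue
        tokens = shlex.split(stripped)      # handles proposal="to lu"
        params, depth = {}, 0
        for tok in tokens[1:]:
            if tok == "[":                  # skip '[ find default=yes ]' selectors
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        records.append((section, tokens[0], params))
    return records


def covers(rule_addr, policy_addr):
    """A rule without an address matches everything; otherwise the policy
    selector must lie inside the rule's network. Negated ('!') and ranged
    addresses are not handled by this check."""
    if rule_addr is None:
        return True
    return ipaddress.ip_network(policy_addr, strict=False).subnet_of(
        ipaddress.ip_network(rule_addr, strict=False))


def check_nat_bypass(export_text):
    """Return a list of findings; an empty list means every enabled tunnel
    policy hits an 'accept' srcnat rule before any translating rule."""
    recs = parse_export(export_text)
    policies = [p for sec, verb, p in recs
                if sec == "/ip ipsec policy" and verb == "add"
                and p.get("action", "encrypt") == "encrypt"
                and p.get("disabled", "no") != "yes"]
    nat_rules = [p for sec, verb, p in recs
                 if sec == "/ip firewall nat" and verb == "add"
                 and p.get("chain") == "srcnat"
                 and p.get("disabled", "no") != "yes"]
    findings = []
    for pol in policies:
        src = pol.get("src-address", "0.0.0.0/0")
        dst = pol.get("dst-address", "0.0.0.0/0")
        for rule in nat_rules:
            if not (covers(rule.get("src-address"), src)
                    and covers(rule.get("dst-address"), dst)):
                continue
            action = rule.get("action", "accept")
            if action != "accept":
                findings.append(
                    f"policy {src} -> {dst}: first matching srcnat rule is "
                    f"'{action}', so packets are translated before the IPsec "
                    f"policy sees them; add 'chain=srcnat action=accept "
                    f"src-address={src} dst-address={dst}' above it")
            break                           # first matching rule decides, as in the firewall
    return findings


# Constructed sample modelled on the site 1 export in the thread. Public
# addresses are RFC 5737 documentation addresses; the masquerade rule is assumed.
SITE1_OK = """\
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \\
    proposal="to lu" protocol=all sa-dst-address=203.0.113.10 sa-src-address=198.51.100.10 src-address=10.0.0.0/8 \\
    src-port=any tunnel=yes
add action=encrypt disabled=yes dst-address=10.10.10.0/24 proposal=default src-address=10.5.0.0/24 tunnel=yes
/ip firewall nat
add chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24
add chain=srcnat action=masquerade out-interface=ether1
"""

# Same box with the rule order inverted: masquerade wins and the policy never matches.
SITE1_BROKEN = SITE1_OK.replace(
    "add chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24\n"
    "add chain=srcnat action=masquerade out-interface=ether1\n",
    "add chain=srcnat action=masquerade out-interface=ether1\n"
    "add chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24\n")

if __name__ == "__main__":
    for name, export in (("ok", SITE1_OK), ("broken", SITE1_BROKEN)):
        print(name, check_nat_bypass(export) or "no findings")
```

Feed it the output of `/export` from each router (both sides need their own accept rule, mirrored as in the post above). The check only looks at rule order and address coverage; a rule that also carries `out-interface` or connection marks may still be the one that matches on the wire, so treat a finding as a prompt to inspect the counters with `/ip firewall nat print stats`.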
 
antkamidiv
just joined

Re: IPSec problem

Mon Jul 09, 2012 5:52 pm

Oh, this is a stupid question. Of course you do have these rules.

I don't understand. You can ping 10.5.0.11?

My only suggestion is that the firewall filter rules block port 445. Enable this port on both sites.
 
evince
Member
Topic Author

Re: IPSec problem

Mon Jul 09, 2012 6:07 pm

Yes, I can ping my entire network; the only problem is shared folder and HTTP access to my NAS (both of them).

There should be a problem in site 2, because when I plug in a SonicWall I do not have any problem.
 
evince
Member
Topic Author

Re: IPSec problem

Mon Jul 09, 2012 6:15 pm

I just made a test. I tried to connect to my remote website: the page displays, but the pictures are not shown and I do not get any error message.

Strange...
 
andriys
Forum Guru
Posts: 1545
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec problem

Mon Jul 09, 2012 6:21 pm

evince wrote:
I just made a test. I tried to connect to my remote website: the page displays, but the pictures are not shown and I do not get any error message.

Strange...

Sounds like a possible PMTUD problem. Do you happen to block any of the ICMP messages?
 
evince
Member
Topic Author

Re: IPSec problem

Mon Jul 09, 2012 6:25 pm

I don't know yet what PMTUD is, but I don't block anything at the moment :(
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: IPSec problem

Tue Jul 10, 2012 2:43 am

Maybe your ISP is blocking 445 or other file sharing ports.

Maybe the SonicWall is using IPsec over L2TP, so it works because it doesn't use those ports, while you are using straight IPsec (not over L2TP), which will require those 445/file sharing ports...
 
evince
Member
Topic Author

Re: IPSec problem

Tue Jul 10, 2012 9:29 am

Thank you for your reply. My ISP does not block port 445, as I work for my ISP :)

What is strange is that I cannot display the pictures of my remote website.

Thank you all for your help, I'm lost :(
 
evince
Member
Topic Author

Re: IPSec problem

Wed Jul 11, 2012 5:31 pm

andriys wrote:
Sounds like a possible PMTUD problem. Do you happen to block any of the ICMP messages?

Problem solved, I have reduced the MTU :)

Thank you very much.
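The arithmetic behind andriys' PMTUD suggestion and the "reduced the MTU" fix that closed the thread, as an added worked example (not code from the thread or from MikroTik). It explains the symptom pattern exactly as reported: small pings and the short HTML page cross the tunnel, while full-size TCP segments carrying images or SMB file data are dropped. ESP tunnel mode adds an outer IP header, SPI/sequence, IV, padding and an integrity tag, so a 1500-byte inner packet no longer fits a 1500-byte WAN link; if the resulting ICMP "fragmentation needed" message never reaches the sender, the transfer stalls with no error. The constants follow the proposal evince posted (enc-algorithms=3des, auth-algorithms=md5, tunnel=yes, nat-traversal=no) and are assumptions about that setup; the simulated link and the probe host are placeholders. 3DES, MD5 and modp1024 with a PSK, as configured on this page, are well below current practice and are used here only for the size arithmetic.

```python
"""Why ping crosses an ESP tunnel while large TCP replies stall, plus a DF-bit
path-MTU probe to measure the real limit.

Constants assume the thread's proposal: 3DES-CBC, HMAC-MD5-96, tunnel mode,
no NAT-T (NAT-T would add 8 bytes of UDP). Other ciphers change them.
"""
import shutil
import subprocess

IPV4_HDR = 20        # outer IPv4 header added by tunnel mode
ESP_HDR = 8          # SPI + sequence number
CIPHER_BLOCK = 8     # 3DES-CBC block size; also the IV length
ESP_TRAILER = 2      # pad length + next header
ICV_LEN = 12         # HMAC-MD5-96 integrity check value
ICMP_ECHO_HDR = 8
TCP_IP_HDRS = 40     # IPv4 + TCP without options


def esp_tunnel_size(inner_len, block=CIPHER_BLOCK):
    """On-the-wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # pad up to the cipher block
    return IPV4_HDR + ESP_HDR + block + padded + ICV_LEN


def max_inner_mtu(wan_mtu=1500):
    """Largest inner packet whose encapsulation still fits the WAN MTU."""
    size = wan_mtu
    while esp_tunnel_size(size) > wan_mtu:
        size -= 1
    return size


def clamp_mss(wan_mtu=1500):
    """TCP MSS to advertise through the tunnel so no segment needs fragmenting."""
    return max_inner_mtu(wan_mtu) - TCP_IP_HDRS


def find_path_mtu(passes, lo=576, hi=1500):
    """Binary search for the largest total IPv4 size that passes() with DF set.
    passes() is assumed monotonic: true up to the path MTU, false above it."""
    if not passes(lo):
        raise RuntimeError(f"even {lo}-byte packets are dropped; something else is wrong")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_link(path_mtu):
    """Offline stand-in for the probe: a path that drops DF packets above path_mtu."""
    return lambda size: size <= path_mtu


def ping_df_probe(host, timeout_s=2):
    """Real probe for Linux iputils ping. '-M do' sets DF; '-s' is the ICMP
    payload, so total IPv4 size = payload + 20 (IP) + 8 (ICMP echo)."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping binary not found")

    def passes(size):
        payload = size - IPV4_HDR - ICMP_ECHO_HDR
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0

    return passes


if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes on the wire")
    print("largest inner packet that fits a 1500 WAN MTU:", max_inner_mtu())
    print("MSS to clamp to:", clamp_mss())
    # simulated tunnel here; on a real host use ping_df_probe("10.5.0.11") from the far LAN
    print("probed path MTU:", find_path_mtu(simulated_link(max_inner_mtu())))
```

To measure the real tunnel, swap `simulated_link(...)` for `ping_df_probe("10.5.0.11")` from a host on the site 2 LAN. If the largest DF packet that passes is well under 1500 yet transfers still hang, the sender is not learning the limit, which is what a PMTUD black hole looks like: the far router drops the oversized ESP packet and the ICMP type 3 code 4 message either is not generated or is filtered on the way back. Lowering the LAN interface MTU, as done in the thread, works but affects every host; the narrower RouterOS remedy is to clamp the MSS of SYN packets crossing the tunnel (`/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes`) and to make sure the filter rules let ICMP type 3 code 4 through on both sides.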