 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

IPsec configuration

Tue Oct 22, 2013 5:05 pm

hello
I'm having a problem understanding what I need to configure in the RB.
For a start, what are Phase 1 and Phase 2?

this is the config that I have on his router

Phase 1

IP address:1.2.3.4
Mode: aggressive
Accept peer-id: center
Authentication method: pre-shared key
Pre-shared key: 123456789
IKE version: 1
Encryption: AES128
Authentication: SHA1
DH group: 5
Keylife: 28800 seconds
Local ID: cente
Xauth: disable
NAT traversal: enable
Keepalive frequency: 10 seconds
Dead peer detection: enable

Phase 2

Encryption: AES128
Authentication: SHA1
Replay detection: enable
PFS: enable
DH group: 5
Keylife: 1800 seconds
Autokey keep alive: enable
Quick mode selector source: 199.10.10.0/24
Quick mode selector destination: 172.27.63.0/24
this is all he gave me.

now, on my side this is what I have:
/ip ipsec proposal
add enc-algorithms=aes-128 name=proposal1 pfs-group=modp1536
/ip ipsec peer
add address=1.2.3.4/32 dh-group=modp1536 dpd-interval=10s \
    enc-algorithm=aes-128 exchange-mode=aggressive hash-algorithm=sha1 \
    lifetime=8h nat-traversal=yes proposal-check=claim secret=\
    123456789
/ip ipsec policy
add dst-address=199.10.10.0/24 proposal=proposal1 sa-dst-address=\
    1.2.3.4 sa-src-address=12.13.14.15 src-address=192.168.63.0/24 \
    tunnel=yes
this is the NAT:
/ip firewall nat
add action=masquerade chain=srcnat comment=OUT
add chain=srcnat dst-address=199.10.0.0/16 src-address=192.168.63.0/24
what am I missing?
my computer is 192.168.63.12
the computer on the other side is 199.10.10.3

any help will do

Thanks,
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPsec configuration

Fri Oct 25, 2013 1:36 pm

As explained here: http://wiki.mikrotik.com/wiki/Manual:IP ... e_Protocol

Phase 1 is equivalent to peer config in Mikrotik and Phase 2 is Proposal settings. Policy tells router which traffic to encrypt.

Set source address 172.27.63.0/24, remote 199.10.10.0/24 and use the rest of the values as they gave you.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: IPsec configuration

Mon Oct 28, 2013 3:50 pm

did it, now it's working - thanks

but now I can't go to the internet (no ping to google 8.8.8.8), only to the IPsec network

and when I add in firewall a NAT rule of:
/ip firewall nat
add action=masquerade chain=srcnat
the IPsec doesn't work

but if I add this rule after the IPsec is working - I can go to google 8.8.8.8

so what do I need to change?

Thanks,
 
mjperry82
just joined
Posts: 17
Joined: Wed Feb 06, 2013 11:02 pm

Re: IPsec configuration

Mon Oct 28, 2013 4:07 pm

You need to make sure that the masquerade rule is after the accept rule.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPsec configuration

Mon Oct 28, 2013 5:11 pm

Add rules in NAT, like this:

add chain=srcnat dst-address=199.10.0.0/16 src-address=192.168.63.0/24 action=accept
add action=masquerade chain=srcnat comment=OUT

The order of the rules is very important, so packets for your IPsec neighbour(s) are accepted and passed over to the IPsec process before you NAT your output.

Remember, packetflow is your friend: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
:wink:
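To make the ordering point concrete, here is a small added simulation (not from the thread or from RouterOS) of a first-match srcnat chain followed by the IPsec policy check, using the addresses from this thread. It assumes the local LAN is 172.27.63.0/24 as in the peer's Phase 2 selector, the WAN address is 12.13.14.15, and that the policy is matched on the packet as it looks after srcnat, which is the behaviour the reply above describes.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from this thread: LAN 172.27.63.0/24 behind WAN
# 12.13.14.15, remote LAN 199.10.10.0/24 behind the peer 1.2.3.4.
WAN_IP = "12.13.14.15"
IPSEC_POLICY = (ip_network("172.27.63.0/24"), ip_network("199.10.10.0/24"))

# Two srcnat chains that differ only in rule order (RouterOS is first-match).
ACCEPT_RULE = {"src": "172.27.63.0/24", "dst": "199.10.0.0/16", "action": "accept"}
MASQ_RULE = {"action": "masquerade"}          # no src/dst: matches everything
ACCEPT_ONLY = [ACCEPT_RULE]                   # the original poster's first state
MASQ_FIRST = [MASQ_RULE, ACCEPT_RULE]         # masquerade added above the accept
ACCEPT_FIRST = [ACCEPT_RULE, MASQ_RULE]       # the order leonset recommends

def rule_matches(rule, pkt):
    src_ok = "src" not in rule or ip_address(pkt["src"]) in ip_network(rule["src"])
    dst_ok = "dst" not in rule or ip_address(pkt["dst"]) in ip_network(rule["dst"])
    return src_ok and dst_ok

def run_srcnat(chain, pkt):
    """First matching rule decides: accept leaves the packet untouched,
    masquerade rewrites the source to the WAN address. Both end the chain."""
    pkt = dict(pkt)
    for rule in chain:
        if rule_matches(rule, pkt):
            if rule["action"] == "masquerade":
                pkt["src"] = WAN_IP
            return pkt
    return pkt

def ipsec_policy_matches(pkt):
    src_net, dst_net = IPSEC_POLICY
    return ip_address(pkt["src"]) in src_net and ip_address(pkt["dst"]) in dst_net

def outcome(chain, pkt):
    """Classify what happens to a LAN packet once srcnat has run.
    'ipsec'                   -> policy matched, packet goes through the tunnel
    'cleartext-private-source'-> left unencrypted with a private source (no reply)
    'masqueraded-internet'    -> NATed to the WAN address and sent in the clear"""
    after = run_srcnat(chain, pkt)
    if ipsec_policy_matches(after):
        return "ipsec"
    if ip_address(after["src"]).is_private:
        return "cleartext-private-source"
    return "masqueraded-internet"

if __name__ == "__main__":
    to_peer = {"src": "172.27.63.12", "dst": "199.10.10.3"}
    to_google = {"src": "172.27.63.12", "dst": "8.8.8.8"}
    for name, chain in (("accept-only", ACCEPT_ONLY), ("masq-first", MASQ_FIRST),
                        ("accept-first", ACCEPT_FIRST)):
        print(f"{name:13} peer={outcome(chain, to_peer):26} google={outcome(chain, to_google)}")
```

With masquerade first, the packet for 199.10.10.3 reaches the policy check with source 12.13.14.15, so the policy no longer matches and the traffic leaves in the clear; with the accept rule first, the tunnel traffic keeps its LAN source and only the rest is masqueraded.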
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: IPsec configuration

Wed Oct 30, 2013 11:42 am

Thank you - it's working
I didn't know the order of the rules has meaning

Thanks again :-)
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPsec configuration

Wed Oct 30, 2013 11:49 am

In Mikrotik world nearly everything has a meaning. Glad to help.