ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Network a to network b?

Fri Jan 31, 2014 4:10 pm

Hola,

I recently purchased a few RB1100AHx2s and did the 6.7 firmware upgrade, and I am having a bugger of a time trying to connect the RB to an existing network. Here is what I have. I have 2 offices, office A and office B. They are currently running Cisco RV042s, using IPsec, and currently working. Last night I went to office A and tried to get the MikroTik to connect to the Cisco, which did seem to work for a while... but it had odd drops and such. One minute I could ping the gateway at office B from office A, then I wouldn't be able to. However, I always had connectivity from office B to office A, just not always the other way around... and by connectivity I mean ping.
I had a lot of odd issues. At office A I have an SBS 2008 server with an Exchange server and a ShoreTel VoIP server, and it would work half the time, then other times it would just stop. I am assuming I may have garbled some of the IPsec settings or maybe I need to allow some sort of firewall rules. As of now that RB is in the closet and I won't have access to it for a week (I should have exported all the data, sorry).

My end goal here is to take the RB1100AHx2s and use IPsec to connect both offices. I love these MikroTiks and have been trying to learn more about them.
Attached is my end goal. Anyone who could lead me in the right direction, I'd be very grateful!
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Fri Jan 31, 2014 8:45 pm

I'd set up an EoIP tunnel and then encrypt it with IPsec. The EoIP tunnel should keep the IPsec link alive for you.

-Eric
 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Fri Jan 31, 2014 9:49 pm

So that will connect to the other side, which is the Cisco RV042?
If so, how would I do that?
Also, do I need any firewall or NAT rules for the Exchange server and VoIP server?
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Fri Jan 31, 2014 9:53 pm

Your diagram had two MikroTiks. Where is the Cisco? EoIP is MikroTik-only.

 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Fri Jan 31, 2014 10:46 pm

That is my ideal outcome with the two MikroTiks. See, the offices are far away and I can't have them down for that long while I do the transition. Both of them at the moment are using the Ciscos. I would like to use one MikroTik to connect to the Cisco, as it buys me time to drive to the other location to swap the last one out. It's not something I can do all in one day.

Ideas?
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Sat Feb 01, 2014 12:15 am

What's the configuration on the Cisco? You need to mirror that on your MikroTik.

 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Sat Feb 01, 2014 4:43 pm

I thought I did that but perhaps I am missing something?
Attached is the setup I need the Mikrotik to connect to. Ideas on how to do it and make it work? Perhaps I screwed it up.
I tried to follow this example http://wiki.mikrotik.com/wiki/MikroTik_ ... wall_IPSEC
EHHH :roll:
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Sat Feb 01, 2014 10:32 pm

Alright, post your config from your MikroTik?
 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Mon Feb 03, 2014 3:45 pm

I'll get it to you as soon as I can. It may take a few days.
 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Mon Feb 03, 2014 11:44 pm

# feb/03/2014 16:37:15 by RouterOS 6.7
#
/interface ethernet
set [ find default-name=ether1 ] comment="Gateway Port"
set [ find default-name=ether2 ] comment="LAN 192.168.20.x"
set [ find default-name=ether3 ] comment="Switch In GW Room" \
    master-port=ether2
set [ find default-name=ether4 ] comment="Win Server" master-port=\
    ether2
set [ find default-name=ether5 ] comment="Belmont VOIP Phone Server" \
    master-port=ether2
/ip neighbor discovery
set ether1 comment="Gateway Port"
set ether2 comment="LAN 192.168.20.x"
set ether3 comment="Switch In GW Room"
set ether4 comment="Win Server"
set ether5 comment="VOIP Phone Server"
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip address
add address=69.x.x.x interface=ether1 network=69.x.x.x
add address=192.168.20.1/24 interface=ether2 network=192.168.20.0
/ip dns
set servers=24.x.x.x,192.168.20.x,8.8.8.8
/ip firewall filter
add chain=input protocol=ipsec-esp src-address=72.x.x.x
add chain=customer dst-address=192.168.21.0/24 in-interface=ether1 \
    out-interface=ether2 src-address=192.168.20.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add chain=forward connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=forward src-address=192.168.88.0/24
add action=drop chain=forward dst-address=192.168.88.0/24
add action=drop chain=forward src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=forward dst-port=53 protocol=udp src-address-list=delinquency
add chain=forward dst-address-list=delinquency protocol=udp src-port=53
add action=drop chain=forward src-address-list=delinquency
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=BelmontToWarsawVPN \
    src-address=192.168.20.1-192.168.20.254
add action=mark-routing chain=prerouting new-routing-mark=WarsawToBelmontVPN \
    src-address=192.168.21.1-192.168.21.254
/ip firewall nat
add chain=srcnat dst-address=192.168.21.0/24 src-address=192.168.20.0/24
add chain=srcnat dst-address=192.168.20.0/24 src-address=192.168.21.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.20.0/24
add action=dst-nat chain=dstnat comment="Remote Desktop" dst-port=3389 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.20.2 to-ports=3389
add action=dst-nat chain=dstnat comment="Remote Desktop" dst-port=3389 \
    in-interface=ether1 protocol=udp to-addresses=192.168.20.2 to-ports=3389
add action=dst-nat chain=dstnat comment=IMAP dst-port=143,993 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.20.2 to-ports=143
add action=dst-nat chain=dstnat comment=POP3 dst-port=110,995 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.20.2 to-ports=110
add action=dst-nat chain=dstnat comment=L2TP dst-port=1701 in-interface=\
    ether1 protocol=udp to-addresses=192.168.20.1 to-ports=1701
add action=dst-nat chain=dstnat comment=IPSEC dst-port=500 in-interface=\
    ether1 protocol=udp to-addresses=192.168.20.1 to-ports=500
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=ether1 \
    protocol=udp to-addresses=192.168.20.2 to-ports=53
add action=dst-nat chain=dstnat comment=QuickVPN dst-port=60433 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.20.1 to-ports=60443
add action=dst-nat chain=dstnat comment=PPTP dst-port=1723 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.20.1 to-ports=1723
add action=dst-nat chain=dstnat comment=SMTP dst-port=25 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.20.2 to-ports=25
add action=dst-nat chain=dstnat comment=HTTP disabled=yes dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.20.2 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.20.2 to-ports=443
add chain=dstnat dst-port=80 protocol=tcp
add chain=dstnat dst-port=443 protocol=tcp
add chain=dstnat dst-port=5004-5446 protocol=udp
add chain=dstnat dst-port=2427-2727 protocol=udp
add chain=dstnat dst-port=25-161 protocol=udp
add chain=dstnat dst-port=21-5555 protocol=tcp
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=72.x.x.x dh-group=modp768 enc-algorithm=des exchange-mode=\
    aggressive hash-algorithm=md5 lifetime=8h secret=password
/ip ipsec policy
add dst-address=192.168.21.0/24 sa-dst-address=72.x.x.x sa-src-address=\
    69.x.x.x src-address=192.168.20.0/24 tunnel=yes
/ip route
add distance=1 gateway=69.x.x.x
/ip service
set www disabled=yes
set api disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=internal
add interface=ether2 type=internal
/ppp secret
add name=remote password=password
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=64.x.x.x
/tool graphing interface
add allow-address=192.168.20.0/24
add allow-address=192.168.21.0/24
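The export above terminates the tunnel on the router itself with phase 1 set to DES, MD5, modp768 and aggressive mode (the export's own "# Unsafe configuration" comment flags this), accepts only ESP on the input chain, and forwards udp/500 via dst-nat to the router's LAN address. What follows is an added example, not from this thread and not MikroTik's own documentation, of the same policy-based site-to-site tunnel with the pieces a practitioner would normally want: IKE, NAT-T and ESP accepted on input from the peer only, the srcnat bypass placed ahead of the masquerade rule, matching phase 1 and phase 2 lifetimes on both ends, and stronger algorithms. It uses the RouterOS 6.7-era syntax of the posted export (on 6.45 and later the peer parameters moved to /ip ipsec profile and /ip ipsec identity). 69.x.x.x, 72.x.x.x and the two subnets are the thread's redacted placeholders; the algorithm choices, the placeholder PSK and the "Warsaw" naming are assumptions. Every phase 1 and phase 2 value must match what the far end is configured for, otherwise negotiation never completes; if the Cisco RV042 cannot do sha256 or modp2048, drop to the strongest set both ends share rather than back to DES/MD5/modp768, and use the stronger set once both ends are MikroTik.

```routeros
# Added example (not from the thread). RouterOS 6.x syntax, as in the posted export.
# Phase 1 (IKE). The posted peer used enc-algorithm=des hash-algorithm=md5
# dh-group=modp768 exchange-mode=aggressive secret=password; all four are weak,
# and aggressive mode with a PSK exposes a hash of the PSK to offline guessing.
# Both ends must agree on every value here, including lifetime.
/ip ipsec peer
add address=72.x.x.x/32 auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h nat-traversal=no dpd-interval=30s dpd-maximum-failures=5 \
    send-initial-contact=yes comment="Warsaw office peer (assumed name)"
# nat-traversal=yes only if one router sits behind a NAT device.

# Phase 2 (ESP). The proposal lifetime is the value the thread found mismatched
# against the Cisco; set it identically on both ends.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

/ip ipsec policy
add src-address=192.168.20.0/24 dst-address=192.168.21.0/24 \
    sa-src-address=69.x.x.x sa-dst-address=72.x.x.x tunnel=yes \
    action=encrypt level=require proposal=default

# Input chain: this router terminates IKE on 69.x.x.x itself, so accept IKE
# (udp/500), NAT-T (udp/4500) and ESP from the peer address and nothing else.
# No dst-nat of udp/500 to the LAN address is needed; remove that rule.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=72.x.x.x action=accept \
    comment="IKE / NAT-T from Warsaw peer"
add chain=input protocol=ipsec-esp src-address=72.x.x.x action=accept \
    comment="ESP from Warsaw peer"
# Forward chain: allow only the two LANs to talk across the tunnel.
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.21.0/24 action=accept
add chain=forward src-address=192.168.21.0/24 dst-address=192.168.20.0/24 action=accept

# NAT: the bypass must sit above the masquerade rule, otherwise LAN-to-LAN
# packets are source-natted to 69.x.x.x before the policy can match them.
/ip firewall nat
add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.21.0/24 \
    action=accept place-before=0 comment="no NAT for VPN traffic"
add chain=srcnat out-interface=ether1 action=masquerade

# Checks: phase 1 state, phase 2 SAs, and the IKE negotiation messages.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/system logging add topics=ipsec,!debug action=memory
/log print where topics~"ipsec"
```

If `remote-peers` shows the peer as established but `installed-sa` is empty, phase 2 failed and the proposal (algorithms, PFS group, lifetime) is the first thing to compare against the far end; if `remote-peers` is empty, phase 1 failed and the log will name the mismatched attribute.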
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Tue Feb 04, 2014 12:04 am

I'm going to have to wrap my head around all of that. Your firewall seems slightly confusing to me... you also have a bunch of dst-nat stuff that isn't necessary.

So you said it connects, but no traffic goes across? Or what is the exact behavior? Do you see SAs installed (IP -> IPSec -> Installed SAs)?

-Eric
 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Tue Feb 04, 2014 12:21 am

Actually, there are a lot of firewall rules that were duplicated. They were some old firewall rules my buddy was toying with.

I know I have some dst-nat rules that I don't need; I just don't know which yet.

Yes, I see 2 SA keys installed.

When I first started the router and went into IPsec, I noticed that I didn't have exchange mode set to aggressive like I did in the Linksys. So I changed that. I then went to IPsec > Proposals and checked all the auth algorithms.

Would that have made it disconnect at what seemed to be random points?

As of now it seems to be working. The phone system works from here to the other office. The emails seem to be sending.

Although I could use some drastic help with the firewall, as mentioned, lol. Basically, I just want to protect this network the best I can.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Tue Feb 04, 2014 12:30 am

Email me at my username at Gmail.com and I can help you with the rules. Just need to know exactly what you need... Then I can help you write the rules.

 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Tue Feb 04, 2014 1:30 am

I did send you an email.

Also, the MikroTik just stopped pinging the attached network that runs through the IPsec. I still see installed SAs, but I can't get to the other side. Now the phone won't dial out to the other office.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Tue Feb 04, 2014 1:34 am

Odd... At some point what I would do is just set it up to use IPIP/GRE/EoIP over IPsec; they are stateless and will generally keep the link alive. Also, you may want to upgrade to 6.9; there are some issues with the lower v6 releases and IPsec.
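The "EoIP over IPsec" layout suggested in the first reply and again here, written out as an added example (not code from this thread or from MikroTik). It only applies once both offices run RouterOS, since the Cisco RV042 does not speak EoIP. The idea is that the IPsec policy protects a single carrier, the GRE that EoIP rides on, between the two public addresses in transport mode, so there is no per-subnet policy whose SA has to be brought up by interesting traffic; the EoIP keepalive keeps the SA in use. The example routes over the EoIP interface rather than bridging it, so the two LANs stay separate broadcast domains and the forward-chain rules still govern cross-site traffic. RouterOS 6.x syntax is assumed, as in the posted export; 69.x.x.x and 72.x.x.x are the thread's redacted public addresses, while the tunnel-id, the 10.255.0.0/30 link network, the PSK and the "warsaw" naming are assumptions.

```routeros
# Added example (not from the thread): EoIP between two RouterOS routers, with the
# GRE carrier protected by a transport-mode IPsec policy. Both ends must be MikroTik.
# Phase 1 / phase 2 settings are the same on both routers.
/ip ipsec peer
add address=72.x.x.x/32 auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h dpd-interval=30s dpd-maximum-failures=5
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# Transport mode, protocol GRE only (EoIP is carried in GRE, IP protocol 47),
# between the two public addresses. Everything that later crosses the EoIP
# interface travels inside this one SA.
/ip ipsec policy
add src-address=69.x.x.x/32 dst-address=72.x.x.x/32 protocol=gre \
    sa-src-address=69.x.x.x sa-dst-address=72.x.x.x tunnel=no \
    action=encrypt level=require proposal=default

# EoIP interface; tunnel-id must be identical on the far router. The keepalive
# (interval,retries; assumed available on this 6.x build) is the traffic that keeps
# the SA alive and marks the interface down when the far end stops answering.
/interface eoip
add name=eoip-warsaw local-address=69.x.x.x remote-address=72.x.x.x tunnel-id=10 \
    keepalive=10s,10 comment="tunnel to Warsaw office (assumed name)"

# Route over the tunnel instead of bridging it. Traffic leaving via eoip-warsaw
# never matches out-interface=ether1, so the masquerade rule does not touch it.
/ip address
add address=10.255.0.1/30 interface=eoip-warsaw
/ip route
add dst-address=192.168.21.0/24 gateway=10.255.0.2

/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=72.x.x.x action=accept \
    comment="IKE / NAT-T from Warsaw peer"
add chain=input protocol=ipsec-esp src-address=72.x.x.x action=accept
# After decryption the carrier is plain GRE addressed to this router; accept it
# from the peer only, so unencrypted GRE from anywhere else is still dropped.
add chain=input protocol=gre src-address=72.x.x.x action=accept
add chain=forward in-interface=eoip-warsaw src-address=192.168.21.0/24 \
    dst-address=192.168.20.0/24 action=accept
add chain=forward out-interface=eoip-warsaw src-address=192.168.20.0/24 \
    dst-address=192.168.21.0/24 action=accept

# Mirror on the Warsaw router: swap 69.x.x.x and 72.x.x.x, use 10.255.0.2/30 on its
# eoip interface, and route 192.168.20.0/24 via 10.255.0.1.
```

Two caveats: GRE plus ESP overhead lowers the usable MTU on the EoIP interface, so check `/interface eoip print` and path MTU if large packets such as VoIP signaling bundles stall while pings succeed; and an EoIP tunnel without the IPsec policy is unauthenticated and unencrypted, so `level=require` on the policy is what stops the router from ever sending the carrier in the clear.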
 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Tue Feb 04, 2014 1:36 am

Interesting. I flushed the SAs and BAM, it came back online.... what the heck does that mean?

I would like to change to something more stable for sure!
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Tue Feb 04, 2014 1:39 am

Not sure entirely what that means... Do both sides have the same lifetimes set?...
 
ProCon
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Sep 18, 2010 9:08 pm

Re: Network a to network b?

Tue Feb 04, 2014 1:57 am

Yes, they do now. The Phase 2 timer was set differently. I set them all to the same now. There seem to be a heck of a lot more installed SAs now after this update. Is that normal?
Last edited by ProCon on Tue Feb 04, 2014 2:02 am, edited 1 time in total.
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Network a to network b?

Tue Feb 04, 2014 2:00 am

That can cause issues. Really they should negotiate, but just for sanity's sake make sure they are all the same.

We'll do the firewall via email. Emailed you back.
