porli
just joined
Topic Author
Posts: 5
Joined: Mon Jun 22, 2015 2:00 pm

Site2Site IPsec problems

Mon Nov 23, 2015 5:35 pm

Hello again,

First of all, I'm not a pro in network things, but I think my knowledge is quite "ok".

For some time I've been using MikroTik, and now I'm trying to connect 2 MikroTiks via site2site IPsec VPN.
It's not my first time, so normally I should know how it works; however, with these 2, the connection is working,
everything seems to be fine, but no byte is passing the tunnel.
There must be a mistake in the firewall rules.

So here is my config:

Both locations have an RB2011.


Location A:
version: 6.21.1
Local IP Range: 192.168.0.0/24
External IP: 80.123.98.xxx/30

Location B:
version: 6.27
Local IP Range: 192.168.1.0/24
External IP: 80.121.239.xxx/30

LocA IPsec output:
# nov/23/2015 15:25:52 by RouterOS 6.21.1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=80.121.239.xxx/32 enc-algorithm=aes-256 secret=\
    mysecretkey send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=80.121.239.78 sa-src-address=\
    80.123.98.xxx src-address=192.168.0.0/24 tunnel=yes
LocA Firewall output
/ip firewall filter
add chain=input disabled=yes src-address=80.121.239.xxx
add chain=forward disabled=yes dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="sstp - vpn " dst-port=1723 in-interface=ether1-gateway \
    protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add chain=input comment=Winbox dst-port=8291 log=yes protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add chain=srcnat comment="NAT BypassRule VPN" dst-address=192.168.0.0/24 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq vpn traffic" src-address=\
    192.168.3.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=8006 in-interface=ether1-gateway \
    protocol=tcp src-address-list=snwat to-addresses=192.168.0.10 to-ports=8006
add action=dst-nat chain=dstnat dst-port=8022 protocol=tcp src-address-list=\
    snwat to-addresses=192.168.0.10 to-ports=22

LocB IPsec:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=80.123.98.xxx/32 enc-algorithm=aes-128,aes-256 nat-traversal=no \
    secret=mysecretkey
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=80.123.98.xxx sa-src-address=\
    80.121.239.xxx src-address=192.168.1.0/24 tunnel=yes
LocB Firewall:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add chain=srcnat comment="NAT BypassRule VPN" dst-address=192.168.1.0/24 log=\
    yes src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes src-address=192.168.0.0/24
So the remote peer is running, the SAs are installed too, but no byte is crossing.

Any help?
 
mrz
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Site2Site IPsec problems

Mon Nov 23, 2015 5:54 pm

In the input chain you must accept ESP and UDP/500. I doubt that with your current firewall configuration you have established phase 1, not to mention phase 2.
 
porli
just joined
Topic Author
Posts: 5
Joined: Mon Jun 22, 2015 2:00 pm

Re: Site2Site IPsec problems

Mon Nov 23, 2015 8:35 pm

Nope, still every ping is a timeout.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Site2Site IPsec problems

Wed Nov 25, 2015 10:42 am

Swap src- and dst-address space in each location in the first NAT "VPN bypass rule".
-Chris
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Site2Site IPsec problems

Wed Nov 25, 2015 10:04 pm

I agree with cdiedrich
 
downther0ad
just joined
Posts: 9
Joined: Mon Nov 02, 2015 10:21 pm

Re: Site2Site IPsec problems

Thu Nov 26, 2015 4:18 pm

Hi,

I was able to do IPSec with this:

Location A
/ip ipsec policy> add src-address=192.168.0.0/24 dst-address=192.168.1.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.123.98.xxx sa-dst-address=80.121.239.xxx proposal=default priority=0
/ip ipsec peer> add address=80.121.239.xxx port=500 auth-method=pre-shared-key secret="prueba" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5
/ip firewall nat> add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=accept disabled=no
Location B
/ip ipsec policy> add src-address=192.168.1.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.121.239.xxx sa-dst-address=80.123.98.xxx proposal=default priority=0
/ip ipsec peer> add address=80.123.98.xxx port=500 auth-method=pre-shared-key secret="prueba" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5
/ip firewall nat> add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=accept
Regards
 
porli
just joined
Topic Author
Posts: 5
Joined: Mon Jun 22, 2015 2:00 pm

Re: Site2Site IPsec problems

Sun Nov 29, 2015 5:15 pm

I'm sorry, I don't understand it. It is not working.

First I tried to swap the NAT rules, no change.

Now I reset all the IPsec config and tried the example from downther0ad, still the same result.

What am I doing wrong?!
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Site2Site IPsec problems

Mon Nov 30, 2015 12:02 pm

Really strange - it should work perfectly with those settings.
Enable the IPsec debug log and post the results here; we can then try to figure out what's going wrong.
-Chris