Community discussions

MikroTik App
 
Desjani
just joined
Topic Author
Posts: 9
Joined: Tue Jan 26, 2016 11:08 pm

IPSec tunnel connects, but unable to ping or connect to remote network [SOLVED]

Tue Jan 26, 2016 11:19 pm

I have installed a MikroTik CRS125-24G-1S-RM on both sites, and I am trying to set up a Site-to-Site VPN between them.

Configuration is as follows:
[admin@OFFICE] > ip ipsec peer print
Flags: X - disabled, D - dynamic 
 0    address=208.53.41.100/32 local-address=:: passive=no port=500 auth-method=pre-shared-key 
      secret="!sa4Domain#" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@OFFICE] > ip ipsec policy print   
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1     src-address=0.0.0.0/24 src-port=any dst-address=0.0.0.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=173.10.26.100 
       sa-dst-address=208.53.41.100 proposal=default priority=0 


[admin@DATACENTER] > ip ipsec peer print  
Flags: X - disabled, D - dynamic 
 0    address=173.10.26.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="!sa4Domain#" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@DATACENTER] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1     src-address=0.0.0.0/24 src-port=any dst-address=0.0.0.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=208.53.41.100 
       sa-dst-address=173.10.26.100 proposal=default priority=0 
Looking at the IPSec logs on both sides, the connection is active and stable (all R-U-THEREs get ACKed). However, machines on one network cannot ping or otherwise connect to machines on the other, and vice versa.

Pinging each gateway from the other, returns time out.

Am I missing something? This is my first time working with RouterOS.
Last edited by Desjani on Fri Mar 04, 2016 5:57 pm, edited 1 time in total.
 
User avatar
evince
Member
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Wed Jan 27, 2016 11:29 am

Hello,

Can you post your NAT rules? YOu need at least one on the top.

Take a look at this great guide : http://gregsowell.com/?p=787

Regards,
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Wed Jan 27, 2016 12:20 pm

Not sure what you wanted to achieve with such ipsec policies, but obviously src-address=0.0.0.0/24 dst-address=0.0.0.0/24 is not going to work.
 
Desjani
just joined
Topic Author
Posts: 9
Joined: Tue Jan 26, 2016 11:08 pm

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Wed Jan 27, 2016 10:34 pm

Hello,

Can you post your NAT rules? YOu need at least one on the top.

Take a look at this great guide : http://gregsowell.com/?p=787

Regards,
[admin@DATACENTER] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 

 2    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.0.2.2 to-ports=21 protocol=tcp in-interface=ether1-master-local 
      dst-port=21 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.2.2 to-ports=52500-52600 protocol=tcp 
      in-interface=ether1-master-local dst-port=52500-52600 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.0.2.102 to-ports=80 protocol=tcp dst-port=1102 log=no 
      log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.2.101 to-ports=7001 protocol=tcp dst-port=7001 log=no 
      log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=10.0.2.101 to-ports=8080 protocol=tcp dst-port=8080 log=no 
      log-prefix="" 

[admin@OFFICE] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=10.0.2.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 

 2    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=10.0.0.0/24 log=no log-prefix=""  
 
Desjani
just joined
Topic Author
Posts: 9
Joined: Tue Jan 26, 2016 11:08 pm

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Wed Jan 27, 2016 10:36 pm

Not sure what you wanted to achieve with such ipsec policies, but obviously src-address=0.0.0.0/24 dst-address=0.0.0.0/24 is not going to work.
I was following this video guide, and he used 0.0.0.0/24 https://www.youtube.com/watch?v=y68Dx8iPikA
 
jaytcsd
Member
Member
Posts: 335
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Thu Jan 28, 2016 8:29 am

I had problems with IPsec tunnels but got EOIP with IPsec working very easily.
 
User avatar
evince
Member
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Thu Jan 28, 2016 5:12 pm

Did you change your encryption domain in your IPSec policy?
 
jaytcsd
Member
Member
Posts: 335
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Fri Jan 29, 2016 4:02 am

Site 1 is the opposite of 2, too lazy to post it's rules.

site 2
/interface eoip> pr
Flags: X - disabled, R - running
0 R name="to site 1" mtu=auto actual-mtu=1396 l2mtu=65535
mac-address=02:xxxxx arp=enabled local-address=(site 2 WAN IP)
remote-address=(site 1 WAN IP) tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret="PISSOFF" allow-fast-path=no

/ip ipsec policy> pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 T group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all
proposal=default template=yes

2 D ;;; to SITE 1
src-address=(site 2 WAN IP) src-port=any dst-address=(site 1 WAN IP)
dst-port=any protocol=gre action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=(site 2 WAN IP)
sa-dst-address=(site 1 WAN IP) priority=0

Can't figure out the terminal command for bridging, my EOIP tunnel is bridged to my LAN port.
 
Desjani
just joined
Topic Author
Posts: 9
Joined: Tue Jan 26, 2016 11:08 pm

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Fri Feb 05, 2016 5:51 pm

Okay I've gone through the suggested guides and recreated the settings as follows:
[admin@OFFICE] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=10.0.0.0/24 src-port=any dst-address=10.0.2.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=173.10.26.100 sa-dst-address=208.53.41.100 
       proposal=default priority=0 
[admin@OFFICE] /ip ipsec> peer print
Flags: X - disabled, D - dynamic 
 0    address=208.53.41.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="FOO" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@OFFICE] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
 [admin@OFFICE] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 2    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 
[admin@OFFICE] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=10.0.2.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 

 
 [admin@DATACENTER] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=10.0.2.0/24 src-port=any dst-address=10.0.0.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=208.53.41.100 sa-dst-address=173.10.26.100 
       proposal=default priority=0 
[admin@DATACENTER] /ip ipsec> peer print
Flags: X - disabled, D - dynamic 
 0    address=173.10.26.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="FOO" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@DATACENTER] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024 
 
 [admin@DATACENTER] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 2    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 
[admin@DATACENTER] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 
The tunnel appears to connect, but I still cannot ping or connect through it.
I am seeing interesting entries on the ipsec log:
DPD R-U-There-Ack recieved
Recieved an R-U-THERE-ACK

1 times of 1 bytes message will be sent to 208.53.41.100[4500]
ff
ignore because do not listen on source address: 173.10.26.100
Any thoughts?
 
jaytcsd
Member
Member
Posts: 335
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Sun Feb 07, 2016 8:36 am

I could not ping from inside one tunnel to inside the other using IPsec tunnels, but could ping in the reverse direction, ie 192.168.100.20 could ping 192.168.200.20 but not from 200.20 to 100.20.

I don't think EOIP helped that either, spent a long time experimenting to get this working and forgot all the steps I went through.

I changed my 200.0/24 network at site 2 to 100.0/24 and renumbered the PCs with duplicate addresses.

My only NAT rule is a masquerade.
My site 2 router is 192.168.100.10, I use that gateway for site 2 PCs but use dhcp from 100.1 at site 1. I only have a few PCs using dhcp.

I don't know if there are any performance issues with using EOIP vs IPsec tunnel but for my small personal network I don't care. My CPU is running 3-6% while copying a 3 gig file between the sites, ping times are over 500 ms but drop to under 100 with little or no traffic.
 
Desjani
just joined
Topic Author
Posts: 9
Joined: Tue Jan 26, 2016 11:08 pm

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Tue Feb 23, 2016 5:44 pm

Thanks all, but it appears simply organizing for the routers to BOTH be rebooted at near-same time made it work. Odd, but I'll take it.
 
gotsprings
Forum Guru
Forum Guru
Posts: 2307
Joined: Mon May 14, 2012 9:30 pm

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Tue Feb 23, 2016 8:47 pm

Thanks all, but it appears simply organizing for the routers to BOTH be rebooted at near-same time made it work. Odd, but I'll take it.
Thats actually in the tutorial. That you have to clear all the connections to get the packets to hit that first NAT rule.
 
jaytcsd
Member
Member
Posts: 335
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: IPSec tunnel connects, but unable to ping or connect to remote network

Wed Feb 24, 2016 10:04 am

@ Desjani
Do you want to mark this topic Solved in the subject in case someone else is looking for a solution?

Who is online

Users browsing this forum: indnti, infabo and 23 guests