lscully
just joined
Topic Author
Posts: 9
Joined: Tue Jun 13, 2006 11:17 pm

IPSec routing issue, please help

Fri Sep 29, 2006 2:23 am

I am setting up a RouterOS (Routerboard 532) to VPN to a Linksys BEFSX41, using IPSEC. I finally got the link configured and connected, but I can't seem to figure out how to pass traffic from one network to the other. Both hosts are on the same ISP and will be in the same IP range. The setup is:

Mikrotik
Public (routable) IP: 216.XXX.XXX.116
Internal IP (ether 3): 10.10.10.1
Internal Machine: 10.10.10.10

Linksys BEFSX41
Public (routable) IP: 216.XXX.XXX.117
Internal IP: 192.168.1.1
Internal Machine: 192.168.1.100

Following the IPSec configuration from the documentation (the FreeSwan one was the only one I could get to work) I came up with this configuration:

ip ipsec peer print

0 address=216.XXX.XXX.117/32:500 secret="secret" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1h lifebytes=0

ip ipsec proposal print

0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024

1 name="proposal1" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=none


ip ipsec policy print


0 src-address=10.10.10.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=216.XXX.XXX.116 sa-dst-address=216.XXX.XXX.117 proposal=proposal1 manual-sa=none dont-fragment=clear

When I ping from either side, I get a network is unreachable error. Both the Mikrotik and the Linksys are reporting that the link is up.

What have I missed? The configuration is very basic at this point, with only Ether1 and Ether3 up and configured. Routing works correctly except for over the VPN.

One other question, when this finally does work, and you try to connect from the Mikrotik to the Linksys network, does the link come up automatically? At this point I am starting it from the Linksys side, but the user would be on the Mikrotik side of the network.

More information on request if it is needed.

Thank you

Lyle
 
stuntshell
Frequent Visitor
Posts: 57
Joined: Sun Feb 27, 2005 5:15 pm

Sun Oct 22, 2006 5:32 pm

How did this end up?
I'm having the exact same problem, should a traceroute show the path to the net or the tunnel IP?

Thanks,
 
lscully
just joined
Topic Author
Posts: 9
Joined: Tue Jun 13, 2006 11:17 pm

Mon Oct 23, 2006 6:48 pm

I finally gave it up. Went another route that, while it wasn't as transparent to the user, ended up being easier and more flexible in the long run.
 
joeri91942
Frequent Visitor
Posts: 88
Joined: Thu Mar 31, 2005 12:31 pm
Location: Sundsvall, Sweden

Mon Oct 23, 2006 7:10 pm

Do you have NATing on outgoing traffic? If so, did you add a srcnat/accept rule from your local net to the remote network BEFORE your NAT rule? Otherwise it will be NATed and go out on the Internet! Try a sourceroute trace to see where your packets go....

/Jörgen
 
stuntshell
Frequent Visitor
Posts: 57
Joined: Sun Feb 27, 2005 5:15 pm

Mon Oct 23, 2006 8:52 pm

Yes I do have NAT and I do have a src-nat rule pointing to my external IP address.
What I'm trying to accomplish is to have one side of the network with 2 src-nat rules, and only one of the networks can actually 'talk' to the 'other' side. In this case the 172.16.0.X network.
Last edited by stuntshell on Sun Nov 26, 2006 10:06 pm, edited 1 time in total.
 
joeri91942
Frequent Visitor
Posts: 88
Joined: Thu Mar 31, 2005 12:31 pm
Location: Sundsvall, Sweden

Tue Oct 24, 2006 11:44 pm

Ok, did you try my suggestion?

"If so, did you add a srcnat/accept rule from your local net to the remote network BEFORE your NAT-rule?"

Did you try a traceroute to see which way your packets took?



My MT box has the following rules FIRST in the list;
/ ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 dst-address=200.21.23.0/24 \
    action=accept comment="IPSec tunnels" disabled=no
add chain=srcnat src-address=192.168.2.0/24 dst-address=200.21.10.0/24 \
    action=accept comment="" disabled=no
add chain=srcnat src-address=192.168.2.0/24 dst-address=200.21.28.0/24 \
    action=accept comment="" disabled=no
This tells my box to accept all traffic to the remote sites (200.21.something * 3); if I do not have this it will src-nat everything (including stuff for the IPSEC tunnels) out on the Internet.

/Jörgen
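
The point Jörgen makes in this post and his earlier one (the srcnat accept rule must sit above the masquerade/src-nat rule, otherwise tunnel traffic is rewritten to the public address and no longer matches the IPsec policy) can be checked with a small first-match model of a srcnat chain. This is an added example, not code from the thread or from MikroTik; it uses the 10.10.10.0/24 and 192.168.1.0/24 prefixes from the first post, and the public address 203.0.113.116 is a constructed placeholder for the masked 216.XXX.XXX.116. The function names (NatRule, apply_srcnat, tunnel_traffic_is_encrypted) are hypothetical.

```python
# Added example: a minimal first-match model of a RouterOS-style srcnat
# chain, used to show why an "accept" rule for IPsec-protected traffic must
# be listed BEFORE the src-nat/masquerade rule. Not RouterOS code; the
# premise (NAT is applied before the IPsec policy lookup on outbound
# packets) is the one the thread relies on.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    src: str                # source prefix the rule matches
    dst: str                # destination prefix the rule matches ("0.0.0.0/0" = any)
    action: str             # "accept" (leave packet untouched) or "src-nat"
    to_address: str = ""    # replacement source address for "src-nat"
    comment: str = ""

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def apply_srcnat(chain: list, src: str, dst: str) -> str:
    """Walk the chain top to bottom; the first matching terminating rule wins.
    Returns the source address the packet leaves the router with."""
    for rule in chain:
        if rule.matches(src, dst):
            if rule.action == "accept":
                return src                 # accept: stop, no translation
            if rule.action == "src-nat":
                return rule.to_address     # src-nat: rewrite the source
    return src                             # nothing matched: unchanged


def ipsec_policy_matches(src: str, dst: str,
                         policy_src: str = "10.10.10.0/24",
                         policy_dst: str = "192.168.1.0/24") -> bool:
    """The policy selector from the first post: a packet is only encrypted if
    its (post-NAT) source and destination still fall inside these prefixes."""
    return (ip_address(src) in ip_network(policy_src)
            and ip_address(dst) in ip_network(policy_dst))


PUBLIC_IP = "203.0.113.116"   # constructed placeholder for 216.XXX.XXX.116

# Typical masquerade-style rule: everything from the LAN gets the public IP.
MASQ = NatRule("10.10.10.0/24", "0.0.0.0/0", "src-nat", PUBLIC_IP, "internet access")
# The rule Jörgen describes: LAN -> remote VPN subnet is accepted untouched.
ACCEPT_VPN = NatRule("10.10.10.0/24", "192.168.1.0/24", "accept", comment="IPSec tunnel")


def tunnel_traffic_is_encrypted(chain: list, src: str = "10.10.10.10",
                                dst: str = "192.168.1.100") -> bool:
    """Simulate an outbound LAN->remote-LAN packet: run srcnat first, then
    ask whether the resulting packet still hits the IPsec policy."""
    post_nat_src = apply_srcnat(chain, src, dst)
    return ipsec_policy_matches(post_nat_src, dst)


if __name__ == "__main__":
    print("masquerade only:        ", tunnel_traffic_is_encrypted([MASQ]))
    print("accept before masquerade:", tunnel_traffic_is_encrypted([ACCEPT_VPN, MASQ]))
    print("accept after masquerade: ", tunnel_traffic_is_encrypted([MASQ, ACCEPT_VPN]))
    # Ordinary Internet traffic is still translated when the accept rule is first.
    print("internet traffic leaves as:", apply_srcnat([ACCEPT_VPN, MASQ], "10.10.10.10", "198.51.100.5"))
```

Running it shows the three cases: with only the masquerade rule the packet leaves as 203.0.113.116 and misses the 10.10.10.0/24 selector, so it is sent in the clear to the Internet instead of into the tunnel; with the accept rule above the masquerade rule the packet keeps its 10.10.10.10 source and is encrypted; with the accept rule below it, the masquerade rule matches first and the accept rule is never reached. A quick way to confirm the same thing on a live router is to watch the packet counters on the accept rule while pinging the remote LAN.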
