Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 10:00 am

Hi Forum 
I've been setting up a system - and cannot get the rules for accessing the different networks:
Headquarter: 192.168.201.0/24
BO1: 192.168.202.0/24
BO2: 192.168.203.0/24

Actually I'm getting the VPN up and running with the IPSEC - following this guide Ipsec Guide
And the VPNs are created and talking to each other. I've added a route on each router:
FLAGS  DST_ADDRESS         PREF_SRC        GATEWAY    DISTANCE
2 A S  192.168.200.0/21   192.168.201.1   WAN            1           1
Where the preferred source changes on each router - depending on their local
The Firewall rules I've tried without any luck:
From Headquarter
FILTER
 0    chain=forward action=accept src-address=192.168.201.0/24 dst-address=192.168.200.0/21 log=no log-prefix="" 
 1    chain=forward action=accept src-address=192.168.200.0/21 dst-address=192.168.201.0/24 log=no log-prefix="" 

NAT
 1    chain=srcnat action=accept src-address=192.168.200.0/21 dst-address=192.168.201.0/24 log=no log-prefix=""
Both enabled and disabled NAT rules - does not do anything

As it is now - I cannot ping between the 2 routers - nor do I have access to the LAN on the other side of the VPN.
So how should I create these rules for getting LAN2LAN access on this setup?
 
Feklar
Forum Guru
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 6:42 pm

When using pure IPSec, it really doesn't use the routing table how you are thinking. What happens is the IPSec policy grabs the "interesting traffic", encrypts it, and then sends the encapsulated traffic to the SA. DST. from the SA. SRC. This traffic then is considered to be originating from the router.

Please include your IPSec settings, that is where the problem is most likely. Just because peers are setup and talking correctly (phase 1) doesn't mean that the policies are setup correctly.
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 7:11 pm

My Peers are created like this: 
ip ipsec peer print
Flags: X - disabled, D - dynamic 
 0    address=93.161.X.X/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="*******" generate-policy=no 
      policy-template-group=default exchange-mode=main send-initial-contact=yes 
      nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 
      dpd-interval=2m dpd-maximum-failures=5  
ip ipsec policy print
 1     src-address=192.168.202.0/24 src-port=any dst-address=192.168.201.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=78.111.XX.XX 
       sa-dst-address=93.161.XX.X proposal=VPN priority=
ip ipsec proposal print
 1    name="VPN" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
The same on both sides! 
firewall Setup at the moment: 
HQ
ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Allow BO1 access to LAN
      chain=forward action=accept src-address=192.168.202.0/24 
      dst-address=192.168.201.0/24 log=no log-prefix="" 
 1    ;;; Allow BO2 access to LAN
      chain=forward action=accept src-address=192.168.203.0/24 
      dst-address=192.168.201.0/24 log=no log-prefix=""
ip firewall nat print       
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Access FRB
      chain=srcnat action=accept src-address=192.168.201.0/24 
      dst-address=192.168.202.0/24 log=no log-prefix="" 

 1    ;;; Access FAXE
      chain=srcnat action=accept src-address=192.168.201.0/24 
      dst-address=192.168.203.0/24 log=no log-prefix=""
BO1
ip firewall filter  print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=no log-prefix="" 

ip firewall nat print  
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix="" 
 1    ;;; Outgoing Traffik Masquerade 
      chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
I can now ping and access from BO to HQ - but not the other way back.
I can access fileshares and rdp etc and also ping from BO --> HQ subnet - But only ping router and not subnet from HQ --> BO
 
Media
just joined
Posts: 6
Joined: Tue Jul 19, 2016 11:11 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 8:46 pm

I have similar issue - IPSEC tunnel over Internet, Router A pings everything in the Router B private network, but Router B can ping only Router A private address, pinging anything else - not possible. Tried to add routes but with no success. Any ideas?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10542
Joined: Mon Jun 08, 2015 12:09 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Wed Jul 27, 2016 8:53 pm

When in doubt, use IP tunnel with IPsec protection and /30 address on it, then route over that tunnel.
It is much easier to manage in complicated scenarios.
 
Feklar
Forum Guru
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 12:22 am

You'll need to provide information for both/all router configs. It's also easier to see things with the export command than the print command.
 
Media
just joined
Posts: 6
Joined: Tue Jul 19, 2016 11:11 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 1:47 pm

Here are the two configs.
RouterB.rsc
RouterA.rsc
Replaced the public IP's and deleted sensitive info.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7197
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 2:02 pm

On RouterA you have fasttrack.
See remarks here
http://wiki.mikrotik.com/wiki/Manual:IP ... ack_Bypass

As well as everything is blocked in input chain except ping on both routers. In input chain you need to accept UDP 500/4500 and esp protocol.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10542
Joined: Mon Jun 08, 2015 12:09 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 3:25 pm

That is why I recommend using an IP tunnel interface with IPsec instead.  It is all automatically setup and such
problems are nonexistent.   After that, you only need to set a static route at each side, or enable BGP when the
routing is more complicated.
 
Media
just joined
Posts: 6
Joined: Tue Jul 19, 2016 11:11 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 3:46 pm

By the way, it began to route the networks, or at least have a ping to all the ip addresses, not just the router....and don't know why...wrote the rules and it began to work. But I disabled the rules, even restarted router A and still have ping to its network. And new rules are disabled.
pe1chl, can you give a link for this scenario?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10542
Joined: Mon Jun 08, 2015 12:09 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 3:52 pm

 
Media
just joined
Posts: 6
Joined: Tue Jul 19, 2016 11:11 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 7:00 pm

And after that IPSEC tunnel?
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 10:00 pm

Here are my settings: 
Headquarter Router 
Filter:
> ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Allow FRB access to LAN
      chain=forward action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix=""
NAT:
> ip firewall nat  print      
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Access FRB
      chain=srcnat action=accept src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=no log-prefix="" 

IPSEC:
> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=*2 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1     ;;; Policy FRB
       src-address=192.168.201.0/24 src-port=any dst-address=192.168.202.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=93.161.XX.XX sa-dst-address=78.111.XX.XX proposal=VPN priority=0
> ip ipsec peer  print  
Flags: X - disabled, D - dynamic 
 0 X  ;;; FRB 
      address=78.111.XX.XX/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="XXXXXXXX" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm="" dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
> ip ipsec proposal   print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 
 1    name="VPN" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
On Location1 Router: 
FILTER:
> ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Access to HQ
      chain=forward action=accept src-address=192.168.201.0/24 dst-address=192.168.203.0/24 log=no log-prefix="" 
NAT:
> ip firewall nat print       
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=192.168.203.0/24 dst-address=192.168.201.0/24 log=no log-prefix=""
IPSEC:
> ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1     src-address=192.168.203.0/24 src-port=any dst-address=192.168.201.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=78.111.XXX.XXX sa-dst-address=93.161.XXX.XXX proposal=VPN priority=0
> ip ipsec peer  print    
Flags: X - disabled, D - dynamic 
 0    ;;; HQ
      address=93.161.XXX.XXX/32 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="XXXXXXXXX" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
> ip ipsec proposal  print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 
 1    name="VPN" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024 
What I can: 
From HeadQuarter to Location: 
Ping the Location router - both from HQ router and local machines
NOT ping the LAN printer accesspoints etc
NOT Access RDP/Filesharing etc from Location LAN
From Location to HeadQuarter: 
Ping the HQ router - both from Location router and local machines
Ping the LAN - printers accesspoints etc

access RDP - filesharing etc from HQ LAN

As far as I can see - the settings are the same on both sides, and the rules are set properly. 

Added Config Files
Headquarter: HeadQuarter.txt
Location: Location.txt
Last edited by Peque on Thu Jul 28, 2016 10:20 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10542
Joined: Mon Jun 08, 2015 12:09 pm

Re: FILTER/NAT RULES FOR IPSEC VPN

Thu Jul 28, 2016 10:15 pm

And after that IPSEC tunnel?
IPsec tunnel can be configured inside that configuration!  It will be automatically generated.
 
Revelation
Member
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: FILTER/NAT RULES FOR IPSEC VPN

Fri Jul 29, 2016 1:04 am

What I can: 
From HeadQuarter to Location: 
Ping the Location router - both from HQ router and local machines
NOT ping the LAN printer accesspoints etc
NOT Access RDP/Filesharing etc from Location LAN
From Location to HeadQuarter: 
Ping the HQ router - both from Location router and local machines
Ping the LAN - printers accesspoints etc

access RDP - filesharing etc from HQ LAN

As far as I can see - the settings are the same on both sides, and the rules are set properly. 

Added Config Files
Headquarter: HeadQuarter.txt
Location: Location.txt
I see nothing on HQ telling it how to get to 192.168.203.0/24 or permitting it.
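The two findings in this thread (mrz's point that the input chain must accept IKE on UDP 500/4500 plus ESP and that fasttrack needs an IPsec bypass, and Revelation's point that the HQ and Location policies do not mirror each other) are the kind of thing a small lint script can catch before anyone stares at print output. The script below is an added example, not code from this thread, the forum or MikroTik. It reads RouterOS export-style `add k=v` lines and checks four things: that every encrypt policy on one router has a counterpart on the peer with the subnets and SA endpoints swapped, that the input chain accepts UDP 500/4500 and `ipsec-esp` before a catch-all drop, that srcnat `accept` rules for the tunnelled subnets sit before masquerade, and that `accept` rules matching `ipsec-policy=in,ipsec` / `out,ipsec` precede any fasttrack rule (the bypass method assumed here; the linked wiki page is not reproduced in the thread). The config text is constructed to resemble the posted one, with RFC 5737 documentation addresses standing in for the masked public IPs; the first-match walk of the input chain is a simplification of RouterOS behaviour.

```python
"""Lint a MikroTik site-to-site IPsec setup for the problems raised in this thread.
Added example (not the thread's, the forum's or MikroTik's code).  Reads RouterOS
export-style 'add k=v' lines and checks: encrypt policies mirrored on both peers,
input chain accepting IKE (UDP 500/4500) and ESP, srcnat accepts placed before
masquerade, and ipsec-policy=in,ipsec/out,ipsec accepts placed before fasttrack.
Config text is constructed to resemble the posted one; public IPs are RFC 5737."""
import shlex

def parse_export(text):
    """'add k=v k="v v"' lines -> list of dicts in order, with disabled rules dropped."""
    rules = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return [r for r in rules if r.get("disabled") != "yes"]

def unmirrored_policies(policies_a, policies_b):
    """Encrypt policies on A lacking a peer policy with subnets and SA endpoints swapped."""
    live = lambda ps: [p for p in ps if p.get("template") != "yes" and p.get("action", "encrypt") == "encrypt"]
    key = lambda p: tuple(p.get(k) for k in ("src-address", "dst-address", "sa-src-address", "sa-dst-address"))
    mirrored = {(d, s, sd, ss) for (s, d, ss, sd) in map(key, live(policies_b))}
    return [p for p in live(policies_a) if key(p) not in mirrored]

def blocked_ipsec_traffic(filter_rules):
    """IKE/ESP traffic the input chain drops before any rule accepts it (first-match walk)."""
    needed = {"udp/500", "udp/4500", "ipsec-esp"}
    for r in (r for r in filter_rules if r.get("chain") == "input"):
        if "new" not in r.get("connection-state", "new"):
            continue  # established/related-only rules cannot match the first IKE packet
        matchers = set(r) - {"chain", "action", "comment", "log", "log-prefix", "connection-state"}
        proto = r.get("protocol")
        if r["action"] == "accept":
            if proto == "udp":
                needed -= {f"udp/{p}" for p in r["dst-port"].split(",")} if "dst-port" in r else {"udp/500", "udp/4500"}
            elif proto == "ipsec-esp":
                needed.discard("ipsec-esp")
            elif not matchers:
                needed.clear()  # unconditional accept lets everything in
        elif r["action"] == "drop" and not matchers - {"in-interface", "in-interface-list"}:
            break  # catch-all drop (peer traffic arrives on WAN): later rules are unreachable
    return sorted(needed)

def masqueraded_before_accept(nat_rules, local_lan, remote_lans):
    """Remote subnets whose traffic reaches masquerade/src-nat before an 'accept' exempts it."""
    exempt = set()
    for r in (r for r in nat_rules if r.get("chain") == "srcnat"):
        if r["action"] == "accept" and r.get("src-address") == local_lan:
            exempt.add(r.get("dst-address"))
        elif r["action"] in ("masquerade", "src-nat"):
            return sorted(set(remote_lans) - exempt)
    return []

def fasttrack_without_bypass(filter_rules):
    """True when a forward fasttrack rule comes before both the in,ipsec and out,ipsec accepts."""
    bypassed = set()
    for r in (r for r in filter_rules if r.get("chain") == "forward"):
        if r["action"] == "accept" and r.get("ipsec-policy", "").endswith(",ipsec"):
            bypassed.add(r["ipsec-policy"].split(",")[0])
        elif r["action"] == "fasttrack-connection":
            return bypassed != {"in", "out"}
    return False

def lint_site(filter_text, nat_text, policy_text, peer_policy_text, local_lan, remote_lans):
    """Run all four checks; every value is empty/False when the site is consistent."""
    flt, nat, pol, peer = (parse_export(t) for t in (filter_text, nat_text, policy_text, peer_policy_text))
    return {
        "unmirrored_policies": [(p["src-address"], p["dst-address"]) for p in unmirrored_policies(pol, peer)],
        "blocked_in_input": blocked_ipsec_traffic(flt),
        "masqueraded_before_accept": masqueraded_before_accept(nat, local_lan, remote_lans),
        "fasttrack_without_bypass": fasttrack_without_bypass(flt),
    }

# Constructed HQ config shaped like the posted one: LAN 192.168.201.0/24, peer BO1 192.168.202.0/24.
HQ_FILTER = """
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmp
add chain=input action=drop comment="drop everything else"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 comment="Allow BO1 access to LAN"
"""
HQ_NAT = """
add chain=srcnat action=masquerade out-interface=WAN comment="Outgoing traffic masquerade"
add chain=srcnat action=accept src-address=192.168.201.0/24 dst-address=192.168.202.0/24 comment="Access BO1"
"""
HQ_POLICY = """
add template=yes group=default src-address=::/0 dst-address=::/0 proposal=default
add src-address=192.168.201.0/24 dst-address=192.168.202.0/24 action=encrypt tunnel=yes sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 proposal=VPN
"""
# BO1 policy as posted for the 'Location' router: the local subnet is .203 instead of .202.
BO1_POLICY = """
add src-address=192.168.203.0/24 dst-address=192.168.201.0/24 action=encrypt tunnel=yes sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=VPN
"""

if __name__ == "__main__":
    for check, finding in lint_site(HQ_FILTER, HQ_NAT, HQ_POLICY, BO1_POLICY, "192.168.201.0/24", ["192.168.202.0/24"]).items():
        print(f"{check}: {finding}")
```

Run against the constructed HQ config it reports all four problems at once: the policy pair does not mirror, IKE and ESP are dropped by the input chain's catch-all, the masquerade rule rewrites tunnel traffic before the `accept` exempts it, and fasttrack runs without an IPsec bypass. Once the peer policy uses 192.168.202.0/24, the input chain accepts UDP 500/4500 and `ipsec-esp` above the drop, the srcnat `accept` is moved above masquerade, and the two `ipsec-policy` accepts precede fasttrack, every finding comes back empty.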
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: FILTER/NAT RULES FOR IPSEC VPN

Fri Jul 29, 2016 7:14 am

Did you add the src-nat accept rules?
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: FILTER/NAT RULES FOR IPSEC VPN

Fri Jul 29, 2016 7:57 am

My mistake regarding 192.168.203.0/24.

And yes, all src NAT rules are created.