Community discussions

nashaden
just joined
Topic Author
Posts: 17
Joined: Thu Oct 20, 2016 12:43 pm
Location: Poland

RDP not working over Ipsec site-2-site

Thu Oct 20, 2016 1:28 pm

I have an IPsec site-to-site tunnel between my MikroTik RB2011UiAS and my client's router (ZyXEL). Both phases are fine, the connection is established and I can see packets on my firewall going through accept rules. However, they have to use RDP to one of my MS Windows Server 2003 machines, but they can neither connect to it nor ping the machine.

My WAN: xx.xx.xx.146
My gateway: xx.xx.xx.145
MY LAN: 10.0.0.0/24

Their WAN: xx.xx.xx.38
Their LAN: 192.168.2.0/24

Address configuration
address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; LAN-IP
     10.0.0.1/24        10.0.0.0        bridgeLocal                              
 1   ;;; WAN-IP (01)
     xx.xx.xx.146/29    xx.xx.xx.144    WAN1-ether10
IPSEC related things
ipsec peer print
Flags: X - disabled, D - dynamic 
 0    ;;; Phase 1: KartGis
      address=xx.xx.xx.38/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="****" generate-policy=no 
      policy-template-group=default exchange-mode=main send-initial-contact=yes 
      nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=aes-256 dh-group=modp1536 lifetime=8h lifebytes=0 
      dpd-interval=2m dpd-maximum-failures=5
	  
ipsec proposal print
Flags: X - disabled, * - default 
 1    name="kartgis" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=1h 
      pfs-group=modp1536
	  
ipsec policy print
 1     ;;; KartGis VPN
       src-address=10.0.0.0/24 src-port=any dst-address=192.168.2.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=xx.xx.xx.146 
       sa-dst-address=xx.xxx.xx.38 proposal=kartgis priority=0

Routes related things
route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; Gateway 01
        0.0.0.0/0                          xx.xx.xx.145              1
 1 ADC  10.0.0.0/24        10.0.0.1        bridgeLocal               0
 2 ADC  xx.xx.xx.144/29    xx.xx.xx.146    WAN1-ether10              0
NAT related things
firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; KartGis IPSEC Tunnel
      chain=srcnet action=accept src-address=10.0.0.0/24 dst-address=192.168.2.0/24 log=no log-prefix="" 

 1    ;;; Internet 01
      chain=srcnat action=masquerade src-address=10.0.0.0/24 out-interface=WAN1-ether10 log=no log-prefix=""

Firewall rules
firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPsec
      chain=input action=accept protocol=udp dst-port=500 

 1    chain=input action=accept protocol=ipsec-esp 

 2    chain=forward action=accept connection-state=established,related src-address=192.168.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" 

 3    chain=forward action=accept connection-state=established,related src-address=10.0.0.0/24 dst-address=192.168.2.0/24 log=no log-prefix="" 

 4    ;;; Accept established and related packets
      chain=input action=accept connection-state=established,related 

 5    ;;; Accept all connections from local network
      chain=input action=accept in-interface=bridgeLocal 

 6    ;;; Drop all packets from blacklisted addresses
      chain=input action=drop src-address-list=Hackers in-interface=WAN1-ether10 log=no log-prefix="" 

 7    ;;; Drop invalid packets
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 8    ;;; Drop all packets which are not destined to routes IP address
      chain=input action=drop dst-address-type=!local log=no log-prefix="" 

 9    ;;; Drop all packets which does not have unicast source IP address
      chain=input action=drop src-address-type=!unicast log=no log-prefix="" 

10    ;;; Drop all packets from public internet which should not exist in public network
      chain=input action=drop src-address-list=NotPublic in-interface=WAN1-ether10 log=no log-prefix=""
	  
11    ;;; Accept established and related packets
      chain=forward action=accept connection-state=established,related 

12    ;;; Accept forward packets from natted connection
      chain=forward action=accept connection-state=established,related connection-nat-state=dstnat in-interface=WAN1-ether10 log=no log-prefix="" 

13    ;;; Drop invalid packets
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

14    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN1-ether10 log=no log-prefix="" 

15    ;;; Drop all packets from public internet which should not exist in public network
      chain=forward action=drop src-address-list=NotPublic in-interface=WAN1-ether10 log=no log-prefix="" 

16    ;;; Drop all packets from local network to internet which should not exist in public network
      chain=forward action=drop dst-address-list=NotPublic in-interface=bridgeLocal log=no log-prefix="" 

17    ;;; Drop all packets in local network which does not have local network address
      chain=forward action=drop src-address=!10.0.0.0/24 in-interface=bridgeLocal log=no log-prefix="" 

18    ;;; No internet but ESET
      chain=forward action=drop src-address-list=nointernet dst-address-list=!eset out-interface=WAN1-ether10 log=no log-prefix=""

NotPublic List
/ip firewall address-list> print
Flags: X - disabled, D - dynamic 
 #   LIST        ADDRESS            TIMEOUT
 1   NotPublic   0.0.0.0/8
 2   NotPublic   10.0.0.0/8
 3   NotPublic   100.64.0.0/10
 4   NotPublic   127.0.0.0/8
 5   NotPublic   169.254.0.0/16
 6   NotPublic   172.16.0.0/12
 7   NotPublic   192.0.0.0/24
 8   NotPublic   192.0.2.0/24
 9   NotPublic   192.168.0.0/23
10   NotPublic   192.88.99.0/24
11   NotPublic   198.18.0.0/15
12   NotPublic   198.51.100.0/24
13   NotPublic   203.0.113.0/24
14   NotPublic   224.0.0.0/4
15   NotPublic   240.0.0.0/4
48   NotPublic   192.168.3.0/24
49   NotPublic   192.168.4.0/22
50   NotPublic   192.168.8.0/21
51   NotPublic   192.168.16.0/20
52   NotPublic   192.168.32.0/19
What am I missing here, or what do I have too much of, that ping and RDP do not work over the tunnel? Help!


EDIT
----------------------------------------------
Got the ping to work by changing this rule:
14    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN1-ether10 log=no log-prefix=""

to this
14    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN1-ether10 packet-mark=!vpn log=no log-prefix=""
Still RDP is not working.
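Added example (not from this thread and not MikroTik's own documentation): a RouterOS 6.x rule set for carrying this policy-based IPsec tunnel through a firewall of the shape printed above. Interface, subnet, peer address and comment names are the ones in the post; the RDP host address 10.0.0.10 is an assumption. Two things in the printed configuration are worth checking against it. First, the NAT accept rule is printed in a chain named srcnet, and RouterOS evaluates source NAT only in the srcnat chain (a custom chain that nothing jumps to is never consulted); if that is not a transcription slip, the masquerade rule rewrites tunnel traffic to the WAN address before the IPsec policy lookup, and the packets no longer match the 10.0.0.0/24 to 192.168.2.0/24 policy. Second, packets decrypted from the tunnel re-enter the forward chain on the WAN interface as connection-state=new with no dst-nat state, which is exactly what the "Drop new connections from internet which are not dst-natted" rule drops unless something accepts them first. The ipsec-policy matcher used below identifies traffic by its IPsec policy rather than by a packet mark.

```routeros
# Added example: RouterOS 6.x firewall/NAT rules for a policy-based
# IPsec site-to-site tunnel behind a restrictive firewall.
# Names from the thread: WAN1-ether10, bridgeLocal, 10.0.0.0/24 (local),
# 192.168.2.0/24 (KartGis), peer xx.xx.xx.38. 10.0.0.10 is an assumed RDP host.

# 1) Source NAT bypass. Must be in chain=srcnat and ABOVE masquerade,
#    because srcnat runs before the IPsec policy lookup. A rule in a chain
#    called "srcnet" is never evaluated.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    place-before=[find action=masquerade] \
    comment="KartGis IPsec: do not masquerade traffic that an IPsec policy will encrypt"
# Subnet-based equivalent if the matcher is not available on your build:
# add chain=srcnat action=accept src-address=10.0.0.0/24 \
#     dst-address=192.168.2.0/24 place-before=[find action=masquerade]

# 2) Input chain: IKE (udp/500), NAT-T (udp/4500) and ESP, only from the peer
#    and only on the WAN interface. udp/1701 is L2TP and is not needed here.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=xx.xx.xx.38 in-interface=WAN1-ether10 place-before=0 \
    comment="IKE/NAT-T from KartGis"
add chain=input action=accept protocol=ipsec-esp \
    src-address=xx.xx.xx.38 in-interface=WAN1-ether10 place-before=0 \
    comment="ESP from KartGis"

# 3) Forward chain: accept decrypted tunnel traffic before the rule that
#    drops new, non-dst-natted connections arriving on the WAN interface.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.2.0/24 dst-address=10.0.0.0/24 \
    place-before=[find comment~"not dst-natted"] \
    comment="KartGis -> LAN (decrypted by IPsec)"
add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=10.0.0.0/24 dst-address=192.168.2.0/24 \
    place-before=[find comment~"not dst-natted"] \
    comment="LAN -> KartGis (to be encrypted by IPsec)"

# Tighter inbound alternative: only RDP to the one host (10.0.0.10 assumed).
# add chain=forward action=accept ipsec-policy=in,ipsec protocol=tcp \
#     src-address=192.168.2.0/24 dst-address=10.0.0.10 dst-port=3389 \
#     place-before=[find comment~"not dst-natted"] comment="KartGis -> RDP host only"
```

Apply on the RB2011 and re-test with /ping 192.168.2.1 src-address=10.0.0.1 (remote LAN gateway address assumed), so that the test does not depend on the Windows host at all. If the router reaches the remote LAN but RDP and ICMP to the Windows Server 2003 box still fail, look at that host's own firewall: the Windows Firewall Remote Desktop exception can be scoped to the local subnet only, which silently rejects 192.168.2.0/24 before RouterOS is involved. Server 2003 was already out of support when this thread was written; if it has to stay reachable over the VPN, restrict the sources and ports as the commented rule does rather than opening the whole subnet.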
 
nashaden
just joined
Topic Author
Posts: 17
Joined: Thu Oct 20, 2016 12:43 pm
Location: Poland

Re: RDP not working over Ipsec site-2-site

Fri Oct 21, 2016 2:26 am

I have another MT (RB750r2 hEX lite) with an almost mirrored configuration of this RB2011, with some minor differences:

1. On both I have the same ISP, but the RB2011 uses a static IP while the hEX uses PPPoE to access the internet.
2. I run IPsec tunnels on both, using the same configuration (apart from addresses, of course) for peers, proposals and secrets.
3. On the hEX I additionally use a PPTP server and it works like a charm.
4. I use the same filter/NAT rules.

The only thing that is really different between those two is the OS version: the RB2011 runs 6.37.1 while the hEX runs 6.34.2. Could this be a problem with the new OS version? Anyone? I'm running out of ideas.

I even disabled all firewall filter rules, yet neither RDP to a Windows server machine over the IPsec tunnel nor a PPTP server (set up the same way as on the hEX) works. The PPTP server does not let me log in. I'm really clueless...
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: RDP not working over Ipsec site-2-site

Sat Oct 22, 2016 9:43 pm

Hi,

Have you tried to explicitly allow RDP in the firewall? Like src network, dst network, port 3389? Is that rule getting hits? Did you torch RDP connections in the current config? Can you connect via RDP to their side?
 
jaytcsd
Member
Posts: 335
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: RDP not working over Ipsec site-2-site

Sun Oct 23, 2016 8:00 pm

RDP works on EOIP / IPSEC between my 2 Mikrotiks.
I don't have as many firewall rules as you do, I'd disable from # 8 on and see if that works, then start enabling them one at a time.
If I had a dime for each time my Mikrotik did what I told it to do instead of what I wanted it to do I'd be a millionaire.
 
nashaden
just joined
Topic Author
Posts: 17
Joined: Thu Oct 20, 2016 12:43 pm
Location: Poland

Re: RDP not working over Ipsec site-2-site

Sun Oct 23, 2016 11:24 pm

I did get the IPsec tunnel to run properly (including RDP to the Win server machine). Here's what I did:

I marked vpn packets with:
mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=mark-packet new-packet-mark=vpn passthrough=yes protocol=udp dst-port=4500 
      log=no log-prefix="" 

 1    chain=input action=mark-packet new-packet-mark=vpn passthrough=yes protocol=ipsec-esp log=no 
      log-prefix="" 
Added two new firewall rules (at top):
0    ;;; IPsec
      chain=input action=accept protocol=udp dst-port=500,1701,4500 log=no log-prefix="" 

 1    chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
Altered my Drop new connections from internet which are not dst-natted to this:
15    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat 
      in-interface=WAN1-ether10 packet-mark=!vpn log=no log-prefix=""

Still cannot get the PPTP server to run - my Win machines connect, but cannot log in. Didn't have time to try more magic, will this week.
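Added example (not the poster's configuration): the checks a practitioner would run on the RB2011 after a change like the one above, to confirm the tunnel is carrying the RDP traffic and to see which rule a dropped attempt hits, plus the two input rules a PPTP server needs. Addresses and interface names are the thread's; the remote LAN gateway 192.168.2.1 and everything else are assumptions. The mangle/packet-mark construction the poster uses works around the "drop new connections from internet which are not dst-natted" rule; the ipsec-policy=in,ipsec matcher identifies decrypted tunnel traffic directly and needs no mangle rules. The poster's input accept also opens udp/1701 (L2TP), which a pure IPsec tunnel does not use.

```routeros
# Added example: verification commands and PPTP input rules for the RB2011.
# Addresses/interfaces from the thread; 192.168.2.1 is an assumed remote gateway.

# --- IPsec: is the tunnel up and carrying packets? ---
/ip ipsec policy print detail        # expect ph2-state=established on the KartGis policy
/ip ipsec installed-sa print         # one SA per direction; current-bytes should grow
                                     # while an RDP session is attempted
/log print where message~"ipsec"     # phase 1/2 negotiation errors

# --- Firewall: which rule handles the RDP attempt? ---
/ip firewall filter print stats where chain=forward   # watch packets/bytes counters move
/ip firewall filter print stats where chain=input

# --- Path test that does not depend on the Windows host ---
/ping 192.168.2.1 src-address=10.0.0.1 count=5

# --- Is the traffic reaching the LAN side, and is ESP on the wire? ---
/tool torch interface=bridgeLocal ip-protocol=tcp port=3389
/tool sniffer quick interface=WAN1-ether10 ip-protocol=ipsec-esp

# --- PPTP server: control channel is tcp/1723, data is GRE (IP protocol 47) ---
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=1723 in-interface=WAN1-ether10 \
    place-before=[find chain=input comment="Drop invalid packets"] comment="PPTP control"
add chain=input action=accept protocol=gre in-interface=WAN1-ether10 \
    place-before=[find chain=input comment="Drop invalid packets"] comment="PPTP data (GRE)"
/ppp active print                    # sessions that got past authentication
/log print where topics~"pptp"       # authentication failures and disconnect reasons
```

"Connects but cannot log in" is the classic symptom of GRE being blocked somewhere on the path, including at the ISP or an intermediate NAT device, since the TCP/1723 control connection succeeds and authentication then hangs inside the GRE data channel; the poster reports the failure with all filter rules disabled, so the GRE rule is listed for completeness and the log commands are where to look next. PPTP with MS-CHAPv2 is also cryptographically broken and should not carry anything sensitive; L2TP/IPsec on the same router is the usual replacement.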
