Isiman
just joined
Topic Author
Posts: 1
Joined: Fri Oct 14, 2016 1:43 am

Mikrotik Dynamic IP to Sonicwall VPN

Fri Oct 14, 2016 3:20 am

Hello,
I have been fighting with setting up an aggressive mode VPN between a RB750r2 (dynamic IP) and a Sonicwall TZ500 (static IP) firewall and after spending 2 hours on the phone with Sonicwall Support yesterday, I would like to ask some help from this community.

I seem to be having two different problems:
1. Mikrotik to Sonicwall is unable to set up an aggressive mode VPN connection, however the Sonicwall to Mikrotik can.
2. When the Mikrotik is set up with a static IP (on the test bench), the VPN connects, but no data is transferred from either end.

I am fairly sure that some of the problems stem from the firewall, however even with no rules set apart from VPN Masquerade, there is still no VPN traffic.

Sonicwall WAN Network: 111.167.211.41/32
Sonicwall LAN Network: 192.168.6.0/24
Mikrotik WAN Network: 222.53.243.169/28 (will be a dynamic IP later; I am using this for testing as it *will* bring the VPN up)
Mikrotik LAN Network: 192.168.88.0/28

Current Config:
Mikrotik:
[admin@MikroTik] > /ip ipsec peer print

Flags: X - disabled, D - dynamic 
 0    ;;; Unsafe configuration, suggestion to use certificates
      address=111.167.211.41/32 local-address=:: passive=no port=500 
      auth-method=pre-shared-key secret="secret" generate-policy=no 
      policy-template-group=default exchange-mode=aggressive 
      send-initial-contact=yes nat-traversal=no my-id=fqdn:test.com.au 
      proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des 
      dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd 
      dpd-maximum-failures=5 
[admin@MikroTik] > /ip ipsec policy  print     

Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all 
       proposal=default template=yes 

 1     src-address=192.168.88.0/28 src-port=any dst-address=192.168.6.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 
       sa-dst-address=111.167.211.41 proposal=default priority=0 
[admin@MikroTik] > /ip ipsec proposal  print  

Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h pfs-group=none
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPSec VPN traffic destined for this router
      chain=input action=accept src-address=192.168.6.0/24 dst-address=192.168.88.0/28 log=no log-prefix="" 

 1    ;;; IPSec VPN traffic destined to this subnet
      chain=forward action=accept src-address=192.168.6.0/24 dst-address=192.168.88.0/28 log=no log-prefix="" 

 2    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 3    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 4    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 5    ;;; Add Syn Flood IP to the list
      chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=30,32 protocol=tcp address-list=Syn_Flooder address-list-timeout=30m log=no log-prefix="" 

 6    ;;; Drop to syn flood list
      chain=input action=drop src-address-list=Syn_Flooder log=no log-prefix="" 

 7    ;;; Port Scanner Detect
      chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w log=no log-prefix="" 

 8    ;;; Drop to port scan list
      chain=input action=drop src-address-list=Port_Scanner log=no log-prefix="" 

 9    ;;; Jump for icmp input flow
      chain=input action=jump jump-target=ICMP protocol=icmp log=no log-prefix="" 

10    ;;; Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST
      chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291 log=no log-prefix="" 

11    ;;; Jump for icmp forward flow
      chain=forward action=jump jump-target=ICMP protocol=icmp log=no 
      log-prefix="" 

12    ;;; Drop to bogon list
      chain=forward action=drop dst-address-list=bogons log=no log-prefix="" 

13    ;;; Avoid spammers action
      chain=forward action=drop protocol=tcp src-address-list=spammers 
      dst-port=25,587 log=no log-prefix="" 

14    ;;; Accept DNS - UDP
      chain=input action=accept protocol=udp port=53 log=no log-prefix="" 

15    ;;; Accept DNS - TCP
      chain=input action=accept protocol=tcp port=53 log=no log-prefix="" 

16    ;;; Accept to established connections
      chain=input action=accept connection-state=established log=no 
      log-prefix="" 

17    ;;; Accept to related connections
      chain=input action=accept connection-state=related log=no log-prefix="" 

18    ;;; Full access to SUPPORT address list
      chain=input action=accept src-address-list=support log=no log-prefix="" 

19    ;;; Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED
      chain=input action=drop log=no log-prefix="" 
      
20    ;;; Echo reply
      chain=ICMP action=accept protocol=icmp icmp-options=0:0 log=no log-prefix="" 

21    ;;; Time Exceeded
      chain=ICMP action=accept protocol=icmp icmp-options=11:0 log=no log-prefix="" 

22    ;;; Destination unreachable
      chain=ICMP action=accept protocol=icmp icmp-options=3:0-1 log=no log-prefix="" 

23    ;;; PMTUD
      chain=ICMP action=accept protocol=icmp icmp-options=3:4 log=no log-prefix="" 

24    ;;; Drop to the other ICMPs - Disable to allow ping through tunnel
      chain=ICMP action=drop protocol=icmp log=no log-prefix="" 

25    ;;; Jump for icmp output
      chain=output action=jump jump-target=ICMP protocol=icmp log=no log-prefix="" 
[admin@MikroTik] /ip firewall> nat print      
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=192.168.88.0/28 dst-address=192.168.6.0/24 

 1    chain=srcnat action=masquerade 
[admin@MikroTik] /ip firewall> address-list  print
Flags: X - disabled, D - dynamic 
 #   LIST              ADDRESS                               TIMEOUT             
 0   support           192.168.88.0/28                      
 1   ;;; Self-Identification [RFC 3330]
     bogons            0.0.0.0/8                            
 2 X ;;; Private[RFC 1918] - CLASS A # Check if you need this subnet before en...
     bogons            10.0.0.0/8                           
 3   ;;; Loopback [RFC 3330]
     bogons            127.0.0.0/8                          
 4   ;;; Link Local [RFC 3330]
     bogons            169.254.0.0/16                       
 5 X ;;; Private[RFC 1918] - CLASS B # Check if you need this subnet before en...
     bogons            172.16.0.0/12                        
 6 X ;;; Private[RFC 1918] - CLASS C # Check if you need this subnet before en...
     bogons            192.168.0.0/16                       
 7   ;;; Reserved - IANA - TestNet1
     bogons            192.0.2.0/24                         
 8   ;;; 6to4 Relay Anycast [RFC 3068]
     bogons            192.88.99.0/24                       
 9   ;;; NIDB Testing
     bogons            198.18.0.0/15                        
10   ;;; Reserved - IANA - TestNet2
     bogons            198.51.100.0/24                      
11   ;;; Reserved - IANA - TestNet3
     bogons            203.0.113.0/24                       
12 X ;;; MC, Class D, IANA # Check if you need this subnet before enable it
     bogons            224.0.0.0/4                          
13   support           192.168.6.0/24     
When the Mikrotik is set as the initiator, I get the following:
[admin@MikroTik] > /ip ipsec remote-peers print 
 0 local-address=222.53.246.169 remote-address=111.167.211.41 state=established side=initiator established=6s 
This shows in the Sonicwall that Aggressive mode 1 is complete, and mode 2 does not start.

When the Sonicwall is set as the initiator, I get the following:
[admin@MikroTik] > /ip ipsec remote-peers print 
 0 local-address=222.53.246.169 remote-address=111.167.211.41 state=established side=responder established=12s 
And that shows in the Sonicwall that both mode 1 and 2 are complete, however still no traffic is sent over the link.

I can never see any bytes or packets being sent using the NAT rule, so I am not sure if that has something to do with it.

Sonicwall Config below:
[Four screenshots of the Sonicwall configuration; images not reproduced]
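The RouterOS `print` output above is regular enough (one numbered item per entry, continuation lines indented, `key=value` pairs) to be audited mechanically. The block below is an added example, not code from the thread or from MikroTik: it parses that output format and checks the peer, policy and srcnat items for the things that typically leave phase 2 silent or the tunnel empty (policy `sa-dst-address` agreeing with the peer address, a srcnat accept for the tunnel subnets placed above masquerade) and for the weak primitives the router itself flags as unsafe. The sample strings are constructed, abridged copies of the poster's own output.

```python
import re

# Constructed input: abridged copies of the poster's `/ip ipsec ... print` and `nat print` output.
PEER_OUT = """ 0    ;;; Unsafe configuration, suggestion to use certificates
      address=111.167.211.41/32 local-address=:: auth-method=pre-shared-key
      exchange-mode=aggressive hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024"""
POLICY_OUT = """ 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 template=yes
 1     src-address=192.168.88.0/28 dst-address=192.168.6.0/24 action=encrypt
       tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=111.167.211.41"""
NAT_OUT = """ 0    chain=srcnat action=accept src-address=192.168.88.0/28 dst-address=192.168.6.0/24
 1    chain=srcnat action=masquerade"""

ITEM = re.compile(r"^\s{0,2}(\d+)\s+(?:([A-Z*]+)\s+)?(.*)$")  # index, optional flags, body
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')                    # key=value, value may be quoted

def parse_print(text):
    """RouterOS `print` output -> one dict per item; indented lines continue the item above."""
    items = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("Flags:", "[admin@")):
            continue
        m = ITEM.match(line)
        if m:
            items.append({"flags": m.group(2) or ""})
            line = m.group(3)
        if ";;;" in line:  # ';;;' introduces the item's comment
            line, items[-1]["comment"] = (s.strip() for s in line.split(";;;", 1))
        items[-1].update((k, v.strip('"')) for k, v in KV.findall(line))
    return items

WEAK = {"enc-algorithm": {"des", "3des"}, "hash-algorithm": {"md5", "sha1"},
        "dh-group": {"modp768", "modp1024"}}
def audit(peer, policies, nat):
    """Findings that typically leave phase 2 silent or the tunnel empty, plus weak-crypto notes."""
    out, peer_ip = [], peer["address"].split("/")[0]
    masq = next((i for i, r in enumerate(nat) if r.get("action") == "masquerade"), len(nat))
    for pol in (p for p in policies if p.get("template") != "yes"):
        if pol.get("sa-dst-address") != peer_ip:
            out.append(f"policy sa-dst-address {pol.get('sa-dst-address')} != peer {peer_ip}")
        # srcnat runs before policy matching: tunnel subnets need an accept rule above masquerade
        bypass = [i for i, r in enumerate(nat) if r.get("action") == "accept"
                  and (r.get("src-address"), r.get("dst-address")) == (pol.get("src-address"), pol.get("dst-address"))]
        if masq < len(nat) and (not bypass or min(bypass) > masq):
            out.append(f"no srcnat accept for {pol['src-address']}->{pol['dst-address']} above masquerade")
    for key, bad in WEAK.items():
        if peer.get(key) in bad:
            out.append(f"peer {key}={peer[key]} is weak; prefer aes, sha256 and modp2048 or stronger")
    if peer.get("exchange-mode") == "aggressive" and peer.get("auth-method") == "pre-shared-key":
        out.append("aggressive mode with a pre-shared key: RouterOS marks this unsafe, prefer certificates")
    return out
```

Run against the poster's configuration, the address and NAT-ordering checks pass and only the four weak-crypto findings remain, so the missing phase 2 has to be found in the Sonicwall side or the logs rather than in these items.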
 
awebber
just joined
Posts: 5
Joined: Fri Jul 29, 2016 5:49 am
Location: Sydney

Re: Mikrotik Dynamic IP to Sonicwall VPN

Tue Nov 29, 2016 1:21 pm

Hi,

I am having this same issue; we are trying to set up Mikrotik as OOB devices using a 4G card with a dynamic IP, connecting to a Sonicwall NSA 4600.

If you find a fix please let me know, I will do the same.

We found using AES for encryption had better results.
 
Ape
Member Candidate
Posts: 177
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany

Re: Mikrotik Dynamic IP to Sonicwall VPN

Tue Nov 29, 2016 4:58 pm

Hi,

What's in the logs of the MikroTik and the SonicWALL?
Configuring a syslog server for logging the SonicWALL's messages and the MikroTik's messages would be helpful to correlate the findings.

Regards,
Ape
