intelfx

Need help configuring Site-to-Site IPsec when one of the peers is behind a NAT

Sat Jan 21, 2017 9:55 pm

Hello.

(...I'm relatively new to networking, so please bear with me...)

I am trying to build an IPsec (no L2TP) tunnel between two networks with Mikrotik routers in NAT mode. One of the routers ("main") has a public IP, while the other one ("remote") is behind a carrier NAT itself.

My first problem is that I cannot create a policy template in tunnel mode: the tunnel checkbox gets reset to "no". But I do not even know if that's the right way.

So, here is the "main" configuration (LAN subnet is 10.159.230.0/24, WAN address is 77.41.63.43):

[admin@main] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.159.230.1/24    10.159.230.0    bridge-eth
 1 D 77.41.63.43/20     77.41.48.0      ether1-gateway

[admin@main] > /ip ipsec export
# jan/21/2017 22:46:47 by RouterOS 6.39rc15
# software id = NUGB-0ZRG
#
/ip ipsec policy group
add name=site2site
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
add address=0.0.0.0/0 comment="peer for remote" enc-algorithm=aes-128 generate-policy=port-strict passive=yes policy-template-group=site2site secret=XXXX
/ip ipsec policy
set 0 disabled=yes
add comment="from main to remote" dst-address=10.167.15.0/24 group=site2site src-address=10.159.230.0/24 template=yes

Here is the "remote" configuration (LAN subnet is 10.167.15.0/24; never mind the two addresses for ovpn1, that is a workaround for a bug in ovpn-client):

[admin@remote] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.167.15.1/24     10.167.15.0     wlan1
 1   10.159.231.4/24    10.159.231.0    ovpn1
 2 D 100.64.211.102/32  10.112.112.132  3g
 3 D 10.159.231.4/32    10.159.231.1    ovpn1

[admin@remote] > /ip ipsec export
# jan/21/2017 22:50:17 by RouterOS 6.39rc15
# software id = IDVP-LT14
#
/ip ipsec policy group
add name=site2site
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=77.41.63.43/32 comment=main enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-strict secret=XXXX
/ip ipsec policy
set 0 disabled=yes
add comment="remote to main" dst-address=10.159.230.0/24 group=site2site src-address=10.167.15.0/24 template=yes

The firewalls are configured as per the wiki: http://wiki.mikrotik.com/wiki/Manual:IP ... ack_Bypass (ipsec-esp and udp 500,4500 are also allowed on both peers).

Basically, in this setup the remote peer appears in the "Remote Peers" list, but nothing happens afterwards.

Thanks for any help and attention.
intelfx

Re: Need help configuring Site-to-Site IPsec when one of the peers is behind a NAT

Sun Jan 22, 2017 12:04 am

Looks like I solved this.

In the "remote" peer, I created a non-template policy with sa-dst-address=<"main" address> and tunnel=yes:

[admin@remote] /ip ipsec> /ip ipsec export
# jan/22/2017 01:00:48 by RouterOS 6.39rc15
# software id = IDVP-LT14
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=null enc-algorithms=aes-256-gcm
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=77.41.63.43/32 comment=intelfx.name enc-algorithm=aes-256 secret=XXX
/ip ipsec policy
set 0 disabled=yes
add comment=intelfx.name dst-address=10.159.230.0/24 level=unique sa-dst-address=77.41.63.43 sa-src-address=0.0.0.0 src-address=10.167.15.0/24 tunnel=yes
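For reference, the pattern the thread converges on, written out for both routers. This is an added example, not the poster's exported configuration and not a MikroTik reference config; it keeps the subnets and the public address from the posts, uses RouterOS 6.x syntax (6.44 and later split the peer into /ip ipsec profile and /ip ipsec identity), and the PSK value is a placeholder. The security-relevant points: "main" cannot know the remote's source address behind carrier NAT, so its peer matches 0.0.0.0/0 in passive mode and the PSK is the only thing authenticating whoever connects; that is why main mode (not the aggressive mode in the first "remote" export, which exposes a PSK hash to offline guessing) and a long random secret matter, and why RouterOS itself tags PSK peers as "Unsafe configuration". Tunnel mode is set on the initiator's policy only; the responder's template has no tunnel flag because the generated policy takes its mode from the initiator, which matches the "checkbox gets reset" behaviour in the first post. The firewall and NAT bypass rules are assumed to land above any existing drop and masquerade rules.

```routeros
# ---- "main" (public address 77.41.63.43, LAN 10.159.230.0/24): IKEv1 responder ----
/ip ipsec proposal
# AES-GCM is an AEAD, so no separate integrity algorithm (auth-algorithms=null)
set [ find default=yes ] auth-algorithms=null enc-algorithms=aes-256-gcm
/ip ipsec policy group
add name=site2site
/ip ipsec peer
# Remote source address is unknown (CGNAT): accept any initiator, main mode, NAT-T on.
# PSK is the sole authenticator here; REPLACE_WITH_LONG_RANDOM_PSK is a placeholder.
add address=0.0.0.0/0 passive=yes exchange-mode=main nat-traversal=yes \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    generate-policy=port-strict policy-template-group=site2site \
    secret="REPLACE_WITH_LONG_RANDOM_PSK" comment="peer for remote"
/ip ipsec policy
set 0 disabled=yes
# Template only: the dynamic policy (flag D) is created when the remote authenticates,
# and its tunnel mode comes from the initiator, so tunnel= is not set on a template.
add template=yes group=site2site src-address=10.159.230.0/24 dst-address=10.167.15.0/24 \
    proposal=default comment="from main to remote"
/ip firewall filter
# Both IKE (500) and NAT-T (4500) are needed; after NAT detection ESP travels inside UDP/4500.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
/ip firewall nat
# Must come before masquerade, otherwise LAN-to-LAN packets are rewritten and miss the policy.
add chain=srcnat action=accept src-address=10.159.230.0/24 dst-address=10.167.15.0/24 \
    comment="no NAT for site-to-site traffic"

# ---- "remote" (behind carrier NAT, LAN 10.167.15.0/24): IKEv1 initiator ----
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=null enc-algorithms=aes-256-gcm
/ip ipsec peer
# Main mode, not aggressive: aggressive mode with PSK leaks a crackable hash of the secret.
add address=77.41.63.43/32 exchange-mode=main nat-traversal=yes \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    secret="REPLACE_WITH_LONG_RANDOM_PSK" comment="main"
/ip ipsec policy
set 0 disabled=yes
# Non-template policy with tunnel=yes. sa-src-address=0.0.0.0 lets the router use its
# own (private, NATed) address; the carrier NAT is handled by NAT-T, not by this field.
add src-address=10.167.15.0/24 dst-address=10.159.230.0/24 tunnel=yes level=unique \
    sa-src-address=0.0.0.0 sa-dst-address=77.41.63.43 proposal=default comment="remote to main"
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
/ip firewall nat
add chain=srcnat action=accept src-address=10.167.15.0/24 dst-address=10.159.230.0/24 \
    comment="no NAT for site-to-site traffic"
```

To check that it actually came up rather than just appearing in the peer list: on "main", /ip ipsec remote-peers print should show the peer in state established with the NAT-T flag, /ip ipsec policy print should show a dynamic (D) policy generated from the template, and /ip ipsec installed-sa print should list SAs in both directions; if only the peer appears, enable the ipsec logging topic (/system logging add topics=ipsec) and look for the phase 2 proposal or policy mismatch in /log print.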