EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

VPN IPSec between two Mikrotik

Fri Jan 26, 2018 1:17 pm

Hello everyone,

I have a problem with an IPsec VPN between two Mikrotiks. The VPN connects directly without problems, but the two LANs cannot communicate. I tried to ping the Mikrotik LAN IP without success, both to and from the two Mikrotiks.

Below are the firewall / NAT rules I added on both Mikrotiks.

Firewall Rule:
- accept - input - tcp - 1701
- accept - input - udp - 500
- accept - input - udp - 4500
- accept - input - ipsec-ah protocol
- accept - input - ipsec-esp protocol
- drop - input - tcp

NAT Rule:
- accept - srcnat - Src Address (LAN Network remote mikrotik) - Dst. Address (Local LAN Network)


Can you help me?
Thanks in advance.
 
insane
just joined
Posts: 10
Joined: Thu May 25, 2017 3:18 am

Re: VPN IPSec between two Mikrotik

Fri Jan 26, 2018 2:12 pm

Post your ip/route print
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: VPN IPSec between two Mikrotik

Fri Jan 26, 2018 2:20 pm

Hello,

Did you put your nat rule in the top?
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Fri Jan 26, 2018 11:15 pm

> Firewall Rule:
> - accept - input - tcp - 1701
> NAT Rule:
> - accept - srcnat - Src Address (LAN Network remote mikrotik) - Dst. Address (Local LAN Network)
These two rules are wrong:
filter: L2TP uses UDP 1701, not TCP. And as you are interested in plain IPsec with policies, not in L2TP tunnelled through IPsec, you don't need to care about L2TP's port at all.
nat: The srcnat chain handles source address of outgoing traffic, so src-address must match the subnet of the local Mikrotik and dst-address must match the subnet of the remote Mikrotik so that they would be excluded from NAT handling.

When pinging from the Mikrotik itself, the srcnat chain is not used at all. But you have to indicate the source address from the local subnet when pinging, otherwise another one may be chosen and so the source address of the packet will not match the IPsec policy. Better to ping from one external device connected to the LAN to another such device on remote site.
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 12:04 pm

> Post your ip/route print
IP/Routes in attachments
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 12:10 pm

> Firewall Rule:
> - accept - input - tcp - 1701
> NAT Rule:
> - accept - srcnat - Src Address (LAN Network remote mikrotik) - Dst. Address (Local LAN Network)
> These two rules are wrong:
> filter: L2TP uses UDP 1701, not TCP. And as you are interested in plain IPsec with policies, not in L2TP tunnelled through IPsec, you don't need to care about L2TP's port at all.
> nat: The srcnat chain handles source address of outgoing traffic, so src-address must match the subnet of the local Mikrotik and dst-address must match the subnet of the remote Mikrotik so that they would be excluded from NAT handling.
>
> When pinging from the Mikrotik itself, the srcnat chain is not used at all. But you have to indicate the source address from the local subnet when pinging, otherwise another one may be chosen and so the source address of the packet will not match the IPsec policy. Better to ping from one external device connected to the LAN to another such device on remote site.
Thank you for the reply. I've removed the 1701 rule and modified the NAT rules, but the ping does not work... :( (I pinged from a PC on the remote LAN to my Mikrotik IP.)
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 12:11 pm

> Hello,
>
> Did you put your nat rule in the top?
Yes...
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 1:03 pm

Place here the output of "/export hide-sensitive" from both routers, and replace public addresses, if any, with some x.x.x.x but in a way that the same address is replaced by same letters everywhere.
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 3:38 pm

> Place here the output of "/export hide-sensitive" from both routers, and replace public addresses, if any, with some x.x.x.x but in a way that the same address is replaced by same letters everywhere.
OK.
HQ Site with Public IP Static:
# jan/06/1970 05:55:24 by RouterOS 6.23
# software id = YZED-T8KD
#
/interface bridge
add admin-mac=4C:5E:0C:6D:0D:43 auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge \
wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface ethernet
set [ find default-name=ether5 ] master-port=ether2-master-local name=Ethernet5
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.5-192.168.20.50
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether4-slave-local \
lease-time=3d name=dhcp1 relay=192.168.20.250
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
add address=192.168.22.1/24 interface=ether4-slave-local network=192.168.22.0
add address=XXX.XX.XX.33/29 interface=ether1-gateway network=XXX.XX.XX.32
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
interface=ether1-gateway
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.250 gateway=192.168.20.250 \
netmask=24
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=XXX.XX.XX.33
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-ah
add chain=input protocol=ipsec-esp
add action=drop chain=input protocol=tcp
/ip firewall nat
add chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.22.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes \
out-interface=ether1-gateway
add action=masquerade chain=srcnat
/ip ipsec peer
add comment=myIPsec enc-algorithm=3des generate-policy=port-override \
hash-algorithm=md5 send-initial-contact=no
/ip ipsec policy
add comment=myIPsec dst-address=192.168.10.0/24 proposal=proposal1 \
sa-dst-address=0.0.0.0 sa-src-address=XXX.XX.XX.33 src-address=\
192.168.22.0/24 tunnel=yes
/ip route
add distance=1 gateway=XXX.XX.XX.33
/system leds
set 0 interface=wlan1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=Ethernet5
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=Ethernet5
add interface=wlan1
add interface=bridge-local


Remote Site with Dynamic Public IP:

# jan/29/2018 14:33:21 by RouterOS 6.25
# software id = 5DXW-DVVT
#
/interface bridge
add comment="Bridge porta eth4 e wlan1" name=bridge-e4-w1
/interface ethernet
set [ find default-name=ether2 ] comment="WAN1 - ADSL"
set [ find default-name=ether3 ] comment="WAN2 - Rilancio in fibra"
/ip neighbor discovery
set ether2 comment="WAN1 - ADSL"
set ether3 comment="WAN2 - Rilancio in fibra"
set bridge-e4-w1 comment="Bridge porta eth4 e wlan1"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy dfs-mode=\
no-radar-detect disabled=no l2mtu=2290 mode=ap-bridge security-profile=\
profile1 ssid=TCCS wireless-protocol=802.11
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool_LAN ranges=192.168.10.2-192.168.10.160
/ip dhcp-server
add address-pool=dhcp_pool_LAN disabled=no interface=bridge-e4-w1 lease-time=\
3d name=dhcp_LAN
/ip ipsec mode-config
add address-pool=dhcp_pool_LAN name=cfg1 split-include=192.168.10.0/24
/interface bridge port
add bridge=bridge-e4-w1 interface=ether4
add bridge=bridge-e4-w1 interface=wlan1
/ip address
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=192.168.10.1/24 interface=bridge-e4-w1 network=192.168.10.0
add address=152.62.81.114/24 interface=ether3 network=152.62.81.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=152.62.81.99,8.8.8.8
/ip dns static
add address=152.62.81.251 name=nas-01
add address=152.62.81.253 name=exchange
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
/ip firewall filter
add chain=input dst-port=500 protocol=tcp
add chain=input protocol=ipsec-ah
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp
add chain=input src-address-list=LAN
add chain=input comment="Accept established connections" connection-state=\
established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment="SSH for secure shell" dst-port=22 protocol=tcp
add chain=input comment=winbox dst-port=8291 protocol=tcp
add chain=input comment="From Mikrotikls network" src-address=\
159.148.172.192/28
add chain=input comment="From our private LAN" src-address-list=LAN
add action=log chain=input comment="Log everything else" log-prefix=\
"DROP INPUT"
add action=drop chain=input comment="Drop everything else"
add chain=forward comment="Traffic from/to the LAN" connection-state=new \
in-interface=bridge-e4-w1
add chain=forward comment="Traffic from/to the LAN" connection-state=new \
in-interface=ether5
add chain=forward comment="Accept established connections from/to the LAN" \
connection-state=established
add chain=forward comment="Accept related connections from/to the LAN" \
connection-state=related
add action=drop chain=forward comment="Drop everything else from/to the LAN" \
disabled=yes
add action=log chain=forward disabled=yes log-prefix="DROP FORWARD"
add action=log chain=output disabled=yes log-prefix="DROP OUTPUT"
/ip firewall nat
add chain=srcnat comment="IPsec traffic NAT bypass" dst-address=\
192.168.22.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip ipsec peer
add address=XXX.XX.XX.33/32 comment=myIPsec enc-algorithm=3des \
hash-algorithm=md5
/ip ipsec policy
add comment=myIPsec dst-address=192.168.22.0/24 proposal=proposal1 \
sa-dst-address=XXX.XX.XX.33 sa-src-address=0.0.0.0 src-address=\
192.168.10.0/24 tunnel=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RB951G-TCCS
/system leds
set 0 interface=wlan1
/system logging
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 4:20 pm

What do "/ip ipsec remote-peers print", "/ip ipsec installed-sa print" and "/ip ipsec policy print" show? (Don't forget to replace public addresses if you are concerned.)
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Mon Jan 29, 2018 4:37 pm

> What do "/ip ipsec remote-peers print", "/ip ipsec installed-sa print" and "/ip ipsec policy print" show? (Don't forget to replace public addresses if you are concerned.)
HQ Site:

/ip ipsec remote-peers print
0 local-address=XXX.XX.XX.33 port=4500 remote-address=XX.XXX.XXX.170 port=10325
state=established side=responder established=8m26s
[admin@MikroTik] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes

1 ;;; myIPsec
src-address=192.168.22.0/24 src-port=any dst-address=192.168.10.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=XXX.XX.XX.33 sa-dst-address=0.0.0.0
proposal=proposal1 priority=0

Remote Site:

/ip ipsec remote-peers print
0 local-address=192.168.1.251 port=4500 remote-address=XXX.XX.XX.33 port=4500
state=established side=initiator established=11m43s
[admin@RB951G-TCCS] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP
[admin@RB951G-TCCS] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 ;;; myIPsec
src-address=192.168.10.0/24 src-port=any dst-address=192.168.22.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0
sa-dst-address=XXX.XX.XX.33 proposal=proposal1 priority=0
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 9:25 am

On your main site, you have created a manual IPsec policy with sa-dst-address=0.0.0.0. It does not work this way for remote peers behind a NAT. Your settings for the peer correctly say that policy must be generated, but I assume that as a policy with necessary src-address and dst-address already exists (your manually added one), it is impossible to generate the necessary dynamic policy whose sa-dst-address will be the determined public IP of the peer. So please disable your manually created policy, then disable the peer and enable it again.

If that does not help, keep these changes and send the output of "/ip ipsec export verbose hide-sensitive" from both machines.
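As an added example (not the poster's configuration and not MikroTik's own tooling), the following Python script reads a RouterOS export in the format pasted in this thread and checks it for the three problems sindy points out in his first reply and in this one: the srcnat bypass rule must be src=local LAN, dst=remote LAN and sit above masquerade; the IKE, NAT-T and L2TP ports are UDP rather than TCP; and a manually added policy with sa-dst-address=0.0.0.0 must be disabled when the peer is set to generate policies. The sample export and the finding messages are constructed for the example.

```python
"""Lint a RouterOS export for the IPsec mistakes raised in this thread (added example)."""
import re
import shlex


def parse_export(text):
    """Undo '\\' line wrapping; return (section, params) for each command."""
    entries, section = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                    # e.g. "/ip firewall nat"
            section = line
            continue
        tokens = shlex.split(line)[1:]              # drop add/set, keep k=v
        params = dict(t.split("=", 1) for t in tokens if "=" in t)
        entries.append((section, params))
    return entries


def check_ipsec_export(text, local_lan, remote_lan):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_export(text)
    sec = lambda name: [p for s, p in entries if s == name]
    match = lambda p, s, d: p.get("src-address") == s and p.get("dst-address") == d
    findings = []

    # 1. srcnat acts on outgoing traffic: accept src=local, dst=remote, above masquerade.
    nat = [p for p in sec("/ip firewall nat") if p.get("chain") == "srcnat"]
    bypass = [i for i, p in enumerate(nat) if p.get("action", "accept") == "accept"
              and match(p, local_lan, remote_lan)]
    masq = [i for i, p in enumerate(nat)
            if p.get("action") == "masquerade" and p.get("disabled") != "yes"]
    if any(match(p, remote_lan, local_lan) for p in nat):
        findings.append("srcnat bypass rule has src-address and dst-address swapped")
    elif not bypass:
        findings.append("no srcnat accept rule for local LAN -> remote LAN")
    elif masq and min(masq) < bypass[0]:
        findings.append("masquerade rule sits above the IPsec NAT bypass rule")

    # 2. IKE (500), NAT-T (4500) and L2TP (1701) all run over UDP, not TCP.
    for p in sec("/ip firewall filter"):
        if (p.get("chain") == "input" and p.get("protocol") == "tcp"
                and p.get("dst-port") in ("500", "4500", "1701")):
            findings.append(f"input accept for tcp/{p['dst-port']}: that service is UDP")

    # 3. With generate-policy on the peer, an enabled static policy with
    #    sa-dst-address=0.0.0.0 stops the dynamic policy from being created.
    generates = any(p.get("generate-policy", "no") != "no" for p in sec("/ip ipsec peer"))
    for p in sec("/ip ipsec policy"):
        if (generates and p.get("sa-dst-address") == "0.0.0.0"
                and p.get("disabled") != "yes" and p.get("template") != "yes"):
            findings.append("static policy with sa-dst-address=0.0.0.0 blocks the "
                            "dynamic policy for the NATed peer; disable it")
    return findings


# Constructed sample modelled on the HQ router in this thread, with the
# original poster's reversed NAT rule and tcp/1701 filter rule put back.
SAMPLE_HQ = """\
/ip firewall filter
add chain=input dst-port=1701 protocol=tcp
/ip firewall nat
add chain=srcnat dst-address=192.168.22.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat
/ip ipsec peer
add comment=myIPsec enc-algorithm=3des generate-policy=port-override \\
    hash-algorithm=md5 send-initial-contact=no
/ip ipsec policy
add comment=myIPsec dst-address=192.168.10.0/24 proposal=proposal1 \\
    sa-dst-address=0.0.0.0 sa-src-address=x.x.x.33 src-address=\\
    192.168.22.0/24 tunnel=yes
"""
```

Run `check_ipsec_export(SAMPLE_HQ, "192.168.22.0/24", "192.168.10.0/24")` for the HQ side; for the remote side swap the two subnets, since "local" and "remote" are relative to the router whose export is being checked.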
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 9:57 am

> On your main site, you have created a manual IPsec policy with sa-dst-address=0.0.0.0. It does not work this way for remote peers behind a NAT. Your settings for the peer correctly say that policy must be generated, but I assume that as a policy with necessary src-address and dst-address already exists (your manually added one), it is impossible to generate the necessary dynamic policy whose sa-dst-address will be the determined public IP of the peer. So please disable your manually created policy, then disable the peer and enable it again.
>
> If that does not help, keep these changes and send the output of "/ip ipsec export verbose hide-sensitive" from both machines.
I've disabled the IPsec policy on the main site, but it does not work.....
Main Site Export:

# jan/07/1970 00:24:57 by RouterOS 6.23
# software id = YZED-T8KD
#
/ip ipsec mode-config
set (unknown) name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
aes-128-cbc lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=\
proposal1 pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key comment=myIPsec dh-group=\
modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
3des exchange-mode=main generate-policy=port-override hash-algorithm=md5 \
lifebytes=0 lifetime=1d local-address=0.0.0.0 nat-traversal=yes passive=no \
policy-template-group=default port=500 proposal-check=obey \
send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all \
src-address=::/0 template=yes
add action=encrypt comment=myIPsec disabled=yes dst-address=192.168.10.0/24 \
dst-port=any ipsec-protocols=esp level=require priority=0 proposal=\
proposal1 protocol=all sa-dst-address=0.0.0.0 sa-src-address=XXX.XX.XX.33 \
src-address=192.168.22.0/24 src-port=any tunnel=yes

Export Remote Site:

# jan/30/2018 08:57:04 by RouterOS 6.25
# software id = 5DXW-DVVT
#
/ip ipsec mode-config
set (unknown) name=request-only send-dns=yes
add address-pool=dhcp_pool_LAN address-prefix-length=24 name=cfg1 send-dns=yes \
split-include=192.168.10.0/24
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
aes-128-cbc lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=\
proposal1 pfs-group=modp1024
/ip ipsec peer
add address=188.15.96.33/32 auth-method=pre-shared-key comment=myIPsec \
dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 \
lifebytes=0 lifetime=1d local-address=0.0.0.0 nat-traversal=yes passive=no \
policy-template-group=default port=500 proposal-check=obey \
send-initial-contact=yes
add address=0.0.0.0/0 auth-method=pre-shared-key comment=myIPsec dh-group=\
modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
3des exchange-mode=main generate-policy=port-override hash-algorithm=md5 \
lifebytes=0 lifetime=1d local-address=0.0.0.0 nat-traversal=yes passive=no \
policy-template-group=default port=500 proposal-check=obey \
send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all \
src-address=::/0 template=yes
add action=encrypt comment=myIPsec disabled=no dst-address=192.168.22.0/24 \
dst-port=any ipsec-protocols=esp level=require priority=0 proposal=\
proposal1 protocol=all sa-dst-address=XXX.XX.XX.33 sa-src-address=0.0.0.0 \
src-address=192.168.10.0/24 src-port=any tunnel=yes
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 11:17 am

What does '/log print where topics~"ipsec" ' show at both ends?
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 11:27 am

> What does '/log print where topics~"ipsec" ' show at both ends?
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 11:35 am

Please hook both boxes to some ntp reference, IPsec is sensitive about time. Next, switch off the debug of ipsec, as you've provided just a small portion of the log and the interesting part is missing.

If you use the cli command I've given and then use Ctrl-H in a text editor to replace all occurrences of the public addresses by x.x.x.33 and y.y.y.something, it will be more useful.
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 3:46 pm

> Please hook both boxes to some ntp reference, IPsec is sensitive about time. Next, switch off the debug of ipsec, as you've provided just a small portion of the log and the interesting part is missing.
>
> If you use the cli command I've given and then use Ctrl-H in a text editor to replace all occurrences of the public addresses by x.x.x.33 and y.y.y.something, it will be more useful.
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 4:26 pm

From the debug it seems to me as if one of the firewalls is closing the pinholes too early so the packets from the remote site cannot get through it.

Can you simultaneously sniff at the internet-facing interfaces of both mikrotiks into a file and then use Wireshark to check that everything that one end sends from port 4500 reaches the other end's port 4500? Especially with regard to the time when the log says
14:36:15 ipsec,debug,packet DPD R-U-There sent (0) 
14:36:15 ipsec,debug,packet rescheduling send_r_u (5). 
14:36:20 ipsec,debug,packet DPD monitoring.... 
Second, can you watch the SA tab while the whole setup is running? The SAs should appear and disappear there if my assumption is correct. When you did "/ip ipsec installed-sa print" yesterday, the SAs were not there, but that may just mean that they were not there exactly at the moment when you did the print.
 
EaqSup
just joined
Topic Author
Posts: 17
Joined: Fri Jan 26, 2018 1:08 pm

Re: VPN IPSec between two Mikrotik

Tue Jan 30, 2018 5:55 pm

> From the debug it seems to me as if one of the firewalls is closing the pinholes too early so the packets from the remote site cannot get through it.
>
> Can you simultaneously sniff at the internet-facing interfaces of both mikrotiks into a file and then use Wireshark to check that everything that one end sends from port 4500 reaches the other end's port 4500? Especially with regard to the time when the log says
> 14:36:15 ipsec,debug,packet DPD R-U-There sent (0)
> 14:36:15 ipsec,debug,packet rescheduling send_r_u (5).
> 14:36:20 ipsec,debug,packet DPD monitoring....
> Second, can you watch the SA tab while the whole setup is running? The SAs should appear and disappear there if my assumption is correct. When you did "/ip ipsec installed-sa print" yesterday, the SAs were not there, but that may just mean that they were not there exactly at the moment when you did the print.
In the IPsec->Installed SAs Tab, the page is blank.
 
sindy
Forum Guru
Posts: 11389
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPSec between two Mikrotik

Wed Jan 31, 2018 3:51 pm

I'm not sure whether IKEv1 with NAT-T is capable of handling NAT at both ends of the connection, and I have nowhere to test at the moment. IKEv2 definitely does support this, but if your Mikrotiks' software release doesn't offer exchange mode ikev2 in IPsec peer settings, you'd have to upgrade first. No further ideas at the moment, as you wrote nothing regarding the results of Wireshark analysis of the packet sniff files the way I've suggested.
 
Hassanj
just joined
Posts: 1
Joined: Sun Jan 26, 2020 5:05 pm

Re: VPN IPSec between two Mikrotik

Sun Jan 26, 2020 5:12 pm

Hello, I have 2 Mikrotiks. One of them has a public IP. Can anyone help me connect them together through VPN?


Thank you