I've configure IPSEC VPN in my head office to brance office router. After complete configuration I cant access head office to branch office & branch office to head office. There are shows PH2 state is ready to sent. I can't understand why it is not work. Branch office router model is (RB951G-2HnD) & head office router model (RB450G).
Hear office router IP: 118.179.161.242(WAN IP) & 192.168.2.1/24 (LAN IP)
Branch office router IP: 118.179.47.56 (WAN IP) & 192.168.88.1/24 (LAN IP)
Configuration(Head office)
---------------------------------------
ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=118.179.47.56/32 local-address=118.179.161.242
auth-method=pre-shared-key secret="1234" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024
1 name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=none
ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 src-address=192.168.2.0/24 src-port=any dst-address=192.168.88.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=118.179.161.242
sa-dst-address=118.179.47.56 proposal=proposal1 ph2-count=0
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
1 X chain=dstnat action=dst-nat to-addresses=118.179.223.10 to-ports=53
protocol=udp dst-port=53 log=no log-prefix=""
2 ;;; Dinning Room AP
chain=dstnat action=dst-nat to-addresses=192.168.2.3 to-ports=80
protocol=tcp dst-port=881 log=yes log-prefix=""
3 ;;; Balcony AP
chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=80
protocol=tcp in-interface=WAN dst-port=880 log=yes log-prefix=""
4 ;;; GYM AP
chain=dstnat action=dst-nat to-addresses=192.168.2.4 to-ports=80
protocol=tcp in-interface=WAN dst-port=882 log=yes log-prefix=""
5 ;;; DVR
chain=dstnat action=dst-nat to-addresses=192.168.2.5 to-ports=80
protocol=tcp in-interface=WAN dst-port=883 log=yes log-prefix=""
6 chain=srcnat action=accept src-address=192.168.2.0/24
dst-address=192.168.88.0/24 log=no log-prefix=""
Configuration (Branch office)
-------------------------------------------
ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=118.179.161.242/32 local-address=118.179.47.56
auth-method=pre-shared-key secret="1234" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024
1 name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=none
ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 A src-address=192.168.88.0/24 src-port=any dst-address=192.168.2.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=118.179.47.56
sa-dst-address=118.179.161.242 proposal=proposal1 ph2-count=1
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.88.0/24
dst-address=192.168.2.0/24 log=no log-prefix=""
Re: IPSEC VPN
Rules in each chain are processed in order. If you want to exclude IPSec traffic from main NAT, the accept rule needs to go before main masquerade rule.
Re: IPSEC VPN
The accept rule is now before main masquerade rule but still same does not work it.
Re: IPSEC VPN
On both routers?
And on second look, head office has ph2-count=0, did that eventually go up?
And on second look, head office has ph2-count=0, did that eventually go up?
Re: IPSEC VPN
Yeah I've change my accept rule position on both router. Now there are PH2 state shows established on both router. There are also shows in peer both router (unsafe configuration, suggestion to use certificate). Now our both router is updated and I've got ping response from branch office to head office. But did not get head office to branch office.
Head office router :
routerboard: yes
model: 450G
serial-number: 72520805A918
firmware-type: ar7100
factory-firmware: 3.41
current-firmware: 6.43.1
upgrade-firmware: 6.43.1
Branch office router:
routerboard: yes
model: 951G-2HnD
serial-number: 846708B186BC
firmware-type: ar9344
factory-firmware: 3.41
current-firmware: 6.43.2
upgrade-firmware: 6.43.2
Ping status from Head office router:
ping 192.168.88.1 src-address=192.168.2.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.88.1 timeout
1 192.168.88.1 timeout
2 192.168.88.1 timeout
3 192.168.88.1 timeout
4 192.168.88.1 timeout
5 192.168.88.1 timeout
6 192.168.88.1 timeout
sent=7 received=0 packet-loss=100%
Ping status from Branch office router:
ping 192.168.2.1 src-address=192.168.88.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.2.1 56 64 3ms
1 192.168.2.1 56 64 4ms
2 192.168.2.1 56 64 4ms
3 192.168.2.1 56 64 3ms
4 192.168.2.1 56 64 6ms
5 192.168.2.1 56 64 4ms
6 192.168.2.1 56 64 2ms
7 192.168.2.1 56 64 3ms
8 192.168.2.1 56 64 4ms
9 192.168.2.1 56 64 3ms
10 192.168.2.1 56 64 5ms
11 192.168.2.1 56 64 2ms
12 192.168.2.1 56 64 4ms
13 192.168.2.1 56 64 3ms
14 192.168.2.1 56 64 4ms
15 192.168.2.1 56 64 4ms
16 192.168.2.1 56 64 3ms
17 192.168.2.1 56 64 4ms
18 192.168.2.1 56 64 7ms
19 192.168.2.1 56 64 3ms
sent=20 received=20 packet-loss=0% min-rtt=2ms avg-rtt=3ms max-rtt=7ms
Head office router :
routerboard: yes
model: 450G
serial-number: 72520805A918
firmware-type: ar7100
factory-firmware: 3.41
current-firmware: 6.43.1
upgrade-firmware: 6.43.1
Branch office router:
routerboard: yes
model: 951G-2HnD
serial-number: 846708B186BC
firmware-type: ar9344
factory-firmware: 3.41
current-firmware: 6.43.2
upgrade-firmware: 6.43.2
Ping status from Head office router:
ping 192.168.88.1 src-address=192.168.2.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.88.1 timeout
1 192.168.88.1 timeout
2 192.168.88.1 timeout
3 192.168.88.1 timeout
4 192.168.88.1 timeout
5 192.168.88.1 timeout
6 192.168.88.1 timeout
sent=7 received=0 packet-loss=100%
Ping status from Branch office router:
ping 192.168.2.1 src-address=192.168.88.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.2.1 56 64 3ms
1 192.168.2.1 56 64 4ms
2 192.168.2.1 56 64 4ms
3 192.168.2.1 56 64 3ms
4 192.168.2.1 56 64 6ms
5 192.168.2.1 56 64 4ms
6 192.168.2.1 56 64 2ms
7 192.168.2.1 56 64 3ms
8 192.168.2.1 56 64 4ms
9 192.168.2.1 56 64 3ms
10 192.168.2.1 56 64 5ms
11 192.168.2.1 56 64 2ms
12 192.168.2.1 56 64 4ms
13 192.168.2.1 56 64 3ms
14 192.168.2.1 56 64 4ms
15 192.168.2.1 56 64 4ms
16 192.168.2.1 56 64 3ms
17 192.168.2.1 56 64 4ms
18 192.168.2.1 56 64 7ms
19 192.168.2.1 56 64 3ms
sent=20 received=20 packet-loss=0% min-rtt=2ms avg-rtt=3ms max-rtt=7ms
Re: IPSEC VPN
If ping from one side works, tunnel is clearly ok. Check the firewall, maybe you don't accept pings on branch office router?
Re: IPSEC VPN
Now Its working. If I add one more router how do I configure it.
Re: IPSEC VPN
It depends where you add it and what exactly you want it to do. If you just need another branch office and it needs to access only head office, then you just add another tunnel, same like this one. If you'd need also communication between branch offices, you could add another direct tunnel between them, or let them communicate via head office, but for that you'd need to add more policies in branch office routers, to cover all subnets.