Husky
just joined
Topic Author
Posts: 8
Joined: Sat Apr 24, 2021 5:37 pm

IPsec tunnel not passing traffic

Sat Apr 24, 2021 11:16 pm

Hi everybody,

I have set up an IPsec site-to-site tunnel between two sites. Both routers were reset to default configuration, then I followed the guide from the official MikroTik documentation for the IPsec site-to-site tunnel.

Both sites have dynamically-assigned public IP addresses through PPPoE from my ISP. Both sites have a DDNS name. Site A has a MikroTik RB2011iL-RM using LAN subnet 192.168.1.0/24 and Site B has a MikroTik hAP ac^2 using LAN subnet 192.168.11.0/24. Both routers are running RouterOS 6.47.9 long-term.

Here's the situation:
If I start a ping from A to B, it won't work, it times out. But if I start a ping from B back to A while the other ping from A to B is still running, then suddenly the traffic starts passing through the tunnel and both sides can ping and everything works. Then, if I stop the ping and leave the tunnel alone for a few minutes, or reboot either router, it breaks again and I cannot pass traffic or ping until I ping from both sides at the same time, then it works again.

In addition, when the tunnel is in the broken state, and I try ping from one of the routers, then I see on the other router that the firewall filter rule for "defconf: drop all not coming from LAN" is incrementing the packet count. As soon as I disable that rule, then the tunnel is working and pings work on either side. Even after a reboot of both routers, traffic is working perfectly fine. But I don't want to disable that rule because then the router is open to the outside.

I think my issue lies with my firewall configuration, I am not sure. I made some modifications to the firewall to try and fix the issue with help from the official MikroTik documentation, however it did not solve the issue.

Any help would be greatly appreciated!


Here is my config for both routers:
# apr/24/2021 21:35:13 by RouterOS 6.47.9
#
# ROUTER A
#
# model = 2011iL

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0

/ip cloud
set ddns-enabled=yes

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike1-siteB

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike1-siteB pfs-group=modp2048

/ip ipsec peer
add address=siteB.sn.mynetname.net name=ike1-siteB profile=ike1-siteB

/ip ipsec identity
add peer=ike1-siteB secret=SomeVeryStrongSecret

/ip ipsec policy
add dst-address=192.168.11.0/24 peer=ike1-siteB proposal=ike1-siteB src-address=192.168.1.0/24 tunnel=yes

/ip route
add distance=1 dst-address=192.168.11.0/24 gateway=bridge

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.11.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.11.0/24 src-address=192.168.1.0/24
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.11.0/24
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"

# apr/24/2021 21:36:26 by RouterOS 6.47.9
#
# ROUTER B
#
# model = RBD52G-5HacD2HnD

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN

/ip address
add address=192.168.11.1/24 comment=defconf interface=bridge network=192.168.11.0

/ip cloud
set ddns-enabled=yes

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike1-siteA

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike1-siteA pfs-group=modp2048

/ip ipsec peer
add address=siteA.sn.mynetname.net name=ike1-siteA profile=ike1-siteA

/ip ipsec identity
add peer=ike1-siteA secret=SomeVeryStrongSecret

/ip ipsec policy
add dst-address=192.168.1.0/24 peer=ike1-siteA proposal=ike1-siteA src-address=192.168.11.0/24 tunnel=yes

/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=bridge

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.11.0/24
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.11.0/24
add action=notrack chain=prerouting dst-address=192.168.11.0/24 src-address=192.168.1.0/24
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
 
Husky
just joined
Topic Author
Posts: 8
Joined: Sat Apr 24, 2021 5:37 pm

Re: IPsec tunnel not passing traffic

Mon Jun 28, 2021 4:07 pm

Hi everyone,

I resolved the issue. I am just making this post to document what resolved the issue for me so that if anyone else has this issue, they can potentially solve it.

I had to add a firewall rule to allow "ipsec-esp" protocol. Like so:
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
Make sure this rule is above the default "defconf: drop all coming from LAN" rule (or any other similar rules). You can also specify the source address of the other router to further tighten security. It could also work with DDNS name but I haven't tested it. But this is not strictly necessary, I left it blank and used the rule exactly as typed above.

I believe the reason this is required is because MikroTik RouterOS uses policy-based IPsec VPN which does not create an interface. Therefore all traffic coming from the other router is seen as regular traffic coming from outside WAN coming in on the WAN interface of the router, therefore it gets blocked just like all other WAN traffic.

Hopefully this helps someone!
 
sindy
Forum Guru
Posts: 11266
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec tunnel not passing traffic

Tue Jun 29, 2021 10:07 pm

Your solution is correct, the reasons are slightly different. It doesn't matter whether IPsec creates a virtual interface or not; the thing is that the traffic to be delivered using IPsec is encapsulated into the ESP packets, and ESP packets are only sent when there is any payload to be transported. So if you send traffic only from one side, the firewall at the other side doesn't let the ESP packets through unless you add the rule you've suggested above, so the other side receives no payload to respond to. The dropping of the transport packets would happen even if the payload traffic decapsulated from them would be delivered via a virtual interface.

When there is NAT between the IPsec peers, the ESP gets itself encapsulated into UDP packets sharing a common stream with the IKE(v2) control "session", so this issue doesn't exist.
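An added model (not code from the thread or from RouterOS) of the three defconf input rules from the posted config, showing why a one-way ping is dropped, why pinging from both sides at once gets through, and why the ipsec-esp accept rule only helps when it sits above the drop rule. It assumes, as a simplification, that "established" behaves the way generic connection tracking treats ESP: a packet counts as a reply once this router has already sent ESP to that peer; the public IPs are constructed placeholders.

```python
# Added model of the RouterOS input chain from the thread (constructed, simplified).
# Rules are evaluated top-down, first match wins. "established" is approximated
# the way generic connection tracking treats ESP: an incoming ESP packet counts
# as a reply if this router has already sent ESP to that peer (assumption).
from dataclasses import dataclass, field

A_WAN, B_WAN = "198.51.100.1", "203.0.113.1"   # constructed placeholder public IPs

@dataclass
class Packet:
    proto: str      # "ipsec-esp", "icmp", ...
    src: str
    dst: str
    in_list: str    # interface list the packet arrived on: "WAN" or "LAN"

@dataclass
class Router:
    rules: list
    sent: set = field(default_factory=set)   # (proto, peer) conntrack stand-in

    def send(self, pkt):
        self.sent.add((pkt.proto, pkt.dst))

    def input_chain(self, pkt):
        established = (pkt.proto, pkt.src) in self.sent
        for action, match in self.rules:
            if match(pkt, established):
                return action
        return "accept"   # RouterOS: no match at the end of a chain means accept

# The defconf input rules from the posted config, in their original order.
DEFCONF_INPUT = [
    ("accept", lambda p, est: p.proto == "icmp"),          # accept ICMP after RAW
    ("accept", lambda p, est: est),                        # established,related,untracked
    ("drop",   lambda p, est: p.in_list != "LAN"),         # drop all not coming from LAN
]
# Husky's fix, and the tightened variant with the peer's address as src-address.
ESP_ANY  = ("accept", lambda p, est: p.proto == "ipsec-esp")
ESP_PEER = ("accept", lambda p, est: p.proto == "ipsec-esp" and p.src == A_WAN)

def verdict_at_b(rules, b_already_sent_esp, src=A_WAN):
    """Verdict of router B's input chain on an ESP packet from src, optionally
    after B itself has already sent ESP to A (pings running from both sides)."""
    b = Router(rules)
    if b_already_sent_esp:
        b.send(Packet("ipsec-esp", B_WAN, A_WAN, "WAN"))
    return b.input_chain(Packet("ipsec-esp", src, B_WAN, "WAN"))

if __name__ == "__main__":
    print(verdict_at_b(DEFCONF_INPUT, False))               # drop: one-way ping fails
    print(verdict_at_b(DEFCONF_INPUT, True))                # accept: both sides pinging
    print(verdict_at_b([ESP_ANY] + DEFCONF_INPUT, False))   # accept: rule above the drop
    print(verdict_at_b(DEFCONF_INPUT + [ESP_ANY], False))   # drop: rule below the drop
    print(verdict_at_b([ESP_PEER] + DEFCONF_INPUT, False, src="192.0.2.9"))  # drop
```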
 
torrington
just joined
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Re: IPsec tunnel not passing traffic

Sun Oct 23, 2022 6:22 am

> Hi everyone,
>
> I resolved the issue. I am just making this post to document what resolved the issue for me so that if anyone else has this issue, they can potentially solve it.
>
> I had to add a firewall rule to allow "ipsec-esp" protocol. Like so:
> /ip firewall filter add action=accept chain=input protocol=ipsec-esp
> Make sure this rule is above the default "defconf: drop all coming from LAN" rule (or any other similar rules). You can also specify the source address of the other router to further tighten security. It could also work with DDNS name but I haven't tested it. But this is not strictly necessary, I left it blank and used the rule exactly as typed above.
>
> I believe the reason this is required is because MikroTik RouterOS uses policy-based IPsec VPN which does not create an interface. Therefore all traffic coming from the other router is seen as regular traffic coming from outside WAN coming in on the WAN interface of the router, therefore it gets blocked just like all other WAN traffic.
>
> Hopefully this helps someone!

Indeed it helped me. Thank you very much.