Ipsec not traffic passing

cyon · Fri Nov 27, 2020 2:31 pm

Hello all.

I have set up the IPsec and I don't get the traffic passing. I have done Firewall Nat and no luck.
Please can you help me what am I missing?

Thank you

Router 2

/ip ipsec> export
# nov/27/2020 13:49:56 by RouterOS 6.47.8
#
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 local-address=2.2.2.2 name=Router2
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s enc-algorithm=aes-256 hash-algorithm=sha512
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override notrack-chain=output peer=Router2 secret="*********"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.59.10.0/24 peer=Router2 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.1.0/24 tunnel=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=10.59.10.0/24 src-address=192.168.1.0/24

Router1

[code]
ip ipsec export
# nov/27/2020 14:11:18 by RouterOS 6.47.8
#
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 local-address=1.1.1.1 name=Router1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha512 proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override notrack-chain=output peer=Router1 secret="`secret"
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=Router1 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.59.10.0/24 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix=ipsec-nat src-address=10.59.10.0/24

erkexzcx · Fri Nov 27, 2020 2:52 pm

Check my guide: viewtopic.php?f=23&t=169538

I think you are missing bridge/interface for VPN server as well as NAT rule for internal networks. I've mentioned everything there.

cyon · Fri Nov 27, 2020 2:58 pm

Check my guide: viewtopic.php?f=23&t=169538

I think you are missing bridge/interface for VPN server as well as NAT rule for internal networks. I've mentioned everything there.

I have followed the guys setup. https://www.informaticar.net/how-to-est ... k-routers/

erkexzcx · Fri Nov 27, 2020 3:19 pm

Try again. At least you are missing NAT rule.

cyon · Fri Nov 27, 2020 3:50 pm

I did add the nat rule, ?

cyon · Fri Nov 27, 2020 9:07 pm

Check my guide: viewtopic.php?f=23&t=169538

I think you are missing bridge/interface for VPN server as well as NAT rule for internal networks. I've mentioned everything there.

Not Working!

erkexzcx · Fri Nov 27, 2020 9:08 pm

Not Working!

So what logs say? Enable ipsec logging and show the logs. What is happening in overall?

cyon · Sun Nov 29, 2020 5:47 pm

Hey, I got it working, Thank you.

so Noob question: Router A is 192.168.1.0/24 and Router is 10.59.10.0/24. if I add the Nat I can't ping the Linux box on 192.168.1.18 from 10.59.10.40.
How do I go about this with the IPsec?

sindy · Sun Nov 29, 2020 7:27 pm

What NAT are you talking about? The action=accept chain=srcnat rules you've posted in the config excerpts shown in the OP? These are intended to make sure that the traffic between the LAN subnets will not be handled by the subsequent action=src-nat or action=masquerade rules. Without seeing the configuration which does not work, it is hard to guess what is wrong.

cyon · Mon Nov 30, 2020 8:57 am

Hope the log will help.

cyon · Mon Nov 30, 2020 9:30 am

Router A

@*****VM > export         
# nov/30/2020 09:00:04 by RouterOS 6.47.8
# software id = 
#
#
#
/interface bridge
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment=MirotikSW-Router disable-running-check=no name=ether1-external
set [ find default-name=ether3 ] comment=ISSA-VM disable-running-check=no name="ether2- iscar"
set [ find default-name=ether2 ] disable-running-check=no disabled=yes name=ether3
set [ find default-name=ether4 ] comment=MikrotikSW-Lan disable-running-check=no name="ether4 - Lan"
/interface eoip
add !keepalive local-address=10.22.22.1 mac-address=******name="My EoIP" remote-address=10.22.22.2 tunnel-id=0
/interface list
add name=WAM
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=10.22.22.2 name="My mc" split-include=10.22.22.1/32 system-dns=no
/ip ipsec policy group
add name="My group"
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s enc-algorithm=aes-256 hash-algorithm=sha512
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer
add address=*****/32 exchange-mode=ike2 local-address=1***** name="My server" passive=yes profile="My profile"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether4 - Lan" name=dhcp1
/system logging action
add disk-file-name=ipsec name=action1 target=disk
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=!none
/interface list member
add interface=ether1-external list=WAM
add list=LAN
/ip address
add address=192.168.1.1/24 interface="ether4 - Lan" network=192.168.1.0
add address=******/29 interface=ether1-external network=********
add address=10.22.22.1/24 interface=loopback network=10.22.22.0
/ip dhcp-client
add add-default-route=no disabled=no interface="ether2- iscar" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=10.22.22.2
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=yes
/ip firewall mangle
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=10.59.10.0/24
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1
add action=masquerade chain=srcnat
add action=accept chain=srcnat disabled=yes dst-address=10.22.22.0/24 src-address=10.59.10.0/24
/ip ipsec identity
add auth-method=digital-signature certificate="My server" generate-policy=port-strict mode-config="My mc" peer="My server" policy-template-group="My group" remote-id=ignore
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" sa-dst-address=***** sa-src-address=******** src-address=10.22.22.1/32 tunnel=yes
/ip route
add distance=1 gateway=*****
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24,10.59.0.0/24
set api disabled=yes
set winbox address=10.59.0.0/24,169.1.234.50/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Skynet-VM
/system logging
add action=action1 prefix=IPsec topics=ipsec
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Router B

**@****-hEXs > export
# nov/30/2020 09:23:51 by RouterOS 6.47.8
# software id = 
#
# model = 
# serial number = 
/interface ethernet
set [ find default-name=ether1 ] name=ether1_Afrihost speed=100Mbps
set [ find default-name=ether2 ] disabled=yes name=ether2_ECT speed=100Mbps
set [ find default-name=ether3 ] disabled=yes name="ether3 - Laptop" speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=sfp1 ] name=sfp1_Fiberlink
/interface eoip
add !keepalive local-address=10.22.22.2 mac-address=FE:81:E1:E0:86:AB name="My EoIP" remote-address=10.22.22.1 tunnel-id=0
/interface vlan
add disabled=yes interface=sfp1_Fiberlink name=vlan_IoT vlan-id=60
add disabled=yes interface=sfp1_Fiberlink name=vlan_Security vlan-id=80
add interface=sfp1_Fiberlink name=vlan_SkyNetSW vlan-id=50
add interface=ether2_ECT name=vlan_Skynet vlan-id=20
add interface=ether2_ECT name=vlan_WAM2 vlan-id=40
/interface list
add name=IoT
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group
add name="My group"
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha512 proposal-check=strict
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer
add address=*****/32 exchange-mode=ike2 local-address=***** name="My peer" profile="My profile"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip kid-control
add fri="" mon="" name=kid1 sat="" sun="" thu="" tue="" wed=""
/ip pool
add name=SkyNet_Pool ranges=10.59.10.20-10.59.10.100
add name=IPSec_Pool ranges=10.59.11.5-10.59.11.10
add name=IoT_Pool ranges=10.59.12.100-10.59.12.150
add name=Homesec_Pool ranges=10.59.13.5-10.59.13.10
/ip dhcp-server
add address-pool=SkyNet_Pool disabled=no interface=vlan_SkyNetSW lease-time=8h name=Skynet_DHCP
add address-pool=SkyNet_Pool interface=vlan_Skynet name=server1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1_Afrihost list=WAN
add list=LAN
add list=IoT
add interface=vlan_WAM2 list=WAN
/ip address
add address=10.59.10.1/24 interface=vlan_SkyNetSW network=10.59.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1_Afrihost use-peer-ntp=no
add add-default-route=no disabled=no interface=vlan_WAM2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.59.10.40 client-id=1:b8:27: mac-address=B8:27:EB:D server=Skynet_DHCP
/ip dhcp-server network
add address=10.59.10.0/24 dns-server=10.59.10.1 gateway=10.59.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,176.103.130.131,1.1.1.1,9.9.9.9
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.2
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=digital-signature certificate="My client" mode-config="My mc" peer="My peer" policy-template-group="My group" remote-id=ignore
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" sa-dst-address=***** sa-src-address=***** src-address=10.22.22.2/32 \
    tunnel=yes
/ip ipsec settings
set accounting=no
/ip route
add comment="Cloud update" disabled=yes distance=1 gateway=***** routing-mark=via-gw1
add disabled=yes distance=1 gateway=**** routing-mark=to_wlan1
add disabled=yes distance=1 gateway=ether1_Afrihost routing-mark=VPN_Traffic
add check-gateway=ping disabled=yes distance=1 gateway=*******
/ip service
set telnet disabled=yes
set ftp address=10.59.10.0/24 disabled=yes
set www disabled=yes
set ssh address=10.59.10.0/24,******/32,10.59.11.0/24,192.168.1.0/24 port=22020
set api disabled=yes
set winbox address=*******/32,10.59.11.0/24,10.59.10.0/24,192.168.1.0/24 port=26030
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=****-hEXs
/system logging
add prefix=IPSEC topics=ipsec
add prefix=Firewall topics=firewall

****-hEXs >

sindy · Mon Nov 30, 2020 6:53 pm

on Router A, the action=accept rule in chain srcnat of /ip firewall nat is after the action=masquerade one, so the packet it would match never reach it. Order of rules matters, they are evaluated first to last until first match.
the log shows that only a policy for the peers' addresses is established (initiator selector: 10.22.22.2, responder selector: 10.22.22.1), which is in accord with the currently published configuration.

So if you want the subnets to talk to each other transparently, you have to add again the policies with those subnets as src-address and dst-address, and move the action=accept rule before (above) the action=masquerade one.

Currently, the first (action=src-nat) rule in srcnat chain of Router A makes connections from Router A to Router B's address 10.22.22.2 look as if sent from 10.22.22.1, but that doesn't make it possible to connect to LAN subnet of router B unless you'd use port forwarding at Router B.

cyon · Tue Dec 01, 2020 8:40 am

Apologies, but I'm lost now.
I have fixed the nat rules,

Router A

/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1
add action=masquerade chain=srcnat

/ip ipsec policy group
add name="My group"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" sa-dst-address="Router B" sa-src-address="Router A" src-address=10.22.22.1/32 tunnel=yes
add dst-address=192.168.1.0/24 peer="My server" proposal="My proposal" sa-dst-address="Router B" sa-src-address="Router A" src-address=10.59.10.0/24 tunnel=yes

Router B


/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addre
add action=masquerade chain=srcnat

/ip ipsec policy group
add name="My group"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" sa-dst-address="Router A"  sa-src-address= "Router B"  src-address=10.22.22.2/32 tunnel=yes
add dst-address=10.59.10.0/24 peer="My peer" proposal="My proposal" sa-dst-address="Router A"  sa-src-address= "Router B"  src-address=192.168.1.0/24 tunnel=yes

sindy · Tue Dec 01, 2020 10:02 am

You're halfway there. You have properly added the policies for 10.59.10.0/24 <=> 192.168.1.0/24 traffic, but you haven't excluded this traffic from being src-nated to the WAN IP of each machine. So when the packet from (e.g.) 10.59.10.3 is sent to (e.g) 192.168.1.17, it is routed via WAN
(as there is only the default route) and gets src-nated to the IP of the outgoing interface chosen by regular routing, thanks to the action=masquerade rule, hence it becomes invisible to the IPsec policy, as its source address doesn't fit into 10.59.10.0/24 anymore.

Hence you need to add the chain=srcnat action=accept src-address=10.59.10.0/24 dst-address=192.168.1.0/24 rule before (above) the action=masquerade one, to prevent the above from happening.

cyon · Wed Dec 02, 2020 1:25 pm

I have done that and no winnings. I miss something, I have played with nat and Routes.

router.PNG

sindy · Wed Dec 02, 2020 1:33 pm

Post both current configuration exports, I'll give you some commands to make it possible for the client to reach the server.

cyon · Wed Dec 02, 2020 2:03 pm

Here is the config of eash router

sindy · Wed Dec 02, 2020 3:42 pm

Here is the config of eash router

OK, so you've attempted to use an EoIP tunnel to connect the sites rather than using an IPsec policy to directly match the traffic. This is also a possible approach (which costs a couple of bytes per packet more), but as EoIP is an L2 tunnel, you cannot use the tunnel name as a gateway of a route, plus you have misunderstood the role of local-address and remote-address in the EoIP tunnel configuration.

So tell me whether the use of EoIP is the preferred way or whether you've tried that just out of desperation and you actually prefer the bare IPsec with traffic matching to a policy.

cyon · Wed Dec 02, 2020 3:44 pm

[/quote]
OK, so you've attempted to use an EoIP tunnel to connect the sites rather than using an IPsec policy to directly match the traffic. This is also a possible approach (which costs a couple of bytes per packet more), but as EoIP is an L2 tunnel, you cannot use the tunnel name as a gateway of a route, plus you have misunderstood the role of local-address and remote-address in the EoIP tunnel configuration.

So tell me whether the use of EoIP is the preferred way or whether you've tried that just out of desperation and you actually prefer the bare IPsec with traffic matching to a policy.
[/quote]

I prefer to use bare Ipsec!

sindy · Wed Dec 02, 2020 4:43 pm

I prefer to use bare Ipsec!

WARNING: your firewalls are basically non-existent. So if the routers are connected to the internet using public IPs (as seems to be the case) and there is no firewall between each of them and the internet, chances are high that both are malware zombies by now. The filth from the net is incredibly quick to squat in, sometimes minutes of exposure are enough. So I would highly recommend to netinstall both of them (which will also create a decent set of firewall rules) and then use the configuration exports to recreate the necessary configurations line by line. I wouldn't even bother to export the certificates and would start from scratch with them as well, as they may be compromised too. If you used one of the devices as a certification authority, you should remove it from the list of trusted CAs everywhere.

You may think I am paranoid, however the sad truth is that even if no one may be interested in your data and network in particular, botnets crawl the net automatically and try to seize every device they find.

Back to the topic, here's how to modify the existing configuration:

Router A:
/ip route remove [find gateway~"My EOIP"]
/interface eoip remove [find name~"My EOIP"]
/ip firewall nat remove [find !(action~"masquerade")]
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=10.59.10.0/24 action=accept place-before=[find action~"masquerade"]
/ip ipsec policy remove [find peer~"My server"]
/ip ipsec policy add src-address=192.168.1.0/24 peer="My server" proposal="My proposal" dst-address=10.59.10.0/24 tunnel=yes
/ip firewall mangle remove [find action~"accept" chain~"forward" dst-address~"192.168.1.0/24" src-address~"10.59.10.0/24"
/ip ipsec identity set [find certificate~"My server" generate-policy=no mode-config=none]

Router B:
/ip route remove [find gateway~"My EoIP"]
/interface eoip remove [find name~"My EOIP"]
/ip firewall nat remove [find !(action~"masquerade")]
/ip firewall nat add action=accept chain=srcnat src-address=10.59.10.0/24 dst-address=192.168.1.0/24 place-before=[find action~"masquerade"]
/ip ipsec policy remove [find peer~"My peer"]
/ip ipsec policy add src-address=10.59.10.0/24 peer="My peer" proposal="My proposal" dst-address=192.168.1.0/24 tunnel=yes
/ip ipsec identity set [find certificate~"My client"] mode-config=none

If you follow the security advice above, the order of steps would be to apply these sets of command line commands to the existing configurations, export the resulting configurations and download the export files outside the devices, netinstall both devices, and re-create the configurations using the new exports. After that, you'll likely have to add some permissive rules to the default firewall to allow the IPsec tunnel to work, I haven't checked how the default firewall of 6.47.8 in particular looks like but typically IPsec traffic is not permitted in default firewall settings.

cyon · Thu Dec 03, 2020 5:30 pm

/ip firewall nat remove [find !(action~"masquerade")]

why remove this>?

sindy · Thu Dec 03, 2020 8:31 pm

Because it is a one-step removal of all rules in the table except the masquerade one (there is the ! sign, inverting the match).

cyon · Fri Dec 04, 2020 6:16 am

ok, Now I learned alot. Thank you

cyon · Fri Dec 04, 2020 7:06 am

You may think I am paranoid, however the sad truth is that even if no one may be interested in your data and network in particular, botnets crawl the net automatically and try to seize every device they find.

Can you send some good firewall rules?

cyon · Tue Dec 08, 2020 4:25 pm

Going to start over!
Is it the new version that is causing not to get the traffic passing trough the nat? as I did all the steps that you sent.

sindy · Tue Dec 08, 2020 4:28 pm

Too much time has elapsed and too much changes have been done during that time. Post the current configurations.

cyon · Tue Dec 08, 2020 4:31 pm

Too much time has elapsed and too much changes have been done during that time. Post the current configurations.

I delete everything and starting from the beginning. Will post everything when done.

cyon · Thu Sep 09, 2021 9:35 am

Hi.

I have tried again and following the https://wiki.mikrotik.com/wiki/Manual:I ... ed_traffic. IPsec connects but no luck on the traffic. I have added a nat rule and still no pings.

sindy · Thu Sep 09, 2021 11:12 am

I can do nothing but repeat again - post the current configurations, not a reference to a manual. A single typo can break everything, so no point in reading the manual, all we need are the current actual configurations.

cyon · Thu Sep 09, 2021 10:08 pm

I made a lab on eve-ng and the same problem. maybe your eyes see something..?

R1


/interface ethernet
set  find default-name=ether3  disabled=yes
set  find default-name=ether4  disabled=yes
/interface wireless security-profiles
set  find default=yes  supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
add address=10.59.0.54/32 name=ike1-site2 profile=ike1-site2
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.1.10-192.168.1.100
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.59.100.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=ike1-site2 secret=DosAbc3^fb
/ip ipsec policy
add dst-address=10.59.100.0/24 peer=ike1-site2 proposal=ike1-site2 src-address=192.168.0.0/24 tunnel=yes
admin@MikroTik> ip ipsec policy print detail 
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1      peer=ike1-site2 tunnel=yes src-address=192.168.0.0/24 src-port=any dst-address=10.59.100.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=10.59.0.36 
        sa-dst-address=10.59.0.54 proposal=ike1-site2 ph2-count=0 
admin@MikroTik > ip ipsec 
IP security supports secure (encrypted) communications over IP networks

.. -- go up to ip
active-peers -- 
export -- Print or save an export script that can be used to restore configuration
identity -- 
installed-sa -- Currently installed security associations
key -- 
mode-config -- 
peer -- IKE peer configuration
policy -- Security policies
profile -- 
proposal -- phase2 IKE proposal settings
settings -- 
statistics -- 


admin@MikroTik > ip ipsec active-peers print 
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                                                                DYNAMIC-ADDRESS                                      
 0                         established        1m51s                     10.59.0.54                                                                   
 1 R                       established        1m47s                     10.59.0.54                                                                   
admin@MikroTik > ip ipsec active-peers print detail 
Flags: R - responder, N - natt-peer 
 0    local-address=10.59.0.36 remote-address=10.59.0.54 state=established side=initiator uptime=2m7s last-seen=7s spii="83bbf7bda6302e50" spir="b28f158177afbee3" 

 1 R  local-address=10.59.0.36 remote-address=10.59.0.54 state=established side=responder uptime=2m3s last-seen=3s spii="8067792e710949b4" spir="a45617825dbd546e" 
admin@MikroTik > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=10.59.100.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 
admin@MikroTik > ping 10.59.100.1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                       
    0 10.59.100.1                                             timeout                                                                                                                                      
    1 10.59.100.1                                             timeout                                                                                                                                      
    2 10.59.0.36                                 84  64 971ms host unreachable                                                                                                                             
    sent=3 received=0 packet-loss=100%

R2

admin@MikroTik > export
# sep/09/2021 18:57:05 by RouterOS 6.48.4
# software id = 
#
#
#
/interface wireless security-profiles
set  find default=yes  supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec peer
add address=10.59.0.36/32 name=ike1-site1 profile=ike1-site1
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/ip pool
add name=pool1 ranges=10.59.100.1-10.59.100.22
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether2 name=server1
/ip address
add address=10.59.100.1 interface=ether2 network=10.59.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.59.100.0/32 gateway=10.59.100.1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=10.59.100.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=ike1-site1 secret=DosAbc3^fb
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=ike1-site1 proposal=ike1-site1 src-address=10.59.10.0/24 tunnel=yes
admin@MikroTik >  ip ipsec active-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                         
 0                         established        2m18s                     10.59.0.36                             
 1 R                       established        2m23s                     10.59.0.36                             
admin@MikroTik > ping 192.168.1.1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                         
    0 192.168.1.1                                             timeout                                                        
    1 192.168.1.1                                             timeout                                                        
    2 10.59.0.54                                 84  64 975ms host unreachable                                               
    3 192.168.1.1                                             timeout                                                        
    4 192.168.1.1                                             timeout                                                        
    5 10.59.0.54                                 84  64 977ms host unreachable                                               
    sent=6 received=0 packet-loss=100% 

admin@MikroTik > ip firewall nat 
admin@MikroTik /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.59.100.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 
admin@MikroTik /ip firewall nat>

sindy · Thu Sep 09, 2021 10:48 pm

In the output of /ip ipsec active-peers print, the PH2-TOTAL column indicates the number of active policies towards the remote peer; since it is empty, it means the SA could not be negotiated successfully. The fact that there is no A in the status column of the /ip ipsec policy print confirms that. There may be two reasons why the policies don't become active, a proposal mismatch or a traffic selector mismatch.

The contents of the proposals is identical at both routers, but at R1, there is dst-address=10.59.100.0/24 in both the policy and srcnat rule; at R2, there is src-address=10.59.10.0/24 in the policy and src-address=10.59.100.0/24 in the srcnat rule.

So I guess the typo is the 10 in the policy at R2, not the 100 everywhere else?

cyon · Fri Sep 10, 2021 3:14 pm

Thank you.

so I got it working, but what is funny, I can't ping the router1 from router2 but I can ping pc1 on network2 from pc2 on network1

sindy · Fri Sep 10, 2021 3:32 pm

When sending a packet, the router first finds a route based on the destination address, and only then chooses the local IP address based on the route.

So on R1: since there is no dedicated route to 10.59.100.0/24, the packet gets the router's address attached to the interface through which the gateway IP of the default route is accessible, and thus the traffic selector of the policy doesn't match the packet.

To fix this, you can

add a dedicated route dst-address=10.59.100.0/24 gateway=ether2, or
set the same gateway to this route like the default route uses but set pref-src to 192.168.1.1, or
put a srcnat rule dst-address=10.59.100.0/24 src-address-type=local action=src-nat to-addresses=192.168.1.1 before the action=masquerade one.

And symmetrically on R2.

cyon · Fri Sep 10, 2021 3:42 pm

Thank you.

I'm now so happy it works.

Ipsec not traffic passing

Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing

Re: Ipsec not traffic passing