
Site2Site IPsec problems

Posted: Mon Nov 23, 2015 5:35 pm
by porli
Hello again,

First of all, I'm not a pro in network things, but I think my knowledge is quite "ok".

For some time I've been using MikroTik, and now I'm just trying to connect two MikroTiks via a site-to-site IPsec VPN.
It's not my first time, so normally I should know how it works; however, with these two the connection is working
and everything seems to be fine, but no byte is passing through the tunnel.
There must be a mistake in the firewall rules.

so Here is my Config:

Both Locations having RB2011


Location A:
version: 6.21.1
Local IP Range: 192.168.0.0/24
External IP: 80.123.98.xxx/30

Location B:
version: 6.27
Local IP Range: 192.168.1.0/24
External IP: 80.121.239.xxx/30

LocA IPsec output:
# nov/23/2015 15:25:52 by RouterOS 6.21.1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=80.121.239.xxx/32 enc-algorithm=aes-256 secret=\
    mysecretkey send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=80.121.239.78 sa-src-address=\
    80.123.98.xxx src-address=192.168.0.0/24 tunnel=yes
LocA firewall output:
/ip firewall filter
add chain=input disabled=yes src-address=80.121.239.xxx
add chain=forward disabled=yes dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="sstp - vpn " dst-port=1723 in-interface=ether1-gateway \
    protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add chain=input comment=Winbox dst-port=8291 log=yes protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add chain=srcnat comment="NAT BypassRule VPN" dst-address=192.168.0.0/24 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq vpn traffic" src-address=\
    192.168.3.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=8006 in-interface=ether1-gateway \
    protocol=tcp src-address-list=snwat to-addresses=192.168.0.10 to-ports=8006
add action=dst-nat chain=dstnat dst-port=8022 protocol=tcp src-address-list=\
    snwat to-addresses=192.168.0.10 to-ports=22

LocB IPsec:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=80.123.98.xxx/32 enc-algorithm=aes-128,aes-256 nat-traversal=no \
    secret=mysecretkey
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=80.123.98.xxx sa-src-address=\
    80.121.239.xxx src-address=192.168.1.0/24 tunnel=yes
LocB firewall:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add chain=srcnat comment="NAT BypassRule VPN" dst-address=192.168.1.0/24 log=\
    yes src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes src-address=192.168.0.0/24

So the remote peer is running and the SAs are installed, but no byte is crossing.

any help?

Re: Site2Site IPsec problems

Posted: Mon Nov 23, 2015 5:54 pm
by mrz
In the input chain you must accept ESP and UDP/500. I doubt that with your current firewall configuration you have established phase 1, not to mention phase 2.

Re: Site2Site IPsec problems

Posted: Mon Nov 23, 2015 8:35 pm
by porli
Nope, still every ping is a timeout.

Re: Site2Site IPsec problems

Posted: Wed Nov 25, 2015 10:42 am
by cdiedrich
Swap src- and dst-address in each location's first NAT "VPN bypass rule".
-Chris
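Putting mrz's and cdiedrich's advice together for Location A, as an added example rather than config posted by anyone in the thread (Location B is the mirror image: src-address 80.123.98.xxx on the input rules and the two LAN subnets swapped). It assumes the interface name ether1-gateway and the masked addresses from the original post. The input rules go above the default "drop everything from ether1-gateway" rule so that IKE on UDP/500 and ESP from the peer reach the router at all; the srcnat accept rule matches traffic leaving LAN A for LAN B and sits above the masquerade rule, because once a packet has been masqueraded to the public address it no longer matches the policy's src-address=192.168.0.0/24 selector and is routed in the clear toward the ISP instead of into the tunnel.

```routeros
# Location A (RB2011, public 80.123.98.xxx, LAN 192.168.0.0/24), peer B at 80.121.239.xxx
# Added example: these rules are placed above the existing default-configuration
# drop and masquerade rules by place-before.

/ip firewall filter
# IKE (phase 1/2 negotiation), accepted from the peer only
add chain=input protocol=udp dst-port=500 src-address=80.121.239.xxx \
    comment="IPsec IKE from LocB" \
    place-before=[find chain=input action=drop in-interface=ether1-gateway]
# NAT-T is disabled in the original peer config; the rule is harmless and
# covers the case where a NAT box ever appears between the sites (assumption)
add chain=input protocol=udp dst-port=4500 src-address=80.121.239.xxx \
    comment="IPsec NAT-T from LocB" \
    place-before=[find chain=input action=drop in-interface=ether1-gateway]
# ESP carries the encrypted payload; without this the SAs install but no data flows
add chain=input protocol=ipsec-esp src-address=80.121.239.xxx \
    comment="IPsec ESP from LocB" \
    place-before=[find chain=input action=drop in-interface=ether1-gateway]
# Optional tightening: only accept decrypted LAN-to-LAN traffic that really
# came out of the tunnel, not plaintext packets spoofing the remote subnet
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/24 \
    ipsec-policy=in,ipsec comment="LocB LAN via IPsec"

/ip firewall nat
# cdiedrich's fix: src is the LOCAL LAN, dst is the REMOTE LAN, and the rule
# must sit above masquerade so tunnel traffic keeps its private source address
add chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 \
    comment="NAT bypass for IPsec to LocB" \
    place-before=[find chain=srcnat action=masquerade out-interface=ether1-gateway]
```

Keep the original aes-256-cbc proposal on both sides; the 3des/md5 suite in downther0ad's test config will negotiate, but it is a legacy suite and not what you want to leave in production. The src-address restriction on the input rules means only the known peer can talk IKE to the router, which is the least-privilege version of the "accept everything from 80.121.239.xxx" rule the original post has disabled.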

Re: Site2Site IPsec problems

Posted: Wed Nov 25, 2015 10:04 pm
by Rudios
I agree with cdiedrich

Re: Site2Site IPsec problems

Posted: Thu Nov 26, 2015 4:18 pm
by downther0ad
Hi,

I was able to do IPSec with this:

Location A
/ip ipsec policy> add src-address=192.168.0.0/24 dst-address=192.168.1.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.123.98.xxx sa-dst-address=80.121.239.xxx proposal=default priority=0
/ip ipsec peer> add address=80.121.239.xxx port=500 auth-method=pre-shared-key secret="prueba" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5
/ip firewall nat> add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=accept disabled=no
Location B
/ip ipsec policy> add src-address=192.168.1.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.121.239.xxx sa-dst-address=80.123.98.xxx proposal=default priority=0
/ip ipsec peer> add address=80.123.98.xxx port=500 auth-method=pre-shared-key secret="prueba" exchange-mode=main send-initial-contact=yes  proposal-check=obey hash-algorithm=md5 enc-algorithm=3des  dh-group=modp1024 dpd-interval=120  dpd-maximum-failures=5
/ip firewall nat> add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=accept
Regards

Re: Site2Site IPsec problems

Posted: Sun Nov 29, 2015 5:15 pm
by porli
I'm sorry, I don't understand it. It is not working.

First I tried to swap the NAT rules; no change.

Now I have reset the whole IPsec config and tried the example from downther0ad; still the same result.

What am I doing wrong?!

Re: Site2Site IPsec problems

Posted: Mon Nov 30, 2015 12:02 pm
by cdiedrich
Really strange, as it should work perfectly with those settings.
Enable the IPsec debug log and post the results here; we can then try to figure out what's going wrong.
-Chris
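The checks cdiedrich is asking for, as an added example that is not part of the thread, to run on either router. Commands and logging topics are RouterOS 6.x; the interface name ether1-gateway is taken from the original config.

```routeros
# 1. Log IKE negotiation to memory ("!packet" keeps per-packet noise out of the log)
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"

# 2. Is phase 1 up? An entry here means IKE got through the firewall and the PSK matched.
/ip ipsec remote-peers print

# 3. Are phase 2 SAs installed in BOTH directions, and do their byte counters move
#    while you ping across? Outbound growing but inbound stuck at 0 means the far
#    side is dropping ESP or its NAT is rewriting the traffic away from the policy.
/ip ipsec installed-sa print

# 4. Which rules are actually matching? Watch the counters while pinging; the
#    masquerade counter climbing on LAN-to-LAN pings means the bypass rule is wrong.
/ip firewall filter print stats where chain=input
/ip firewall nat print stats where chain=srcnat

# 5. Confirm ESP is leaving and arriving on the WAN at all.
/tool sniffer quick interface=ether1-gateway ip-protocol=ipsec-esp
```

Compare the two routers' logs side by side: a phase 1 failure shows up as repeated retransmits or a "no proposal chosen" style message on one side and nothing on the other, which points at the input chain; SAs present on both sides with only one direction counting points at the NAT bypass rule.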