Page 1 of 1
IPSec tunnel connects, but unable to ping or connect to remote network [SOLVED]
Posted: Tue Jan 26, 2016 11:19 pm
by Desjani
I have installed a MikroTik CRS125-24G-1S-RM on both sites, and I am trying to set up a Site-to-Site VPN between them.
Configuration is as follows:
[admin@OFFICE] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=208.53.41.100/32 local-address=:: passive=no port=500 auth-method=pre-shared-key
secret="!sa4Domain#" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
[admin@OFFICE] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=0.0.0.0/24 src-port=any dst-address=0.0.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=173.10.26.100
sa-dst-address=208.53.41.100 proposal=default priority=0
[admin@DATACENTER] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=173.10.26.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="!sa4Domain#" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
[admin@DATACENTER] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=0.0.0.0/24 src-port=any dst-address=0.0.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=208.53.41.100
sa-dst-address=173.10.26.100 proposal=default priority=0
Looking at the IPSec logs on both sides, the connection is active and stable (all R-U-THEREs get ACKed). However, machines on one network cannot ping or otherwise connect to machines on the other, and vice versa.
Pinging each gateway from the other, returns time out.
Am I missing something? This is my first time working with RouterOS.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Wed Jan 27, 2016 11:29 am
by evince
Hello,
Can you post your NAT rules? YOu need at least one on the top.
Take a look at this great guide :
http://gregsowell.com/?p=787
Regards,
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Wed Jan 27, 2016 12:20 pm
by mrz
Not sure what you wanted to achieve with such ipsec policies, but obviously src-address=0.0.0.0/24 dst-address=0.0.0.0/24 is not going to work.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Wed Jan 27, 2016 10:34 pm
by Desjani
Hello,
Can you post your NAT rules? YOu need at least one on the top.
Take a look at this great guide :
http://gregsowell.com/?p=787
Regards,
[admin@DATACENTER] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.0.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix=""
2 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=10.0.2.2 to-ports=21 protocol=tcp in-interface=ether1-master-local
dst-port=21 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=10.0.2.2 to-ports=52500-52600 protocol=tcp
in-interface=ether1-master-local dst-port=52500-52600 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=10.0.2.102 to-ports=80 protocol=tcp dst-port=1102 log=no
log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=10.0.2.101 to-ports=7001 protocol=tcp dst-port=7001 log=no
log-prefix=""
7 chain=dstnat action=dst-nat to-addresses=10.0.2.101 to-ports=8080 protocol=tcp dst-port=8080 log=no
log-prefix=""
[admin@OFFICE] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=10.0.2.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix=""
2 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=10.0.0.0/24 log=no log-prefix=""
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Wed Jan 27, 2016 10:36 pm
by Desjani
Not sure what you wanted to achieve with such ipsec policies, but obviously src-address=0.0.0.0/24 dst-address=0.0.0.0/24 is not going to work.
I was following this video guide, and he used 0.0.0.0/24
https://www.youtube.com/watch?v=y68Dx8iPikA
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Thu Jan 28, 2016 8:29 am
by jaytcsd
I had problems with IPsec tunnels but got EOIP with IPsec working very easily.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Thu Jan 28, 2016 5:12 pm
by evince
Did you change your encryption domain in your IPSec policy?
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Fri Jan 29, 2016 4:02 am
by jaytcsd
Site 1 is the opposite of 2, too lazy to post it's rules.
site 2
/interface eoip> pr
Flags: X - disabled, R - running
0 R name="to site 1" mtu=auto actual-mtu=1396 l2mtu=65535
mac-address=02:xxxxx arp=enabled local-address=(site 2 WAN IP)
remote-address=(site 1 WAN IP) tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret="PISSOFF" allow-fast-path=no
/ip ipsec policy> pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 T group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all
proposal=default template=yes
2 D ;;; to SITE 1
src-address=(site 2 WAN IP) src-port=any dst-address=(site 1 WAN IP)
dst-port=any protocol=gre action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=(site 2 WAN IP)
sa-dst-address=(site 1 WAN IP) priority=0
Can't figure out the terminal command for bridging, my EOIP tunnel is bridged to my LAN port.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Fri Feb 05, 2016 5:51 pm
by Desjani
Okay I've gone through the suggested guides and recreated the settings as follows:
[admin@OFFICE] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=10.0.0.0/24 src-port=any dst-address=10.0.2.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=173.10.26.100 sa-dst-address=208.53.41.100
proposal=default priority=0
[admin@OFFICE] /ip ipsec> peer print
Flags: X - disabled, D - dynamic
0 address=208.53.41.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="FOO" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
[admin@OFFICE] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
[admin@OFFICE] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
1 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
2 chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""
[admin@OFFICE] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=10.0.2.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix=""
[admin@DATACENTER] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=10.0.2.0/24 src-port=any dst-address=10.0.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=208.53.41.100 sa-dst-address=173.10.26.100
proposal=default priority=0
[admin@DATACENTER] /ip ipsec> peer print
Flags: X - disabled, D - dynamic
0 address=173.10.26.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="FOO" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
[admin@DATACENTER] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
[admin@DATACENTER] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
1 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
2 chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""
[admin@DATACENTER] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.0.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix=""
The tunnel appears to connect, but I still cannot ping or connect through it.
I am seeing interesting entries on the ipsec log:
DPD R-U-There-Ack recieved
Recieved an R-U-THERE-ACK
1 times of 1 bytes message will be sent to 208.53.41.100[4500]
ff
ignore because do not listen on source address: 173.10.26.100
Any thoughts?
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Sun Feb 07, 2016 8:36 am
by jaytcsd
I could not ping from inside one tunnel to inside the other using IPsec tunnels, but could ping in the reverse direction, ie 192.168.100.20 could ping 192.168.200.20 but not from 200.20 to 100.20.
I don't think EOIP helped that either, spent a long time experimenting to get this working and forgot all the steps I went through.
I changed my 200.0/24 network at site 2 to 100.0/24 and renumbered the PCs with duplicate addresses.
My only NAT rule is a masquerade.
My site 2 router is 192.168.100.10, I use that gateway for site 2 PCs but use dhcp from 100.1 at site 1. I only have a few PCs using dhcp.
I don't know if there are any performance issues with using EOIP vs IPsec tunnel but for my small personal network I don't care. My CPU is running 3-6% while copying a 3 gig file between the sites, ping times are over 500 ms but drop to under 100 with little or no traffic.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Tue Feb 23, 2016 5:44 pm
by Desjani
Thanks all, but it appears simply organizing for the routers to BOTH be rebooted at near-same time made it work. Odd, but I'll take it.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Tue Feb 23, 2016 8:47 pm
by gotsprings
Thanks all, but it appears simply organizing for the routers to BOTH be rebooted at near-same time made it work. Odd, but I'll take it.
Thats actually in the tutorial. That you have to clear all the connections to get the packets to hit that first NAT rule.
Re: IPSec tunnel connects, but unable to ping or connect to remote network
Posted: Wed Feb 24, 2016 10:04 am
by jaytcsd
@ Desjani
Do you want to mark this topic Solved in the subject in case someone else is looking for a solution?