Need help with IPSec setup....
Posted: Mon Jul 04, 2016 7:07 am
I'm looking at replacing a Cisco router with a MikroTik; the problem at the moment is the VPN tunnel that clients need. I've set up how I 'think' it should work on the MikroTik but it's just not working... It looks like the IPSec tunnel is up, but I can't ping anything on the other side. I'm not an expert in IPSec so I'm not entirely sure how to diagnose the issue or see what's wrong.
Any help????
Here is the information I have been given
VPN IP Address: xxx.12.184.237
Shared Secret: *HIDDEN*
Private IP Address: 172.29.43.237
Server IP Address: 172.27.1.91
Here is how I've configured the MikroTik in a way that I 'think' should work (but doesn't):
Code:
/interface bridge
add name=IPSEC_VPN protocol-mode=none
/ip address
add address=172.29.43.237 interface=IPSEC_VPN network=172.29.43.237
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether7
add action=masquerade chain=srcnat out-interface=IPSEC_VPN
/ip ipsec peer
add address=xxx.12.184.237/32 enc-algorithm=3des hash-algorithm=md5 local-address=172.29.43.237 nat-traversal=no secret=*HIDDEN*
/ip ipsec policy
add dst-address=172.27.1.0/24 proposal=proposal1 sa-dst-address=xxx.12.184.237 sa-src-address=172.29.43.237 src-address=0.0.0.0/0 tunnel=yes
/ip route
add distance=1 dst-address=172.27.1.0/24 gateway=IPSEC_VPN
The IPSec tunnel looks to be up. I can see the remote peer in the status window. I have turned on IPSec debugging and can't see a problem, but neither the router nor any clients can ping the server at 172.27.1.91.
Here is the existing Cisco router config (using slightly different credentials) that does work fine:
Code:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key address xxx.12.184.137
!
crypto ipsec transform-set VPNExchangetrans esp-3des esp-md5-hmac
!
crypto map VPNExchangevpn 10 ipsec-isakmp
set peer xxx.12.184.137
set transform-set VPNExchangetrans
match address 101
!
interface Loopback1
ip address 172.29.73.187 255.255.255.255
interface [OUTSIDE INTERFACE]
ip nat outside
no ip route-cache
crypto map VPNExchangevpn
interface [LOCAL VLAN]
ip nat inside
!
ip nat inside source route-map VPNExchangenat interface Loopback1 overload
ip nat inside source route-map internetnat interface [OUTSIDE INTERFACE] overload
!
access-list 101 remark packets to VPN
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.27.1.0 0.0.0.255
access-list 101 permit ip host 172.29.xx.yy 172.27.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.125.0.0 0.0.255.255
access-list 101 permit ip host 172.29.xx.yy 10.125.0.0 0.0.255.255
!
route-map VPNExchangenat permit 10
match ip address 101
!
There are a lot of additional options in the MikroTik that I'm not sure of; I don't know if they are required. For instance, I'm pretty rusty and not sure if the Cisco config is running tunnel or transport mode (I would imagine tunnel). I've just tried to essentially mirror things the best I can on the MikroTik side but alas, no ping responses.
I'm not sure if I'm supposed to even use a bridge interface for the VPN or simply assign the IP to the existing outbound interface; I'm not sure if I need manual ip route commands or if the policy configured under IP->IPsec will take care of it. I don't normally do IPSec whatsoever...
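An added diagnostic, not part of the post or of either vendor's tooling: on an IKEv1 tunnel each phase-2 SA is negotiated for one pair of traffic selectors, and a peer only accepts a selector pair that matches one of its own crypto-ACL entries, so "peer visible in the status window but nothing pings" is worth checking against the selectors on both sides. This constructed Python script converts the Cisco crypto ACL (wildcard masks) and the RouterOS policy (CIDR src/dst) into network pairs and reports the flows that do not line up; the sample input is taken from the two configs above, with the ACL host that the post elides as 172.29.xx.yy replaced by the MikroTik's private IP as an assumption.

```python
from ipaddress import ip_network

def wildcard_to_network(addr, wildcard):
    # Cisco ACLs use inverted masks: 0.0.0.255 means /24.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(lines):
    """(src, dst) network pairs from 'access-list N permit ip ...' entries."""
    pairs = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            continue  # remarks, blank lines and non-ip entries are skipped
        nets, i = [], 4
        while len(nets) < 2:  # source selector first, then destination
            if tok[i] == "host":
                nets.append(ip_network(tok[i + 1] + "/32")); i += 2
            else:
                nets.append(wildcard_to_network(tok[i], tok[i + 1])); i += 2
        pairs.append(tuple(nets))
    return pairs

def parse_ros_policies(lines):
    """(src, dst) pairs from RouterOS '/ip ipsec policy' add lines."""
    pols = []
    for line in lines:
        kv = dict(t.split("=", 1) for t in line.split() if "=" in t)
        if line.split()[:1] == ["add"]:
            pols.append((ip_network(kv.get("src-address", "0.0.0.0/0"), strict=False),
                         ip_network(kv.get("dst-address", "0.0.0.0/0"), strict=False)))
    return pols

def compare_selectors(acl_pairs, policies):
    """Return (ACL flows with no exactly matching policy, policies matching no ACL entry)."""
    return ([a for a in acl_pairs if a not in policies],
            [p for p in policies if p not in acl_pairs])

# Constructed sample from the two configs in the post; the ACL host address
# (elided as 172.29.xx.yy there) is assumed to be the MikroTik's private IP.
CISCO_ACL = """access-list 101 remark packets to VPN
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.27.1.0 0.0.0.255
access-list 101 permit ip host 172.29.43.237 172.27.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.125.0.0 0.0.255.255
access-list 101 permit ip host 172.29.43.237 10.125.0.0 0.0.255.255""".splitlines()
ROS_POLICY = ["add dst-address=172.27.1.0/24 proposal=proposal1 src-address=0.0.0.0/0 tunnel=yes"]

def check():
    # On the sample every ACL flow is unmatched: a 0.0.0.0/0 source and a
    # missing 10.125.0.0/16 destination mirror none of the Cisco entries.
    return compare_selectors(parse_crypto_acl(CISCO_ACL), parse_ros_policies(ROS_POLICY))
```

`check()` returns the four ACL flows with no matching policy and the one policy (0.0.0.0/0 -> 172.27.1.0/24) that matches no ACL entry; run it again with a policy per ACL entry and both lists come back empty.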