okrug
just joined
Topic Author
Posts: 8
Joined: Wed Jul 06, 2016 11:03 pm

IPSEC VPN

Wed Jul 06, 2016 11:07 pm

Hi!
I have two MikroTik devices: one RB951G with 6.34.2, and a second, older one with 6.24,
and I need an IPsec VPN between each of those devices and Kerio Connect.
Scheme is:
192.168.200.0 – Kerio – Internet – MikroTik (6.34) – 192.168.1.0
192.168.200.0 – Kerio – Internet – MikroTik (6.24) – 192.168.99.0
The second one (6.24) works perfectly: the VPN is established and the networks see each other… but with the first one (6.34) the VPN is connected (policies generated, SAs installed), but there is no ping.
The settings are the same:
/ip ipsec peer add address=x.x.x.x/32 dh-group=modp1536 exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 passive=yes secret=xxxxxx
/ip firewall nat add chain=srcnat dst-address=192.168.200.0/24 src-address=192.168.1.0/24
When I try to ping 192.168.200.x from 192.168.1.x I don't see any counters on the rule which excludes these networks from NAT. And of course it is placed at the top, before the main NAT rule.
What can I try to resolve this?
Thanks in advance.
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSEC VPN

Wed Jul 06, 2016 11:13 pm

Do you use fasttrack? In case you do make sure inner-tunnel traffic is not fasttracked.
 
okrug
just joined
Topic Author
Posts: 8
Joined: Wed Jul 06, 2016 11:03 pm

Re: IPSEC VPN

Thu Jul 07, 2016 11:08 am

Thanks for the answer.
I disabled the fasttrack rule in the firewall and rebooted the router...
Now I can ping from 192.168.200.x to 192.168.1.x but can't from 192.168.1.x to 192.168.200.x.
I still don't see any traffic on the rule which excludes VPN network traffic from NAT on the MikroTik.
Last edited by okrug on Thu Jul 07, 2016 11:20 am, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10506
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSEC VPN

Thu Jul 07, 2016 11:19 am

Are these two routers alternately used on the same connection?
Or do you have two different sites, one that works and one that does not, and you are chasing the reason why?

What you see can be explained by a block of ESP traffic somewhere along the line.
In that case the connection will not establish at all without NAT-T, and with NAT-T it will establish but will drop all packets.
 
okrug
just joined
Topic Author
Posts: 8
Joined: Wed Jul 06, 2016 11:03 pm

Re: IPSEC VPN

Thu Jul 07, 2016 11:24 am

pe1chl, I edited my post while you were writing an answer, sorry, and thanks for the quick answers.
For now I have ping in one direction, as written in my previous post,
and the VPN is without the NAT-T option checked.
And yes, I have two different sites.
 
okrug
just joined
Topic Author
Posts: 8
Joined: Wed Jul 06, 2016 11:03 pm

Re: IPSEC VPN

Thu Jul 07, 2016 12:41 pm

So, for now the config is:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des pfs-group=none
/ip ipsec peer
add address=x.x.x.x/32 dh-group=modp1536 exchange-mode=main-l2tp generate-policy=port-override nat-traversal=no passive=yes secret=x.x.x.x
/ip firewall filter
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add chain=srcnat dst-address=192.168.200.0/24 src-address=192.168.1.0/24
Scheme:
192.168.200.0 Kerio --- Internet --- MikroTik 192.168.1.0
Ping from 192.168.200.0 to 192.168.1.0 is OK.
Ping from 192.168.1.0 to 192.168.200.0 fails.
There is no traffic on the rule:
/ip firewall nat add chain=srcnat dst-address=192.168.200.0/24 src-address=192.168.1.0/24
Any ideas?
Thanks
 
okrug
just joined
Topic Author
Posts: 8
Joined: Wed Jul 06, 2016 11:03 pm

Re: IPSEC VPN

Thu Jul 07, 2016 1:20 pm

Fixed.
The rule was up, but had #7... :shock:
So, the VPN works for now.
Thanks all for the answers, and I hope this story helps someone.
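The two causes this thread ran into (an enabled fasttrack rule, and the srcnat bypass rule sitting below masquerade even though it looked like it was "at the top") can both be caught by linting an export before blaming the tunnel. The following is an added example, not from the thread or from MikroTik: a small Python checker that parses the relevant sections of a RouterOS export. The sample export is constructed from the config posted above, with the masquerade rule ordered before the bypass rule as in the broken state; the `ipsec`-specific heuristics (default action accept, fasttrack skipping IPsec policy) are assumptions based on RouterOS behaviour described in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: the broken state from the thread. Fasttrack is enabled and
# the masquerade rule is exported ABOVE the accept rule for the tunnel subnets.
BROKEN_EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add chain=srcnat dst-address=192.168.200.0/24 src-address=192.168.1.0/24
"""

# Constructed sample: the same config with fasttrack disabled and the bypass rule first.
FIXED_EXPORT = BROKEN_EXPORT.replace(
    'comment="defconf: fasttrack"', 'comment="defconf: fasttrack" disabled=yes'
).replace(
    'add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1\n'
    'add chain=srcnat dst-address=192.168.200.0/24 src-address=192.168.1.0/24\n',
    'add chain=srcnat dst-address=192.168.200.0/24 src-address=192.168.1.0/24\n'
    'add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1\n',
)

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value, value may be a quoted string

def parse_export(text: str) -> Dict[str, List[dict]]:
    """Split a RouterOS export into menu path -> ordered list of rule dicts."""
    menus: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            rule = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            rule.setdefault("action", "accept")   # assumption: RouterOS default action
            rule.setdefault("disabled", "no")
            menus[current].append(rule)
    return menus

def check_ipsec_firewall(text: str) -> List[str]:
    """Return findings that explain why tunnel traffic would be NATed or skip IPsec."""
    menus = parse_export(text)
    findings: List[str] = []
    for r in menus.get("/ip firewall filter", []):
        if r["action"] == "fasttrack-connection" and r["disabled"] != "yes":
            findings.append("fasttrack enabled: established tunnel traffic bypasses IPsec policies")
    nat = [r for r in menus.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    masq = next((i for i, r in enumerate(nat) if r["action"] == "masquerade"), None)
    bypass = next((i for i, r in enumerate(nat) if r["action"] == "accept" and "dst-address" in r), None)
    if bypass is None:
        findings.append("no srcnat accept rule for the tunnel subnets")
    elif masq is not None and bypass > masq:
        findings.append(f"srcnat bypass rule is at position {bypass}, masquerade at {masq}: move it up")
    return findings
```

Run it against a real `/export` and an empty result means neither of the two problems from this thread is present; it does not check IKE/ESP filter rules or the IPsec policy itself.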
