Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Creating a VPN - What's Missing??? Missing LAN2LAN connection

Mon Jul 18, 2016 8:23 am

Hey Forum
Building my first system with MikroTik routers, and trying to get the following up and running.
HQ - 192.168.201.0/24 - Public IP 78.111.168.100
BO - 192.168.202.0/24 - Public IP 78.111.168.210
[attachment: network.png]
-------------------------------------------------------------------------------------------
Actually I think I've got the tunnel running, from what I can see in the log file:
DPD R-U-There-Ack received
Received an R-U-ThereACK
On HQ I've got the following rules created:
Filter Rules:
 1    chain=input action=accept src-address=192.168.201.0/24 in-interface=WAN log=yes log-prefix="VPN"
NAT RULES:
 0    ;;; Nat to Gannebro
      chain=srcnat action=accept to-addresses=0.0.0.0 src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=yes log-prefix="VPN" 

 1    ;;; Nat From Gannebro
      chain=dstnat action=dst-nat to-addresses=192.168.201.0/24 src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=yes log-prefix="From Gannebro" 
VPN PEER:
 0    address=78.111.168.210/30 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="*********" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=
VPN POLICY:
src-address=192.168.201.0/24 src-port=any dst-address=192.168.202.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=78.111.168.100 sa-dst-address=78.111.168.210 proposal=default priority=0
VPN Proposal:
 name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=non
ROUTE:
 3 A S  192.168.202.0/24                   WAN                       1
On my BO I've got:
Filter Rules:
 1    ;;; Incoming NAT FROM HQ
      chain=input action=accept src-address=192.168.201.0/24 log=yes log-prefix="VPN" 
NAT Rules:
 0    ;;; Nat To HQ
      chain=srcnat action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix="" 

 1    ;;; Nat From HQ
      chain=dstnat action=dst-nat to-addresses=192.168.202.0/24 src-address=192.168.201.0/24 dst-address=192.168.202.0/24 log=no log-prefix="FromHQ" 

VPN PEER: 
 0    address=78.111.168.100/30 local-address=:: passive=no port=500 auth-method=pre-shared-key secret="******" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
VPN POLICY: 
1     src-address=192.168.202.0/24 src-port=any dst-address=192.168.201.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=78.111.168.210 sa-dst-address=78.111.168.100 proposal=default priority=0
Proposal
1     name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none 
ROUTE:
2 A S  192.168.201.0/24                   WAN
but when trying to ping from one office to another directly from each MikroTik I'm getting a timeout - the same when trying to reach RDP or anything else.

I've also tried to create some routes on each, but cannot get any connection between the 2 different locations - can anyone see what I am missing here?
Last edited by Peque on Wed Jul 27, 2016 9:43 am, edited 1 time in total.
 
magchiel
Member Candidate
Posts: 133
Joined: Mon Jan 06, 2014 2:13 pm

Re: Creating a VPN - Whats Missing ???

Mon Jul 18, 2016 4:26 pm

First check if SAs are properly installed.
Secondly, I just don't understand your dstnat rules. Disable them and add a filter rule on the forward chain to accept traffic. Also, do you have fasttrack disabled?

EDIT: spelling
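The checks magchiel suggests, written out as RouterOS CLI commands. This is an added example by the editor, not from the original post or from MikroTik's documentation; the command paths are those of RouterOS 6.x as I know them (an assumption about the version in use), and the subnet and peer addresses are the ones from the first post. Run on the HQ router:

```routeros
# Added example: verifying an IPsec site-to-site tunnel on RouterOS 6.x.
# Version and command paths are assumed; addresses come from the thread.

# 1. Phase 1: is the peer established? An empty list means IKE never
#    completed (PSK mismatch, UDP/500 or 4500 blocked on input, or no
#    overlap between the two peers' proposals).
/ip ipsec remote-peers print

# 2. Phase 2: are SAs installed for the policy? Expect one inbound and one
#    outbound ESP SA between 78.111.168.100 and 78.111.168.210.
/ip ipsec installed-sa print

# 3. Is the policy active and does it match the right subnets?
/ip ipsec policy print detail where src-address=192.168.201.0/24

# 4. Does a fasttrack rule exist? Fasttracked packets skip the IPsec policy
#    lookup, so LAN-to-LAN traffic would be masqueraded out unencrypted.
/ip firewall filter print where action=fasttrack-connection

# 5. Is the NAT-bypass rule being hit? Its counters should rise while an
#    HQ host pings a BO host; if only the masquerade rule counts, the
#    bypass rule sits below it or its addresses are wrong.
/ip firewall nat print stats

# 6. Test from the LAN side: source the ping from the router's LAN address
#    so it matches the policy (a ping from the WAN address does not).
/ping 192.168.202.1 src-address=192.168.201.1 count=5
```

Steps 1 and 2 answer "is the tunnel up", steps 4 and 5 answer "is LAN traffic actually entering it"; both can fail independently, which is why a router-to-router ping can work while LAN-to-LAN does not.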
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: Creating a VPN - Whats Missing ???

Tue Jul 26, 2016 8:53 am

Sorry for a late answer - had an emergency trip to England!

Under IPsec - Installed SA - no SA is installed here. So that could be the problem - how do I fix this? How do I install these SAs, since they are not shown?

Deleted the dst rules and only created the filter rule. On HQ:
 1    chain=forward action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix="" 
On BO:
 1    chain=forward action=accept src-address=192.168.202.0/24 dst-address=192.168.201.0/24 log=no log-prefix="" 
I've actually used this guide http://gregsowell.com/?p=787&cpage=1
but am not able to connect from A to B.
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: Creating a VPN - Whats Missing ???

Tue Jul 26, 2016 11:42 am

So far so Good. 
I've now got the installed SA up and running also - but still no way to ping from one LAN to another LAN.
Was using this guide: http://gregsowell.com/?p=787&cpage=1

Rules on Router 1: 192.168.201.0/24
Filter Rules: 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 
 1    chain=input action=accept src-address=192.168.200.0/21 dst-address=192.168.201.0/24 in-interface=ether1 log=no log-prefix="" 
 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 
 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 
 4    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 
 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 
 6    ;;; defconf:  drop all from WAN not DSTNATed

NAT Rules: 
 0    chain=srcnat action=accept src-address=192.168.200.0/21 dst-address=192.168.201.0/24 log=no log-prefix="" 
 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 
Rules On Router 2 192.168.202.0/24
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 
 1    chain=input action=accept src-address=192.168.200.0/21 dst-address=192.168.202.0/24 in-interface=WAN log=no log-prefix="" 
 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 
 3    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 
 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 
 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 
 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix="" 

NAT Rules
 0    chain=srcnat action=accept src-address=192.168.200.0/21 dst-address=192.168.202.0/24 log=no log-prefix=""
 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" 
I actually think I've tried all settings and had a whole on a time - but now I cannot get it working.
I was able to ping from router to router - but not router to Subnet

What are the right rules for this?
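The rule set below is an added example by the editor, not from the thread or from MikroTik, showing how the default RouterOS 6.x firewall printed in the last post can be made to coexist with the site-to-site policy from the first post. It assumes the interface name "WAN", the LAN subnets and the peer addresses from the thread, and that the default rules still carry their "defconf:" comments (used here as anchors for place-before). It is written for HQ; the BO mirror swaps 201 and 202 and uses 78.111.168.100 as the peer.

```routeros
# Added example (editor's, not the thread's): HQ firewall/NAT rules for a
# site-to-site IPsec tunnel alongside the default RouterOS 6.x config.
# Interface name, subnets and peer address are taken from the thread.

/ip firewall filter
# Let IKE (UDP/500, NAT-T UDP/4500) and ESP from the BO public address reach
# the router itself. The default "drop all from WAN" input rule otherwise
# blocks phase 1 and no SA is ever installed.
add chain=input action=accept in-interface=WAN src-address=78.111.168.210 \
    protocol=udp dst-port=500,4500 comment="IPsec IKE/NAT-T from BO"
add chain=input action=accept in-interface=WAN src-address=78.111.168.210 \
    protocol=ipsec-esp comment="IPsec ESP from BO"

# Accept LAN-to-LAN traffic in BOTH directions and put it ABOVE the
# fasttrack rule. Fasttracked packets bypass the IPsec policy lookup and
# would be masqueraded out in clear; decrypted packets from BO re-enter
# the forward chain with in-interface=WAN and connection-nat-state!=dstnat,
# so without this rule "drop all from WAN not DSTNATed" discards them.
add chain=forward action=accept src-address=192.168.201.0/24 \
    dst-address=192.168.202.0/24 \
    place-before=[find comment="defconf: fasttrack"] comment="VPN HQ -> BO"
add chain=forward action=accept src-address=192.168.202.0/24 \
    dst-address=192.168.201.0/24 \
    place-before=[find comment="defconf: fasttrack"] comment="VPN BO -> HQ"

/ip firewall nat
# NAT bypass must sit ABOVE the masquerade rule: srcnat runs before the
# IPsec policy is consulted, so a masqueraded packet carries 78.111.168.100
# as source and no longer matches src-address=192.168.201.0/24.
add chain=srcnat action=accept src-address=192.168.201.0/24 \
    dst-address=192.168.202.0/24 \
    place-before=[find comment="defconf: masquerade"] comment="VPN bypass NAT"
```

Because the two forward accept rules match every connection state, packets of an established LAN-to-LAN flow hit them before the fasttrack rule and are never fasttracked, which is the effect magchiel's "do you have fasttrack disabled?" is after without disabling fasttrack for the rest of the traffic. The thread's own bypass rule uses src-address=192.168.200.0/21; the /24s above are the minimal match and keep other subnets in that /21 out of the tunnel policy.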