Need help configuring Site-to-Site IPsec when one of the peers is behind a NAT
Posted: Sat Jan 21, 2017 9:55 pm
Hello.
(...I'm relatively new to networking, so please bear with me...)
I am trying to build an IPsec (no L2TP) tunnel between two networks with Mikrotik routers in NAT mode. One of the routers ("main") has a public IP, while the other one ("remote") is behind a carrier NAT itself.
My first problem is that I cannot create a policy template in tunnel mode: the tunnel checkbox gets reset to "no". But I do not even know if that's the right way.
So, here is "main" configuration (LAN subnet is 10.159.230.0/24, WAN address is 77.41.63.43):
Code:
[admin@main] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.159.230.1/24 10.159.230.0 bridge-eth
1 D 77.41.63.43/20 77.41.48.0 ether1-gateway
[admin@main] > /ip ipsec export
# jan/21/2017 22:46:47 by RouterOS 6.39rc15
# software id = NUGB-0ZRG
#
/ip ipsec policy group
add name=site2site
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
add address=0.0.0.0/0 comment="peer for remote" enc-algorithm=aes-128 generate-policy=port-strict passive=yes policy-template-group=site2site secret=XXXX
/ip ipsec policy
set 0 disabled=yes
add comment="from main to remote" dst-address=10.167.15.0/24 group=site2site src-address=10.159.230.0/24 template=yes
Here is the "remote" configuration (LAN subnet is 10.167.15.0/24, nvm two addresses for ovpn1 — this is a workaround for a bug in ovpn-client):
Code:
[admin@remote] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.167.15.1/24 10.167.15.0 wlan1
1 10.159.231.4/24 10.159.231.0 ovpn1
2 D 100.64.211.102/32 10.112.112.132 3g
3 D 10.159.231.4/32 10.159.231.1 ovpn1
[admin@remote] > /ip ipsec export
# jan/21/2017 22:50:17 by RouterOS 6.39rc15
# software id = IDVP-LT14
#
/ip ipsec policy group
add name=site2site
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=77.41.63.43/32 comment=main enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-strict secret=XXXX
/ip ipsec policy
set 0 disabled=yes
add comment="remote to main" dst-address=10.159.230.0/24 group=site2site src-address=10.167.15.0/24 template=yes
The firewalls are configured as per wiki: http://wiki.mikrotik.com/wiki/Manual:IP ... ack_Bypass (ipsec-esp and udp 500,4500 are also allowed on both peers).
Basically, in this setup the remote peer appears in the "Remote Peers" list, but nothing happens afterwards.
Thanks for any help and attention.
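Editor's note, not part of the thread: the script below parses the peer and policy lines of the two exports quoted above and checks them against the general RouterOS IPsec rules that matter when one side is behind a carrier NAT (passive responder on the public side, template group selection, an initiating policy on the NATed side, and the aggressive-mode warning the export itself prints). The rules are the editor's reading of RouterOS behaviour, not something the post states; the inputs are abbreviated copies of the exports with the PSK placeholder kept.

```python
import ipaddress
import shlex

# Constructed input: the peer and policy lines of the two exports quoted in the
# post (PSK placeholder kept); "remote"'s WAN address comes from its address list.
MAIN_EXPORT = """/ip ipsec peer
add address=0.0.0.0/0 comment="peer for remote" enc-algorithm=aes-128 generate-policy=port-strict passive=yes policy-template-group=site2site secret=XXXX
/ip ipsec policy
add comment="from main to remote" dst-address=10.167.15.0/24 group=site2site src-address=10.159.230.0/24 template=yes
"""
REMOTE_EXPORT = """/ip ipsec peer
add address=77.41.63.43/32 comment=main enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-strict secret=XXXX
/ip ipsec policy
add comment="remote to main" dst-address=10.159.230.0/24 group=site2site src-address=10.167.15.0/24 template=yes
"""
REMOTE_WAN = "100.64.211.102"

def parse_export(text):
    """Map each menu path of a RouterOS export to its 'add' entries as dicts."""
    menus, path = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            path = line.strip()
            menus.setdefault(path, [])
        elif path and line.startswith("add "):  # shlex keeps quoted comments whole
            menus[path].append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return menus

def check_site_to_site(main, remote, remote_wan):
    """Findings for the post's layout: main is public, remote sits behind a NAT."""
    findings = []
    mp, rp = main["/ip ipsec peer"][0], remote["/ip ipsec peer"][0]
    # A CGNAT-range (RFC 6598) peer cannot be dialled: main must be a passive responder for any source.
    if ipaddress.ip_address(remote_wan) in ipaddress.ip_network("100.64.0.0/10"):
        if mp.get("passive") != "yes" or mp.get("address") != "0.0.0.0/0":
            findings.append("main: NATed remote needs passive=yes and address=0.0.0.0/0")
    # generate-policy consults templates only from the peer's policy-template-group
    # (default "default"); a template filed under another group is never matched.
    for side, peer, cfg in (("main", mp, main), ("remote", rp, remote)):
        for p in cfg["/ip ipsec policy"]:
            if p.get("template") == "yes" and p.get("group", "default") != peer.get("policy-template-group", "default"):
                findings.append(f"{side}: template group {p.get('group', 'default')} is not the peer's policy-template-group")
    # Templates only answer proposals; the initiating (non-passive) side also needs
    # a real policy, or phase 1 completes and no phase 2 is ever requested.
    if rp.get("passive") != "yes" and all(p.get("template") == "yes" for p in remote["/ip ipsec policy"]):
        findings.append("remote: only template policies, nothing initiates the tunnel")
    # Aggressive mode with a PSK is what the export itself marks as unsafe.
    if rp.get("exchange-mode") == "aggressive" and "secret" in rp:
        findings.append("remote: aggressive mode with a pre-shared key (export flags this unsafe)")
    return findings
```

Running it on the two exports reports the remote side only: its template sits in group site2site while its peer uses the default template group, it has no non-template policy to start phase 2 with, and it uses aggressive mode with a PSK.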