Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

IPSec site-to-site connects but no traffic is routed

Locked
 
andlil
just joined
Topic Author
Posts: 13
Joined: Sat Oct 08, 2016 7:38 pm
Location: Sweden

IPSec site-to-site connects but no traffic is routed

Sun Jan 29, 2017 3:59 pm

First time, bear with me...

I have an RB2011 at home with public dynamic ip and want to connect to my SXTLTE which has public fixed IP.

I have managed to configure policies (with sa-src and sa-dst) and peers on both, I have active connection between both (remote peers) and I have installed SAs on both which mirrors each other. RB2011 is initiator and SXTLTE is responder.

In policy on my RB2011 I have 192.168.4.0/24 as src and 192.168.39.0/24 as dst and on SXTLTE the policy is the other way around.

I have added an accept in srcnat at the top containing the above src and dst, and of course the other way around on the SXTLTE.

Now for the beginners question; I can't reach anything in the 192.168.39.0/24 from my 192.168.4.107 (or from anywhere else), is there something blatantly obvious that I have missed?

Thanks in advance
//A
Top
 
andriys
Forum Guru
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec site-to-site connects but no traffic is routed

Sun Jan 29, 2017 4:37 pm

IPsec is so complex it's almost impossible to guess what might be wrong without even seeing your current configuration.

One obvious thing to blame, though, is fasttrack. Do you have it enabled?
Top
 
andlil
just joined
Topic Author
Posts: 13
Joined: Sat Oct 08, 2016 7:38 pm
Location: Sweden

Re: IPSec site-to-site connects but no traffic is routed

Sun Jan 29, 2017 5:41 pm

I understand, fasttrack is not enabled since I thought it would interfere.

This is the RB2011
Code: Select all
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 lifetime=8h pfs-group=none

/ip ipsec peer
add address=nnn.nnn.128.166/32 nat-traversal=no secret=test

/ip ipsec policy
add dst-address=192.168.39.0/24 priority=1 sa-dst-address=nnn.nnn.128.166 sa-src-address=mmm.mmm.86.61 src-address=192.168.4.0/24 tunnel=yes

/ip address
add address=192.168.4.254/24 comment="default configuration" interface=ether2-master-local network=192.168.4.0

/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=L2TP/IPSec dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.39.0/24 src-address=192.168.4.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
And this is the SXTLTE
Code: Select all
/interface lte
set [ find ] add-default-route=yes apn=static.tre.se band=7 default-route-distance=1 ip-type=ipv4 ipv6-interface=none mac-address=\
    00:0A:3B:F0:00:00 name=lte1 network-mode=lte

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 pfs-group=none

/ip address
add address=192.168.39.254/24 comment="default configuration" interface=ether1 network=192.168.39.0

/ip firewall address-list
add address=xxx.xxx.232.7 list=Trusted

/ip firewall filter
add action=accept chain=input in-interface=lte1 protocol=icmp
add action=accept chain=input connection-state=established,related in-interface=lte1
add action=accept chain=input comment=Trusted in-interface=lte1 protocol=tcp src-address-list=Trusted
add action=accept chain=input comment=IPSec dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=IPSec protocol=ipsec-esp
add action=drop chain=input in-interface=lte1
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=lte1

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=192.168.39.0/24
add action=masquerade chain=srcnat out-interface=lte1
add action=dst-nat chain=dstnat dst-port=1234 in-interface=lte1 protocol=tcp to-addresses=192.168.39.1 to-ports=5900

/ip ipsec peer
add address=mmm.mmm.86.61/32 nat-traversal=no secret=test send-initial-contact=no

/ip ipsec policy
add dst-address=192.168.4.0/24 priority=1 sa-dst-address=mmm.mmm.86.61 sa-src-address=nnn.nnn.128.166 src-address=192.168.39.0/24 tunnel=yes
Any ideas?

//A
Top
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1392
Joined: Tue Jun 23, 2015 2:35 pm

Re: IPSec site-to-site connects but no traffic is routed

Mon Jan 30, 2017 7:26 am

Just folow mikrotik tutorial about that, and you will do.
Top
Locked

Who is online

Users browsing this forum: No registered users and 18 guests
  4. RouterOS
  5. Beginner Basics