Deunan
just joined
Topic Author
Posts: 12
Joined: Sun Oct 29, 2017 4:28 pm

Ipsec Site to Site, again...

Sun Oct 29, 2017 6:07 pm

Hello everyone,
I'm trying to set up a site-to-site IPsec VPN between two MikroTik routers: an RB2011 on my side at home and an RB3011 at work. Both are on 6.40.4 and both have public IPs, at home via PPPoE and at work with the address set on the interface.
192.168.1.0/24 is the office subnet and 192.168.0.0/24 is the home subnet.

I can establish a tunnel between them, I see the SA installed, but I can't ping the remote ends.

If I do a traceroute I see the packet being routed through the NAT masquerade to the work ISP.
The NAT bypass rule has been set before 0.
This happens on both sides, so I just report one, which is also the less complicated setup.


[admin@work] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 1.1.1.2 1
1 ADC 1.1.1.1/30 1.1.1.1 ether1 0
2 ADC 192.168.1.0/24 192.168.1.99 ether2 0

[admin@work] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=yes
log-prefix="prima di masquerade"

1 chain=srcnat action=masquerade out-interface=ether1

2 chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=80 protocol=tcp dst-address=1.1.1.1
src-port="" dst-port=8888 log=no log-prefix="Nat 8888"

3 chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=80 protocol=tcp dst-address=1.1.1.1
src-port="" dst-port=80 log=no log-prefix="porta 80 nat"

4 chain=dstnat action=dst-nat to-addresses=192.168.1.220 to-ports=443 protocol=tcp in-interface=ether1
src-port="" dst-port=444 log=no log-prefix=""

5 chain=dstnat action=dst-nat to-addresses=192.168.1.221 to-ports=8080 protocol=tcp in-interface=ether1
src-port="" dst-port=8080 log=no log-prefix=""

6 chain=dstnat action=dst-nat to-addresses=192.168.1.220 to-ports=10001 protocol=tcp in-interface=ether1
src-port="" dst-port=10001 log=no log-prefix=""

7 chain=dstnat action=dst-nat to-addresses=192.168.1.220 to-ports=5588 protocol=tcp in-interface=ether1
src-port="" dst-port=5588 log=no log-prefix=""

8 chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=443 protocol=tcp in-interface=ether1
src-port="" dst-port=10443 log=no log-prefix=""

9 chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=5632 protocol=tcp in-interface=ether1
src-port="" dst-port=5632 log=no log-prefix=""
[admin@work] >

[admin@work] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=tcp in-interface=ether1 dst-port=8291 log=no log-prefix="Winbox"

1 chain=input action=accept protocol=udp in-interface=ether1 dst-port=500 log=no log-prefix="500 UDP"

2 chain=input action=accept protocol=udp in-interface=ether1 dst-port=4500 log=yes log-prefix="4500 UDP"

11 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=yes log-prefix="test"

12 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

13 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

15 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

16 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

17 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

18 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

19 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

20 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN



[admin@work] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R address=2.2.2.2/32 passive=yes auth-method=pre-shared-key secret="Test1234" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
[admin@work] >

[admin@work] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

1 A src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=deunanph2 ph2-count=1
[admin@work] >

[admin@work] > ip ipsec remote-peers prin
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 R established 2.2.2.2 59m8s


[admin@work] > ping 192.168.0.1
SEQ HOST SIZE TTL TIME STATUS
0 10.255.30.1 56 253 18ms host unreachable
1 192.168.0.1 timeout
2 192.168.0.1 timeout
3 192.168.0.1 timeout
4 192.168.0.1 timeout
5 192.168.0.1 timeout
sent=6 received=0 packet-loss=100%

and then the lines repeat with 10.255 and 192.168.

I really don't understand where I made the error.
Thanks in advance for the help.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Ipsec Site to Site, again...

Sun Oct 29, 2017 10:03 pm

Joining the question.
 
matiaszon
Member
Posts: 320
Joined: Mon Jul 09, 2012 9:26 am

Re: Ipsec Site to Site, again...

Sun Oct 29, 2017 11:49 pm

I can't see any rules that would tell both routers what to do when devices want to access the other LAN network, so you should add a few lines.

At the home router
/ip firewall filter add action=accept chain=forward connection-state=established,related,new dst-address=192.168.0.0/24 src-address=192.168.1.0/24
/ip firewall nat add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.0.0/24
At the office router
/ip firewall filter add action=accept chain=forward connection-state=established,related,new dst-address=192.168.1.0/24 src-address=192.168.0.0/24
/ip firewall nat add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.1.0/24
You have to place them above the denying rules. I would just put them on top.
 
Deunan
just joined
Topic Author
Posts: 12
Joined: Sun Oct 29, 2017 4:28 pm

Re: Ipsec Site to Site, again...

Mon Oct 30, 2017 12:42 am

Hello Matiaszon,
I added both lines on both routers but I'm having the same problem.
The last ping from the work router to home gives me this:

1380 10.255.30.1 56 253 19ms host unreachable
1381 192.168.0.1 timeout
1382 10.255.30.1 56 253 19ms host unreachable
1383 192.168.0.1 timeout
1384 10.255.30.1 56 253 18ms host unreachable
1385 192.168.0.1 timeout
1386 10.255.30.1 56 253 19ms host unreachable
1387 10.255.30.1 56 253 24ms host unreachable
1388 10.255.30.1 56 253 18ms host unreachable
1389 10.255.30.1 56 253 18ms host unreachable
1390 10.255.30.1 56 253 18ms host unreachable.

10.255.30.1 is currently a responsive hop from the ISP; I see that IP in a normal traceroute to Google for example, so I start to think the packets for 192.168.0.1 are routed through the "normal" connection and not into the IPsec tunnel.
Do I need to add a route somewhere?
 
nichky
Forum Guru
Posts: 1389
Joined: Tue Jun 23, 2015 2:35 pm

Re: Ipsec Site to Site, again...

Mon Oct 30, 2017 6:27 am

IPsec is a dynamic protocol; if you add a route you will just complicate the problem.
 
tomfisk
Frequent Visitor
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Ipsec Site to Site, again...

Mon Oct 30, 2017 9:43 am

I have a similar setup and I think all you need to do is add an address for the IPIP tunnel:
add address=10.0.0.2/30 interface=IPIP_Plainview network=10.0.0.0

Now add route to the remote address range, pointing at the address for the tunnel:
add check-gateway=ping comment="Route to Plainview" distance=1 dst-address=192.168.2.0/24 gateway=10.0.0.1

Do the same on the other end, pointing to the remote address range.
 
Deunan
just joined
Topic Author
Posts: 12
Joined: Sun Oct 29, 2017 4:28 pm

Re: Ipsec Site to Site, again...

Mon Oct 30, 2017 7:38 pm

This evening I will try the route test and keep you updated.
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Ipsec Site to Site, again...

Mon Oct 30, 2017 8:31 pm

I could say that everyone so far has missed the real question.

What do you want?
If you want traffic from both networks to be routed without any NAT, then add routes and rules, and make the NAT rules tighter so they only trigger on WAN-destined traffic and not on IPsec tunnel traffic.
If you want an office IP for your home, this can be done with L2 ARP on the office side, rules on both sides and NAT at your home (or even better with Ethernet over IP over IPsec, depending on what you want to accomplish).
If you want to do any other setup, please explain.

Think of the router in layers: interfaces, routing, firewalling. Take one step at a time to solve the problem. A tunnel is only another interface, but the traffic after encapsulation is subject to the firewall again. Look at the wiki and study the packet flow diagram and all will be clear.
 
Deunan
just joined
Topic Author
Posts: 12
Joined: Sun Oct 29, 2017 4:28 pm

Re: Ipsec Site to Site, again...

Mon Oct 30, 2017 10:50 pm

Hello JimmyNyholm,
I want to be able to reach the subnet 192.168.1.0/24 that we use at work from my subnet 192.168.0.0/24 at home and vice versa.
From my PC I would like to be able to reach the server at work, and from work I would like to reach my devices at home.
I followed and read some tutorials like https://mivilisnet.wordpress.com/2016/1 ... ec-tunnel/
https://www.youtube.com/watch?v=UZ2pIC0EuHs
They "simply" set IPs on the WAN and LAN interfaces, set policy, peer and proposal, make the NAT bypass, et voilà, site to site is up and running and they can ping both subnets.
My tunnel is active but... ok, that's really strange.
While I was writing this post I tried to ping the remote server at work again and... it works!!! This time I pinged it from my PC, not from the terminal on the MikroTik.
So I double checked it: if I ping the same address from the terminal I get the error, but it works from my PC. RDP to the server at work and pinging back to my network/router works too.
That's really strange. And it's working without routes.
Now I'm even more interested in understanding why it works from the PC and not from the terminal. Any idea where I can check?
The only thing I can think of is: from the terminal on the MikroTik the ping is sent from the WAN interface, and that's why I see the hops like a traceroute to a normal site.
Am I on the right track?
Deunan.
 
almdandi
Frequent Visitor
Posts: 78
Joined: Sun May 03, 2015 5:22 pm

Re: Ipsec Site to Site, again...

Tue Oct 31, 2017 12:23 am

Hello,

All wrong. You have a fasttrack rule in your filter table.
Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, IP traffic-flow (restriction removed in 6.33), IP accounting, IPsec, hotspot universal client and VRF assignment, so it is up to the administrator to make sure fasttrack does not interfere with other configuration.
So what you can do is disable the fasttrack rule. This has the consequence that the CPU is loaded more, but if you need for example queues, you need to disable it anyway.
The second option is to exclude the IPsec tunnel traffic from the fasttrack rule.
The third option is to use the raw table to disable connection tracking for the IPsec tunnel traffic, but you will lose the ability to firewall those connections.

Greetings
 
Deunan
just joined
Topic Author
Posts: 12
Joined: Sun Oct 29, 2017 4:28 pm

Re: Ipsec Site to Site, again...

Tue Oct 31, 2017 10:07 am

almdandi wrote:
Hello,

All wrong. You have a fasttrack rule in your filter table.
Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, IP traffic-flow (restriction removed in 6.33), IP accounting, IPsec, hotspot universal client and VRF assignment, so it is up to the administrator to make sure fasttrack does not interfere with other configuration.
So what you can do is disable the fasttrack rule. This has the consequence that the CPU is loaded more, but if you need for example queues, you need to disable it anyway.
The second option is to exclude the IPsec tunnel traffic from the fasttrack rule.
The third option is to use the raw table to disable connection tracking for the IPsec tunnel traffic, but you will lose the ability to firewall those connections.

Greetings

If you are talking about line 17 in my first post, it's disabled. The X marks it as disabled.
17 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

And in IP->Settings, "Allow fast path" is not checked.
Are fast path and fasttrack the same thing?

Deunan.
 
tomfisk
Frequent Visitor
Posts: 89
Joined: Thu Sep 01, 2016 7:44 am

Re: Ipsec Site to Site, again...

Tue Oct 31, 2017 11:11 am

From your attachments, you are trying to route to a specific address and not to the tunnel. I can't see your interface list window... but like I said before, my take is that you need to assign an address to the tunnel, and then route to that address, not to the public address of the remote end. See my config for the tunnel and route from one end.

Deunan wrote:
Hello JimmyNyholm,
I want to be able to reach the subnet 192.168.1.0/24 that we use at work from my subnet 192.168.0.0/24 at home and vice versa.
From my PC I would like to be able to reach the server at work, and from work I would like to reach my devices at home.
I followed and read some tutorials like https://mivilisnet.wordpress.com/2016/1 ... ec-tunnel/
https://www.youtube.com/watch?v=UZ2pIC0EuHs
They "simply" set IPs on the WAN and LAN interfaces, set policy, peer and proposal, make the NAT bypass, et voilà, site to site is up and running and they can ping both subnets.
My tunnel is active but... ok, that's really strange.
While I was writing this post I tried to ping the remote server at work again and... it works!!! This time I pinged it from my PC, not from the terminal on the MikroTik.
So I double checked it: if I ping the same address from the terminal I get the error, but it works from my PC. RDP to the server at work and pinging back to my network/router works too.
That's really strange. And it's working without routes.
Now I'm even more interested in understanding why it works from the PC and not from the terminal. Any idea where I can check?
The only thing I can think of is: from the terminal on the MikroTik the ping is sent from the WAN interface, and that's why I see the hops like a traceroute to a normal site.
Am I on the right track?
Deunan.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Ipsec Site to Site, again...

Tue Oct 31, 2017 2:18 pm

These rules

15 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

16 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

won't work, because the traffic is forwarded, which means it's not the router's traffic.

I can't see any other wrong configs, so you need to check the config of the other side.
 
almdandi
Frequent Visitor
Posts: 78
Joined: Sun May 03, 2015 5:22 pm

Re: Ipsec Site to Site, again...

Tue Oct 31, 2017 9:44 pm

Oh, I missed the "X". But I had the same problem in the past when fasttrack was introduced.

To be able to ping from the router to the other subnet you need to add a static route.

Here is an example. dst-address is your remote subnet and gateway is your interface with the local subnet attached.
/ip route
add distance=1 dst-address=192.168.70.0/24 gateway=ether2-lan
And can you please post an 'export hide-sensitive'?

Greetings
 
troffasky
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: Ipsec Site to Site, again...

Wed Nov 01, 2017 12:28 am

Deunan wrote:
The only thing I can think of is: from the terminal on the MikroTik the ping is sent from the WAN interface, and that's why I see the hops like a traceroute to a normal site.
Am I on the right track?
Deunan.
Yes, you're close. You will probably find that if you add src-address=<LAN IP> to your ping command, it works.
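The behaviour the thread converges on, as an added example that is not part of any post: a small Python model of the work router's packet path, built from the route table, srcnat rules and IPsec policy printed in the first post. It shows why a ping typed on the router (source address picked from the default route, so 1.1.1.1) misses the 192.168.1.0/24 policy selector and is masqueraded out to the ISP, why the same ping with src-address=192.168.1.99 or from a LAN host matches, why almdandi's static route via the LAN interface also fixes the router's own pings, and what happens when the NAT bypass rule sits below masquerade. The host address 192.168.1.50, the route named LAN_ROUTE_FIX and the simplified order of operations (route lookup, source selection, srcnat, then IPsec policy match) are assumptions for illustration; the model stops at the policy decision and does not route the resulting ESP packet to the peer.

```python
"""Model of how a RouterOS box picks a source address and matches an IPsec policy.

Added example, not code from the thread. ROUTES, SRCNAT and POLICY are the
'work' router's printed config; 192.168.1.50 and LAN_ROUTE_FIX are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Route:
    dst: Net
    interface: str
    pref_src: Addr                  # address the router itself sends from
    gateway: Optional[Addr] = None
    distance: int = 1


@dataclass
class SrcNatRule:
    action: str                     # "accept" or "masquerade"
    src: Optional[Net] = None
    dst: Optional[Net] = None
    out_interface: Optional[str] = None


@dataclass
class IpsecPolicy:
    src: Net
    dst: Net


# 'ip route print' on the work router. A connected route's pref-src is the
# interface address; the default route inherits ether1's 1.1.1.1.
ROUTES = [
    Route(Net("0.0.0.0/0"), "ether1", Addr("1.1.1.1"), gateway=Addr("1.1.1.2")),
    Route(Net("1.1.1.0/30"), "ether1", Addr("1.1.1.1")),      # shown as 1.1.1.1/30 in the post
    Route(Net("192.168.1.0/24"), "ether2", Addr("192.168.1.99")),
]
# almdandi's suggestion (assumed name): remote LAN routed via the local LAN interface
LAN_ROUTE_FIX = Route(Net("192.168.0.0/24"), "ether2", Addr("192.168.1.99"))

# 'ip firewall nat print': bypass rule 0 sits before masquerade rule 1
SRCNAT = [
    SrcNatRule("accept", src=Net("192.168.1.0/24"), dst=Net("192.168.0.0/24")),
    SrcNatRule("masquerade", out_interface="ether1"),
]
# 'ip ipsec policy print', policy 1 selectors
POLICY = IpsecPolicy(Net("192.168.1.0/24"), Net("192.168.0.0/24"))


def lookup(routes: List[Route], dst: Addr) -> Route:
    """Longest prefix wins; lower distance breaks ties."""
    return max((r for r in routes if dst in r.dst),
               key=lambda r: (r.dst.prefixlen, -r.distance))


def srcnat_action(rules: List[SrcNatRule], src: Addr, dst: Addr, out_if: str) -> str:
    """First matching srcnat rule decides; no match means no NAT."""
    for r in rules:
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.out_interface is not None and r.out_interface != out_if:
            continue
        return r.action
    return "none"


def trace(dst: str, src: Optional[str] = None, routes=ROUTES, nat=SRCNAT, policy=POLICY) -> dict:
    """Follow one packet: route -> source selection -> srcnat -> IPsec policy.

    src=None models a ping typed on the router without src-address: the source
    becomes the chosen route's pref-src. srcnat runs before the policy lookup,
    which is why the bypass rule has to precede masquerade. After a policy match
    the ESP packet is routed again towards sa-dst-address; that is out of scope.
    """
    dst_addr = Addr(dst)
    route = lookup(routes, dst_addr)
    src_addr = Addr(src) if src else route.pref_src
    action = srcnat_action(nat, src_addr, dst_addr, route.interface)
    if action == "masquerade":
        src_addr = route.pref_src   # rewritten to the out-interface address
    return {
        "src": str(src_addr),
        "out": route.interface,
        "srcnat": action,
        "ipsec": bool(src_addr in policy.src and dst_addr in policy.dst),
    }


if __name__ == "__main__":
    print("router ping, no src-address  :", trace("192.168.0.1"))
    print("router ping, src=192.168.1.99:", trace("192.168.0.1", src="192.168.1.99"))
    print("LAN host 192.168.1.50        :", trace("192.168.0.1", src="192.168.1.50"))
    print("router ping + LAN_ROUTE_FIX  :", trace("192.168.0.1", routes=ROUTES + [LAN_ROUTE_FIX]))
    print("bypass rule below masquerade :", trace("192.168.0.1", src="192.168.1.50", nat=SRCNAT[::-1]))
```

The first line of output reproduces the symptom in the thread: source 1.1.1.1, masqueraded out ether1, no policy match, so the ICMP echo reaches the ISP's 10.255.30.1 instead of the tunnel. The last line shows the separate failure the NAT bypass rule guards against: with masquerade evaluated first, even LAN-to-LAN traffic is rewritten to 1.1.1.1 before the policy lookup and never gets encrypted.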
