Hi,
I have IPSec VPN tunnels going from 2 branches to a main branch. The exchange mode is set as Main, and whilst this works, there is an issue that if there is no connection from the Main Branch to any of the branches, then those branches cannot ping or access anything on the main branch. So my solution for this was to keep a ping window running from a server on the main branch to the other 2 branches with -t parameter. This keeps the tunnel "open" and lets the branches access the main branch network.
I am trying to fix this, and I think it is because of the exchange mode. In previous VPN connections I made on other hardware were in aggressive mode and that would keep the tunnel open 24/7. So I went to IPSec > Peers > picked a peer and tried to change the exchange mode from main to aggressive and applying the change BUT I get an error. The error is : "Couldn't change IPsec Peer <peername> - Only one DH group support in aggresive mode! (6)". I tried checking online for a solution but no results for this specific term of only one DH group.
Any idea what does it mean and how to sort it out? Or at least, am I correct in my assumption that changing the exchange mode will fix the issue I described above?
Thanks.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Too much information is missing in your post, and too much information is misinterpreted on your side.
Are all three devices involved Mikrotik ones, is there any NAT of firewall box between the central site IPsec peer and the remote site peers or are all three peers running on public IPs (or at least IPs between which there is a transparent routing in the network interconnecting the peers)?
The fact that hosts connected to the "client" peers cannot communicate with hosts connected to the "server" peers indicates that either the security associations created by the ipsec policies are shut down at protocol level when no traffic passes through them, or that there is an aggressive firewall between the peers which quickly closes pinholes letting these security associations pass through. The Mikrotik implementation of IPsec doesn't shut down (or just let expire without attempting to renew them) unused security associations as far as I know, other implementations do; Mikrotik doesn¨t give up re-establishment of the tunnel components if it fails due to temporary network failures, other implementations do.
The bad (or good, it depends) news for you is that the exchange mode chosen has no effect on this. So to get rid of the "Only one DH group supported in aggresive mode" message, it is enough to reduce the dh-group list in /ip ipsec profile to just a single item, but it won't delp you solve your actual issue.
Are all three devices involved Mikrotik ones, is there any NAT of firewall box between the central site IPsec peer and the remote site peers or are all three peers running on public IPs (or at least IPs between which there is a transparent routing in the network interconnecting the peers)?
The fact that hosts connected to the "client" peers cannot communicate with hosts connected to the "server" peers indicates that either the security associations created by the ipsec policies are shut down at protocol level when no traffic passes through them, or that there is an aggressive firewall between the peers which quickly closes pinholes letting these security associations pass through. The Mikrotik implementation of IPsec doesn't shut down (or just let expire without attempting to renew them) unused security associations as far as I know, other implementations do; Mikrotik doesn¨t give up re-establishment of the tunnel components if it fails due to temporary network failures, other implementations do.
The bad (or good, it depends) news for you is that the exchange mode chosen has no effect on this. So to get rid of the "Only one DH group supported in aggresive mode" message, it is enough to reduce the dh-group list in /ip ipsec profile to just a single item, but it won't delp you solve your actual issue.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Hi @sindy ,
Thanks for the reply and sorry about the lack of information and misinterpretation from my side. To answer your questions :
1) All 3 devices are Mikrotik devices on the same firmware and the same model.
2) There is a NAT on the main branch (a different device from the ISP on its own separate IP range that actually dials the WAN connection and has some firewall/port forwarding rules)
3) The IPSec is done via public IP's on all 3 locations, except the public IPs are dynamic so im using IP > Cloud as the DDNS and a script to resolve the ip from the ddns name on a schedule.
All in all, the entire thing works. I have only noticed the following which im trying to resolve :
a) Main branch is able at any time to ping/send packets/communicate with the branches
b) the branches are not able to ping/send packets/communicate with the main branch until....
c) ... the main branch communicates with the branches first.
Once the main branch stops pinging/communicating, after some time the branches lose their connectivity. Whether if this is due to the NAT box on the main branch or some other reason, I don't know. It's my first Mikrotik VPN network.
I found the dh-group that you mentioned in ip > ipsec > peer profile (just "profile" is not there), I will try it and then attempt the aggressive mode though as you said it won't make a difference. Let's see.
Thanks for the help so far.
Thanks for the reply and sorry about the lack of information and misinterpretation from my side. To answer your questions :
1) All 3 devices are Mikrotik devices on the same firmware and the same model.
2) There is a NAT on the main branch (a different device from the ISP on its own separate IP range that actually dials the WAN connection and has some firewall/port forwarding rules)
3) The IPSec is done via public IP's on all 3 locations, except the public IPs are dynamic so im using IP > Cloud as the DDNS and a script to resolve the ip from the ddns name on a schedule.
All in all, the entire thing works. I have only noticed the following which im trying to resolve :
a) Main branch is able at any time to ping/send packets/communicate with the branches
b) the branches are not able to ping/send packets/communicate with the main branch until....
c) ... the main branch communicates with the branches first.
Once the main branch stops pinging/communicating, after some time the branches lose their connectivity. Whether if this is due to the NAT box on the main branch or some other reason, I don't know. It's my first Mikrotik VPN network.
I found the dh-group that you mentioned in ip > ipsec > peer profile (just "profile" is not there), I will try it and then attempt the aggressive mode though as you said it won't make a difference. Let's see.
Thanks for the help so far.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
The fact that the Mikrotik at the central site is behind a NAT explains why it can always drill the pinholes in that external NAT&firewall whereas the other two cannot (as they attempt to drill them from outside). But that also means that either the other sites are configured as responders only or the port forwarding at the central site doesn't work properly.
Please follow the hint in my automatic signature, for the central site and one of the other ones, and confirm that the port forwarding on the ISP router is set to forward incoming traffic to UDP ports 500 and 4500 to the internal IP address of the Mikrotik.
Post also the result of /ip ipsec installed-sa print while everything is up and running, obfuscate the public IPs of course. Removal of the ephemeral keys is not necessary but they are not necessary for the analysis either (in this particular case).
Please follow the hint in my automatic signature, for the central site and one of the other ones, and confirm that the port forwarding on the ISP router is set to forward incoming traffic to UDP ports 500 and 4500 to the internal IP address of the Mikrotik.
Post also the result of /ip ipsec installed-sa print while everything is up and running, obfuscate the public IPs of course. Removal of the ephemeral keys is not necessary but they are not necessary for the analysis either (in this particular case).
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Thanks Sindy. I will post the configs a bit later.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Hi @sindy ,
here is the code for the export on the main branch :
Here is the Ipsec export on Main Branch:
Here is the export for branch 1:
branch 1 ipsec export :
Hopefully I didnt miss hiding any info. In regards to your question, in the main branch on the ISP device, we opened a range of ports from within the device, as before this it would not work. So yes, I can confirm the ip forwarding is correct.
Thanks.
here is the code for the export on the main branch :
Code: Select all
/export hide-sensitive
# may/26/2019 HIDDEN by RouterOS 6.43.12
# software id = SMRR-9LV5
#
# model = 951G-2HnD
# serial number = HIDDEN
/interface bridge
add admin-mac=HIDDEN auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="HIDDEN" disabled=no distance=indoors \
frequency=2427 mode=ap-bridge ssid="HIDDEN" wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes user=HIDDEN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2-master network=192.168.2.0
add address=192.168.1.108/24 interface=ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,HIDDEN
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
disabled=yes in-interface-list=WAN
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp
/ip firewall nat
add action=accept chain=srcnat comment="NAT Bypass 1" dst-address=192.168.0.0/24 src-address=192.168.2.0/24
add action=accept chain=srcnat comment="NAT Bypass 2" dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=HIDDEN comment="Branch 1"
add address=HIDDEN comment="Branch 2"
/ip ipsec policy
add comment="Main Branch to Branch 1" dst-address=192.168.3.0/24 sa-dst-address=HIDDEN sa-src-address=192.168.1.108 src-address=\
192.168.2.0/24 tunnel=yes
add comment="Main Branch to Branch 2" dst-address=192.168.0.0/24 sa-dst-address=HIDDEN sa-src-address=192.168.1.108 src-address=\
192.168.2.0/24 tunnel=yes
set 2 disabled=yes
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=HIDDEN
/system identity
set name=MAIN BRANCHCode: Select all
/ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0xC0C2917 src-address=HIDDEN dst-address=192.168.1.108 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="HIDDEN"
enc-key="HIDDEN" addtime=may/26/2019 17:40:28 expires-in=14m41s
add-lifetime=24m/30m current-bytes=54300 current-packets=905 replay=128
1 E spi=0x271439D src-address=192.168.1.108 dst-address=HIDDEN state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="HIDDEN"
enc-key="HIDDEN" addtime=may/26/2019 HIDDEN expires-in=14m41s
add-lifetime=24m/30m current-bytes=54300 current-packets=905 replay=128
2 E spi=0x4502DA4 src-address=HIDDEN dst-address=192.168.1.108 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="HIDDEN"
enc-key="HIDDEN" addtime=may/26/2019 17:40:32 expires-in=14m45s
add-lifetime=24m/30m current-bytes=53700 current-packets=895 replay=128
3 E spi=0x592C1B6 src-address=192.168.1.108 dst-address=HIDDEN state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="HIDDEN"
enc-key="HIDDEN" addtime=may/26/2019 17:40:32 expires-in=14m45s
add-lifetime=24m/30m current-bytes=53820 current-packets=897 replay=128Code: Select all
/export hide-sensitive
# may/26/2019 HIDDEN by RouterOS 6.43.12
# software id = LD3U-NM8Q
#
# model = 951G-2HnD
# serial number = HIDDEN
/interface bridge
add admin-mac=HIDDEN auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="HIDDEN" distance=indoors frequency=auto \
mode=ap-bridge ssid="HIDDEN" wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=HIDDEN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
/ip pool
add name=dhcp ranges=192.168.3.10-192.168.3.254
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=ether2-master list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.3.1/24 comment=defconf interface=ether2-master network=192.168.3.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=\
tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=\
tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=\
tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment="NAT Bypass BRANCH 1 TO MAIN BRANCH" dst-address=192.168.2.0/24 src-address=192.168.3.0/24
/ip ipsec peer
add address=HIDDEN comment="BRANCH 1"
/ip ipsec policy
add comment="BRANCH 1 TO MAIN BRANCH" dst-address=192.168.2.0/24 sa-dst-address=HIDDEN sa-src-address=HIDDEN src-address=192.168.3.0/24 \
tunnel=yes
set 1 disabled=yes
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=HIDDEN
/system identity
set name=HIDDEN
/system package update
set channel=long-term
Code: Select all
/ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0x271439D src-address=Hidden dst-address=Hidden
state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256
auth-key="Hidden"
enc-key="Hidden"
addtime=may/26/2019 17:40:13 expires-in=11m46s add-lifetime=24m/30m
current-bytes=64620 current-packets=1077 replay=128
1 E spi=0xC0C2917 src-address=Hidden dst-address=Hidden
state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256
auth-key="Hidden"
enc-key="Hidden"
addtime=may/26/2019 17:40:13 expires-in=11m46s add-lifetime=24m/30m
current-bytes=64620 current-packets=1077 replay=128
Thanks.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Setting nat-traversal in /ip ipsec profile on all devices to yes should solve your initial problem (and you can keep exchange-mode=main). When NAT traversal mode is activated, the IPsec stack
However, I am seriously worried about your firewall. Even if you could rely on the firewall of the ISP's box (which is questionnable), where your Mikrotiks have the public IP address directly on themselves, you still only deal with SSH and Telnet in chain=input of /ip firewall filter, but you ignore HTTP, HTTPS, and Winbox which are however not disabled in the /ip service section. The default action in /ip firewall filter is accept, so anything for what a drop rule doesn't exist is accepted.
- uses UDP to encapsulate ESP packets rather than sending them directly (which is not important in your particular scenario), and
- sends keepalive packets periodically in both directions, regardless whether any payload traffic needs to be sent or not, to keep the pinholes in firewalls and NATs on the way open.
However, I am seriously worried about your firewall. Even if you could rely on the firewall of the ISP's box (which is questionnable), where your Mikrotiks have the public IP address directly on themselves, you still only deal with SSH and Telnet in chain=input of /ip firewall filter, but you ignore HTTP, HTTPS, and Winbox which are however not disabled in the /ip service section. The default action in /ip firewall filter is accept, so anything for what a drop rule doesn't exist is accepted.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Thanks Sindy. I set the nat-traversal to yes in ip > ipsec > peer profile on all 3 devices. Seems to be working but i only recently stopped the pinging from the main branch to the branches. Let me see how it goes.
In regards to the firewall, I keep Winbox open as that is how I access the devices since they are in 3 different cities and I can't visit them quick. In regards to HTTP or HTTPS, I could block it in the firewall, but checking the logs of the devices, no one is banging on that door so to speak. I have secured the devices with strong passwords and I hope that holds. I would like to learn more about using the firewall in a Mikrotik device, but could not find any good material online (or if just learning firewalls in general is the way to go?), I dont know where to start basically.
But I get your point, that anything that does not have a drop rule, will be allowed in. At the moment, only 1 device's public IP can be accessed via a browser, so I should block HTTP/HTTPS in IP > Services on that one.
In regards to the firewall, I keep Winbox open as that is how I access the devices since they are in 3 different cities and I can't visit them quick. In regards to HTTP or HTTPS, I could block it in the firewall, but checking the logs of the devices, no one is banging on that door so to speak. I have secured the devices with strong passwords and I hope that holds. I would like to learn more about using the firewall in a Mikrotik device, but could not find any good material online (or if just learning firewalls in general is the way to go?), I dont know where to start basically.
But I get your point, that anything that does not have a drop rule, will be allowed in. At the moment, only 1 device's public IP can be accessed via a browser, so I should block HTTP/HTTPS in IP > Services on that one.
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
That's what VPNs were invented for.In regards to the firewall, I keep Winbox open as that is how I access the devices since they are in 3 different cities and I can't visit them quick.
The problem is that the job of the bad guys is much simpler than the one of the good guys. For the bad guys it is enough to find a single vulnerability, while the good guys have to patch them all. So if you look to the past year alone, you find there were vulnerabilities (now patched) which allowed the attacker to download the complete list of users and passwords from the MIkrotik without knowing a single pair of these. Other malware seems to be able to prevent Mikrotik from upgrading and only netinstall can kill it. Please note that telnet transports the username and password in plaintext, and you probably use it, as why would you otherwise spend so many firewall rules on it on the machine. So anyone anywhere on the network between you and the Mikrotik to which you connect using telnet can wiretap the communication and learn the IP address aling with the username and password. And that anyone may not be the owner of the hardware which routes your traffic. HTTP (not HTTPS!) is only so much better than that - the password authentication is ciphered but using an algorithm which a distributed multi-processing platform with tens of thousands of CPUs (read: a botnet) can break in hours or less.checking the logs of the devices, no one is banging on that door so to speak. I have secured the devices with strong passwords and I hope that holds.
If you know nothing about how the firewall works, this supercharged firewall intro and explanation of rule syntax may be useful before starting to read the official documentation which concentrates on fine details but expects the reader to understand the basic concept already.I would like to learn more about using the firewall in a Mikrotik device, but could not find any good material online (or if just learning firewalls in general is the way to go?), I dont know where to start basically.
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Re firewall, also ensure you block DNS from outside on input chain