
[SOLVED] IPSec problem

Posted: Mon Jul 09, 2012 11:56 am
by evince
Hi all,

I have an IPsec tunnel between 2 Mikrotik RB751G. The tunnel is UP, I can ping the devices from both sites, by the way I cannot access the shared folders or the websites hosted in the remote site.

I have tested with a Sonicwall, and I have full access.

Can you help me please?

Sorry for my bad English.

Best Regards,

Vincent.

Re: IPSec problem

Posted: Mon Jul 09, 2012 12:27 pm
by antkamidiv
Hello!

1. First of all check Your policy settings. It might affect inaccessibility of resources.
2. Do You have any rules in a nat table to access your site?
3. How do You access shared folders? For example, if You are trying to open it through the Windows networking environment You should create specific rules in a firewall for port 445.

Re: IPSec problem

Posted: Mon Jul 09, 2012 1:08 pm
by evince
Dear,

Thank you for your reply.

Here is my NAT rule: 0 chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24.

Do I have to create: 2 chain=input action=accept protocol=tcp src-address=192.168.88.0/24 dst-port=445 ?

Thank you in advance.

Re: IPSec problem

Posted: Mon Jul 09, 2012 4:06 pm
by antkamidiv
Ok. It will be easier if you describe an entire scheme of Your networks on both sites: LAN addresses, IPSec addresses and etc.

Re: IPSec problem

Posted: Mon Jul 09, 2012 4:28 pm
by evince
Here you are :

Site 1 :

LAN : 10.5.0.0/24
ETH2 : 10.5.0.254/24
VLAN15 : 10.15.0.0/24
# jul/09/2012 15:25:07 by RouterOS 5.18
# software id = 9V5C-CE34
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="to lu" pfs-group=modp1024
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=****** \
    send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal="to lu" protocol=all sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=10.0.0.0/8 \
    src-port=any tunnel=yes
add action=encrypt disabled=yes dst-address=10.10.10.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal=default protocol=all sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=10.5.0.0/24 \
    src-port=any tunnel=yes
Site 2 :

LAN : 192.168.88.0/24
ETH2 : 192.168.88.1/24
# jan/05/1970 04:41:13 by RouterOS 5.18
# software id = 3EFE-FKCD
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=\
    "to vince" pfs-group=modp1024
/ip ipsec peer
add address=yyy.yyy.yyy.yyy/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
    md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 \
    proposal-check=obey secret=****** send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=yes dst-address=10.0.0.0/8 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal="to vince" \
    protocol=all sa-dst-address=yyy.yyy.yyy.yyy sa-src-address=21xxx.xxx.xxx.xxx \
    src-address=192.168.88.0/24 src-port=any tunnel=yes
Thank you for your help

Re: IPSec problem

Posted: Mon Jul 09, 2012 5:08 pm
by antkamidiv
Well, all settings are correct. PCs are accessible by IP. How do You try to access shared folders?

Re: IPSec problem

Posted: Mon Jul 09, 2012 5:33 pm
by evince
I try with \\10.5.0.11 and via http://10.5.0.11/mywebsite.

Thank you :)

Re: IPSec problem

Posted: Mon Jul 09, 2012 5:49 pm
by antkamidiv
Do You have such rules?
Site 1: 0 chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24.
Site 2: 0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.0.0/8.

Re: IPSec problem

Posted: Mon Jul 09, 2012 5:52 pm
by antkamidiv
Oh, this is a stupid question. Of course, You do have these rules.

I don't understand. You can ping 10.5.0.11?

The only suggestion is that firewall filter rules block port 445. Enable this port on both sites.

Re: IPSec problem

Posted: Mon Jul 09, 2012 6:07 pm
by evince
Yes, I can ping my entire network, the only problem is shared folder and http access to my NAS (both of them)

It should be a problem in SITE 2 because when I plug in a Sonicwall I do not have any problem.

Re: IPSec problem

Posted: Mon Jul 09, 2012 6:15 pm
by evince
I just made a test. I tried to connect to my remote website, the page can display, by the way the pictures are not shown and I do not have any error message.

Strange...

Re: IPSec problem

Posted: Mon Jul 09, 2012 6:21 pm
by andriys
I just made a test. I tried to connect to my remote website, the page can display, by the way the pictures are not shown and I do not have any error message.

Strange...
Sounds like a possible PMTUD problem. Do you happen to block any of the ICMP messages?

Re: IPSec problem

Posted: Mon Jul 09, 2012 6:25 pm
by evince
I don't know yet what PMTUD is but I don't block anything at the moment :(

Re: IPSec problem

Posted: Tue Jul 10, 2012 2:43 am
by jandafields
Maybe your ISP is blocking 445 or other file-sharing ports.

Maybe the Sonicwall is using IPsec over L2TP so it works because it doesn't use those ports, while you are using straight IPsec (not over L2TP) which will require those 445/file-sharing ports...

Re: IPSec problem

Posted: Tue Jul 10, 2012 9:29 am
by evince
Thank you for your reply. My ISP does not block port 445 as I work for my ISP :)

What is strange is that I cannot display the pictures of my remote website.

Thank you all for your help, I'm lost :(

Re: IPSec problem

Posted: Wed Jul 11, 2012 5:31 pm
by evince
Sounds like a possible PMTUD problem. Do you happen to block any of the ICMP messages?
Problem solved, I have reduced the MTU :)

Thank you very much.
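Added example, not from the thread or from MikroTik: the Python below models ESP tunnel-mode overhead for the proposal posted above (3DES-CBC with HMAC-MD5-96, tunnel=yes, no NAT traversal) to show why an 84-byte ping crosses a 1500-byte path while a full-size 1500-byte packet does not, and which inner MTU and TCP MSS actually fit; it also covers the NAT-T (UDP encapsulation) variant. The helper names, the 1500-byte path MTU and the packet sizes are assumptions.

```python
"""ESP tunnel-mode overhead and the inner MTU / TCP MSS it leaves.

Encapsulation sizes follow RFC 4303 (ESP), RFC 2451 (3DES-CBC, 8-byte IV)
and RFC 2403 (HMAC-MD5-96, 12-byte ICV). Minimum padding is assumed.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
UDP_ENCAP = 8        # extra UDP header when NAT-T (RFC 3948) is in use


@dataclass(frozen=True)
class EspParams:
    block_size: int      # cipher block size: 3DES-CBC 8, AES-CBC 16
    iv_len: int          # IV length: 3DES-CBC 8, AES-CBC 16
    icv_len: int         # truncated ICV: HMAC-MD5-96 / HMAC-SHA1-96 -> 12
    nat_t: bool = False  # UDP-encapsulated ESP (the thread has nat-traversal=no)


# The thread's proposal: enc-algorithms=3des, auth-algorithms=md5, tunnel=yes.
ESP_3DES_MD5 = EspParams(block_size=8, iv_len=8, icv_len=12)


def esp_tunnel_packet_size(inner_len: int, p: EspParams) -> int:
    """Outer IPv4 packet length after tunnel-mode ESP wraps an inner IP packet."""
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % p.block_size           # pad ciphertext to a block boundary
    esp = ESP_HDR + p.iv_len + payload + pad + p.icv_len
    return IPV4_HDR + (UDP_ENCAP if p.nat_t else 0) + esp


def fits_path(inner_len: int, path_mtu: int, p: EspParams) -> bool:
    """True if the encapsulated packet needs no fragmentation on the outer path.
    A DF-marked packet that does not fit is what should trigger ICMP type 3
    code 4 back to the sender; if that ICMP is filtered, PMTUD silently fails
    and only small packets (pings) get through, which is the symptom above."""
    return esp_tunnel_packet_size(inner_len, p) <= path_mtu


def max_inner_mtu(path_mtu: int, p: EspParams) -> int:
    """Largest inner packet whose ESP form still fits path_mtu (what to set as MTU)."""
    size = path_mtu
    while not fits_path(size, path_mtu, p):   # size is monotonic, so step down
        size -= 1
    return size


def tcp_mss_for(path_mtu: int, p: EspParams) -> int:
    """TCP MSS to clamp to so that full segments never exceed the outer MTU."""
    return max_inner_mtu(path_mtu, p) - IPV4_HDR - TCP_HDR
```

With a 1500-byte outer path, a 1500-byte inner packet grows to 1552 bytes, so the tunnel's working inner MTU is 1446 (TCP MSS 1406); the default 84-byte ping becomes 136 bytes and is never affected.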