
IPSec behind a few NATed networks

Posted: Tue Jan 21, 2014 8:15 pm
by 111111
I have a VoIP IPSec device which is behind a MikroTik home router.
Its traffic is redirected to another MikroTik router over PPTP, and again 2 more times:
device <> mt750 <pptp> mtx86 <pptp> mtx86 <pptp> mtx86 <> ipsec server
All working.

Now I have reduced it to only one PPTP tunnel
and it is not working.

At the moment:
device <> mt750 <pptp> mtx86 <> ipsec server
... 
18:25:56 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->IPSEC-SERVER:500, len 368  
18:26:09 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->IPSEC-SERVER:500, len 368  
18:26:24 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->IPSEC-SERVER:500, len 368  
18:26:30 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->IPSEC-SERVER:500, NAT (192.168.100.179:500->5.172.196.41:500)->94.143.176.176:500, len 368  
18:26:36 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->IPSEC-SERVER:500, NAT (192.168.100.179:500->5.172.196.41:500)->94.143.176.176:500, len 368  
18:26:45 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->IPSEC-SERVER:500, NAT (192.168.100.179:500->5.172.196.41:500)->94.143.176.176:500, len 368 
...
These 6 messages repeat continuously.

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 9:56 am
by redflag237
Could you please give some more information?
E.g. subnets, your IPSec config and routes are needed to answer your question.

Regards,

redflag347

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 12:01 pm
by 111111
/rb750
client 192.168.88.0/24
route to PPTP via marking
/x86
pptp 192.168.100.10-192.168.120 for local
pptp 192.168.100.130-240 for remote
LAN public IP
routing via gateway

IPSec settings: please read the first post, there are no such settings.
The NATed client is the initiator of the IPSec connection.

When I connect a PC on the rb750 I see the public IP of the x86 on http://myip.dk

Anything else?

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 1:57 pm
by redflag237
Hi,

Okay, as I understood, the situation now is:
- The public IP of your RB750 has now changed due to this direct PPTP tunnel stuff
- The IPSec server IP hasn't changed.

As usual for IPSec, there is a policy defined somewhere which tells which traffic from x to y to allow for transport.
Find it and change it to your new public IP, that's all.

Furthermore, please traceroute your IPSec server from your RB750 and double-check the right route the packets take, then also run traceroute from your IPSec server to your RB750. Ping the ends from both sides. Is the right route taken? Then please give the external and internal IP of the RB750 and IPSec server, together with your IPSec config. The mistake should be somewhere there in this case.

regards

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 2:10 pm
by 111111
Not exactly.
I'm interested to get the public IP of the x86 MikroTik: easy and done.

But you don't understand my IPSec situation:
the device behind the rb750 takes a DHCP address and checks for a connection to the IPSec server,
then initialises the connection:
step 1: send an authorisation request on :500
step 2: get authorisation
step 3: connect to :4500 and all OK

But it stops on step one or two.

The IPSec server and client are not MikroTik devices and are not accessible by me.

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 2:54 pm
by redflag237
My idea was that maybe the RB750 takes the new route, but the x86 one takes the old route. This results in different public IPs in front of NAT, which results in IPSec failing. Please check this first, whether the "old" route still exists.

Second question: is the IPSec stuff maybe somehow locked to the "old" public IP your device had behind these 3 PPTP tunnels? Or is this IPSec server just a service provider who gave you some network credentials for your IP phone?

Is the tunnel up and working correctly? Is the MTU setting the same as the old one? Is the firewall setting the same as for the old tunnel?

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 5:18 pm
by 111111
No, it's not 100% checked.
16:02:14 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, len 368 
16:02:27 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:500->ipsec-server:500, len 368 
16:02:29 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, len 368 
16:02:31 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, NAT (192.168.100.198:1->pub-ip:1)->ipsec-server:500, len 368 
16:02:38 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, NAT (192.168.100.198:1->pub-ip:1)->ipsec-server:500, len 368 
16:02:42 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:500->ipsec-server:500, len 368 
16:02:47 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, NAT (192.168.100.198:1->pub-ip:1)->ipsec-server:500, len 368 
16:02:47 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:500->ipsec-server:500, NAT (192.168.100.198:500->pub-ip:500)->ipsec-server:500, len 368 
16:02:54 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:500->ipsec-server:500, NAT (192.168.100.198:500->pub-ip:500)->ipsec-server:500, len 368 
16:02:58 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, len 368 
I'm starting to think that the hosting company blocks something.
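The log excerpts in the first post and in the post above show only outbound IKE datagrams from the phone's address to UDP 500 on the server, repeated every few seconds, and never a packet in the other direction. The parser below, added here as an example and not taken from the thread or from MikroTik, makes that visible mechanically: it groups RouterOS "firewall,info" lines by 4-tuple, counts the repeats, checks whether the reverse flow (a reply) was ever logged, whether the NAT rewrite kept the source port (plain IKE expects 500 on both sides; NAT-T on 4500 tolerates a change), and how far apart the repeats are. The sample lines are constructed in the thread's log format with placeholder addresses, and the single reply line is an assumption of how a returned packet would appear once connection tracking has reversed the NAT.

```python
"""Parse RouterOS "firewall,info" log lines and flag IKE (UDP 500/4500) flows
that only ever appear in one direction, i.e. requests that get no reply."""
import re
from collections import defaultdict

# Constructed sample, modelled on the log format quoted in the thread.
# Addresses and hostnames are placeholders; "pub-ip" stands for the WAN address.
# The last line (in:ether1 out:pptp) is an assumed reply for a healthy flow.
SAMPLE_LOG = """\
18:25:56 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->ipsec-server:500, len 368
18:26:09 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->ipsec-server:500, len 368
18:26:24 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->ipsec-server:500, len 368
18:26:30 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->ipsec-server:500, NAT (192.168.100.179:500->pub-ip:500)->ipsec-server:500, len 368
18:26:36 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.179:500->ipsec-server:500, NAT (192.168.100.179:500->pub-ip:500)->ipsec-server:500, len 368
18:27:01 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.198:1->ipsec-server:500, NAT (192.168.100.198:1->pub-ip:1)->ipsec-server:500, len 368
18:27:10 firewall,info forward: in:pptp out:ether1, proto UDP, 192.168.100.200:500->ipsec-server:500, NAT (192.168.100.200:500->pub-ip:500)->ipsec-server:500, len 368
18:27:10 firewall,info forward: in:ether1 out:pptp, proto UDP, ipsec-server:500->192.168.100.200:500, len 212
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<inif>[^,\s]+) out:(?P<outif>[^,\s]+), proto (?P<proto>\w+), "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)"
    r"(?:, NAT \((?P<nsrc>[^:\s]+):(?P<nsport>\d+)->(?P<tsrc>[^:\s]+):(?P<tsport>\d+)\)"
    r"->(?P<tdst>[^:\s]+):(?P<tdport>\d+))?"
    r", len (?P<length>\d+)$"
)

IKE_PORTS = {500, 4500}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "nsport", "tsport", "tdport", "length"):
        if d[k] is not None:
            d[k] = int(d[k])
    h, mi, s = (int(x) for x in d["time"].split(":"))
    d["secs"] = h * 3600 + mi * 60 + s  # seconds since midnight, for spacing
    return d


def analyse(log_text):
    """Group IKE packets by 4-tuple and report, per flow: packet count, whether the
    reverse 4-tuple (a reply) was ever logged, whether a NAT rewrite was logged and
    kept the source port, and the spacing between repeats (retransmission pattern)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["proto"] == "UDP" and pkt["dport"] in IKE_PORTS:
            flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt)
    report = {}
    for key, pkts in flows.items():
        src, sport, dst, dport = key
        reverse = (dst, dport, src, sport)
        nat_pkts = [p for p in pkts if p["tsport"] is not None]
        times = sorted(p["secs"] for p in pkts)
        report[key] = {
            "packets": len(pkts),
            "answered": reverse in flows,
            "natted": bool(nat_pkts),
            "sport_preserved": all(p["tsport"] == sport for p in nat_pkts),
            "gaps": [b - a for a, b in zip(times, times[1:])],
        }
    return report


def unanswered(report, min_packets=2):
    """Flows that repeated at least min_packets times and never saw a reply."""
    return sorted(k for k, v in report.items()
                  if v["packets"] >= min_packets and not v["answered"])


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for key, v in sorted(rep.items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {v}")
    print("unanswered:", unanswered(rep))
```

On the sample, the 192.168.100.179:500 flow is reported five times with gaps of 13, 15, 6 and 6 seconds and no reverse flow, which is the retransmission signature of an initiator that never hears back; the constructed 192.168.100.200 flow, which has a reply, is not flagged. Running this over the real log on the x86 router, and once more on a capture taken on its WAN side, separates "the request never left" from "the reply never came back", which is the distinction the thread is circling around.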

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 6:03 pm
by redflag237
Hi,

I really don't understand your answers. Could you write more than 3 words, please?
Write in your native language if you think it's better; I can use Google Translator.

If it behaves like the normal IPSec that I know, packets are dropped if the ISAKMP/SA cannot find any matching pair of IP addresses. This can be the very first of my answers.

Could you please verify that you
- checked the route from rb750 to x86
- checked the route from x86 to rb750
- can ping x86 from rb750
- can ping rb750 from x86
- can ping the IPSec server (maybe it will not respond)
- the MTU of the new PPTP matches the old PPTPs' MTU value
- the port-forward NAT rule is set correctly (ports 500 and 4500 UDP)
- no IPSec is enabled on the RB750 itself

Please check all points, then maybe someone is able to help you. Thank you.

Re: IPSec behind a few NATed networks

Posted: Wed Jan 22, 2014 6:44 pm
by 111111
- checked the route from rb750 to x86
Checked; traceroute goes to x86.
I'm using
/ip firewall mangle
add action=mark-routing chain=prerouting comment=L2TP disabled=no dst-address-list="!Local subnet" new-routing-mark=\
    VPN passthrough=yes src-address=192.168.100.0/24
to mark traffic from clients,
then masquerade with
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT VPN" disabled=yes out-interface=ovpn-HMA routing-mark=VPN
and to make it work I also added
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-up routing-mark=VPN scope=30 target-scope=10
- checked the route from x86 to rb750
rb750 is a VPN client of x86, no route needed;
it is also NATed via the WAN interface of x86.

- can ping x86 from rb750
Yes, but what is the point? My traffic goes into the VPN tunnel.

- can ping the IPSec server (maybe it will not respond)
Yes, it works 24/7/365 at corporate level.

- the MTU of the new PPTP matches the old PPTPs' MTU value
The newer one is even bigger, but I tested with the old values with no result.

- the port-forward NAT rule is set correctly (ports 500 and 4500 UDP)
Behind NAT/masquerade, do I have to have NAT for any port? /rhetorical question/
Even in /ip firewall filter I open these ports to be sure that they work.

- no IPSec is enabled on the RB750 itself
No, a client of the rb750 initialises the connection.
rb750 just NATs the client to the PPTP connection.

I'm still thinking that this is a firewall at the hosting company where the x86 MikroTik is hosted,
because it's impossible to send an IKE request to :500 of the IPSEC server, which can be seen on Torch,
and not receive answers.

Re: IPSec behind a few NATed networks

Posted: Sat Feb 01, 2014 5:21 pm
by 111111
I've almost found the problem: the "clear DF" option,
but how do I implement the correct rule in my case?