IPsec tunnel doesn't come up
Posted: Fri May 29, 2015 2:39 am
by TLN
Hi.
I'm new to Mikrotik and using it for a couple of weeks.
I got two sites, using the 951G model. Both Mikrotiks are behind NAT, but I can manage both sides. The scheme is:
Mikrotik A--- Router A ===INTERNET===Router B--- Mikrotik B
NAT HERE NAT HERE
I'm using port forwarding on one router and implemented an IPsec site-to-site tunnel. It works fine, but if I reboot remote router B it doesn't come up.
Routers use dynamic public IPs, and I can overcome this with scripting and dyndns.
And interestingly, I didn't find a solution to this other than resetting the routers. I don't have an extensive configuration and it's easy to get everything back, but it's quite annoying.
So:
1. Clear mikrotiks.
2. Set up IPSec - works great. (not really satisfied with speed, but anyways)
3. Reboot Router B.
4. Correct ipsec peer and ipsec policy data accordingly.
5. Doesn't work.
6. Reset, set up from scratch - works fine.
What might be a problem and how do I solve it?
Re: IPsec tunnel doesn't come up
Posted: Sat May 30, 2015 12:51 am
by TLN
Anyone??
One side:
[admin@Mikrotik] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=aa.aa.aa.187/32 local-address=0.0.0.0 passive=no port=501 auth-method=pre-shared-key
secret="xxxxxxxxxx" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@Mikrotik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=aa.aa.aa.187
proposal=default priority=0
[admin@Mikrotik] > ip ipsec remote-peers print
0 local-address=10.0.0.2 remote-address=aa.aa.aa.187 port=501 state=established side=initiator established=5m33s
Other side:
[admin@Mikrotik] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=bb.bb.bb.107/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="xxxxxxxxx" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@Mikrotik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=bb.bb.bb.107
proposal=default priority=0
[admin@Mikrotik] > ip ipsec remote-peers print
0 local-address=192.168.1.22 remote-address=bb.bb.bb.107 port=3 state=established side=responder established=7m52s
Firewall on one side:
ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add chain=input comment="default configuration = changed" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=\
ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
The strangest thing is that it works if I set it up from an empty config. Traffic goes fine until one side gets a new public IP. After I change (manually or with a script) the peer IP it doesn't come up. The IPsec peer is there, ipsec installed-sa shows the connection is established, but I cannot ping the other network.
Re: IPsec tunnel doesn't come up
Posted: Sat May 30, 2015 3:46 am
by mocando
TLN,
Try with
dpd-interval= disable DPD
dpd-maximum-failures=1
In both sides...
Re: IPsec tunnel doesn't come up
Posted: Sat May 30, 2015 4:48 am
by TLN
I've tried this before and it didn't work. And I've tried this right now - does not work.
As I understand it, it forms IPsec successfully, but traffic doesn't go through it:
ip ipsec remote-peers print shows the remote peer, state established.
ip ipsec installed-sa shows it correct on both sides.
Does ipsec use some ports besides 500?
It feels like something with NAT on one side. I might put the Mikrotik as DMZ on one of the routers and see if it helps.
Here's statistics from one side:
ip ipsec statistics print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 0
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 5578
out-state-protocol-errors: 120
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 120
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0
What do out-no-states and out-state-protocol-errors mean?
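As an added example (not from the thread or from MikroTik), a small Python checker for the two situations discussed here: it parses the `peer print` / `policy print` lines pasted in the earlier post and cross-checks the two sides (peer address vs. policy sa-dst-address, nat-traversal while behind NAT, IKE port, mirrored subnets), and it names the non-zero counters from the `ip ipsec statistics print` output above. The sample lines are constructed from those listings; the counter meanings follow the Linux xfrm counters that RouterOS exposes.

```python
import re

# Constructed samples, abbreviated from the "ip ipsec peer print" / "policy print" listings
# of both sides and from the "ip ipsec statistics print" output posted in the thread.
SIDE_A_PEER = 'address=aa.aa.aa.187/32 local-address=0.0.0.0 port=501 auth-method=pre-shared-key secret="xxxxxxxxxx" nat-traversal=no'
SIDE_A_POLICY = 'src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=encrypt tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=aa.aa.aa.187'
SIDE_B_PEER = 'address=bb.bb.bb.107/32 local-address=0.0.0.0 port=500 auth-method=pre-shared-key secret="xxxxxxxxx" nat-traversal=no'
SIDE_B_POLICY = 'src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=encrypt tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=bb.bb.bb.107'
STATS = "in-no-states: 0\nin-no-policies: 0\nout-no-states: 5578\nout-state-protocol-errors: 120\nout-state-expired: 120\n"

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# What the counters asked about mean (RouterOS reports the Linux xfrm counters).
STAT_MEANING = {
    "out-no-states": "outbound packets matched an encrypt policy but no SA existed to protect them",
    "out-state-protocol-errors": "outbound packets hit an SA whose ESP transform processing failed",
    "out-state-expired": "outbound packets hit an SA whose lifetime had already expired",
    "in-no-states": "inbound ESP packets for which no SA with that SPI was installed",
    "in-no-policies": "inbound decrypted packets that matched no policy",
}

def parse_kv(line):
    """Parse one RouterOS 'print' line of key=value pairs into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def check_pair(peer_a, pol_a, peer_b, pol_b, behind_nat=True):
    """Cross-check a site-to-site pair; returns a list of findings (empty = consistent)."""
    findings = []
    for side, peer, pol in (("A", peer_a, pol_a), ("B", peer_b, pol_b)):
        # After a dynamic IP change, peer address and policy sa-dst-address must be updated
        # together; otherwise outbound traffic matches the policy but has no SA (out-no-states).
        if peer["address"].split("/")[0] != pol["sa-dst-address"]:
            findings.append(f"{side}: sa-dst-address {pol['sa-dst-address']} != peer {peer['address']}")
        if behind_nat and peer.get("nat-traversal", "no") != "yes":
            findings.append(f"{side}: nat-traversal=no although the endpoint is behind NAT (needs UDP/4500)")
    if peer_a.get("port", "500") != peer_b.get("port", "500"):
        findings.append(f"IKE ports differ (A->B {peer_a['port']}, B->A {peer_b['port']}); only valid with a matching port forward")
    if (pol_a["src-address"], pol_a["dst-address"]) != (pol_b["dst-address"], pol_b["src-address"]):
        findings.append("policies are not mirror images of each other")
    return findings

def triage_stats(text):
    """Return {counter: meaning} for every known counter that is non-zero."""
    out = {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip() in STAT_MEANING and int(value) > 0:
            out[name.strip()] = STAT_MEANING[name.strip()]
    return out
```

Run `check_pair(parse_kv(SIDE_A_PEER), parse_kv(SIDE_A_POLICY), parse_kv(SIDE_B_PEER), parse_kv(SIDE_B_POLICY))` against your own pasted lines; a clean result together with a rising out-no-states counter points at the SA itself rather than at the policy configuration.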
Re: IPsec tunnel doesn't come up
Posted: Sun May 31, 2015 9:41 pm
by TLN
Anyone?
Re: IPsec tunnel doesn't come up
Posted: Mon Jun 01, 2015 8:45 am
by kburzyns
At the very beginning you should enable NAT Traversal. It uses UDP port 4500.
Re: IPsec tunnel doesn't come up
Posted: Mon Jun 01, 2015 8:51 pm
by TLN
Why do I need this?
I mean if it does work without NAT-T option in the beginning.
And I got port forwarding set on router.
Re: IPsec tunnel doesn't come up
Posted: Wed Jun 03, 2015 6:55 am
by mocando
TLN,
Did you solve the issue?
Re: IPsec tunnel doesn't come up
Posted: Thu Jun 04, 2015 1:31 am
by TLN
Nope.
I have reset the remote side router, then forwarded port 4500 to the Mikrotik.
A strange thing happens: after I do "ip ipsec remote-peers kill-connection" on both sides it establishes the connection very fast (1-5 sec and a bit more for the SA to show up), but traffic doesn't work. I checked it in an hour - everything works. But it works only until the remote side gets a new IP within 24hr.
I'm thinking of setting up DMZ on my side and pointing it to the Mikrotik. I'd prefer to forward only some ports, but the Comcast router doesn't allow me to do that.
Re: IPsec tunnel doesn't come up
Posted: Fri Jun 05, 2015 3:21 am
by TLN
Ok, I have set DMZ on one router to point to the Mikrotik and reset both routers once more.
Now it works fine, but I guess it will fail in 24hrs.
Here is what I did to make it work:
[admin@BBBBBBBBBb] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=aa.aa.aa.107/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="aaaaaaaaaaaaa" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@BBBBBBBBBb] > ip ipsec
installed-sa key mode-config peer policy proposal remote-peers statistics user export
[admin@BBBBBBBBBb] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=aa.aa.aa.107
proposal=default priority=0
[admin@BBBBBBBBBb] > ip firewall na print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
[admin@BBBBBBBBBb] >
Another side:
[admin@AAAAAAAAAA] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=BB.BB.BB.81/32 local-address=0.0.0.0 passive=no port=501 auth-method=pre-shared-key
secret="aaaaaaaa" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@AAAAAAAAAA] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=BB.BB.BB.81
proposal=default priority=0
[admin@AAAAAAAAAA] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
[admin@AAAAAAAAAA] >
Should be pretty much the same, as I posted earlier. And now with that config it works.
What logs do I need to enable to get needed info before it fails?
Re: IPsec tunnel doesn't come up
Posted: Wed Jun 10, 2015 5:11 am
by TLN
Looks like my IPsec tunnel and scripts work. It's been up for 5 days, and one side definitely had several dynamic IPs during that time.
I've just put the Mikrotik as DMZ and it was ok.
PM me if anyone has questions.