atlanticd
newbie
Topic Author
Posts: 30
Joined: Thu Jun 11, 2015 6:42 pm

L2TP/IPsec policy autogeneration when both roadwarrior client and RouterOS device behind NAT issue

Thu Jun 11, 2015 7:00 pm

Hi,

There is a RouterOS device (RB433AH) behind a cable modem, with the L2TP/IPsec configuration as seen in the picture below. The peer is configured with NAT traversal, and generate-policy is configured. The issue is that when the roadwarrior client is behind a NAT device, an IPsec policy from the RouterOS device's private address as source to the roadwarrior client's NAT device's public IP address as destination (outgoing direction) must be added manually; only one dynamic policy is generated, for the roadwarrior client's NAT device's public IP address -> cable modem's public address traffic (incoming direction).

Is this a bug? Why is the outgoing direction's policy not getting generated?

http://forum.mikrotik.com/download/file ... w&id=20823

RouterOS: 6.29.1

[admin@MikroTik] > ip ipsec peer print 
Flags: X - disabled, D - dynamic 
 0    address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 
      auth-method=pre-shared-key secret="123" generate-policy=port-strict 
      policy-template-group=default exchange-mode=main-l2tp 
      send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 
      enc-algorithm=3des,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m 
      dpd-maximum-failures=5 
Note: nat-traversal=yes, generate-policy=port-strict
[admin@MikroTik] > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all 
       proposal=default template=yes 

Note: initially only the default policy is there


After the first try, without manually adding the policy, only 1 dynamic policy is added by RouterOS:
[admin@MikroTik] > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all 
       proposal=default template=yes 

 1  D  src-address=20.20.20.20/32 src-port=23201 dst-address=30.30.30.30/32 
       dst-port=1701 protocol=udp action=encrypt level=require 
       ipsec-protocols=esp tunnel=no sa-src-address=20.20.20.20 
       sa-dst-address=30.30.30.30 priority=2
Then, I add the policy manually:

/ip ipsec policy add dst-address=20.20.20.20/32 protocol=udp sa-dst-address=20.20.20.20 sa-src-address=192.168.0.253 src-address=192.168.0.253/32

After retry, the VPN is established between the client and the RouterOS device.
[admin@MikroTik] > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all 
       proposal=default template=yes 

 1     src-address=192.168.0.253/32 src-port=any dst-address=20.20.20.20/32 
       dst-port=any protocol=udp action=encrypt level=require 
       ipsec-protocols=esp tunnel=no sa-src-address=192.168.0.253 
       sa-dst-address=20.20.20.20 proposal=default priority=0 

 2  D  src-address=20.20.20.20/32 src-port=23201 dst-address=30.30.30.30/32 
       dst-port=1701 protocol=udp action=encrypt level=require 
       ipsec-protocols=esp tunnel=no sa-src-address=20.20.20.20 
       sa-dst-address=30.30.30.30 priority=2 


Please note: I changed the public IP addresses to dummy ones.

Any ideas are welcome.

Thank you.

Gabor
 
atlanticd
newbie
Topic Author
Posts: 30
Joined: Thu Jun 11, 2015 6:42 pm

[SOLVED] Re: L2TP/IPsec policy autogeneration when both roadwarrior client and RouterOS device behind NAT issue

Fri Jun 12, 2015 3:52 pm

I could solve it. It was necessary to create a policy group 'RW' and add the following two policy templates to that group, in addition to the default one.
[admin@MikroTik] > ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1 T   group=RW src-address=192.168.0.253/32 dst-address=0.0.0.0/0 protocol=udp proposal=default template=yes 

 2 T   group=RW src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=udp proposal=default template=yes 
Also, in the peer I assigned the RW group to that peer's policy-template-group.


After that, a dynamic policy came up for the incoming traffic, and for outgoing traffic policies nr. 1-2 were matched. So now everything works as expected, and MikroTik is able to provide L2TP/IPsec VPN also in the scenario where both client and server are behind NAT.
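As an added example (not the poster's exported configuration), the policy group, the two templates and the peer change described in the solved post, written out as RouterOS CLI commands; it assumes the peer is entry 0 as in the print output above and that 192.168.0.253 is the router's private address.

```routeros
# Added example reconstructing the solved configuration; not the poster's
# own export. Assumes peer number 0 and router private address 192.168.0.253.

# 1. Create the policy group that holds the road-warrior templates
/ip ipsec policy group add name=RW

# 2. Template for the direction that generate-policy=port-strict did not
#    cover: router private address -> any client address, UDP only
/ip ipsec policy add group=RW template=yes src-address=192.168.0.253/32 \
    dst-address=0.0.0.0/0 protocol=udp proposal=default

# 3. Catch-all UDP template (any -> any) for the remaining traffic
/ip ipsec policy add group=RW template=yes src-address=0.0.0.0/0 \
    dst-address=0.0.0.0/0 protocol=udp proposal=default

# 4. Point the road-warrior peer at the new group instead of 'default',
#    keeping NAT traversal and port-strict policy generation
/ip ipsec peer set 0 policy-template-group=RW nat-traversal=yes \
    generate-policy=port-strict

# 5. Verify after a client connects: the T-flagged entries are the templates,
#    the D-flagged entry is the dynamic policy, and no static policy from
#    192.168.0.253/32 to the client's public address should be needed
/ip ipsec policy print
/ip ipsec installed-sa print
```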
 
atatdotdot
just joined
Posts: 4
Joined: Tue Apr 13, 2010 6:50 pm

Re: L2TP/IPsec policy autogeneration when both roadwarrior client and RouterOS device behind NAT issue

Mon Sep 18, 2017 12:17 pm

Gabor,

I am trying to get this exact same thing to work, but the policy template with the private source address on the server doesn't appear to be overriding the public one, and the policy is still being generated with the public address as the src.

Would you mind sharing your whole configs for both ends, please? Thank you so much.

A