microkoz
just joined
Topic Author
Posts: 4
Joined: Sat Jul 18, 2015 2:35 am

IPSEC phases 1 and 2 successful, but no traffic is forwarded

Sat Jul 18, 2015 2:48 am

Comrades,

I'm running an RB-1200 with version 6.30 and attempting to selectively forward traffic using IPSEC to a cloud service (Zscaler). My IKE negotiation is successful and a tunnel is created when I hit the policy. However, no traffic is ever forwarded.

The client is an RFC-1918 subnet behind an IP masquerade. Ideally, I want to forward all internet-bound traffic from the selected hosts over IPSEC (to Zscaler), but I can't even get very specific policies to forward correctly. The router simply NATs the traffic and sends it through the internet link as if the IPSEC configuration was not there, although it does not establish the Phase 2 connection until it sees traffic that matches the policy (which in the below case is just a specific web site I'm using for testing).

What am I doing wrong?


[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic
0 ;;; Unsafe configuration, suggestion to use certificates address=199.168.151.112/32 local-address=x.x.x.x passive=no port=500 auth-method=pre-shared-key secret="mysecret" generate-policy=no
policy-template-group=default exchange-mode=aggressive send-initial-contact=yes nat-traversal=yes my-id=user-fqdn:gozer@zuul.com
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=5s dpd-maximum-failures=5
[admin@MikroTik] /ip ipsec peer> .. policy
[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 src-address=192.168.1.0/24 src-port=any dst-address=162.144.87.85/32 dst-port=80 protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=x.x.x.x sa-dst-address=199.168.151.112 proposal=zscaler priority=300

1 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
[admin@MikroTik] /ip ipsec policy> .. proposal
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

1 name="zscaler" auth-algorithms=md5,sha1,sha256,sha512,null enc-algorithms=null lifetime=4h pfs-group=modp1024
[admin@MikroTik] /ip ipsec proposal> .. policy print stats
0 ph2-state=established

1

[admin@MikroTik] /ip ipsec proposal> .. installed-sa print
Flags: A - AH, E - ESP
0 E spi=0xDFFA18E src-address=199.168.151.112 dst-address=x.x.x.x state=mature auth-algorithm=md5 enc-algorithm=null
auth-key="1facfb6128b08a7371f583ba3acd6529" enc-key="" add-lifetime=3h12m/4h replay=128

1 E spi=0x8BB4521 src-address=x.x.x.x dst-address=199.168.151.112 state=mature auth-algorithm=md5 enc-algorithm=null
auth-key="532a766b5cae9e391c2ccac6cac536cb" enc-key="" add-lifetime=3h12m/4h replay=128
[admin@MikroTik] /ip ipsec proposal>
[admin@MikroTik] /ip ipsec proposal> .. remote-peers print
0 local-address=x.x.x.x remote-address=199.168.151.112 state=established side=initiator established=6h3m32s
[admin@MikroTik] /ip ipsec proposal>
 
StubArea51
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: IPSEC phases 1 and 2 successful, but no traffic is forwarded

Mon Jul 20, 2015 7:59 pm

Sounds like you might need a NAT bypass to prevent the source and destination traffic from hitting your Internet NAT. It's just a rule in NAT that accepts rather than masquerades traffic based on the criteria you set to match. Once the source/destination are excluded from NAT, it will hit the IPSEC rules properly.


Example here:

http://wiki.mikrotik.com/wiki/Manual:IP ... NAT_Bypass
 
microkoz
just joined
Topic Author
Posts: 4
Joined: Sat Jul 18, 2015 2:35 am

Re: IPSEC phases 1 and 2 successful, but no traffic is forwarded

Thu Jul 23, 2015 3:36 am

I have tried that. It causes the NAT to be bypassed, but it still does not cause the flow to go via the tunnel.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=162.144.87.0/24 log=no log-prefix=""

2 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=internet log=no log-prefix=""
 
Nova
newbie
Posts: 25
Joined: Mon Aug 04, 2014 3:44 pm
Location: Spain // Germany

Re: IPSEC phases 1 and 2 successful, but no traffic is forwarded

Tue Jul 28, 2015 2:07 pm

Did you add the firewall rules in the filter?
filter:
add chain=input action=accept protocol=ipsec-esp
add chain=input action=accept protocol=udp in-interface=(WAN Interface) dst-port=500

add chain=forward action=accept src-address=(Local LAN) dst-address=(Remote LAN)
add chain=forward action=accept src-address=(Remote LAN) dst-address=(Local LAN)
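Putting StubArea51's NAT bypass and Nova's filter rules together against the addresses from the original post, as an added example that is not from anyone in the thread. Assumptions: the WAN interface is named "internet" (as in the OP's NAT print), the peer is 199.168.151.112, the selected host is 192.168.1.102, and the ipsec-policy firewall matcher is available in your RouterOS build (it is in the v6 firewall manual, but check `/ip firewall nat add ?` on your version before relying on it).

```routeros
# Added example, not from the thread. Assumed values: WAN interface "internet",
# IPsec peer 199.168.151.112, selected LAN host 192.168.1.102 (policy dst 0.0.0.0/0).

# 1. NAT bypass. Order matters: masquerade rewrites the source address before the
#    IPsec policy is evaluated, so an accept rule must sit ABOVE the masquerade rule
#    (place-before=0). With a dst of 0.0.0.0/0 the bypass has to be keyed on the
#    source host only, which is the intent: all of that host's traffic goes via the tunnel.
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.1.102/32 \
    comment="IPsec bypass: keep original source so the policy matches"
# On builds that have the ipsec-policy matcher, this narrower form only exempts
# traffic that actually has a matching outbound IPsec policy:
# add chain=srcnat action=accept place-before=0 ipsec-policy=out,ipsec \
#     comment="IPsec bypass (policy-matched)"
add chain=srcnat action=masquerade out-interface=internet

# 2. Filter. Let IKE (UDP/500) and NAT-T (UDP/4500, since nat-traversal=yes) and ESP
#    reach the router from the peer only, and let the selected host's traffic be forwarded.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=199.168.151.112 in-interface=internet comment="IKE / NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp \
    src-address=199.168.151.112 in-interface=internet comment="ESP from peer"
add chain=forward action=accept src-address=192.168.1.102/32 comment="host -> tunnel"
add chain=forward action=accept dst-address=192.168.1.102/32 \
    ipsec-policy=in,ipsec comment="tunnel -> host (decrypted replies only)"

# 3. Checks: the bypass rule's counters should climb for that host while the
#    masquerade rule's do not, and the intended policy should show ph2-state=established.
/ip firewall nat print stats
/ip ipsec policy print stats
/ip ipsec installed-sa print
```

If the masquerade counters still rise for the host, the accept rule is below the masquerade rule or its match is narrower than the policy's selector; fix the order with `move` rather than adding a second rule.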
 
bommi
Frequent Visitor
Posts: 51
Joined: Fri Jan 24, 2014 9:13 am
Location: Germany

Re: IPSEC phases 1 and 2 successful, but no traffic is forwarded

Tue Jul 28, 2015 4:33 pm

Try to get useful logs by enabling ipsec logging:

/system logging add topics=ipsec
 
microkoz
just joined
Topic Author
Posts: 4
Joined: Sat Jul 18, 2015 2:35 am

Re: IPSEC phases 1 and 2 successful, but no traffic is forwarded

Tue Aug 11, 2015 5:59 am

Bizarrely, this started working suddenly two weeks after I initially set it up. I didn't change anything.

Making things even stranger, the policy "0" below was enabled, and it is what started working, without any changes, after not working for two weeks. I wanted to swap to policy "1", which is the actual policy I want to be effective, so I disabled policy "0" and enabled policy "1".

But no matter what I do, policy "0" remains in effect, and policy "1" does not work -- even after multiple reboots of the router!


[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 X src-address=192.168.1.0/24 src-port=any dst-address=162.144.87.85/32 dst-port=80 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=a.b.c.d sa-dst-address=e.f.g.h proposal=zscaler priority=300

1 src-address=192.168.1.102/32 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=a.b.c.d
sa-dst-address=e.f.g.h proposal=zscaler priority=500
 
microkoz
just joined
Topic Author
Posts: 4
Joined: Sat Jul 18, 2015 2:35 am

Re: IPSEC phases 1 and 2 successful, but no traffic is forwarded

Tue Aug 11, 2015 2:23 pm

I have now even deleted the policy that started randomly working altogether, to replace it with the other policy (to forward all ports, all protocols to my IPSEC peer). I've also upgraded to 6.30.2.

Same situation: somehow artifacts from the old policy remain in the system and it continues to work, but the only remaining policy, which should actually be effective, is ignored.

I enabled IPSEC logging, but all that's telling me is when my phase I and II complete and when the heartbeat is sent and received. Those work fine, so IPSEC logging is not helpful in solving this problem.
