IPSEC road warrior config help
RouterOS general discussion

9 posts   •   Page 1 of 1
synthmeme
just joined
 
Posts: 5
Joined: Thu Mar 08, 2007 8:59 am

IPSEC road warrior config help

by synthmeme » Thu Apr 05, 2007 8:47 pm

How are people managing mobile/road warrior IPSEC inbound connections to RouterOS? I have a few users who need access to their local networks via IPSEC to which they'll be connecting from laptops anywhere, generally NAT'd behind something.

So, scenario would look something like this:


client (192.168.1.50) -> NAT gateway -> public Internet -> (fixed or dynamic IP) Mikrotik Router -> NAT'd local network (192.168.2.0/24)

NOTE that the client's IP will be dynamic, hence the road warrior label.

Clients would be a mix of Macs and linux clients capable of doing NAT-T.

Can RouterOS be configured for unique PSKs for each remote user?

Any config examples would be great - the wiki doesn't cover this.

Thanks.

andrewluck
Forum Veteran
 
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

by andrewluck » Mon Apr 09, 2007 9:47 pm

RouterOS 2.9 does not handle NAT-T.

Otherwise, for dynamic IP clients use 'generate-policy'=yes in /ip policy peer.

Regards

Andrew

megajuras
just joined
 
Posts: 14
Joined: Fri Jan 13, 2012 9:42 am

Re: IPSEC road warrior config help

by megajuras » Fri Feb 17, 2012 3:39 pm

How about now, in version 5.13?

I'm interested to do a roadwarrior to my LAN.
What I wanted to do (a requirement from my customers; as said, they are already using it for many different locations) is to use a software client (preferably the GreenBow VPN client).

The LAN is 192.168.0.0/24 and I wanted one of the LAN's IPs to be used for the connected PC (i.e. 192.168.0.222).

I configured IPSEC on MT and GB client and the tunnel is establishing very well.

I can ping the LAN gateway IP. I can ping .222 from MT using the local (internal) interface.
One of the problems is that when I try to ping one of the internal PCs (let's say it's 192.168.0.100), the PC does not know the MAC of .222, and enabling proxy-arp on the interface is not working. PC .100 is sending ARP requests but no one is answering.

Please advise.

megajuras
just joined
 
Posts: 14
Joined: Fri Jan 13, 2012 9:42 am

Re: IPSEC road warrior config help

by megajuras » Wed Feb 22, 2012 4:16 pm

To make the question simple:

How do I make MT answer ARP requests about .222 (the warrior) on the LAN?
(When I add a static ARP entry on the PC, everything starts working, but that is a bad solution.)

Enabling proxy-arp is not enough.

Please...

rjickity
Member Candidate
 
Posts: 190
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: IPSEC road warrior config help

by rjickity » Wed Feb 22, 2012 4:28 pm

Could you post your config? I've not had any success with road warrior IPsec on MT either.

megajuras
just joined
 
Posts: 14
Joined: Fri Jan 13, 2012 9:42 am

Re: IPSEC road warrior config help

by megajuras » Fri Mar 02, 2012 12:57 am

My config is almost default:

In IP -> IPsec -> Peers:
Address: 0.0.0.0/0
Port: 500
Auth: PSK
ExchangeMode: Main
Send ini. contact: yes
NAT-T: yes
My ID User FQDN: <empty>
Proposal Check: obey
Hash: sha
Enc.: 3des
DH: modp2048
GeneratePolicy: yes

If your warrior's "local" IP is, for example, 1.1.1.1, you need to add an exception for masquerading: before the masquerading rule in Firewall -> NAT, place a rule that says "if src IP = your LAN and dst IP = 1.1.1.1 then action: ACCEPT" (do nothing, i.e. do not masquerade it).

And that's it on MT side. On your VPN client app you need to set the same things...

I didn't play with different Peer configuration because I'm waiting for some answer on my question from previous posts.
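The same setup as a RouterOS 5.x terminal script, added here as an illustration and not taken from megajuras's router or from the MikroTik documentation. The PSK, the WAN interface name (ether1), the LAN range 192.168.0.0/24 and the client address 1.1.1.1 are assumptions matching the values discussed in the thread. Two points the GUI list above does not make explicit: the phase-2 algorithms live in the IPsec proposal, not the peer, and the srcnat accept rule must sit above the masquerade rule (place-before=0 puts it at the top of the chain), otherwise LAN replies to the client are NATed and never match the generated policy.

```routeros
# --- Phase 1: accept any roaming peer with a single shared PSK ---
# address=0.0.0.0/0 plus main mode means every road warrior shares this one
# secret; per-user PSKs are not possible with this peer definition.
/ip ipsec peer
add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" exchange-mode=main \
    send-initial-contact=yes nat-traversal=yes proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp2048 \
    generate-policy=yes

# --- Phase 2: algorithms the generated policy will use ---
# 3DES/SHA1 only because the client in the thread was configured that way;
# both are legacy and should be replaced by AES where the client supports it.
/ip ipsec proposal
set default enc-algorithms=3des auth-algorithms=sha1 pfs-group=modp1024

# --- NAT: keep LAN -> client traffic out of masquerade ---
# The accept rule is inserted at position 0 so it is evaluated before
# the masquerade rule that follows it.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=1.1.1.1 \
    action=accept comment="bypass NAT for road warrior" place-before=0
add chain=srcnat out-interface=ether1 action=masquerade

# --- Firewall input: IKE, NAT-T and ESP from the Internet ---
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
```

Check the result with `/ip ipsec remote-peers print` (the client should appear as established) and `/ip ipsec policy print` (a dynamic policy for 192.168.0.0/24 <-> 1.1.1.1 appears only while the SA is up). If the client is itself behind NAT, `/ip ipsec installed-sa print` will show the SA on UDP 4500 rather than raw ESP.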

megajuras
just joined
 
Posts: 14
Joined: Fri Jan 13, 2012 9:42 am

Re: IPSEC road warrior config help

by megajuras » Fri Mar 02, 2012 12:58 am

Forgot to mention that I didn't test how it works from NATed client.

megajuras
just joined
 
Posts: 14
Joined: Fri Jan 13, 2012 9:42 am

Re: IPSEC road warrior config help

by megajuras » Wed Aug 29, 2012 11:42 am

Anybody?

jaytcsd
Member Candidate
 
Posts: 145
Joined: Wed Dec 29, 2004 10:50 am
Location: Birdseye IN

Re: IPSEC road warrior config help

by jaytcsd » Thu Sep 20, 2012 6:09 pm

I did screen prints for my Win 7 netbook connecting to a routerboard 133.

http://mikrotik.patokatech.com/
