NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Forwarded traffic to IPSec web pages not loading

Wed Aug 24, 2022 10:51 pm

I have configured an IPSec IKEv2 VPN to a provider and I am trying to route the internal traffic to the VPN.

I have followed the provider's tutorial to configure the VPN and route the traffic.
https://support.surfshark.com/hc/en-us/ ... with-IKEv2

The tunnel is established, but when traffic is routed to the VPN, web sites are not loading. I can still ping and traceroute the web server. The only web site that seems to load is https://www.google.com, plus all HTTP (unencrypted) sites.

When traffic is not routed to the VPN:
C:\Users\giann>Tracert disney.com

Tracing route to disney.com [130.211.198.204]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  router [192.168.51.1]
  2     2 ms     1 ms     3 ms  192.168.0.1
  3     7 ms     9 ms    17 ms  97e7fe9c.skybroadband.com [151.231.254.156]
  4    14 ms    15 ms    17 ms  02780b96.bb.sky.com [2.120.11.150]
  5     6 ms     7 ms     8 ms  027ff1a3.bb.sky.com [2.127.241.163]
  6   100 ms   142 ms   320 ms  204.198.211.130.bc.googleusercontent.com [130.211.198.204]


When traffic is routed to the VPN, I can reach the web servers but the web sites are not loading.
C:\Users\giann>tracert disney.com

Tracing route to disney.com [130.211.198.204]
over a maximum of 30 hops:

  1    32 ms     3 ms     1 ms  router [192.168.51.1]
  2     6 ms     6 ms     6 ms  90.78.44.185.baremetal.zare.com [185.44.78.90]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     5 ms     6 ms     6 ms  1.78.44.185.baremetal.zare.com [185.44.78.1]
  7     7 ms     6 ms    12 ms  ae1.rt0-hex.ldn.as25369.net [5.226.136.11]
  8     9 ms    10 ms     9 ms  142.250.169.80
  9   102 ms   103 ms    99 ms  204.198.211.130.bc.googleusercontent.com [130.211.198.204]
I ran packet captures and the three-way handshake is completed, but during the SSL traffic the server is resetting the connection.

[packet capture screenshot attached to the original post, not reproduced here]

The configuration is:
[admin@MikroTik] > export 
# aug/24/2022 19:54:02 by RouterOS 6.48.6
# software id = SSDT-Y18I
#
# model = 2011UiAS-2HnD
# serial number =
/interface bridge
add admin-mac=E4:8D:8C:30:1B:5A auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master-local
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-slave-local
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-slave-local
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-slave-local
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
    ssid=MikroTik-301B63 wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=FRDB responder=no src-address-list=Test
/ip ipsec policy group
add name=FRBD
/ip ipsec profile
add name=FRBD
/ip ipsec peer
add address=uk-lon.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add name=FRBD pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.51.10-192.168.51.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether6-master-local list=mactel
add interface=ether7-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=sfp1 list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/ip address
add address=192.168.51.1/24 comment="default configuration" interface=bridge-local network=192.168.51.0
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.51.0/24 comment="default configuration" gateway=192.168.51.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.51.1 name=router
/ip firewall address-list
add address=192.168.51.0/24 list=Test
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec identity
add auth-method=eap certificate=Surfshark eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=FRDB password= peer=FRBD policy-template-group=FRBD username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes
/ip ssh
set host-key-size=1024
/lcd interface pages
set 0 interfaces=\
    sfp1,ether1-gateway,ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local
/system clock
set time-zone-name=Europe/London
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Any idea why web pages are not loading?
 
gabacho4
Member
Posts: 335
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Forwarded traffic to IPSec web pages not loading  [SOLVED]

Wed Aug 24, 2022 11:31 pm

Sounds like an MTU/MSS issue to me. Have you done any fragmentation testing?
 
NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Re: Forwarded traffic to IPSec web pages not loading

Fri Aug 26, 2022 10:56 am

Thanks gabacho4,

I changed the MSS to 1350 and the issue is resolved. The value 1350 is the minimum; higher values could be used.

In addition to the provider's instructions, either of the below commands should be used.

If it is chosen to route by source IPs, then the rule should be added as below.
add action=change-mss chain=forward dst-address-list=AddressList new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1350

If it is chosen to route traffic as per a destination list, the below should be added.
add action=change-mss chain=forward src-address-list=AddressList new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1350
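The two posts above (gabacho4's "MTU/MSS issue, have you done any fragmentation testing?" and the fix of clamping MSS to 1350) leave the arithmetic implicit: a full 1460-byte TCP segment becomes a 1500-byte inner IP packet, and once ESP adds its header, IV, padding, ICV and (behind a NAT) the UDP encapsulation, the outer packet exceeds the 1500-byte Ethernet MTU, so large TLS records are dropped or fragmented somewhere on the path while small packets (ping, traceroute, the handshake itself) still get through. The Python below is an added example, not code from the thread, from Surfshark or from RouterOS. It assumes NAT-T UDP encapsulation (likely here, since the router's WAN hop is 192.168.0.1), AES-CBC with a 16-byte IV as in the export's aes-128-cbc proposal, and HMAC-SHA1-96 (12-byte ICV) as the RouterOS default auth algorithm; these are assumptions, not measurements of the poster's link. The `simulated_probe` value of 1456 is constructed so the worked result lands on the thread's 1350; the `ping_df_probe` helper is the real DF-bit probe for a Linux host and needs a network.

```python
"""Why a 1500-byte TCP segment breaks inside an IPsec tunnel, and how to pick the MSS.

Added example; not code from the thread, from Surfshark or from RouterOS.
Assumed overheads (assumptions, not measured from the poster's link):
  - NAT-T UDP encapsulation (the router's WAN sits behind 192.168.0.1, so likely)
  - ESP with AES-CBC (16-byte IV) and HMAC-SHA1-96 (12-byte ICV), i.e. the
    aes-128-cbc proposal in the export with the RouterOS default auth algorithm
For AES-GCM pass iv_len=8, icv_len=16, block=4 instead.
"""
import subprocess
from typing import Callable

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header


def esp_outer_size(inner_len: int, nat_t: bool = True, iv_len: int = 16,
                   icv_len: int = 12, block: int = 16) -> int:
    """Bytes on the wire for an ESP packet carrying an inner IP packet of inner_len bytes."""
    # Inner packet plus trailer is padded up to the cipher block size before encryption.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def segment_fits(mss: int, path_mtu: int = 1500, **esp) -> bool:
    """True if a full-size segment of this MSS survives ESP without fragmentation."""
    return esp_outer_size(IPV4_HDR + TCP_HDR + mss, **esp) <= path_mtu


def max_tcp_mss(path_mtu: int = 1500, **esp) -> int:
    """Largest MSS that still fits; this is the value to clamp to."""
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and not segment_fits(mss, path_mtu, **esp):
        mss -= 1
    return mss


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest total IP size that probe() reports as passing with DF set.
    Assumes probe(lo) passes."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_df_probe(host: str) -> Callable[[int], bool]:
    """Real probe for Linux iputils ping: -M do sets DF, -s is the ICMP payload,
    so total IP size = payload + 28.  Needs a network; the offline demo does not use it."""
    def probe(total_size: int) -> bool:
        r = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", "2",
                            "-s", str(total_size - 28), host], capture_output=True)
        return r.returncode == 0
    return probe


def simulated_probe(real_path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a DF ping: passes exactly when size <= the simulated path MTU."""
    return lambda size: size <= real_path_mtu


def mss_clamp_rule(mss: int, address_list: str, match: str = "src-address-list") -> str:
    """RouterOS mangle rule in the shape the thread's fix uses, for the computed MSS."""
    return (f"/ip firewall mangle add action=change-mss chain=forward "
            f"{match}={address_list} new-mss={mss} passthrough=yes "
            f"protocol=tcp tcp-flags=syn tcp-mss=!0-{mss}")


if __name__ == "__main__":
    print("Ethernet default MSS 1460 fits in 1500 outer MTU:", segment_fits(1460))
    print("MSS 1350 fits:", segment_fits(1350))
    print("Max MSS, NAT-T + AES-CBC + SHA1, outer MTU 1500:", max_tcp_mss())
    print("Max MSS without NAT-T:", max_tcp_mss(nat_t=False))
    # Constructed path MTU of 1456, chosen so the result lands on the thread's 1350;
    # it is not a measurement of the poster's link.
    mtu = find_path_mtu(simulated_probe(1456))
    print("Probed path MTU:", mtu, "-> clamp MSS to", max_tcp_mss(mtu))
    print(mss_clamp_rule(max_tcp_mss(mtu), "Test"))
```

With these assumed overheads a 1500-byte outer MTU gives a largest safe MSS of 1382 with NAT-T and 1398 without it, which is why 1350 works and why "higher values could be used" only up to a point; if the outer path is narrower (PPPoE, a second tunnel, a provider that drops fragments), the safe MSS drops with it, which is the first thing to check when, as in the last reply, clamping alone does not help. To measure the real path MTU from the Windows client in the thread, the equivalent of the Linux probe is `ping -f -l <payload> <host>` (`-f` sets DF, `-l` is the ICMP payload, total size = payload + 28) against a host beyond the tunnel; the largest payload that does not report "needs to be fragmented" plus 28 is the value to feed into `max_tcp_mss`.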
 
moshepupkin
just joined
Posts: 7
Joined: Sat May 13, 2023 7:05 pm

Re: Forwarded traffic to IPSec web pages not loading

Fri Mar 15, 2024 10:12 pm

Same issue. Changed MSS to no avail. Any other ideas?
