synthmeme
just joined
Topic Author
Posts: 5
Joined: Thu Mar 08, 2007 7:59 am

IPSEC road warrior config help

Thu Apr 05, 2007 8:47 pm

How are people managing mobile/road warrior IPSEC inbound connections to RouterOS? I have a few users who need access to their local networks via IPSEC to which they'll be connecting from laptops anywhere, generally NAT'd behind something.

So, scenario would look something like this:


client (192.168.1.50) -> NAT gateway -> public Internet -> (fixed or dynamic IP) Mikrotik Router -> NAT'd local network (192.168.2.0/24)

NOTE that the client's IP will be dynamic, hence the road warrior label.

Clients would be a mix of Macs and linux clients capable of doing NAT-T.

Can RouterOS be configured for unique PSKs for each remote user?

Any config examples would be great - the wiki doesn't cover this.

Thanks.
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon Apr 09, 2007 9:47 pm

RouterOS 2.9 does not handle NAT-T.

Otherwise, for dynamic IP clients use 'generate-policy'=yes in /ip policy peer.

Regards

Andrew
 
megajuras
just joined
Posts: 14
Joined: Fri Jan 13, 2012 8:42 am

Re: IPSEC road warrior config help

Fri Feb 17, 2012 2:39 pm

How about now, in version 5.13?

I'm interested in doing a road warrior setup to my LAN.
What I wanted to do (a requirement from my customers; as said, they are already using it in many different locations) is to use a software client (preferably the GreenBow VPN client).

The LAN is 192.168.0.0/24 and I wanted one of the LAN's IPs to be used for the connected PC (i.e. 192.168.0.222).

I configured IPSEC on MT and GB client and the tunnel is establishing very well.

I can ping the LAN gateway IP. I can ping .222 from MT using local (internal) interface.
One of the problems is that when I try to ping one of the internal PCs (let's say it's 192.168.0.100), the PC does not know the MAC of .222, and enabling proxy-arp on the interface is not working. PC .100 is sending ARP requests but no one is answering.

Please advise.
 
megajuras
just joined
Posts: 14
Joined: Fri Jan 13, 2012 8:42 am

Re: IPSEC road warrior config help

Wed Feb 22, 2012 3:16 pm

To make the question simple:

How do I make MT answer ARP requests about .222 (the warrior) on the LAN?
(When I add a static ARP entry on the PC everything starts working, but that is a bad solution.)

Enabling proxy-arp is not enough.

Please...
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: IPSEC road warrior config help

Wed Feb 22, 2012 3:28 pm

Could you post your config? I've not had any success with road warrior IPsec on MT either.
 
megajuras
just joined
Posts: 14
Joined: Fri Jan 13, 2012 8:42 am

Re: IPSEC road warrior config help

Thu Mar 01, 2012 11:57 pm

My config is almost default:

In IP -> IPsec -> Peers:
Address: 0.0.0.0/0
Port: 500
Auth: PSK
ExchangeMode: Main
Send ini. contact: yes
NAT-T: yes
My ID User FQDN: <empty>
Proposal Check: obey
Hash: sha
Enc.: 3des
DH: modp2048
GeneratePolicy: yes

If your warrior's "local" IP is for example 1.1.1.1, you need to add an exception for masquerading: before the masquerade rule in Firewall -> NAT, place a rule that says "if src IP = your LAN and dst IP = 1.1.1.1 then take action ACCEPT" (do nothing, i.e. do not masquerade it).

And that's it on MT side. On your VPN client app you need to set the same things...

I didn't play with different Peer configuration because I'm waiting for some answer on my question from previous posts.
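The Winbox settings listed above, together with andrewluck's generate-policy hint from earlier in the thread, expressed as RouterOS 5-era terminal commands. This is an added example, not something posted in the thread; it assumes the WAN interface is named ether1, uses the 192.168.0.0/24 LAN and the 1.1.1.1 client placeholder from the post, and REPLACE_ME stands in for a real pre-shared key.

```routeros
# Added example (not from the forum post). Assumptions: WAN interface is
# ether1, LAN is 192.168.0.0/24, the road warrior's inner address is the
# post's placeholder 1.1.1.1, and REPLACE_ME is a placeholder PSK.

# Peer accepting any source address (the client's address is dynamic).
# generate-policy=yes lets the router build the phase-2 policy from what the
# client proposes, so no static policy per client is needed.
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    secret="REPLACE_ME" exchange-mode=main send-initial-contact=yes \
    nat-traversal=yes proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=3des dh-group=modp2048 generate-policy=yes

# Phase-2 proposal must match what the client offers; the post used SHA and
# 3DES, so keep the default proposal consistent with that.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des

# Masquerade exception: LAN -> road-warrior packets must keep their original
# source address so they match the generated IPsec policy. place-before=0
# puts the accept rule above the existing masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=1.1.1.1 action=accept \
    comment="bypass NAT for IPsec road warrior" place-before=0
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Verification after the client connects: a dynamic (D) policy for 1.1.1.1
# should appear, SAs should be installed, and the accept rule should count
# packets while the masquerade rule does not see LAN -> 1.1.1.1 traffic.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall nat print stats
```

Two things to check in this shape of setup: the peer entry is keyed on 0.0.0.0/0 with a single secret, so every road warrior shares the same PSK and the router cannot tell them apart at phase 1, and the NAT bypass must be the first srcnat rule, otherwise the masquerade rule rewrites the source address before the policy lookup and return traffic for the LAN silently falls outside the tunnel.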
 
megajuras
just joined
Posts: 14
Joined: Fri Jan 13, 2012 8:42 am

Re: IPSEC road warrior config help

Thu Mar 01, 2012 11:58 pm

Forgot to mention that I didn't test how it works from NATed client.
 
megajuras
just joined
Posts: 14
Joined: Fri Jan 13, 2012 8:42 am

Re: IPSEC road warrior config help

Wed Aug 29, 2012 11:42 am

Anybody?
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSEC road warrior config help

Thu Sep 20, 2012 6:09 pm

I did screen prints for my Win 7 netbook connecting to a routerboard 133.

http://mikrotik.patokatech.com/
