Community discussions

Search found 38 matches

by frontdist
Mon Nov 12, 2018 9:25 pm
Forum: General
Topic: Mangle not working - Link Balanced BGP
Replies: 1
Views: 402

Re: Mangle not working - Link Balanced BGP

Am I the only one that has had this issue?
by frontdist
Tue Nov 06, 2018 6:58 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

Thanks for the explanation... It seems to be working now, but I have come across some other unexplainable behaviour now. Because it is not related to IPSec itself, I have created a new post here: https://forum.mikrotik.com/viewtopic.php?f=2&t=141275 Essentially something is breaking with the multipa...
by frontdist
Tue Nov 06, 2018 6:50 pm
Forum: General
Topic: Mangle not working - Link Balanced BGP
Replies: 1
Views: 402

Mangle not working - Link Balanced BGP

Hello, Setting up an ECMP link balance with BGP as per the below configuration guide with both interfaces being GRE tunnels... https://wiki.mikrotik.com/wiki/Manual:BGP_Load_Balancing_with_two_interfaces Right now, I have the configuration working however I have noticed some weird behaviour. Before I...
by frontdist
Mon Nov 05, 2018 10:31 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

One more question to add to this situation... Now that I have two initiators and two responders set up, I created two GRE tunnels (one over each connection), and then followed the iBGP load balancing configuration guide here: https://wiki.mikrotik.com/wiki/Manual:BGP_Load_Balancing_with_two_interfac...
by frontdist
Mon Nov 05, 2018 9:42 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

Most likely the second connection is dropped because the router receives initial-contact from the same address. Try setting "send-initial-contact" to "no" on both initiator peers. That seemed to do the trick. I was under the impression that send initial contact was required on the client side becau...
by frontdist
Tue Oct 30, 2018 2:07 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

"This peer is unreachable" messages in 6.43.4 are a little misleading. The second peer should still be working fine. As I said, these messages are completely fixed in the latest beta version. I have tried this, but the client will NOT connect to the second address... Server: Flags: X - disabled, D ...
by frontdist
Mon Oct 29, 2018 4:24 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

So what are you actually trying to do? Or what is not working? Can you authenticate to each peer? As you can see from the output, when the second responder is enabled, it gets the "This entry is unreachable" error. Both of those IP addresses are on the same interface (WAN) if it matters... What I a...
by frontdist
Mon Oct 29, 2018 3:27 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

What version are you using? Try the latest testing version (v6.44beta28) or at least current stable version (v6.43.4). You should be able to create multiple peers with different local-addresses on latest versions. Also we have plans to add peer ID matching which would allow to send different mode-c...
by frontdist
Mon Oct 29, 2018 4:03 am
Forum: General
Topic: BGP Default Originate - Traffic Selector
Replies: 0
Views: 321

BGP Default Originate - Traffic Selector

I would like to be able to (in the case where I am using iBGP), originate a "default" route for a peer, and have it installed in their routing table in cases where I want to send all traffic over the GRE tunnel that was created to allow the BGP connection. Currently with static routing, I am able to...
by frontdist
Sun Oct 28, 2018 11:44 pm
Forum: General
Topic: Tunnel between 2 MT where on one there is no public IP
Replies: 3
Views: 349

Re: Tunnel between 2 MT where on one there is no public IP

If you're using anything with HW encryption do an initiator-responder setup with IPSec IKEv2... It's not the MOST straightforward setup in the world, but will likely produce better throughput than any other solution on these devices. See my thread here and ask if you have any questions: https://forum...
by frontdist
Sat Oct 27, 2018 5:09 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2453

Multiple IPSec Responders - Same Exchange Mode [SOLVED]

Hi all, I am trying to find out if there is a way to approach this that I am not thinking of or am missing somehow. I will first give an explanation of the situation, then my proposed solution. I am in the middle of setting up an IPSEC IKEv2 VPN solution to be able to provide a static IP from my publ...
by frontdist
Sat Oct 27, 2018 4:43 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Hi Sindy, There was a transposition error in a most critical area... One of the src-nat rules had an extra "0" in it which ruled it ineffective, once that was corrected and the connection tracking table cleared, things worked properly on a consistent basis. I think the biggest lesson here was about ...
by frontdist
Fri Oct 26, 2018 11:35 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Output: [admin@MikroTik] > ip firewall nat export # oct/26/2018 13:34:22 by RouterOS 6.43.4 # software id = # # model = RouterBOARD 1100x4 # serial number = /ip firewall nat add action=accept chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=192.168.89.0/24 add action=accept chain=sr...
by frontdist
Fri Oct 26, 2018 11:19 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Show me /ip firewall connection print detail where protocol=gre from the server side (Ctrl-F for the public address before posting). Output: [admin@MikroTik] > ip firewall connection print detail where protocol=gre Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fast...
by frontdist
Fri Oct 26, 2018 11:04 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Tried to downgrade to 6.43.2 and it refuses to work. Was hoping to try that as a solution, but I can't get a downgrade to work at all...
by frontdist
Fri Oct 26, 2018 10:25 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

I configured a 6th unit while we were going back and forth with this. The 6th unit could NOT receive traffic back (SA counter 0) despite establishing phase2, when it was behind the same NAT as the other 4 working units, however when I gave it a unique public IP it COULD connect and pass traffic with...
by frontdist
Fri Oct 26, 2018 10:16 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

I added that src-nat rule, cleared the connection tracker and rebooted the router. Still no luck. The masquerade rule already had the ipsec-policy=out,none attached to it. What is so frustrating is that sometimes it works, sometimes it doesn't - and I can power down every single unit, reboot the ser...
by frontdist
Fri Oct 26, 2018 9:13 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Server Side: The 50. IP address is real, but dynamic so I don't care... [admin@MikroTik] > ip ipsec policy print  Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 1 TX...
by frontdist
Fri Oct 26, 2018 8:27 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Here are the configs... Server # oct/26/2018 10:21:46 by RouterOS 6.43.4 # software id = # # model = RouterBOARD 1100x4 # serial number = /interface bridge add fast-forward=no name=bri-5E5DCB add fast-forward=no name=bri-62EC5B add fast-forward=no name=bri-658B9B add fast-forward=no name=bri-658C27 ...
by frontdist
Fri Oct 26, 2018 8:17 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Give me 5 minutes and I'll post server, working client and non-working client.
by frontdist
Fri Oct 26, 2018 8:05 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

PFS is set to none on every device... all devices on 6.43.4 One of the weird things that tends to happen when I am setting this up is something I see in my routes... I have two routes I add to the client side: 0.0.0.0/0 gateway (concentrator side of GRE interface) with routing mark GRE and Distance ...
by frontdist
Fri Oct 26, 2018 4:39 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Back at it again and I'm still having problems with multiple clients for some reason. There doesn't seem to be any rhyme or reason as to why it works sometimes and not others. I have 5 Hex units, configured identically (except for IP parameters and IPSec user credentials), and sometimes they work an...
by frontdist
Tue Oct 16, 2018 10:46 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

NEVERMIND.... I have thought about this for 24 hours, and 5 minutes after I posted my comment I figured it all out. Once again, thanks goes to Sindy for the help. I re-built the tunnels, this time instead of using the GRE interfaces as the IPSEC SA endpoints, I created bridge interfaces with the sam...
by frontdist
Tue Oct 16, 2018 10:27 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

And some more to the story now, as I was trying a different approach to the GRE tunnels and having an issue with it. Right now, and in the example config above for my GRE tunnel, I am using non-coincident addresses. In this config it is 10.0.10.1 on the "concentrator" side, and 10.0.11.1 on the "cli...
by frontdist
Tue Oct 16, 2018 2:42 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Disregard the note about remote management... There was a bit of a NAT routing issue.... I realized I could do it one of two ways, either a static route to the management computer/winbox subnet, or a mangle rule applied to the output chain, with a routing mark that sent it via the GRE tunnel the sam...
by frontdist
Tue Oct 16, 2018 12:15 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Setup critique... *apologies in advance, the [ c o d e ] tag isn't working for the second set for some reason???* Here is what I have working so far... In most cases I will put a /30 on the LAN interface of the "client" router and simply provide a single address that goes through a src-nat at the "s...
by frontdist
Sun Oct 14, 2018 5:32 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

You're a saint... So, first with the fasttrack... When I said I had the firewall stuff disabled, I meant the block entries. I disabled fasttrack and all of a sudden I am getting almost line speed. I'll see what happens when I turn encryption back on now. I didn't mean making the default gateway of t...
by frontdist
Sun Oct 14, 2018 4:04 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

I do expect some gaps in coverage, but it is better than the current situation, which is that the cameras are visible for 30 mins to a few hours after they are booted, then disappear until something is done. Yes, I could set them up on an automatic reboot scheduler, but they take a while to come up,...
by frontdist
Sun Oct 14, 2018 2:08 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Thanks Sindy, I see what you mean now and it makes a lot more sense to me... In the case of avoiding GRE, part of the problem is that I don't know how to make the client camera use the IPSEC address and tunnel as its default gateway for outbound connections... The cameras we use have an "automatic NA...
by frontdist
Sun Oct 14, 2018 3:40 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

I am able to occasionally get both connected at the same time, but it is inconsistent, and I am seeing this warning as well:
Unreachable.jpg
by frontdist
Sun Oct 14, 2018 2:07 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Client # oct/13/2018 18:51:18 by RouterOS 6.43.2 # software id = # # model = RouterBOARD 750G r3 # serial number = /interface ethernet set [ find default-name=ether1 ] speed=100Mbps set [ find default-name=ether2 ] speed=100Mbps set [ find default-name=ether3 ] disabled=yes speed=100Mbps set [ find ...
by frontdist
Sun Oct 14, 2018 2:07 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

I have run into an additional issue here and am looking for help getting around it. I have posted the configs below for two of the routers (one client, one server) and am running into an issue when I have more than one client behind the same IP address. I am getting phase1 to come up between both cl...
by frontdist
Sat Oct 13, 2018 8:09 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

I have a version of it working... it's incredibly slow, but it's working. Will post the configs when I have a chance to see if it can be further diagnosed. The "client" end will have a /30 on a LAN port, and the security camera NVR will be connected to that. I am using mangle to force the client IP ...
by frontdist
Sat Oct 13, 2018 2:56 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

This is incredible information, thank you for the time you put into your response.

I have been too busy with other projects this week, but I am going to lab this tomorrow and see where I get.

Once I do, I will post relevant configs and results for everyone to take a look at.

Thanks!
by frontdist
Wed Oct 10, 2018 6:46 am
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

You need to assign unique private addresses to the client routers (best attached to a bridge with no member ports) and set the GRE tunnels between an address on the server router and these addresses, using the IPsec in tunnel mode. So the IPsec policy transports GRE between the private address at t...
by frontdist
Mon Oct 08, 2018 11:56 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

Re: IKEv2 - Road Warrior (NAT Workaround)

Using pure IPsec (IKEv2), you can use /ip ipsec user to configure username, "password" and IP address in a similar way as with /ppp secret for ppp interfaces if you use pre-shared key & xauth authentication mode (it doesn't work with certificates). However, there is no script you could associate wi...
by frontdist
Sun Oct 07, 2018 1:00 am
Forum: General
Topic: Roadwarrior Ipsec Ikev2 + Gre
Replies: 1
Views: 363

Re: Roadwarrior Ipsec Ikev2 + Gre

Would you mind posting the rest of your config? I am looking to do EXACTLY the same thing and it would appear you are much further along than I am...
by frontdist
Sat Oct 06, 2018 11:29 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6659

IKEv2 - Road Warrior (NAT Workaround)

Hello, I am looking for some feedback from the community to see if I am totally out to lunch or not with something that I am trying to work out... Here is the situation: I do some work for a security contractor, and they have a number of clients who are looking to get access to their IP cameras but ...