Community discussions

Search found 17 matches

by Farseer
Sat Jul 06, 2019 4:18 pm
Forum: General
Topic: IPSec VPN tunnels not working when upgraded to 6.45.1
Replies: 3
Views: 1506

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Alright so I managed to get it to work. I was basically playing around with the settings and found that: 1) 0.0.0.0 on SA SRC address is not an issue, if phase2 connects the tunnel will work. 2) I went into IPSec > Peers and set Local Address as first, the IP of the router on that end of the tunnel...
by Farseer
Sat Jul 06, 2019 3:23 pm
Forum: General
Topic: IPSec VPN tunnels not working when upgraded to 6.45.1
Replies: 3
Views: 1506

IPSec VPN tunnels not working when upgraded to 6.45.1

Hi, So I have 1 HO, and 2 branches and previously these devices were on 6.43.12 and connected from the individual branch to the HO via IPSec VPN. Had almost no issues for a long time but with occasional hiccups. Today I upgraded all the devices to 6.45.1. Here is what I did and what happened: 1) Up...
by Farseer
Sun May 26, 2019 6:40 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 685

Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Thanks Sindy. I set the nat-traversal to yes in ip > ipsec > peer profile on all 3 devices. Seems to be working but I only recently stopped the pinging from the main branch to the branches. Let me see how it goes. In regards to the firewall, I keep Winbox open as that is how I access the devices sin...
by Farseer
Sun May 26, 2019 5:08 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 685

Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Hi @sindy , here is the code for the export on the main branch : /export hide-sensitive # may/26/2019 HIDDEN by RouterOS 6.43.12 # software id = SMRR-9LV5 # # model = 951G-2HnD # serial number = HIDDEN /interface bridge add admin-mac=HIDDEN auto-mac=no comment=defconf name=bridge /interface wireless...
by Farseer
Sun May 26, 2019 1:08 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 685

Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Hi @sindy, Thanks for the reply and sorry about the lack of information and misinterpretation from my side. To answer your questions: 1) All 3 devices are Mikrotik devices on the same firmware and the same model. 2) There is a NAT on the main branch (a different device from the ISP on its own sepa...
by Farseer
Sun May 26, 2019 12:20 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 685

Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Hi, I have IPSec VPN tunnels going from 2 branches to a main branch. The exchange mode is set as Main, and whilst this works, there is an issue that if there is no connection from the Main Branch to any of the branches, then those branches cannot ping or access anything on the main branch. So my sol...
by Farseer
Fri Mar 29, 2019 8:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

@emils

Is the scenario sufficient for IPSec sa-dst/src-address hostname name usage?
by Farseer
Mon Mar 18, 2019 3:18 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated. In the scenario where an ISP doesn't provide a static IP to its client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostnam...
by Farseer
Mon Mar 18, 2019 2:15 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71029

Re: v6.45beta [testing] is released!

For this patch, could you allow sa-dst-address and sa-src-address in IPSec to accept DDNS names? It's great and all to create scripts and to put it on a scheduler to resolve the IPs and update those fields, but can't it just accept the DDNS name/cloud host name instead?
by Farseer
Fri Feb 22, 2019 6:31 pm
Forum: General
Topic: Accidentally updated router firmware to long term 6.42.12
Replies: 2
Views: 378

Accidentally updated router firmware to long term 6.42.12

Hello. So I decided to update the firmware on a couple of Mikrotik devices to the latest stable 6.43.12. I opened multiple WinBOX sessions, 1 to each site, and started the firmware update process. Accidentally, one of the sites was set on long term channel, and the router "updated" to a long term 6....
by Farseer
Wed Feb 20, 2019 4:07 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 2481

Re: IPSEC dynamic peer ip

Ok I did not look into the script exactly, but AFAIK it is not implemented in RouterOS to connect with a remote that has a dynamic IP (identify it via remote ID or certificate) and then use that association without fixup via some script. Using DDNS is kind of a workaround for that problem, but it w...
by Farseer
Wed Feb 20, 2019 3:13 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 2481

Re: IPSEC dynamic peer ip

Thank you for your answer and script, I will check it. Does someone know how then dynamic policy works with ipsec? With that script running with a scheduler, every minute it will check for the DDNS names you entered and update the SA SRC and DST addresses. In IPsec > Peer, just set the address as t...
by Farseer
Wed Feb 20, 2019 1:37 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 2481

Re: IPSEC dynamic peer ip

Hi, As far as I know, RouterOS doesn't have a way to update the SA Src. Address and SA Dst. Address if any of the sites is on Dynamic IP. The solution to this is to create a script, test it out manually, and if it's fine, put it on a scheduler to run every minute. Here is a script that I used, can be...
by Farseer
Sat Feb 16, 2019 11:10 am
Forum: General
Topic: Routing L2TP/IPSEC
Replies: 4
Views: 454

Re: Routing L2TP/IPSEC

Can you clarify a bit more if possible: 1) is the VPN already established between the hexes? 2) is your question specifically about routing traffic between them or getting the VPN to setup properly? I managed to get the following up and running for one of my clients via IPSec to site A : https://im...
by Farseer
Mon Feb 11, 2019 7:02 pm
Forum: General
Topic: Need a bit of help with VPN + additional info/question
Replies: 3
Views: 382

Re: Need a bit of help with VPN + additional info/question

If one of the routers lacks a public IP... connect that one using L2TP then set up an encryption inside that connection. Hi, Thanks for the reply. None of the Routers at Site A or B or C lack a public IP, the issue is that the public IP changes for 1 or more of the sites based on the WAN connectivity...
by Farseer
Mon Feb 11, 2019 5:55 pm
Forum: General
Topic: Need a bit of help with VPN + additional info/question
Replies: 3
Views: 382

Need a bit of help with VPN + additional info/question

Hello, first time poster here. I apologize in advance, this will be a bit long with lots of info, and will have some god awful practices being applied which I hope to correct. Hoping to get some help here so I can learn to do things right. Started using Mikrotik devices recently and they are very go...