After update to ver. 6.45.2 I have an issue with IPsec

Hello everyone,
I have 2 routers and need to join them by IPsec, so when I need to finish all the steps, before the last one I can't see:
SA Src. Address
SA Dst. Address
In ip>ipsec>policies>Action
And you can see the result in the photos below:
Untitled1.jpg
But in ver. 6.37.2:
SA Src. Address
SA Dst. Address
In ip>ipsec>policies>Action
is included.
Untitled22.jpg
Where can I find this in ver. 6.45.2?

THANKS

SA Src/Dst Address was where you put the same addresses as in the peer config. Now you select the peer on the General tab and they are taken from there automatically.

Thank you for your reply,
I will try it soon and reply to you here.
Thank you

After looking in the log I have the error below
Untitled223.jpg
What is the problem and how do I solve it?
Since then the IPsec policy's "PH2 State" shows no phase 2
Untitled2332.png

Phase 1 depends on the peer config, it's before policies. Is this just a local test? Because a private address for the remote peer would not be very useful otherwise.

If I need to connect 2 routers locally without internet,
using IPsec site to site, and have devices for testing..
You mean it will not pass in the lab?

If it's local and you know it, it's ok.

You get a timeout on phase 1, so the first thing to check is connectivity between 192.168.80.2 and 192.168.70.2. Can they reach each other? Doesn't the firewall block port 500? Can you ping between those addresses (if you don't block ping with the firewall)?

I tested pinging from a new terminal on both routers:
router 1 > ping 192.168.80.2 or 192.168.80.1, the result is timeout or host unreachable
Untitled77.png
Note that I connected the tunnel directly by UTP cable from router 1 to router 2 via ether1 on both, in both cases.
So I added the static route on both routers as shown below:
Untitled44.png
Untitled55.png
and the firewall rule added on both routers:
Untitled66.png
At this time I can't ping between the 2 routers from 192.168.80.2/30 and 192.168.70.2/30!
How can I solve this big problem?
THANKS

It looks like you may be doing something a little different than I thought. Try to share more info about addresses and subnets, these and any others you have on the routers. How exactly is everything connected, on which interface is each address, etc.

[admin@Office 1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.70.2/30 192.168.70.0 ether1
1 10.10.11.1/24 10.10.11.0 wlan1

[admin@Office 1] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 src-address=10.10.11.0/24 src-port=any dst-address=10.10.12.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.70.2
sa-dst-address=192.168.80.2 proposal=default priority=0

[admin@Office 1] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

[admin@Office 1] /ip ipsec> peer print
Flags: X - disabled, D - dynamic
0 address=192.168.80.2/32 local-address=:: passive=yes port=500
auth-method=pre-shared-key secret="123456" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=md5
enc-algorithm=3des dh-group=modp1024 lifetime=30m lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5


ROUTER 2
[admin@Office 2] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.80.2/30 192.168.80.0 ether1
1 10.10.12.1/24 10.10.12.0 wlan1

[admin@Office 2] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="peer1" address=192.168.70.2/32 profile=default exchange-mode=main
send-initial-contact=yes

[admin@Office 2] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #     TUN  SRC-ADDRESS
 0 TX*      ::/0
 1     yes  10.10.12.0/24

[admin@Office 2] /ip ipsec> proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=md5 enc-algorithms="" lifetime=30m
pfs-group=modp1024

[admin@Office 2] /ip ipsec> identity print
Flags: D - dynamic, X - disabled
0 peer=peer1 auth-method=pre-shared-key secret="123456" generate-policy=no

[admin@Office 2] /ip ipsec> profile print
Flags: * - default
0 * name="default" hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd
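
The two `print` dumps above are the kind of thing that is easier to compare by script than by eye, so here is an added example (my own code, not from this thread or from MikroTik) that flattens the RouterOS key=value output of both routers and reports phase-1/phase-2 values that differ or are empty, algorithms that are weak by today's standards, and directly cabled interfaces whose addresses are not in one subnet. The inputs are constructed, trimmed copies of the outputs posted above; the R3 entry and the second link list are assumptions that model the "third router in the middle" layout discussed later in the thread. Note that on Router 1 (6.37) the phase-1 settings sit on the peer, on Router 2 (6.45) on the profile; the parser does not care which.

```python
"""Sanity checks for a MikroTik IPsec site-to-site lab (added example)."""
import ipaddress
import re

# Constructed inputs, trimmed from the `print` outputs posted in the thread.
ROUTERS = {
    "R1": {
        "addresses": "0 192.168.70.2/30 192.168.70.0 ether1\n1 10.10.11.1/24 10.10.11.0 wlan1",
        "phase1": "address=192.168.80.2/32 exchange-mode=main hash-algorithm=md5 "
                  "enc-algorithm=3des dh-group=modp1024 lifetime=30m",
        "phase2": 'name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024',
    },
    "R2": {
        "addresses": "0 192.168.80.2/30 192.168.80.0 ether1\n1 10.10.12.1/24 10.10.12.0 wlan1",
        "phase1": 'name="default" hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d',
        "phase2": 'name="default" auth-algorithms=md5 enc-algorithms="" lifetime=30m pfs-group=modp1024',
    },
    # Assumed third router "simulating the internet": one /30 towards each site.
    "R3": {
        "addresses": "0 192.168.70.1/30 192.168.70.0 ether1\n1 192.168.80.1/30 192.168.80.0 ether2",
    },
}
# Cabling as first described in the thread: R1 ether1 straight into R2 ether1.
DIRECT_LINKS = [(("R1", "ether1"), ("R2", "ether1"))]
# Cabling with the assumed middle router: R1-ether1 <-> R3-ether1, R3-ether2 <-> R2-ether1.
LINKS_VIA_R3 = [(("R1", "ether1"), ("R3", "ether1")), (("R3", "ether2"), ("R2", "ether1"))]

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
PH1_KEYS = ("enc-algorithm", "hash-algorithm", "dh-group")
PH2_KEYS = ("enc-algorithms", "auth-algorithms", "pfs-group")
# Deprecated or empty choices; fine for a lab, not for a production tunnel.
WEAK = {"md5", "sha1", "des", "3des", "modp768", "modp1024", "none", ""}


def parse_kv(text):
    """Flatten RouterOS key=value output into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_addresses(text):
    """Map interface name -> ip_interface from `/ip address print` lines."""
    ifaces = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "/" in fields[1]:
            ifaces[fields[3]] = ipaddress.ip_interface(fields[1])
    return ifaces


def ipsec_mismatches(a, b):
    """Phase-1/phase-2 values that differ between the two sides or are empty."""
    problems = []
    for phase, keys in (("phase1", PH1_KEYS), ("phase2", PH2_KEYS)):
        ka, kb = parse_kv(a[phase]), parse_kv(b[phase])
        for key in keys:
            va, vb = ka.get(key, ""), kb.get(key, "")
            if va != vb or not va:
                problems.append(f"{phase} {key}: {va!r} vs {vb!r}")
    return problems


def weak_algorithms(router):
    """Algorithms in either phase that should not be used outside a lab."""
    found = set()
    for phase, keys in (("phase1", PH1_KEYS), ("phase2", PH2_KEYS)):
        kv = parse_kv(router[phase])
        for key in keys:
            for alg in kv.get(key, "").split(","):
                if alg in WEAK:
                    found.add(f"{phase} {key}={alg or '(empty)'}")
    return sorted(found)


def link_problems(routers, links):
    """Directly cabled interfaces must share one subnet, otherwise nothing routes."""
    problems = []
    for (ra, ia), (rb, ib) in links:
        na = parse_addresses(routers[ra]["addresses"])[ia].network
        nb = parse_addresses(routers[rb]["addresses"])[ib].network
        if na != nb:
            problems.append(f"{ra}:{ia} {na} and {rb}:{ib} {nb} are different subnets")
    return problems


if __name__ == "__main__":
    for line in ipsec_mismatches(ROUTERS["R1"], ROUTERS["R2"]):
        print("PROBLEM:", line)
    for line in link_problems(ROUTERS, DIRECT_LINKS):
        print("PROBLEM (direct cable):", line)
    for line in link_problems(ROUTERS, LINKS_VIA_R3):
        print("PROBLEM (via R3):", line)
    for name in ("R1", "R2"):
        for line in weak_algorithms(ROUTERS[name]):
            print(f"WEAK ({name}):", line)
```

Run on the posted settings it reports exactly the two things that stop this lab: Router 2's proposal has an empty `enc-algorithms` while Router 1 offers 3DES (no phase 2 can be agreed), and the two ether1 addresses are in different /30s (no phase 1 packet can even reach the other side). With the assumed R3 in the middle the link check comes back clean.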

If you have direct connection between ether1 on first router and ether1 on second, it can’t work like this, because there’s no routing between them. You added routes, but there’s no 192.168.80.1 or 192.168.70.1 anywhere.

You need to have the same subnet on both ether1s, e.g. 192.168.70.1/30 on one router and 192.168.70.2/30 on the other. Then use these addresses for the remote peers and it will connect. BUT such a config is not good for testing IPsec tunnels, because traffic between internal subnets will flow even when the tunnel doesn't establish. You'd need to do extra config changes to prevent that, but it could interfere with your testing.

It's better to put a third router in the middle to simulate the internet. Keep your current addresses and add 192.168.80.1/30 and 192.168.70.1/30 to interfaces on this third device. Then either block routing between those internal subnets, or just don't add any routes at all and it will have the same effect.

"If you have direct connection between ether1 on first router and ether1 on second, it can't work like this, because there's no routing between them. You added routes, but there's no 192.168.80.1 or 192.168.70.1 anywhere."
Answer
Yes, I am connecting the 2 routers directly.
Ok, now I understand from you that in this case it does not work.
"You need to have same subnet on both ether1s, e.g. 192.168.70.1/30 on one router and 192.168.70.2/30 on the other. Then use these addresses for remote peers and it will connects. BUT such config is not good for testing IPSec tunnels, because traffic between internal subnets will flow even when tunnel doesn't establish. You'd need to do extra config changes to prevent that, but it could interfere with your testing."
Answer
In this case the IPsec tunnel is not working or not achieved.. because the tunnel works like LAN to LAN "neighbor".
"It's better to put third router in the middle to simulate internet. Keep your current addresses and add 192.168.80.1/30 and 192.168.70.1/30 to interfaces on this third device. Then either block routing between those internal subnet, or just don't add any routes at all and it will have the same effect."
Answer
In this case router 3 is in the middle between router 1 and router 2.
How can router 3 be configured to pass the IPsec site to site between router 1 and router 2?
Does the middle router run DHCP, e.g. on ether3 going to router 1, and after that in router 1 I add a DHCP client on the ether port coming from the middle router?
And the middle router runs DHCP, e.g. on ether4 going to router 2, and after that in router 2 I add a DHCP client on the ether port coming from the middle router?
Or what should I do to pass the lab?

All you need on the third router are only two addresses and nothing else:

/ip address
add address=192.168.70.1/30 interface=ether1
add address=192.168.80.1/30 interface=ether2

Then connect R1-ether1 with R3-ether1 and R3-ether2 with R2-ether1. Add default routes on R1 and R2 (same as you tried before). Do not add any routes on R3, so the only two subnets it will know about will be 192.168.70.0/30 and 192.168.80.0/30. Or if you want to be really sure that nothing else will go through, you can additionally use:

/ip firewall filter
add action=accept chain=forward dst-address=192.168.80.2 src-address=192.168.70.2
add action=accept chain=forward dst-address=192.168.70.2 src-address=192.168.80.2
add action=reject chain=forward reject-with=icmp-network-unreachable

I will try it as soon as I can. What do you advise me, since I don't have a third MikroTik router but I have another brand like TP-Link?
Do you agree, if I connect router 1 and router 2 to get IPs from the third router via its LAN ports when I connect to (R1 and R2) directly and apply a DHCP client on the MikroTik?

You see it's a very simple config, it should be possible to do using almost anything. Although some home routers are so limited that they may not support it.