Can't find problem creating IPSec tunnel

Hello,

Recently I bought an RB450G and I have a problem. I create an IPSec tunnel and it just doesn't work. I've searched the forums and nothing helps. Absolutely nothing. Some support requests aren't answered here. I ask you for some help, please.
My situation is simple. Two RB450Gs which need an IPSec tunnel configured between them. No configuration is done; they are new, fresh routers. I've done everything as shown in this video tutorial:
http://gregsowell.com/?p=790
Nothing worked. Then I read lots of topics with examples and still nothing works.
http://wirelessconnect.eu/index.php?option=com_content&task=view&id=62&Itemid=454
http://64.132.61.228/manual/IP/IPsec.html

Does anyone have any ideas? Maybe someone has a link on setting up an IPSec tunnel from a fresh RouterOS. I've done some IPSec tunnels with Linksys and I have the same ideas about how to do it and how it works, but here I miss something.
I would be grateful if someone could help me set it up.

OK, as I understand it, I'll never get an answer to this kind of question. I'll try to be more specific and not just say "nothing works, please help!".
So, I think the IPSec policy and peer settings are OK. I'm worried about the firewall. The NAT rules mentioned in the configuration are OK too, I think, but I miss some configuration in firewall filtering.
How does firewall filtering work? If I have no rules set there, how will it behave? Will it drop all packets or accept all if there are no rules defined? If it drops, then I think that is my problem. As long as there are no rules in the firewall it drops all packets and they don't reach the router's IPSec policy. So if I'm right here, maybe someone can guide me in setting firewall filtering rules for IPSec. Thanks in advance.

The default action for the firewall filter is 'accept', not 'drop'.

Thanks for the reply. Now it seems everything is OK with the config, but the tunnel isn't running. I don't know why.
The connection scheme is the following:

PC(192.168.1.20) <---> RB(192.168.1.254) <---> Public(78.x.x.1) ... Public(78.x.x.2) <---> RB(192.168.2.254) <---> PC(192.168.2.20)

Here is my config:
ROUTER A

Firewall NAT
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=!192.168.2.0/24 out-interface=ether1

IPSec policy
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=254 action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=78.x.x.1 sa-dst-address=78.x.x.2 proposal=default priority=0

IPSec peer
Flags: X - disabled
0 address=78.x.x.2/32:500 auth-method=pre-shared-key secret="darius" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=claim hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp768 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

ROUTER B

Firewall NAT
0 chain=srcnat action=masquerade src-address=192.168.2.0/24 dst-address=!192.168.1.0/24 out-interface=ether1

IPSec policy
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=254 action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=78.x.x.2 sa-dst-address=78.x.x.1 proposal=default priority=0

IPSec peer
Flags: X - disabled
0 address=78.x.x.1/32:500 auth-method=pre-shared-key secret="darius" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=claim hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp768 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

This config should be enough, but it's not working. I don't even get any logs about IPSec or the firewall. It seems that no packets are coming in or going out of the router, so the IPSec policy doesn't work either. I use RouterOS 3.23.
I even asked some IT professionals who have created thousands of IPSec tunnels on MikroTik for help, and they said the config is enough for the tunnel, but it's not working. I'm totally lost. Please help me with some guides. Thanks in advance.
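As an added example (not code from any poster in this thread), a small Python checker that parses print lines like the two configs above and reports what a practitioner would compare first between the two routers: the policy protocol value the thread ends up changing, mirrored policy selectors and SA endpoints, the peer address, the srcnat exclusion of the remote subnet, and matching phase 1 parameters. The sample data is constructed, with documentation addresses standing in for 78.x.x.1 and 78.x.x.2.

```python
import re
# Constructed sample: the two configurations posted above, with documentation
# addresses standing in for 78.x.x.1/78.x.x.2 and protocol=254 left in place.
ROUTER_A = {
    "policy": "src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any "
              "protocol=254 action=encrypt tunnel=yes "
              "sa-src-address=203.0.113.1 sa-dst-address=198.51.100.2",
    "peer": "address=198.51.100.2/32:500 exchange-mode=main nat-traversal=no "
            "hash-algorithm=sha1 enc-algorithm=3des dh-group=modp768",
    "nat": "chain=srcnat action=masquerade src-address=192.168.1.0/24 "
           "dst-address=!192.168.2.0/24 out-interface=ether1",
}
ROUTER_B = {
    "policy": "src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any "
              "protocol=254 action=encrypt tunnel=yes "
              "sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1",
    "peer": "address=203.0.113.1/32:500 exchange-mode=main nat-traversal=no "
            "hash-algorithm=sha1 enc-algorithm=3des dh-group=modp768",
    "nat": "chain=srcnat action=masquerade src-address=192.168.2.0/24 "
           "dst-address=!192.168.1.0/24 out-interface=ether1",
}
def parse(line):
    """Turn a RouterOS 'key=value key=value' print line into a dict."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))
def network(addr): return addr.split(":")[0]  # '192.168.1.0/24:any' -> '192.168.1.0/24'
def check_side(a, b):
    """Findings for router a, checked against its remote router b."""
    pa, pb = parse(a["policy"]), parse(b["policy"])
    peer, rpeer, nat = parse(a["peer"]), parse(b["peer"]), parse(a["nat"])
    findings = []
    # The thread's fix: with protocol=254 the policy never matched; 255/all does.
    if pa.get("protocol") not in ("255", "all"):
        findings.append(f"policy protocol={pa.get('protocol')} (expected 255/all)")
    # Selectors and SA endpoints must be the mirror image of the remote policy.
    for mine, theirs in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if network(pa[mine]) != network(pb[theirs]) or network(pa[theirs]) != network(pb[mine]):
            findings.append(f"{mine}/{theirs} do not mirror the remote policy")
    # The peer entry must point at the remote SA source address.
    if peer["address"].split("/")[0] != pb["sa-src-address"]:
        findings.append("peer address is not the remote sa-src-address")
    # Masquerade must skip tunnel traffic, or the policy never sees the LAN source.
    if nat.get("dst-address") != "!" + network(pa["dst-address"]):
        findings.append("srcnat does not exclude the remote subnet")
    # Phase 1 parameters have to agree on both ends.
    for k in ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group", "nat-traversal"):
        if peer.get(k) != rpeer.get(k):
            findings.append(f"peer {k} mismatch")
    return findings
```

Run `check_side(ROUTER_A, ROUTER_B)` and `check_side(ROUTER_B, ROUTER_A)`; an empty list in both directions means the pair is consistent, and on the sample above the only finding is the protocol value.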

OK, I made it work, if anyone is interested. Here was my error: in the IPSec policy configuration there is protocol=254 and it must be 255.

It never gets to 255; the default value is 254 (all)...

Regards

Fadi

You're wrong. See attachment.
ipsec.jpg

Thank you for the reply, but in my routers it is different, as attached. Today I tried to make the IPSec tunnel between two RB433s as in the tutorial at the link http://gregsowell.com/?p=790 but the IPSec didn't establish. Could you please recommend what I should change or add to get the IPSec established? Thanks for the support.

Regards

Fadi
Protocol.JPG

Change it to 255 =) You may want to upgrade to the latest version first :)

After doing this configuration, should the computers in the local office be able to access resources or shared folders in the remote office and vice versa?