Hello!
I ran into a problem with site to site IPsec tunnels and I hope someone can help me.
In my configuration, I have Branch and Main office. I have an old Cisco ASA in Main office and MikroTik hEX PoE lite+USB lte modem in Branch office.
Here is my branch office MikroTik configuration:
# jan/02/1970 06:22:30 by RouterOS 6.47.4
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192 name=Tun-to-MO
/ip ipsec peer
add address=40.40.50.40/32 exchange-mode=aggressive local-address=10.186.127.233 name=ASA profile=Tun-to-MO
# I have mode=aggressive because as far as I know with user-grade USB modems you can’t have your white IP address on one of MikroTik’s interfaces i.e. USB modems always work in router mode, not in bridge mode, so you must use mode=aggressive
/ip ipsec proposal
add enc-algorithms=aes-192-cbc name=IPSEC-PROP pfs-group=none
/ip pool
add name=BRANCH ranges=10.186.127.234-10.186.127.238
/interface bridge port
add bridge=Bridge interface=ether1
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether3
add bridge=Bridge interface=ether4
add bridge=Bridge interface=ether5
/ip address
add address=10.186.127.233 interface=Bridge network=10.186.127.232
/ip dhcp-server network
add address=10.186.127.232/29 dns-server=10.186.127.233,8.8.8.8 gateway=10.186.127.233 netmask=29 ntp-server=10.186.100.50
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=lte1
# I don’t have any other firewall rules. I’ve read that I need “ipsec-policy=out,none” OR a firewall rule for my network to have both ipsec tunnel and internet working at the same time.
/ip ipsec identity
add my-id=fqdn:BRANCH peer=ASA secret="xxxx"
# “BRANCH” needs to match the config on the ASA, IIRC the “ipsec-isakmp dynamic BRANCH” part
/ip ipsec policy
add dst-address=10.186.0.0/16 level=unique peer=ASA proposal=IPSEC-PROP sa-dst-address=40.40.50.40 sa-src-address=10.186.127.233 src-address=10.186.127.232/29 tunnel=yes
add dst-address=10.182.155.0/24 level=unique peer=ASA proposal=IPSEC-PROP sa-dst-address=40.40.50.40 sa-src-address=10.186.127.233 src-address=10.186.127.232/29 tunnel=yes
# I need “level=unique” because I have two different IPsec policies.
And here is the ASA config:
object-group network Branch-Network
network-object 10.186.127.232 255.255.255.248
!
access-list TUN-TO-BRANCH extended permit ip object-group Network_For_IPSEC object-group Branch-Network
!
nat (inside,outside) source static Network_For_IPSEC Network_For_IPSEC destination static Branch-Network Branch-Network no-proxy-arp route-lookup
!
crypto dynamic-map BRANCH 40 match address TUN-TO-BRANCH
crypto dynamic-map BRANCH 40 set ikev1 transform-set IPSEC-S2S-CRYPTO
!
tunnel-group BRANCH type ipsec-l2l
tunnel-group BRANCH ipsec-attributes
ikev1 pre-shared-key xxxx
!
crypto map IPSEC_TO_OP 1040 ipsec-isakmp dynamic BRANCH
I have PC1 and PC2 in the branch office with IPs (configured via DHCP) 10.186.127.237 and 10.186.127.238, and I also have a server in my MO with IP 10.186.100.50.
This is a working configuration. IPsec is working, I have access to the Internet, I can ping my server (IP 10.186.100.50 inside the MO network) from PC1 and PC2, I can ping PC1 from PC2, but I can't ping the MikroTik (10.186.127.233) from the PCs. As long as the IPsec policies are not enabled, I CAN ping the router, but after I switch them on I lose ping.
If I understand correctly, this is happening because of the first ip ipsec policy: the src-address (10.186.127.237 - 238) is within the range of 10.186.127.232/29 and the dst-address is within the range of 10.186.0.0/16.
So the router encrypts the ICMP packets and sends them to the ASA, the ASA matches the packets with access-list TUN-TO-BRANCH, encrypts them and sends them back, and so on until the TTL runs out.
So, can I somehow alter my configuration so that I can ping (and actually access via the web interface) my router from the PCs inside its network?
Sorry for my English!
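An added Python model (not the poster's code and not RouterOS itself) of the top-down, first-match policy selection the post describes. It shows that both directions of the PC-to-router exchange fall inside the selectors of the first tunnel policy, and that a more specific action=none policy for the branch /29, placed above the tunnel policies, takes that traffic out of IPsec while leaving traffic to the MO networks encrypted. The exemption policy and the place-before option in the comment are my assumed fix, not part of the original configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    src: str      # src-address selector
    dst: str      # dst-address selector
    action: str   # "encrypt" (tunnel policy) or "none" (exemption)
    name: str


def matching_policy(policies, src_ip, dst_ip):
    """Return the first policy whose selectors cover the packet; RouterOS
    walks the policy list top-down and stops at the first match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None


def action_for(policies, src_ip, dst_ip):
    p = matching_policy(policies, src_ip, dst_ip)
    return p.action if p else "plain"   # no policy: packet leaves unencrypted


# Selectors of the two tunnel policies from the post (SA addresses omitted).
BRANCH_POLICIES = [
    Policy("10.186.127.232/29", "10.186.0.0/16", "encrypt", "to-MO-10.186"),
    Policy("10.186.127.232/29", "10.182.155.0/24", "encrypt", "to-MO-10.182.155"),
]
BRANCH_NET = "10.186.127.232/29"
ROUTER_IP = "10.186.127.233"   # the MikroTik's bridge address


def with_local_exemption(policies):
    """Assumed fix: an action=none policy for traffic that stays inside the
    branch /29 (router included), ordered ABOVE the tunnel policies so it is
    matched first. Assumed RouterOS equivalent (not from the post):
    /ip ipsec policy add action=none src-address=10.186.127.232/29 \
        dst-address=10.186.127.232/29 place-before=0"""
    return [Policy(BRANCH_NET, BRANCH_NET, "none", "local-exempt")] + list(policies)


if __name__ == "__main__":
    pc1 = "10.186.127.237"
    fixed = with_local_exemption(BRANCH_POLICIES)
    print("PC1 -> router, as posted:", action_for(BRANCH_POLICIES, pc1, ROUTER_IP))
    print("router -> PC1, as posted:", action_for(BRANCH_POLICIES, ROUTER_IP, pc1))
    print("PC1 -> router, exempted :", action_for(fixed, pc1, ROUTER_IP))
    print("PC1 -> MO server        :", action_for(fixed, pc1, "10.186.100.50"))
```

The exemption must sit above the /16 policy in the list; appended at the end it would never be reached, because the first tunnel policy already matches.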