Attempting to set up an IPSec Roadwarrior VPN connection. I have managed to get the Shrew Soft client to connect but am unable to ping through the tunnel. I can see the ping request reach the router but it doesn’t respond. I imagine I must be missing a firewall rule or something.
Post the config of your MikroTik and client OS. We’ll get you squared away.
/export hide-sensitive
# jul/13/2017 09:35:03 by RouterOS 6.36.1
# software id = WG30-UITK
#
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=0s
/ip pool
add name=dhcp ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master name=\
defconf
/ip ipsec mode-config
add address-pool=dhcp name=RW-cfg split-include=192.168.20.0/24
/ip address
add address=192.168.20.1/24 comment=defconf interface=\
ether2-master network=192.168.20.0
add address=184.68.241.98/30 interface=ether1 network=\
184.68.241.96
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=\
ether1
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=64.59.184.13,64.59.190.242
/ip dns static
add address=192.168.20.1 name=router
/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 \
src-address=192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 \
src-address=192.168.20.0/24
add action=accept chain=forward packet-mark=vpn
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=udp src-port=500
add action=accept chain=forward in-interface=ether1 protocol=udp \
src-port=4500
add action=accept chain=input protocol=udp src-port=1701
add action=accept chain=input comment="defconf: accept ICMP" \
protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new \
in-interface=ether1
/ip firewall mangle
add action=mark-packet chain=input dst-port=4500 \
new-packet-mark=vpn protocol=udp
add action=mark-packet chain=input new-packet-mark=vpn protocol=\
ipsec-esp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.30.0/24 \
src-address=192.168.20.0/24
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp \
to-addresses=192.168.20.10 to-ports=3389
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
/ip ipsec peer
add address=184.68.241.102/32 dpd-interval=1m \
dpd-maximum-failures=1 enc-algorithm=aes-256 \
generate-policy=port-override hash-algorithm=md5 \
local-address=0.0.0.0
add auth-method=pre-shared-key-xauth generate-policy=\
port-override mode-config=RW-cfg passive=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=192.168.20.0/24
add dst-address=192.168.30.0/24 sa-dst-address=184.68.241.102 \
sa-src-address=184.68.241.98 src-address=192.168.20.0/24 \
tunnel=yes
/ip ipsec user
add name=val
/ip route
add distance=1 gateway=184.68.241.97
/system clock
set time-zone-name=America/Edmonton
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled
/system scheduler
add interval=1m name=schedule1 on-event="IPSec Keep Alive" \
policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-time=startup
/system script
add name="IPSec Keep Alive" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive \
source=" ping interface=ether2-master count=2 192.168.30.1"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
There is also a site-to-site IPSec VPN configured between another Mikrotik router that is currently working.
So, it looks like you are using the same pool for the IPSec clients. This is likely a hold-over from how a lot of L2TP based deployments are set up. Don’t do it; it requires proxy ARP to work.
- Create a new pool with an IP range not in use anywhere else in your LAN.
- Edit the IPSec Mode-Config to use the new pool. Leave the split-include set to 192.168.20.0/24, that value should reflect the networks.
That should get us moving in the right direction.
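The two steps above, written out as RouterOS CLI commands against the names in the posted export, followed by the NAT and fasttrack exemptions that the export already applies to the site-to-site subnet (the accept rules for 192.168.30.0/24 in srcnat and at the top of the forward chain). This is an added example, not code from the thread or from MikroTik: the pool name ipsec-RW and the 192.168.50.0/24 range are assumptions (any range unused elsewhere on the LAN will do), and the exemption rules are added on the same reasoning as the existing 192.168.30.0/24 ones, since a LAN reply that is masqueraded or fasttracked never reaches the IPsec policy lookup.

```routeros
# Added example, not from the thread. Assumed names/values: pool ipsec-RW,
# client range 192.168.50.0/24. LAN is 192.168.20.0/24 as in the export.

# 1. A dedicated pool for road-warrior clients, separate from the LAN DHCP pool,
#    so the router routes to them instead of needing proxy ARP on ether2-master.
/ip pool add name=ipsec-RW ranges=192.168.50.2-192.168.50.254

# 2. Point the existing mode-config at the new pool; split-include stays the LAN.
/ip ipsec mode-config set [ find name=RW-cfg ] address-pool=ipsec-RW

# 3. Keep LAN<->client traffic out of masquerade and fasttrack, mirroring the
#    rules the export already has for the site-to-site subnet. place-before=0
#    puts each rule at the top of its chain, ahead of the defconf rules.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.20.0/24 \
    dst-address=192.168.50.0/24 place-before=0 \
    comment="no NAT for road-warrior clients (assumed range)"
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.20.0/24 dst-address=192.168.50.0/24 place-before=0 \
    comment="LAN -> road-warrior, ahead of fasttrack"
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.50.0/24 dst-address=192.168.20.0/24 place-before=0 \
    comment="road-warrior -> LAN, ahead of fasttrack"

# Checks: the mode-config should reference the new pool, a connected client
# should appear with an address from it, and an installed SA should exist.
/ip ipsec mode-config print
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If pings still go unanswered after this, the rule counters in `/ip firewall filter print stats` and `/ip firewall nat print stats` show which rule the packets are actually hitting.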
# jul/13/2017 11:11:38 by RouterOS 6.36.1
# software id = WG30-UITK
#
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=0s
/ip pool
add name=dhcp ranges=192.168.20.100-192.168.20.254
add name=ipsec-RW ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master name=\
defconf
/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=\
192.168.20.0/24
/ip address
add address=192.168.20.1/24 comment=defconf interface=\
ether2-master network=192.168.20.0
add address=184.68.241.98/30 interface=ether1 network=\
184.68.241.96
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=\
ether1
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=64.59.184.13,64.59.190.242
/ip dns static
add address=192.168.20.1 name=router
/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 \
src-address=192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 \
src-address=192.168.20.0/24
add action=accept chain=forward packet-mark=vpn
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=udp src-port=500
add action=accept chain=input in-interface=ether1 protocol=udp \
src-port=4500
add action=accept chain=input protocol=udp src-port=1701
add action=accept chain=input comment="defconf: accept ICMP" \
protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new \
in-interface=ether1
/ip firewall mangle
add action=mark-packet chain=input dst-port=4500 \
new-packet-mark=vpn protocol=udp
add action=mark-packet chain=input new-packet-mark=vpn protocol=\
ipsec-esp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.30.0/24 \
src-address=192.168.20.0/24
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp \
to-addresses=192.168.20.10 to-ports=3389
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
/ip ipsec peer
add address=184.68.241.102/32 dpd-interval=1m \
dpd-maximum-failures=1 enc-algorithm=aes-256 \
generate-policy=port-override hash-algorithm=md5 \
local-address=0.0.0.0
add auth-method=pre-shared-key-xauth generate-policy=port-strict \
mode-config=RW-cfg passive=yes policy-template-group=\
RoadWarrior
/ip ipsec policy
set 0 dst-address=192.168.50.0/24 group=RoadWarrior src-address=\
192.168.20.0/24
add dst-address=192.168.30.0/24 src-address=192.168.20.0/24 \
template=yes
/ip ipsec user
add name=val
/ip route
add distance=1 gateway=184.68.241.97
/system clock
set time-zone-name=America/Edmonton
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled
/system scheduler
add interval=1m name=schedule1 on-event="IPSec Keep Alive" \
policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-time=startup
/system script
add name="IPSec Keep Alive" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive \
source=" ping interface=ether2-master count=2 192.168.30.1"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
I have added the new IP Pool and associated it with the Mode Config.
Upon connecting to the VPN, I am assigned an address from the new pool but am still unable to ping through.
If you are trying to ping a Windows host on the LAN, the Windows firewall could block the ping. By default the firewall blocks connections from different subnets.
The local firewall is disabled on the Windows host. I know it allows connections because the site-to-site VPN (using two subnets) allows network traffic to flow through without any issues. The roadwarrior VPN doesn’t even respond to pings sent to the router itself.