Cisco <--> Mikrotik IPSec VPN: one way packet loss

Hi,

I’m going to set up an IPsec VPN between a Mikrotik hEX (RB750Gr3) and a Cisco 2901 router.
Usually I use Cisco routers, but this time I tried to use a Mikrotik and got a problem with the IPsec VPN.
I have read a lot of how-tos and other docs relating to Mikrotik, but it didn’t help.
I have no idea what to do now. Please help.

Vadim

The schema is:

PC1 <-----> Cisco <-----> (internet) <-----> Mikrotik <-----> PC2

PC1 IP: 10.10.4.60/23 (default router: 10.10.5.254)
Cisco internal IP: 10.10.5.254/23
Cisco external IP: 94.228.254.43

Mikrotik external IP: 80.84.114.178
Mikrotik internal IP: 10.9.0.1/23
PC2 IP: 10.9.1.254/23 (default route 10.9.0.1)

Both internal networks are behind NAT.
Both sides have upstream channels of about 50 Mbps (with load about 10-20%).

Now I have the following:

  1. IPsec SA installed OK

  2. Ping is OK from both sides:
  • From PC1 to PC2:

  • From PC2 to PC1:

  3. But when I try to use this VPN channel I see packets being dropped (both TCP and UDP).
    Here is the problem as shown by Mikrotik’s btest utility:
  • From PC1 (client) to PC2 (server):

(2nd column: test with UDP protocol, 3rd: test with TCP protocol. In all cases the test stops by itself after a while with reason “disconnected”)

Decreasing the Local/Remote TX size doesn’t change the results, so it seems it’s not an MTU/size problem…

  4. In addition I made a test using iperf3 (https://iperf.fr/)
    The results are also very strange:
    From PC1 to PC2: TCP speed about 30 Mbps, UDP stream unstable with speed from 0 bps to 26 Mbps
    From PC2 to PC1: TCP stream (in the opposite direction) unstable, UDP stream (in the opposite direction) stable but with a speed of only 4 to 6 Mbps

[iperf3 screenshots: PC1 → PC2 TCP, PC1 → PC2 UDP, PC2 → PC1 TCP, PC2 → PC1 UDP]

Mikrotik config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip address
add address=10.9.0.1/23 comment=defconf interface=bridge1 network=10.9.0.0
add address=80.84.114.178/28 interface=ether1 network=80.84.114.176
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward dst-address=10.9.0.0/22 src-address=10.10.4.0/23
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall mangle
add action=change-mss chain=forward dst-address=10.10.4.0/22 new-mss=1250 passthrough=yes protocol=tcp src-address=10.9.0.0/22 tcp-flags=syn tcp-mss=\
    !0-1250
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.4.0/22 src-address=10.9.0.0/22
add action=accept chain=srcnat dst-address=10.2.0.0/16 src-address=10.9.0.0/22
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip ipsec peer
add address=94.228.254.43/32 dh-group=modp1024 enc-algorithm=aes-128 local-address=80.84.114.178 nat-traversal=no secret=********
/ip ipsec policy
add dst-address=10.10.4.0/22 sa-dst-address=94.228.254.43 sa-src-address=80.84.114.178 src-address=10.9.0.0/22 tunnel=yes
/ip route
add distance=1 gateway=80.84.114.177

Cisco router config:

!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *************** address 80.84.114.178   no-xauth
!
!
crypto ipsec transform-set TC_MIKROTIK_HWSEC esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF_VOLTAG
 set transform-set TC_VOLTAG
!
crypto map CM_DC_OFFICE 30 ipsec-isakmp
 set peer 80.84.114.178
 set transform-set TC_MIKROTIK_HWSEC
 match address 105
!
!
interface GigabitEthernet0/0.32
 ip address 94.228.254.43 255.255.255.0
 ip nat outside
 no ip virtual-reassembly in
 crypto map CM_DC_OFFICE
!
interface GigabitEthernet0/1.4
 ip address 10.10.10.254 255.255.255.0 secondary
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http secure-server
!
ip nat inside source route-map NATRULE interface GigabitEthernet0/0.32 overload
ip route 10.9.0.0 255.255.252.0 94.228.254.1 30
!
route-map NATRULE permit 10
 match ip address 101
 match interface GigabitEthernet0/0.32
!
access-list 101 deny   ip 10.10.4.0 0.0.3.255 10.9.0.0 0.0.3.255
access-list 101 permit ip 10.10.4.0 0.0.3.255 any
access-list 105 permit ip 10.10.4.0 0.0.3.255 10.9.0.0 0.0.3.255
access-list 105 permit icmp 10.10.4.0 0.0.3.255 10.9.0.0 0.0.3.255

I found the solution in the Mikrotik IPsec documentation (https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_and_Fasttrack_Bypass).
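Added example, not part of the original post: the fasttrack bypass that the linked wiki section describes, written against the addresses and rule comments in the Mikrotik config above. It assumes RouterOS 6.x syntax and the default-config rule order shown in the post; the srcnat accept rule for 10.9.0.0/22 → 10.10.4.0/22 is already present in the posted config and is not repeated here.

```routeros
# Added example (not from the original post). Assumes RouterOS 6.x and the
# default-config rule comments shown in the posted /ip firewall filter export.
#
# Why this matters: action=fasttrack-connection marks established/related TCP and
# UDP connections so that their later packets skip the filter, mangle and IPsec
# policy lookup. Those packets leave ether1 unencrypted instead of entering the
# tunnel and never reach the far LAN. ICMP is never fasttracked, which is why
# ping works while bulk TCP/UDP stalls. Fix: accept IPsec-policy traffic in the
# forward chain BEFORE the fasttrack rule so the tunnel flows are never marked.

/ip firewall filter
add action=accept chain=forward comment="ipsec bypass: decrypted traffic from remote site" \
    ipsec-policy=in,ipsec place-before=[find comment="defconf: fasttrack"]
add action=accept chain=forward comment="ipsec bypass: traffic to be encrypted" \
    ipsec-policy=out,ipsec place-before=[find comment="defconf: fasttrack"]

# Checks after applying the rules:
# 1. Rule order: both "ipsec bypass" rules must be listed above "defconf: fasttrack".
/ip firewall filter print where chain=forward
# 2. While iperf3 runs between the LANs, the bypass rule counters should grow and
#    the fasttrack rule's counters should not grow for tunnel traffic.
/ip firewall filter print stats where comment~"ipsec bypass|fasttrack"
# 3. No LAN-to-LAN connection should carry the F (fasttrack) flag.
/ip firewall connection print where src-address~"^10\\.9\\." dst-address~"^10\\.10\\."
# 4. The IPsec byte counters should move in both directions.
/ip ipsec installed-sa print
```

The `place-before` argument inserts each rule directly above the matched fasttrack rule; if the comment on that rule differs on your router, adjust the `find` expression or move the rules manually in WinBox. The existing `change-mss` mangle rule stays as it is, since mangle is also skipped for fasttracked packets and will only take effect once the tunnel traffic is no longer fasttracked.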