Help with Site to Site VPN

I have been struggling for several days trying to get an IPSec VPN working between two offices and hoping someone can point me in the right direction.

I have been using resources from http://gregsowell.com/?p=1290

Note: The public IPs shown are not the actual IPs; both DSL routers have their DMZ set to the MikroTiks' IPs.

Example I am using:

# Site 1 - Head Office
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=1.1.2.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=\
    no dpd-interval=disable-dpd dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=mysecret send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=1.1.2.1 sa-src-address=192.168.10.254 src-address=\
    192.168.1.0/24 src-port=any tunnel=yes

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24


# Site 2 - Remote Office
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=\
    no dpd-interval=disable-dpd dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=mysecret send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=1.1.1.1 sa-src-address=192.168.9.254 src-address=\
    192.168.2.0/24 src-port=any tunnel=yes

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.1.0/24 \
    src-address=192.168.2.0/24

I think I've made a mistake on the NATed DSL routers' side.
Is IPsec recommended for this type of setup?

What exactly is not working? Did you allow UDP 500 and the ESP protocol on both sides in the MikroTik firewall (input chain)? What does the log say (you can turn on IPsec logging in the System > Logging section)?

IPsec will not work with this setup. For site-to-site to work properly, both VPN endpoints should have real IP addresses assigned to them. Placing your VPN endpoints in the DMZ is not enough. Switch your DSL routers to bridge mode, terminate PPPoE on your MikroTik devices, and then try to set up IPsec again.

Did you allow UDP 500 and the ESP protocol on both sides in the MikroTik firewall (input chain)?

I have not allowed them; I will give it a try.

Unfortunately, terminating PPPoE on my MikroTik devices is not possible, as the ISP has provided the DSL routers, which provide the static public IPs. Is there a recommended site-to-site VPN when the MikroTiks only have a default gateway connecting to the Internet?

I don't see any problem here. Currently your DSL router should be terminating PPPoE for you. Ask your ISP for the PPPoE username/password, configure the DSL router to work as a bridge, create a PPPoE client interface on the MikroTik with the above-mentioned username and password, and you will have the same static IP address on your MikroTik device as you have on your DSL router right now.

The problem is that you have NAT Traversal disabled, yet you are connecting through NAT.

Make sure the DSL routers forward all L4 protocols to the MikroTiks, not just TCP/UDP. I have seen an issue like this with cheap DSL routers. IPsec works with its own protocol on L4, "IPsec ESP".
Make sure you allow IPsec ESP, UDP 500 and UDP 4500 on both MikroTiks in the firewall input chain.
Make sure you enable NAT-T in both MikroTiks' peer config.

It should work no problem then.

No, it should not. In a typical site-to-site IPsec setup, phase 1 uses the external VPN endpoint IP as its ID, so validation of the remote peer will constantly fail on the responder device.

And that is what NAT-T is for. NAT-T makes it possible to use IPsec through NAT, and it will work.
That is why NAT-T is configured in the Phase 1 config, "/ip ipsec peer".

http://en.wikipedia.org/wiki/NAT_traversal#NAT_traversal_and_IPsec

True enough that I personally have NOT tried getting it working with both ends of the tunnel behind NAT, but we regularly deploy IPsec when one of the endpoints is behind NAT, and it works with no problem.

NAT-T is a standard mechanism to encapsulate the encrypted payload in a UDP datagram instead of the ESP packet; nothing more.

Sure it works, provided only the initiator is behind NAT, which is obviously not the case in the situation the TS described above.
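The firewall rules and peer setting the replies in this thread call for (UDP 500, UDP 4500 and ESP accepted in the input chain, NAT-T enabled on the peer), plus the IPsec logging one reply suggests, written out as RouterOS commands for Site 1. This is an added example, not a config from the thread or from MikroTik; it assumes the remote peer address 1.1.2.1 from the original post and that the new rules must land above the existing drop rules.

```routeros
# Added example (not from the thread): input-chain rules and NAT-T setting
# for Site 1 - Head Office. Assumed: remote peer 1.1.2.1 as in the original
# post; Site 2 gets the mirror image with 1.1.1.1.

# --- As posted: NAT-T disabled while both routers sit behind NAT ---
# /ip ipsec peer
# add address=1.1.2.1/32 ... nat-traversal=no ...

# --- Corrected: enable NAT-T on the existing peer entry ---
/ip ipsec peer
set [ find address=1.1.2.1/32 ] nat-traversal=yes

# --- Input-chain rules so IKE, NAT-T and ESP reach the router itself.
#     src-address limits exposure to the single remote endpoint;
#     place-before=0 puts each rule above any existing drop rule. ---
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500 src-address=1.1.2.1 \
    comment="IKE (ISAKMP) from remote office" place-before=0
add chain=input action=accept protocol=udp dst-port=4500 src-address=1.1.2.1 \
    comment="IPsec NAT-T (UDP-encapsulated ESP)" place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=1.1.2.1 \
    comment="Native ESP, if the DSL router forwards it" place-before=0

# --- Logging, as suggested in the thread, to see where phase 1 stalls ---
/system logging
add topics=ipsec action=memory

# --- Verify: an established peer, installed SAs, and rule counters that
#     increment when the tunnel is brought up ---
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip firewall filter print stats where chain=input
/log print where topics~"ipsec"
```

On Site 2 the same commands apply with 1.1.1.1 as the peer and source address.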