IPsec problem: subnets

Hello. I have set up a few IPsec tunnels. When I try to ping every subnet, only one responds correctly; the others time out. What is the reason?

config:

# jun/15/2022 09:52:52 by RouterOS 6.49.6
# software id = 2TA3-2AX8
#
# model = RB3011UiAS

# Interface lists used by the firewall, neighbor-discovery and mac-server
# sections further down. The "/interface list" section header is not present
# in this export, so these two "add" lines appear without it.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default wireless security profile; only the supplicant identity is changed.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Phase 1 (IKE) profiles. The default profile is set to AES-256 / SHA-256 with
# NAT-traversal off, but no peer below references it. Each peer gets its own
# profile, and all four are identical apart from the name: enc-algorithm=des
# (single DES, 56-bit key) and no hash-algorithm set, so the RouterOS default
# applies. DES is the weakest element of this setup; moving both ends to AES
# is the obvious improvement once the remote gateways can be changed in step.
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 \
    hash-algorithm=sha256 nat-traversal=no
add dh-group=modp1536 enc-algorithm=des name=MPK
add dh-group=modp1536 enc-algorithm=des name=svk-3
add dh-group=modp1536 enc-algorithm=des name=svk-4
add dh-group=modp1536 enc-algorithm=des name=CPK
/ip ipsec peer
# One peer per remote gateway (addresses redacted in the post), all bound to
# the same local WAN address. The MPK peer carries seven of the ten policies
# in /ip ipsec policy; the other three peers carry one policy each.
add address=93.153.xx.xx/32 local-address=213.189.yy.yy name=SVK-4 \
    profile=svk-4
add address=84.42.1xx.xx/32 local-address=213.189.yy.yy name=MPK profile=MPK
add address=81.3.1xx.2xx/32 local-address=213.189.yy.yy name=SVK-3 profile=\
    svk-3
add address=79.171.xx.xx/32 local-address=213.189.yy.yy name=CPK profile=\
    CPK
/ip ipsec proposal
# Phase 2 proposals. The built-in default proposal is disabled; each per-peer
# proposal uses enc-algorithms=des with PFS group modp1536 and a 1-day SA
# lifetime. auth-algorithms is not set, so the platform default is used; the
# combination has to match what the remote (Fortinet) side offers.
set [ find default=yes ] disabled=yes enc-algorithms=null pfs-group=none
add enc-algorithms=des lifetime=1d name=MPK pfs-group=modp1536
add enc-algorithms=des lifetime=1d name=svk-3 pfs-group=modp1536
add enc-algorithms=des lifetime=1d name=svk-4 pfs-group=modp1536
add enc-algorithms=des lifetime=1d name=CPK pfs-group=modp1536
/ip pool
# DHCP pool for the LAN bridge (10.18.10.50-250); the router itself is .254.
add name=dhcp ranges=10.18.10.50-10.18.10.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
# All LAN ports (ether2-ether10, sfp1) are bridge members; ether1 is the WAN
# uplink and stays outside the bridge.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list, not on the WAN uplink.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# LAN address on the bridge.
add address=10.18.10.254/24 comment=defconf interface=bridge network=\
    10.18.10.0
# Static WAN address on ether1 (redacted). A DHCP client is also configured on
# ether1 below; if that lease ever supplies a default route it would sit next
# to the static default in /ip route — confirm this is intended.
add address=213.189.xx.xx/30 interface=ether1 network=213.189.206.xxxx
# Disabled address in 10.7.202.0/24 — the same prefix the MPK IPsec policy
# uses as its remote subnet. Looks like a leftover; keep it disabled.
add address=10.7.202.0/24 disabled=yes interface=bridge network=10.7.202.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.18.10.0/24 comment=defconf gateway=10.18.10.254 netmask=24
/ip dns
# Remote DNS requests are allowed and both resolvers live in 10.7.202.0/24,
# i.e. behind the MPK tunnel, so LAN name resolution depends on that tunnel
# being up. Nothing in the input chain of this export restricts port 53 and
# the chain has no closing drop, so check that ether1 cannot reach this
# resolver from outside.
set allow-remote-requests=yes servers=10.7.202.21,10.7.202.22
/ip dns static
add address=10.18.10.254 comment=defconf name=router.lan
/ip firewall address-list
# The only entry in bruteforse_stage1 is a disabled static one; nothing else in
# this export populates the list (see the self-referencing rule below).
add address=10.15.2.0/24 disabled=yes list=bruteforse_stage1
/ip firewall filter
# Input chain. Note that the chain has no closing drop rule in this export: the
# last input rule drops only connection-state=invalid, so anything not matched
# earlier is accepted by the default action.
# Accepts NTP, SNMP, IKE, L2TP, NAT-T and two custom UDP ports (3080, 3081)
# from the WAN. UDP/500 (and 4500 if NAT-T is in use) is what the IPsec peers
# need; SNMP (161) and L2TP (1701) exposed on ether1 are worth reviewing.
add action=accept chain=input comment=int dst-port=\
    123,161,500,1701,4500,3081,3080 in-interface=ether1 protocol=udp
# ESP in both directions for the tunnels (not restricted to the peer addresses).
add action=accept chain=input comment="ipsec policy" protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
# Per-peer rules for the MPK gateway, all disabled; they are superseded by the
# generic UDP/500 and ESP accepts above.
add action=accept chain=input comment=new disabled=yes dst-address=\
    84.42.11.38 in-interface=ether1 protocol=ipsec-esp src-address=\
    213.189.206.174
add action=accept chain=input disabled=yes dst-address=84.42.xx  dst-port=\
    500 in-interface=ether1 protocol=udp src-address=213.189.2xx.xx \
    src-port=500
add action=accept chain=input disabled=yes dst-address=213.189.xxxx \
    dst-port=500 in-interface=ether1 protocol=udp src-address=84.42.xxxx \
    src-port=500
add action=accept chain=input disabled=yes dst-address=213.189.xxxxx\
    in-interface=ether1 protocol=ipsec-esp src-address=84.42.1xxxxx
# Stateful accept for the input chain.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WinBox (TCP/8291) accepted with no in-interface or src-address restriction,
# so it is reachable from ether1 as well as the LAN.
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# RDP brute-force tagging. As written the rule only fires for sources that are
# already in bruteforse_stage1 (src-address-list) and adds them to that same
# list, so with nothing else populating the list it never matches. Its comment
# says "stage2" but the target list is stage1, and no rule drops traffic from
# the list — this looks like an unfinished staged blocklist.
add action=add-src-to-address-list address-list=bruteforse_stage1 \
    address-list-timeout=1w3d chain=input comment="bruteforse add to stage2" \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=\
    bruteforse_stage1
# Drop invalid in forward and input. Neither chain has a final catch-all drop.
add action=drop chain=forward comment="DROP- invalid DDOS" connection-state=\
    invalid
add action=drop chain=input connection-state=invalid
/ip firewall mangle
# Marks all TCP/80 traffic in prerouting with routing-mark ORA. No route or
# route rule in this export uses a table named ORA, so the mark appears to
# have no effect (possibly a leftover). The second rule is disabled.
add action=mark-routing chain=prerouting dst-port=80 new-routing-mark=ORA \
    passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    10.15.2.0/24 dst-port=80 new-routing-mark=2 packet-mark="" passthrough=\
    yes protocol=tcp routing-mark=main src-address=10.18.10.0/24
/ip firewall nat
# Outbound masquerade. ipsec-policy=out,none excludes packets that match an
# IPsec policy, which is the NAT avoidance the thread refers to, so tunnel
# traffic keeps its 10.18.10.x source. out-interface-list=static refers to a
# list that does not appear in this export (only WAN and LAN are defined
# above) — confirm it exists and contains ether1, otherwise nothing is
# masqueraded.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=static
# Disabled dstnat accept — no effect.
add action=accept chain=dstnat disabled=yes in-interface=ether1 src-address=\
    10.18.10.0/24
/ip ipsec identity
# Pre-shared keys for the four peers. The same secret is reused for every peer
# and was exported in clear (no hide-sensitive), so it is now public and has to
# be treated as compromised: rotate it and give each peer its own secret. No
# my-id / remote-id is set, so the identity defaults apply.
add peer=MPK secret=coral-meat
add peer=SVK-3 secret=coral-meat
add peer=SVK-4 secret=coral-meat
add peer=CPK secret=coral-meat
/ip ipsec policy
# Disables the built-in template policy.
set 0 disabled=yes
# One policy per remote subnet, all with src 10.18.10.0/24 and tunnel=yes.
# Each policy is a separate phase-2 selector, so the remote gateway must hold
# a matching selector for every pair; with seven policies on the single MPK
# peer the Fortinet side needs seven phase-2 entries (or one aggregate
# selector covering them). The thread reports that only the first MPK policy
# (10.7.202.0/24) passes traffic, which is consistent with the other
# selectors not being matched remotely — the policy's active flag and
# /ip ipsec installed-sa show which ones actually came up.
# The comment labels (SVK-7, SVK-1.2, ...) do not match the peer names; they
# appear to name the remote site rather than the peer.
add comment=MPK dst-address=10.7.202.0/24 peer=MPK proposal=MPK src-address=\
    10.18.10.0/24 tunnel=yes
add comment=SVK-7 dst-address=10.15.2.0/24 peer=MPK proposal=MPK src-address=\
    10.18.10.0/24 tunnel=yes
add comment=CPK dst-address=192.168.144.0/24 peer=CPK proposal=CPK \
    src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-3 dst-address=192.168.61.0/24 peer=SVK-3 proposal=svk-3 \
    src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-1.2 dst-address=192.168.20.0/24 peer=MPK proposal=MPK \
    src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-8 dst-address=10.16.2.0/24 peer=MPK proposal=MPK src-address=\
    10.18.10.0/24 tunnel=yes
add comment=SVK-5 dst-address=10.13.10.0/24 peer=MPK proposal=MPK \
    src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-6 dst-address=10.14.10.0/24 peer=MPK proposal=MPK \
    src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-9 dst-address=10.17.10.0/24 peer=MPK proposal=MPK \
    src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-4 dst-address=10.12.2.0/24 peer=SVK-4 proposal=svk-4 \
    src-address=10.18.10.0/24 tunnel=yes
/ip route
# Default route via the WAN gateway (redacted).
add comment=int distance=1 gateway=213.189.xxxxx
# Route for the MPK remote subnet pointing at the bridge. As noted in the
# thread, policy-based IPsec does not need a per-subnet route — the default
# route is enough for the policy to catch the packet — so this and the
# disabled routes below look like leftovers from the earlier Fortinet setup.
add comment=IP-sec distance=1 dst-address=10.7.202.0/24 gateway=bridge
add comment=IP-sec disabled=yes distance=1 dst-address=10.15.2.0/24 gateway=\
    bridge
# Static route for the router's own connected LAN prefix via the WAN gateway.
# The connected route (normally distance 0) wins, so this is inactive unless
# the bridge address goes down, at which point LAN-destined traffic would be
# sent to the ISP — probably unintended; confirm before keeping it.
add comment=int distance=1 dst-address=10.18.10.0/24 gateway=213.189.xxxxx
add comment=IP-sec disabled=yes distance=1 dst-address=192.168.144.0/24 \
    gateway=bridge pref-src=10.18.10.254
/ip route rule
# Disabled policy-routing rule for the old 10.15.2.0/24 path (table 2).
add disabled=yes dst-address=10.15.2.0/24 src-address=10.18.10.0/24 table=2
/ip service
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
# winbox and www-ssl are not listed here, so they keep their defaults; winbox
# is the remaining management path and the input chain above accepts
# TCP/8291 on every interface — restrict it with address= here or with an
# in-interface / src-address match in the filter rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=daily
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
# MAC-telnet and MAC-WinBox limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

When you want to make an IPsec setup with many subnets and the peers are under your control (e.g. they are branches of your company), I advise you to step back and use a different solution: GRE or IPIP tunnels over IPsec transport, with auto-routing using BGP or OSPF.
Enough can be found on this topic on the forum.

There are only IPsec settings. Before that, there was a Fortinet; everything worked there.

Is the other side still a fortinet or is there another MikroTik with the same (mirrored) configuration?

Yes, the other side is a Fortinet (MPK). An L2 channel to 6 addresses is connected on the Fortinet. The correct policy is below.

/ip ipsec policy
# The single policy the poster reports as working: MPK peer, selector
# 10.18.10.0/24 <-> 10.7.202.0/24, tunnel mode. Identical to the first MPK
# policy in the full export above.
add comment=MPK dst-address=10.7.202.0/24 peer=MPK proposal=MPK src-address=10.18.10.0/24 tunnel=yes

I am able to see the IPs from the other subnets via Torch, but I have no access to them.

Probably a NAT problem. You have a NAT-avoidance rule, but it is disabled and it sits below the masquerade rule; it should be above it.

Enabled it and placed it above everything. Nothing has changed.

Maybe routes are needed?

Routes are not needed as long as there is some route for the traffic; that would normally be the default route that points to the internet.
I will leave it to others to answer. I am not a fan of this configuration; I use GRE/IPsec to solve this kind of issue.

Thanks for the assistance, man.

upd