IPsec between 2 RouterOS (Vs.3.10)

hi all,
I want to connect two offices using an ipsec VPN.
Following the Wiki: http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco
This works fine, as long as WAN1 (10.10.1.100) and WAN2 (10.10.1.200) are in the same network:

Router 1
------------
interface ipip \
  add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no
ip address \  add address=10.10.1.100/24 network=10.10.1.0   broadcast=10.10.1.255   interface=ether1  comment="" disabled=no 
ip address \  add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether2  comment="" disabled=no 
ip address \  add address=172.16.0.1/30  network=172.16.0.0  broadcast=172.16.0.3    interface=Tunnel1 comment="" disabled=no

routing rip \ set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no \
  metric-static=1 metric-connected=1  metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m 
routing rip interface \ add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" \
  in-prefix-list="" out-prefix-list=""
routing rip neighbor \ add address=172.16.0.2 
routing rip network \  add network=192.168.1.0/24
routing rip network \  add network=172.16.0.0/30

ip ipsec proposal \
  add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
ip ipsec peer \
  add address=10.10.1.200/32:500 secret="geheim0815" generate-policy=no exchange-mode=main send-initial-contact=yes \
  proposal-check=obey   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no

ip ipsec policy \
  add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require \
  ipsec-protocols=esp  tunnel=no  sa-src-address=10.10.1.100  sa-dst-address=10.10.1.200 \
  proposal=IPSec manual-sa=none dont-fragment=clear disabled=no


Router 2--same WAN network:
--------------------
interface ipip \
  add name="Tunnel1" mtu=1480 local-address=10.10.1.200 remote-address=10.10.1.100 comment="" disabled=no

ip address \  add address=10.10.1.200/24 network=10.10.1.0   broadcast=10.10.1.255   interface=ether1  comment="" disabled=no 
ip address \  add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether4  comment="" disabled=no 
ip address \  add address=172.16.0.2/30  network=172.16.0.0  broadcast=172.16.0.3    interface=Tunnel1 comment="" disabled=no

routing rip \ set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no \
  metric-static=1 metric-connected=1  metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m 
routing rip interface \ add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" \
  in-prefix-list="" out-prefix-list=""
routing rip neighbor \ add address=172.16.0.1
routing rip network \  add network=192.168.2.0/24
routing rip network \  add network=172.16.0.0/30

ip ipsec proposal \
  add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
ip ipsec peer \
  add address=10.10.1.100/32:500 secret="geheim0815" generate-policy=no exchange-mode=main send-initial-contact=yes \
  proposal-check=obey   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
ip ipsec policy \
  add src-address=10.10.1.200/32:any dst-address=10.10.1.100/32:any protocol=all action=encrypt level=require \
  ipsec-protocols=esp  tunnel=no  sa-src-address=10.10.1.200  sa-dst-address=10.10.1.100 \
  proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

Now I changed 10.10.1.200 to 10.10.2.100 (both routers connected to the same Linux box, with ip_forward enabled), but there's no connection anymore:

interface ipip \
  add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.2.100 comment="" disabled=no

ip address \  add address=10.10.1.100/24 network=10.10.1.0   broadcast=10.10.1.255   interface=ether1  comment="" disabled=no 
ip address \  add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether2  comment="" disabled=no 
ip address \  add address=172.16.0.1/30  network=172.16.0.0  broadcast=172.16.0.3    interface=Tunnel1 comment="" disabled=no

routing rip \ set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no \
  metric-static=1 metric-connected=1  metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m 
routing rip interface \ add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" \
  in-prefix-list="" out-prefix-list=""
routing rip neighbor \ add address=172.16.0.2 
routing rip network \  add network=192.168.1.0/24
routing rip network \  add network=172.16.0.0/30
ip ipsec proposal \
  add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
ip ipsec peer \
  add address=10.10.2.100/32:500 secret="geheim0815" generate-policy=no exchange-mode=main send-initial-contact=yes \
  proposal-check=obey   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
ip ipsec policy \
  add src-address=10.10.1.100/32:any dst-address=10.10.2.100/32:any protocol=all action=encrypt level=require \
  ipsec-protocols=esp  tunnel=no  sa-src-address=10.10.1.100  sa-dst-address=10.10.2.100 \
  proposal=IPSec manual-sa=none dont-fragment=clear disabled=no


Router 2:
-----------
interface ipip \
  add name="Tunnel1" mtu=1480 local-address=10.10.2.100 remote-address=10.10.1.100 comment="" disabled=no

ip address \  add address=10.10.2.100/24 network=10.10.2.0   broadcast=10.10.2.255   interface=ether1  comment="" disabled=no 
ip address \  add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether4  comment="" disabled=no 
ip address \  add address=172.16.0.2/30  network=172.16.0.0  broadcast=172.16.0.3    interface=Tunnel1 comment="" disabled=no

routing rip \ set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no \
  metric-static=1 metric-connected=1  metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m 
routing rip interface \ add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" \
  in-prefix-list="" out-prefix-list=""
routing rip neighbor \ add address=172.16.0.1
routing rip network \  add network=192.168.2.0/24
routing rip network \  add network=172.16.0.0/30

ip ipsec proposal \
  add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
ip ipsec peer \
  add address=10.10.1.100/32:500 secret="geheim0815" generate-policy=no exchange-mode=main send-initial-contact=yes \
  proposal-check=obey   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no

ip ipsec policy \
  add src-address=10.10.2.100/32:any dst-address=10.10.1.100/32:any protocol=all action=encrypt level=require \
  ipsec-protocols=esp  tunnel=no sa-src-address=10.10.2.100  sa-dst-address=10.10.1.100 \
  proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

Please help me find the error.
How can I activate/view the IPsec log?
thanks, Stefan

Do you have IP connectivity WAN to WAN?

hi fatonk,
I suppose so. It's a Knoppix boot CD, eth0: 10.10.1.1, eth1: 10.10.2.1;
there's no firewall running and /proc/sys/net/ip_forward is set to 1.
How can I make sure connectivity is OK?

I can ping both 10.10.1.100 and 10.10.2.100 from this test-WAN-box.

Can you ping 10.10.1.1 from 10.10.2.1 and vice versa? Check the default routes in the MT boxes.

This sounds like you maybe mixed up the IP addresses (internally vs externally). To function properly the IP of the WAN is completely irrelevant in terms of it being on the same network or not. But the IPs of the internal LANs must be on different networks.

Sorry, I haven’t had time to go through your config yet.

Thanks for your replies, I will be able to check it out tomorrow.
Stefan

I checked the connectivity WAN to WAN, meaning I can ping 10.10.1.1 from 10.10.2.1 and vice versa.
The default routes look like this:

[admin@MikroTik-1] /ip route> pr 
 #      DST-ADDRESS        PREF-SRC        GATEWAY-STATE    GATEWAY    DISTANCE   INTERFACE          
 0 ADC  10.10.1.0/24       10.10.1.100                                    0        ether1             
 1 ADC  172.16.0.0/30      172.16.0.1                                     0        Tunnel1            
 2 ADC  192.168.1.0/24     192.168.1.1                                    0        ether2  

[admin@MikroTik-2] /ip route> pr 
 #      DST-ADDRESS        PREF-SRC        GATEWAY-STATE    GATEWAY    DISTANCE   INTERFACE          
 0 ADC  10.10.2.0/24       10.10.2.100                                    0        ether1             
 1 ADC  172.16.0.0/30      172.16.0.2                                     0        Tunnel1            
 2 ADC  192.168.2.0/24     192.168.2.1                                    0        ether4

I noticed there's no default gateway, so I added:
/ ip route add dst-address=192.168.1.0/24 gateway=192.168.1.1
/ ip route add gateway=10.10.1.1 ## on MT-1

/ ip route add dst-address=192.168.2.0/24 gateway=192.168.2.1
/ ip route add gateway=10.10.2.1 ## on MT-2

Still no luck.
I'm using MT-syslog, but it shows only my changes, nothing about IPsec, e.g.:
system,info route removed by admin in 16-Jun 15:19:39.17 from 192.168.2.1
system,info route added by admin in 16-Jun 15:39:21.31 from 192.168.2.1

How can I debug the problem, maybe tcpdump?
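As an added example (not code from this thread or from MikroTik), here is a Python check that encodes the consistency rules a transport-mode IPsec plus IPIP setup like the one posted above has to satisfy, fed with constructed values copied from the posted configs and route tables. The route check is the point the later posts circle around: once the two WANs sit on different subnets, each router needs a route to its peer's WAN address before any IKE or ESP packet can be sent at all.

```python
import ipaddress

# Constructed from the two configs and route tables posted above (second
# setup, before the default gateways were added); only the fields the checks
# need. Policy selectors are stored without RouterOS's ":any" port suffix.
R1 = {"tunnel": ("10.10.1.100", "10.10.2.100"), "peer": "10.10.2.100",
      "secret": "geheim0815", "ike": ("md5", "3des", "modp1024"),
      "policy": ("10.10.1.100/32", "10.10.2.100/32", "10.10.1.100", "10.10.2.100"),
      "routes": ["10.10.1.0/24", "172.16.0.0/30", "192.168.1.0/24"]}
R2 = {"tunnel": ("10.10.2.100", "10.10.1.100"), "peer": "10.10.1.100",
      "secret": "geheim0815", "ike": ("md5", "3des", "modp1024"),
      "policy": ("10.10.2.100/32", "10.10.1.100/32", "10.10.2.100", "10.10.1.100"),
      "routes": ["10.10.2.0/24", "172.16.0.0/30", "192.168.2.0/24"]}


def has_route(routes, host):
    """True if some prefix in the table (a 0.0.0.0/0 default counts) covers host."""
    h = ipaddress.ip_address(host)
    return any(h in ipaddress.ip_network(r) for r in routes)


def check_side(me, other, name):
    """Findings for one router relative to its peer; an empty list is consistent."""
    findings = []
    local, remote = me["tunnel"]
    if other["tunnel"] != (remote, local):
        findings.append(f"{name}: IPIP endpoints are not mirrored on the peer")
    if me["peer"] != other["tunnel"][0]:
        findings.append(f"{name}: ipsec peer {me['peer']} is not the peer's WAN address")
    src, dst, sa_src, sa_dst = me["policy"]
    # transport mode (tunnel=no) protects the IPIP packets themselves, so the
    # selectors and SA addresses must be exactly the tunnel endpoints
    if (src, dst, sa_src, sa_dst) != (f"{local}/32", f"{remote}/32", local, remote):
        findings.append(f"{name}: transport-mode policy does not match the IPIP endpoints")
    if me["secret"] != other["secret"] or me["ike"] != other["ike"]:
        findings.append(f"{name}: phase 1 secret or algorithms differ from the peer")
    if not has_route(me["routes"], remote):
        findings.append(f"{name}: no route to {remote}, so IKE (UDP/500) and ESP never leave")
    return findings


def check_pair(r1, r2):
    """Run the checks in both directions and return all findings."""
    return check_side(r1, r2, "R1") + check_side(r2, r1, "R2")


if __name__ == "__main__":
    for line in check_pair(R1, R2) or ["no inconsistencies found"]:
        print(line)
```

For the logging question, RouterOS records the IKE negotiation once the ipsec topic is enabled (/system logging add topics=ipsec action=memory, then /log print); on the Linux box in the middle, tcpdump -ni eth0 'udp port 500 or ip proto 50' shows whether IKE and ESP actually arrive and get forwarded.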

Sorry, but this is now beyond my expertise.