IPSec + EoIP Tunnel - can't ping LAN to LAN

Hi guys,
I’ve been googling for 2 days now, and I’m losing hope… If anyone can point me in the right direction, I’d be extremely grateful!

I used this guide to setup the tunnel between 2 sites: http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1
It works: I managed to get the tunnel up, and the Mikrotik on site A can ping the LAN IP of site B, and vice versa.

However, I can’t get the LAN on either site to ping the other side.
Routes (site A):

#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 A S  0.0.0.0/0                          <public_ip_gw>              1
1 ADC  10.22.22.0/24      10.22.22.1      loopback                  0
2 ADC  <public_net>    <public_ip>    ether1                    0
3 A S  192.168.1.0/24     192.168.3.1     loopback                  1
4 ADC  192.168.3.0/24     192.168.3.1     bridge                    0

Routes (site B):

#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADS  0.0.0.0/0                          <public_ip_gw>              1
1 ADC  10.22.22.0/24      10.22.22.2      ether1                    0
2 ADC  <public_net>/24    <public_ip>  ether1                    0
3 ADC  192.168.1.0/24     192.168.1.1     bridge                    0
4 A S  192.168.3.0/24     192.168.1.1     ether1                    1

Addresses (Site A):

 #   ADDRESS            NETWORK         INTERFACE                                                                          
0   ;;; defconf
     192.168.3.1/24     192.168.3.0     bridge                                                                             
1   <public>    <public>    ether1                                                                             
2   10.22.22.1/24      10.22.22.0      loopback

Addresses (Site B):

#   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                          
0   ;;; defconf
     192.168.1.1/24     192.168.1.0     bridge                                                                                                                                                                                                             
1 D <public>  <public>    ether1                                                                                                                                                                                                             
2 D 10.22.22.2/24      10.22.22.0      ether1

Firewall Rules (Site A):
(FILTER - excluding the defaults…)

1    chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 
2    chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.1.0/24 log=no log-prefix="" 
3    ;;; IPSec
      chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix=""

NAT

0    chain=srcnat action=src-nat to-addresses=10.22.22.1 dst-address=10.22.22.2 
1    chain=srcnat action=accept src-address=192.168.3.0/24 dst-address=192.168.1.0/24 log=no log-prefix="" 
2    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

RAW

0    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.1.0/24 
1    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.1.0/24 dst-address=192.168.3.0/24 
2  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough

Firewall Rules (Site B):

FILTER

1    chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 
2    chain=forward action=accept src-address=192.168.3.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

NAT

0    ;;; Tunnel specific rule
      chain=srcnat action=src-nat to-addresses=10.22.22.2 dst-address=10.22.22.1 log=no log-prefix="" 
1    chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.3.0/24 log=no log-prefix="" 
2    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

RAW

0    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.1.0/24 dst-address=192.168.3.0/24 
1    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.1.0/24 
2  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough

Can you for a moment pretend that you didn’t find that linked config (which I can’t seem to understand the point of) and describe what exactly you are trying to achieve? Do you actually have any use for EoIP, or do you just want a simple site to site tunnel between 192.168.1.0/24 and 192.168.3.0/24?

Lol…

That’s exactly what I want. I want 192.168.1.0 subnet device to be able to access a server in the 192.168.3.0 subnet - which happens to be in a remote LAN.

So no need for EoIP, certificates (they are not bad, but probably overkill for single tunnel), just simple site to site tunnel? If so, then try this:

Site A (with public address):

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=siteB
/ip ipsec peer
add exchange-mode=ike2 name=siteB passive=yes profile=siteB
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=siteB pfs-group=modp2048
/ip ipsec identity
add peer=siteB secret="SomeVeryVeryVeryLongAndImpossibleToGuessSecret"
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=siteB proposal=siteB src-address=192.168.3.0/24 tunnel=yes

Site B (behind NAT):

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=siteA
/ip ipsec peer
add address=<public address of site A> exchange-mode=ike2 name=siteA profile=siteA
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=siteA pfs-group=modp2048
/ip ipsec identity
add peer=siteA secret="SomeVeryVeryVeryLongAndImpossibleToGuessSecret"
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=siteA proposal=siteA src-address=192.168.1.0/24 tunnel=yes
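The two sides above have to agree on IKE profile, phase-2 proposal, exchange mode and pre-shared key, one side has to know the other's address so it can initiate, and the policies have to be exact mirrors (A's src-address is B's dst-address and vice versa). As an added example, not code from the thread or from RouterOS, here is a small Python checker that parses the two export-style snippets and reports any of those conditions that fail. The configs embedded below are copied from the answer; the peer address `203.0.113.10` is a constructed placeholder for site A's public address.

```python
"""Consistency check for a pair of RouterOS IPsec site-to-site configs (added example)."""
import shlex
from typing import Dict, List

Entry = Dict[str, str]

# Constructed input: the two snippets from the answer above, with a placeholder public address.
SITE_A = """
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=siteB
/ip ipsec peer
add exchange-mode=ike2 name=siteB passive=yes profile=siteB
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=siteB pfs-group=modp2048
/ip ipsec identity
add peer=siteB secret="SomeVeryVeryVeryLongAndImpossibleToGuessSecret"
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=siteB proposal=siteB src-address=192.168.3.0/24 tunnel=yes
"""
SITE_B = """
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=siteA
/ip ipsec peer
add address=203.0.113.10 exchange-mode=ike2 name=siteA profile=siteA
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=siteA pfs-group=modp2048
/ip ipsec identity
add peer=siteA secret="SomeVeryVeryVeryLongAndImpossibleToGuessSecret"
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=siteA proposal=siteA src-address=192.168.1.0/24 tunnel=yes
"""


def parse_export(text: str) -> Dict[str, List[Entry]]:
    """Turn export-style text into {menu path: [ {key: value}, ... ]}.

    shlex handles the quoted secret; only `add ...` lines are recorded.
    """
    menus: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current is not None and line.startswith("add "):
            entry: Entry = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                entry[key] = value
            menus[current].append(entry)
    return menus


def first(cfg: Dict[str, List[Entry]], menu: str) -> Entry:
    """First entry under a menu, or an empty dict if the menu is missing."""
    return cfg.get(menu, [{}])[0] if cfg.get(menu) else {}


def mirror_problems(a_text: str, b_text: str) -> List[str]:
    """Return a list of reasons the two configs cannot form one tunnel (empty = consistent)."""
    a, b = parse_export(a_text), parse_export(b_text)
    problems: List[str] = []

    # Parameters that must be identical on both ends (secret is compared, never echoed).
    must_match = {
        "/ip ipsec profile": ("dh-group", "enc-algorithm", "hash-algorithm"),
        "/ip ipsec proposal": ("auth-algorithms", "enc-algorithms", "pfs-group"),
        "/ip ipsec peer": ("exchange-mode",),
        "/ip ipsec identity": ("secret",),
    }
    for menu, keys in must_match.items():
        ea, eb = first(a, menu), first(b, menu)
        for key in keys:
            if ea.get(key) != eb.get(key):
                problems.append(f"{menu}: {key} differs")

    # At least one side must know the other's address, or nobody ever initiates IKE.
    peers = (first(a, "/ip ipsec peer"), first(b, "/ip ipsec peer"))
    if not any("address" in p for p in peers):
        problems.append("/ip ipsec peer: neither side has the other's address, nobody can initiate")

    # Policies must be mirror images and both in tunnel mode.
    pa, pb = first(a, "/ip ipsec policy"), first(b, "/ip ipsec policy")
    if (pa.get("src-address"), pa.get("dst-address")) != (pb.get("dst-address"), pb.get("src-address")):
        problems.append("/ip ipsec policy: src/dst are not mirror images of each other")
    for side, pol in (("A", pa), ("B", pb)):
        if pol.get("tunnel") != "yes":
            problems.append(f"/ip ipsec policy on site {side}: tunnel=yes missing")
    return problems


if __name__ == "__main__":
    print(mirror_problems(SITE_A, SITE_B) or "configs are consistent")
```

Run against the two snippets as posted it reports nothing; change one side's proposal cipher or one policy subnet and the mismatch is named, which is the kind of asymmetry that otherwise only shows up as a phase-2 failure in the IPsec log.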

Do I need to add routes or does the policy do that?

There must be a route to the destination, but it’s not actually used, only checked that it exists. Usually it’s not needed to add anything; the default route (for 0.0.0.0/0) is enough.

I sometimes add unreachable route for 192.168.0.0/16 to prevent packet leaks to unused subnet, and in that case I have to add routes for existing remote subnets to override that.

Another reason for adding routes is to set the source address which is used when the router itself connects to something in the remote subnet. By default it uses the address from the WAN interface, because for the routing process it looks like the subnet is there. And then it fails, because for IPSec it doesn’t match the policy. It can be fixed with the route’s pref-src option. In your case it would be:

Site A:

/ip route
add dst-address=192.168.1.0/24 gateway=<gateway> pref-src=192.168.3.1

Site B:

/ip route
add dst-address=192.168.3.0/24 gateway=<gateway> pref-src=192.168.1.1

Gateway can be anything (as I wrote, it won’t be actually used), so either WAN interface, or sometimes I point it to empty bridge named “ipsec”. Which is in a way wrong, but it works and I didn’t find any proper solution in RouterOS.
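The pref-src point above is easy to miss because LAN-to-LAN traffic works without it; only traffic the router originates itself (a ping from the Mikrotik, its own DNS or NTP lookups) picks the wrong source. As an added example, not from the thread and not RouterOS code, this Python model plays the two steps the answer describes: a longest-prefix route lookup that selects the source address (pref-src if set, otherwise the address of the outgoing interface), followed by the IPsec policy check on the resulting (src, dst) pair. LAN addresses are the ones from the thread; `203.0.113.10` is a constructed placeholder for site A's public address, and the gateway is left out because, as the answer says, it is not what decides the outcome.

```python
"""Model of source-address selection for router-originated traffic (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Dict[str, Optional[str]]

WAN_IP = "203.0.113.10"                                   # placeholder public address of site A
IFACE_ADDR = {"ether1": WAN_IP, "bridge": "192.168.3.1"}  # site A interface addresses

# Site A without a dedicated route: the remote LAN is reached via the default route.
ROUTES_NO_PREF: List[Route] = [
    {"dst": "0.0.0.0/0", "iface": "ether1", "pref_src": None},
    {"dst": "192.168.3.0/24", "iface": "bridge", "pref_src": None},
]
# Site A with the route the answer suggests: same exit interface, but pref-src pinned to the LAN address.
ROUTES_WITH_PREF: List[Route] = ROUTES_NO_PREF + [
    {"dst": "192.168.1.0/24", "iface": "ether1", "pref_src": "192.168.3.1"},
]
# Site A's IPsec policy: only 192.168.3.0/24 -> 192.168.1.0/24 is protected.
POLICIES = [{"src": "192.168.3.0/24", "dst": "192.168.1.0/24"}]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    best: Optional[Route] = None
    for route in routes:
        net = ip_network(route["dst"])
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best["dst"]).prefixlen):
            best = route
    return best


def choose_source(routes: List[Route], dst: str) -> str:
    """Source address the router uses for its own packets: pref-src wins, else the interface address."""
    route = lookup(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    return route["pref_src"] or IFACE_ADDR[route["iface"]]


def matches_policy(src: str, dst: str, policies=POLICIES) -> bool:
    """IPsec policy check: the packet is only protected if both ends fall inside one policy."""
    return any(
        ip_address(src) in ip_network(p["src"]) and ip_address(dst) in ip_network(p["dst"])
        for p in policies
    )


def router_ping(routes: List[Route], dst: str) -> Tuple[str, bool]:
    """Return (chosen source address, whether the packet would go through the tunnel)."""
    src = choose_source(routes, dst)
    return src, matches_policy(src, dst)


if __name__ == "__main__":
    print("without pref-src:", router_ping(ROUTES_NO_PREF, "192.168.1.1"))
    print("with pref-src:   ", router_ping(ROUTES_WITH_PREF, "192.168.1.1"))
```

Without the route the router sources the ping from its WAN address, the pair (203.0.113.10, 192.168.1.1) matches no policy and the packet leaves in the clear toward the default gateway, where the remote side never answers; with pref-src the pair is (192.168.3.1, 192.168.1.1) and the policy matches. A host on the LAN is unaffected either way, because its source address is already inside 192.168.3.0/24.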

Candidate for a simpler WireGuard VPN tunnel?

It’s not that much simpler. And IPSec has hardware acceleration, if you have the right devices.

Awesome!
I got the tunnel up!! It’s showing state established. I also added the routes exactly as you mentioned.

When I try to ping 192.168.1.1 from the mikrotik at site A (which is 192.168.3.1 LAN) I’m getting a timeout.

Any firewall rules I should be adding? or something else I missed?

It depends on what you have now. What you posted before aren’t all your rules, or are they? Because if they are, then everything is wide open to the whole world. If not (that would be good), then one tip is that traffic from the tunnel looks as if it comes from the internet, so the default firewall would block it. But you can match it using the ipsec-policy=in,ipsec option, so you can do e.g. this to allow any access from the tunnel to the router (which may be more than you want, but you get the idea):

/ip firewall filter
add chain=input ipsec-policy=in,ipsec action=accept
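Where that rule sits in the chain matters as much as its contents: RouterOS evaluates a chain top to bottom and the first matching rule decides, so an accept appended after the "drop everything not from LAN" rule is never reached for decrypted tunnel traffic, which arrives on the WAN interface. As an added example, not from the thread and not RouterOS code, this Python model evaluates a simplified input chain first-match style and shows both placements. The chain is a constructed approximation (accept established/related, drop invalid, drop anything not arriving from the LAN list), not a copy of any real device's defconf, and the sample packets are constructed too.

```python
"""First-match chain evaluation: where an ipsec-policy=in,ipsec accept must be placed (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_list: str            # interface list the packet arrived on: "WAN" or "LAN"
    proto: str              # "tcp", "udp", "icmp"
    state: str              # connection tracking state: "new", "established", "related", "invalid"
    ipsec_in: bool = False  # True if the packet was just decrypted from an IPsec SA


@dataclass(frozen=True)
class Rule:
    action: str                           # "accept" or "drop"
    comment: str = ""
    states: FrozenSet[str] = frozenset()  # connection-state=... (empty = any)
    not_in_list: Optional[str] = None     # in-interface-list=!X
    ipsec_in: Optional[bool] = None       # ipsec-policy=in,ipsec when True

    def matches(self, pkt: Packet) -> bool:
        if self.states and pkt.state not in self.states:
            return False
        if self.not_in_list is not None and pkt.in_list == self.not_in_list:
            return False
        if self.ipsec_in is not None and pkt.ipsec_in != self.ipsec_in:
            return False
        return True


# Constructed simplified input chain in the defconf spirit; not an actual export.
DEFAULT_INPUT: List[Rule] = [
    Rule("accept", "established,related", states=frozenset({"established", "related"})),
    Rule("drop", "invalid", states=frozenset({"invalid"})),
    Rule("drop", "not from LAN", not_in_list="LAN"),
]
# The rule the answer proposes.
IPSEC_RULE = Rule("accept", "from IPsec tunnel", ipsec_in=True)


def evaluate(chain: List[Rule], pkt: Packet, default: str = "accept") -> Tuple[str, Optional[int]]:
    """First matching rule wins; an unmatched packet falls through to the chain's implicit default."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


def latest_working_position(chain: List[Rule], rule: Rule, pkt: Packet) -> Optional[int]:
    """Furthest-down insertion index at which `rule` still gets `pkt` accepted (None if nowhere)."""
    for index in range(len(chain), -1, -1):
        if evaluate(chain[:index] + [rule] + chain[index:], pkt)[0] == "accept":
            return index
    return None


if __name__ == "__main__":
    # Constructed sample: a new TCP connection from the remote LAN, decrypted from the tunnel.
    tunnel_pkt = Packet(in_list="WAN", proto="tcp", state="new", ipsec_in=True)
    print("appended at the end:", evaluate(DEFAULT_INPUT + [IPSEC_RULE], tunnel_pkt))
    print("inserted at the top:", evaluate([IPSEC_RULE] + DEFAULT_INPUT, tunnel_pkt))
    print("lowest safe slot:  ", latest_working_position(DEFAULT_INPUT, IPSEC_RULE, tunnel_pkt))
```

Appended at the end the tunnel packet is dropped by the "not from LAN" rule (index 2) before the accept is ever consulted; at the top it is accepted at index 0. `latest_working_position` shows the rule can sit anywhere above the drop, which is the usual choice so that established/related and invalid handling still run first. A plain unencrypted packet from the internet is dropped in both orderings, so the accept does not widen exposure beyond traffic that really arrived through the SA.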

That did it!! I had to move the ipsec rule to the top, and it works!!!

Thank you so much for your help!!!

Quick follow-up question - I walked in this morning and couldn’t ping from Site B to Site A. When I tried pinging from A to B that worked, and only then did B to A start working.
Any idea what’s up with that?

It seems that I got misled by the guide you originally linked to, where one side was behind NAT and couldn’t accept incoming connections. But in your config you list a public address for both. If that’s correct, then on site A instead of this:

/ip ipsec peer
add exchange-mode=ike2 name=siteB passive=yes profile=siteB

use this:

/ip ipsec peer
add address=<public address of site B> exchange-mode=ike2 name=siteB profile=siteB