IPSec established but no Ping between remote networks

Good evening,

I’ve managed to create a tunnel between two remote sites. No matter what I try, I can’t ping between the networks, though.
Maybe you can spot something in my configuration that I haven’t.

Also, I see a number of encryption algorithms listed there; which of those could be called “best practice”?

Any security measures that you can propose for Site2Site configuration?


HQ:

MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.47.3 (c) 1999-2020       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[admin@HQ] > export 
# sep/08/2020 20:18:20 by RouterOS 6.47.3
# software id = LPP2-44E0
#
# model = 2011UiAS
# serial number = ************
# --- IKE phase 1 profile for the site-to-site tunnel ---
# dh-group=modp1024 is a 1024-bit MODP group, widely considered too weak for
# new deployments; both peers must use the same group, so raise it on both
# sides together (modp2048 or an ECP group where both routers support it).
# nat-traversal=no does not fit this router: its WAN address below is
# 192.168.10.250 (private), so it sits behind NAT and NAT-T has to be on at
# both ends (as the thread later confirms).
# hash-algorithm is not set, so the RouterOS default applies (sha1 on 6.x
# unless changed — verify).
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=Remote nat-traversal=no
# RemotePubIP is the poster's placeholder for the real remote public address.
# local-address is the private WAN IP, so inbound IKE (udp/500, udp/4500)
# has to reach it through the upstream NAT device.
# exchange-mode is not set, so the default applies (IKEv1 main mode on 6.x
# unless changed — verify); exchange-mode=ike2 is generally preferred.
/ip ipsec peer
add address=RemotePubIP/32 local-address=192.168.10.250 name=Remote \
    profile=Remote
# --- Phase 2 proposal ---
# Three CBC/CTR ciphers are offered; the peer picks the first one it also
# supports. auth-algorithms and pfs-group are not set, so defaults apply
# (sha1 / modp1024 on 6.x unless changed — verify). A current baseline is a
# single AEAD cipher (e.g. aes-256-gcm) with a >=2048-bit PFS group, set
# identically on both sides.
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr lifetime=8h name=\
    "Remote Proposal"
/ip pool
add name=pos_pool ranges=10.10.0.100-10.10.0.200
# pos_dhcp is bound to ether10, but 10.10.0.1/24 is assigned to ether2 below
# and this export shows no bridge or master port joining them; unless ether10
# is slaved to ether2 outside this export, clients on ether10 get no lease
# — verify (the DHCP server would show as invalid).
/ip dhcp-server
add address-pool=pos_pool disabled=no interface=ether10 name=pos_dhcp
/port
set 0 baud-rate=9600
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# LAN 10.10.0.0/24 on ether2; WAN is a private address on ether1, i.e. the
# router is behind another NAT device (relevant to NAT-T above).
/ip address
add address=10.10.0.1/24 comment=LAN interface=ether2 network=10.10.0.0
add address=192.168.10.250/24 comment=WAN interface=ether1 network=192.168.10.0
# Clients are told to use the router (10.10.0.1) for DNS, but
# /ip dns allow-remote-requests is not shown in this export; if it is still
# at its default, LAN clients will not get DNS answers — verify.
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
# --- Firewall filter ---
# Only these two input accept rules exist and there is no drop rule, so the
# input chain ends in the implicit accept: every service on the router is
# reachable from ether1. The forward chain has no rules at all, so all
# routed traffic (including anything arriving through the tunnel) is
# forwarded unrestricted. 1701/udp (L2TP) is not needed for a pure IPsec
# site-to-site tunnel. Restoring an established/related accept followed by a
# final drop on input, and limiting forward to the intended subnets, is the
# usual baseline — confirm the default firewall was removed on purpose.
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
    in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
    dst-port=500,1701,4500 in-interface=ether1 protocol=udp
# --- NAT ---
# Rule order matters: the accept rule for 10.10.0.0/24 -> 10.10.1.0/24 must
# stay above masquerade, otherwise tunnel traffic would be source-NATed
# before the IPsec policy can match it. log=yes here shows whether LAN-to-LAN
# packets reach the NAT table at all. The masquerade rule additionally carries
# ipsec-policy=out,none, which excludes policy-matched traffic as a second
# guard.
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.1.0/24 log=yes src-address=\
    10.10.0.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    ipsec-policy=out,none out-interface=ether1
# Pre-shared-key authentication (secret redacted by the poster); it must be
# identical on the remote identity.
/ip ipsec identity
add peer=Remote secret=****************************
# Policy 0 is the built-in template and is disabled. The tunnel policy covers
# 10.10.0.0/24 <-> 10.10.1.0/24 only; the remote router also has a second
# LAN, 10.0.0.0/24, that no policy here selects, so it is unreachable over
# the tunnel.
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.10.1.0/24 peer=Remote proposal="Remote Proposal" \
    sa-dst-address=RemotePubIP sa-src-address=192.168.10.250 src-address=\
    10.10.0.0/24 tunnel=yes
# Default route via the upstream NAT device.
/ip route
add distance=1 gateway=192.168.10.254
/system clock
set time-zone-name=Asia/Athens
/system identity
set name=HQ
# ipsec topic logging is enabled; /log print is the first place to look for
# phase 1/2 negotiation failures.
/system logging
add topics=ipsec
/tool user-manager database
set db-path=user-manager

Client:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.47.3 (c) 1999-2020       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[admin@Remote] > export
# sep/08/2020 20:25:05 by RouterOS 6.47.3
# software id = 56LN-4XX2
#
# model = 750
# serial number = ***************
# Single LAN bridge for ether3-5 (ports added below); the second LAN,
# 10.10.1.0/24, sits directly on ether2.
/interface bridge
add name="Bridge - LAN"
# --- IKE phase 1 profile ---
# Same settings as HQ: dh-group=modp1024 (weak by today's standards; raise it
# on both sides together) and nat-traversal=no, which does not fit a router
# whose WAN address is private (192.168.10.250 below). hash-algorithm is not
# set, so the default applies (sha1 on 6.x unless changed — verify).
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name="HQ Profile" nat-traversal=no
# HQPubIP is the poster's placeholder for the HQ public address.
# exchange-mode is not set, so the default applies (IKEv1 main mode on 6.x
# unless changed — verify); exchange-mode=ike2 is generally preferred.
/ip ipsec peer
add address=HQPubIP/32 local-address=192.168.10.250 name="HQ Peer" \
    profile="HQ Profile"
# Phase 2 proposal, named "HQ Proposal" — note that the policy further down
# references proposal="HQ" instead. auth-algorithms and pfs-group are not
# set, so defaults apply; a single AEAD cipher (e.g. aes-256-gcm) with a
# >=2048-bit PFS group, identical on both sides, is the usual baseline.
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr lifetime=8h name=\
    "HQ Proposal"
/ip pool
add name=pos_pool ranges=10.10.1.100-10.10.1.200
add name=lan_pool ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=pos_pool disabled=no interface=ether2 name=pos_dhcp
add address-pool=lan_pool disabled=no interface="Bridge - LAN" name=lan_dhcp
/port
set 0 baud-rate=9600 name=serial0
/interface bridge port
add bridge="Bridge - LAN" interface=ether3
add bridge="Bridge - LAN" interface=ether4
add bridge="Bridge - LAN" interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Both exports show the same WAN address 192.168.10.250/24 and gateway
# 192.168.10.254 — either anonymised by the poster or two NATed sites with
# identical upstream addressing. Either way this side is behind NAT too.
/ip address
add address=10.10.1.1/24 interface=ether2 network=10.10.1.0
add address=10.0.0.1/24 interface="Bridge - LAN" network=10.0.0.0
add address=192.168.10.250/24 interface=ether1 network=192.168.10.0
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1
add address=10.10.1.0/24 dns-server=8.8.8.8 gateway=10.10.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
# --- Firewall filter ---
# Same two input accept rules as HQ and no drop rule: the input chain ends
# in the implicit accept, so every router service is reachable from ether1,
# and the empty forward chain allows all routed traffic. 1701/udp (L2TP) is
# not needed for a pure IPsec site-to-site tunnel. An established/related
# accept followed by a final drop on input, and forward limited to the
# intended subnets, is the usual baseline.
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
    in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
    dst-port=500,1701,4500 in-interface=ether1 protocol=udp
# --- NAT ---
# Rule order matters: the accept rule keeps 10.10.1.0/24 -> 10.10.0.0/24 out
# of masquerade. Unlike HQ, the masquerade rule here carries no
# ipsec-policy=out,none guard, so the accept rule is the only thing keeping
# tunnel traffic un-NATed. Traffic from 10.0.0.0/24 toward HQ is not matched
# by the accept rule (and is outside the IPsec policy below), so it is
# masqueraded and never enters the tunnel.
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.0.0/24 src-address=\
    10.10.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
# Pre-shared-key authentication (secret redacted by the poster); it must be
# identical on the HQ identity.
/ip ipsec identity
add peer="HQ Peer" secret=************************
# NOTE(review): proposal="HQ" does not name the proposal defined above
# ("HQ Proposal"). If this is not just a transcription error in the post,
# phase 2 on this side has no matching proposal and no SA is installed for
# 10.10.1.0/24 <-> 10.10.0.0/24 — confirm against the live config and the
# ipsec log. Policy 0 is the built-in template and is disabled. Only
# 10.10.1.0/24 is selected; 10.0.0.0/24 is not reachable over the tunnel
# unless a second policy (and a matching one at HQ) is added.
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.10.0.0/24 peer="HQ Peer" proposal="HQ" \
    sa-dst-address=HQPubIP sa-src-address=192.168.10.250 src-address=\
    10.10.1.0/24 tunnel=yes
# Default route via the upstream NAT device.
/ip route
add distance=1 gateway=192.168.10.254
/system clock
set time-zone-name=Asia/Athens
/system identity
set name=Remote
# ipsec topic logging is enabled; /log print is the first place to look for
# phase 1/2 negotiation failures such as a rejected proposal.
/system logging
add topics=ipsec

If this:

/ip address
add address=192.168.10.250/24 comment=WAN interface=ether1 network=192.168.10.0

means that the router itself doesn’t have a public address, then nat-traversal=no in the ipsec profile is not a good idea, and you want nat-traversal=yes on both sides.

Yes, you are right. I disabled it for testing. But there is still no ping between those routers.

And what exactly are you testing? By default it won’t work if you try to reach the remote subnet from the router itself, because the router picks the “wrong” source address and the policy doesn’t match. Testing from a device in the local subnet can run into another problem: the firewall on the remote device may not accept packets from other subnets. You can also check IP->IPsec->Installed SAs to see what incoming and outgoing traffic is counted there (I’m not sure the byte-counter column is displayed by default).