IPSec. IP Tunnel int.

Hi guys,
I have a question about the IP tunnel interface. I have an IPSec tunnel between a Mikrotik and a Cisco ASA, and all works fine. But in “Interfaces” - “IP Tunnel”, my virtual interface has the columns “Tx”, “Rx”, “TX Packet”, “RX Packet” etc. = 0. Why?
I tried to create a new firewall rule that logs all traffic from the virtual IP Tunnel, but I do not see any lines in the “Log”. Why?

Best Regards
Dmitrii.

What do you have, an IPsec tunnel or an IPIP tunnel?
Please show your configuration.

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr name=RB
/ip ipsec peer
add address=X.X.X.X/32 dh-group=modp1024 enc-algorithm=aes-256 nat-traversal=no secret=XYZ
/ip ipsec policy
add dst-address=192.168.1.1/32 proposal=RB sa-dst-address=X.X.X.X sa-src-address=Y.Y.Y.Y src-address=10.10.10.10/32 tunnel=yes


/interface ipip
add !keepalive local-address=Y.Y.Y.Y mtu=1452 name=ipip-RB remote-address=X.X.X.X

/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ipip-RB

/ip firewall nat
add action=accept chain=srcnat comment="For IPIP RB" dst-address=192.168.1.1 log=yes src-address=10.10.10.10

PS. I also found the following. When I disable the IP-IP interface, the relationship between the networks remains, that is, the pings don’t stop.
I have a feeling that the virtual interface and the IPsec live separately.

That is correct, you have made two tunnels that are completely independent and have no relation, and traffic is flowing over the IPsec tunnel.
You can delete the IPIP tunnel, it is not required for this configuration.

Well, unless this person wants to use the tunnel interface. I find using transport mode ipsec between wan IPs is easier, then you can use whatever tunnels you want and they will be encrypted.

tunnel=no
proposal src-address=Y.Y.Y.Y
Consider using a GRE tunnel as well, although not sure if that matters.

If you want tunneling inside the IPIP (or GRE) interface, then there’s no need to tunnel “again” in ipsec.

Set up your routing to use the tunnel interface, not the ipsec.

This might break your ipsec until you set it up right on both sides though, be careful if you don’t have out of band management.

When you get done, turn on the sniffer on your outbound physical interface, then ping the WAN interface on the other side (Cisco) from the MikroTik. Also, send some traffic over the IPIP tunnel. In Wireshark, the packets between the 2 WAN IPs should be encrypted (ESP). You should only see ESP packets between the 2 IPs. That’s how you know it’s working.
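
The sniffer check described above, as an added example that is not part of the thread: a Python script that audits raw IPv4 packets captured on the WAN interface and lists anything between the two endpoints that is not ESP. It assumes nat-traversal=no as in the posted config (so ESP is IP protocol 50, not UDP-encapsulated), treats IKE on UDP 500 as expected alongside ESP, and uses constructed packets with documentation addresses standing in for Y.Y.Y.Y and X.X.X.X.

```python
import struct
from collections import Counter

NAMES = {1: "ICMP", 4: "IPIP", 17: "UDP", 47: "GRE", 50: "ESP"}

def ip4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left 0) for the constructed samples."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def classify(pkt):
    """Return (src, dst, label) for a raw IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    label = NAMES.get(proto, f"proto-{proto}")
    if proto == 17 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in (sport, dport):
            label = "IKE"  # key exchange on UDP 500 is expected next to ESP
    fmt = lambda b: ".".join(map(str, b))
    return fmt(pkt[12:16]), fmt(pkt[16:20]), label

def audit(packets, wan_a, wan_b):
    """Count what flows between the two WAN IPs and list anything that is not ESP or IKE."""
    seen, cleartext = Counter(), []
    for i, pkt in enumerate(packets):
        parsed = classify(pkt)
        if parsed is None or {parsed[0], parsed[1]} != {wan_a, wan_b}:
            continue  # not IPv4, or not between the two tunnel endpoints
        seen[parsed[2]] += 1
        if parsed[2] not in ("ESP", "IKE"):
            cleartext.append((i, parsed[2]))
    return seen, cleartext

# Constructed sample: documentation addresses stand in for Y.Y.Y.Y and X.X.X.X.
MT, ASA = "203.0.113.10", "198.51.100.20"
udp500 = struct.pack("!HHHH", 500, 500, 8, 0)
SAMPLE = [
    ip4(MT, ASA, 50, b"\x00" * 16),      # ESP, MikroTik -> ASA
    ip4(ASA, MT, 50, b"\x00" * 16),      # ESP, ASA -> MikroTik
    ip4(MT, ASA, 17, udp500),            # IKE
    ip4(MT, ASA, 4, ip4("10.10.10.10", "192.168.1.1", 1)),  # bare IPIP: not encrypted
    ip4(MT, ASA, 1, b"\x08\x00"),        # cleartext ping to the WAN address
    ip4(MT, "192.0.2.99", 6),            # unrelated host, ignored
]

if __name__ == "__main__":
    print(audit(SAMPLE, MT, ASA))
```

An empty second list means only ESP and IKE were seen between the endpoints; any IPIP, GRE or ICMP entry there is traffic leaving the router unencrypted.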

I agree with that, but I have seen the reply from several people that it is not so easy with the Cisco ASA.
(I have no experience at all with the Cisco ASA, only with Cisco IOS)

Thank You all so much! I now realized my mistake.
PS. It is a pity that Mikrotik does not have such detailed manuals as Cisco.