IPSec Issue

I have an IPSec setup between two sites and I can ping the router from both sides. However I cannot ping or get any traffic to pass through the IPSec other than to the routers from the remote sides. I assumed I needed to add something to my Routes to get it working but I am shooting blanks. Any suggestions? If needed I can do an export of my config. I am running the latest stable build.

Thanks in advance for any help you can provide.

Classic (policy-based) IPsec does not take routing into account at all.
Please post your current configuration along with some further clarification of what traffic is expected to be tunneled.

I would like to have a secondary domain controller replicating AD and DNS with the primary DC through the IPSec. Here is my config.

# jun/27/2016 12:21:39 by RouterOS 6.35.2
# software id = 04S0-0M99

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.3.100-192.168.3.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ip address
add address=1.1.1.1/28 interface=ether1 network=173.241.201.160
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.3.1 name=router
/ip firewall address-list
add address=2.2.2.2 list=ALLOW
add address=192.168.2.0/24 list=ALLOW
/ip firewall filter
add chain=input dst-port=500,4500 protocol=udp src-address=2.2.2.2
add chain=input protocol=ipsec-esp src-address=2.2.2.2
add chain=output protocol=ipsec-esp src-address=2.2.2.2
add chain=input dst-port=8291 protocol=tcp src-address-list=ALLOW
add chain=input dst-port=161 protocol=udp src-address-list=ICMP
add chain=input comment="default configuration" protocol=icmp src-address-list=ALLOW
add action=drop chain=input protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=2.2.2.2/32 secret=*********
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.2.0/24 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=gateway

OK, this rule seems to be causing the issue over IPSec.

/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1

Is it safe to leave this disabled?

Make sure your firewall is configured properly.

More information would really be helpful. I am aware the firewall needs some tweaks. Here is my config
/ip firewall filter
add chain=input dst-port=500,4500 protocol=udp src-address=2.2.2.2
add chain=input protocol=ipsec-esp src-address=2.2.2.2
add chain=output protocol=ipsec-esp src-address=2.2.2.2
add chain=input dst-port=8291 protocol=tcp src-address-list=ALLOW
add chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=ALLOW
add action=drop chain=input protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1


How do I make sure my IPSec doesn’t get caught in the last line?

Try to bypass NAT for the remote net:

/ip firewall nat add chain=srcnat dst-address=192.168.3.0/24 action=accept place-before=0

Have a good day!

Thanks for the suggestion but that didn’t help. I already had this

/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.3.0/24 action=accept place-before=0

I removed the source address to verify nothing changed.
Any other suggestions?

Check whether the action is accept or masquerade.
Insert before

/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1

a rule for the remote LAN forward accept:

/ip firewall filter add chain=forward comment="From DC to DC" dst-address=DC1.addr src-address=DC2.addr action=accept

On the server check
IP, IPsec, Peer
Check
Generate policy: port override

And in the proposal
select
3des
sha1
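Putting the NAT bypass and the forward-accept suggestions from the last two replies together, here is an added example of the complete set of rules; it is not part of the thread or of anyone's posted config. It uses RouterOS 6.x syntax and the topology from the export above (local LAN 192.168.3.0/24 behind ether1 at 1.1.1.1, remote LAN 192.168.2.0/24 behind peer 2.2.2.2, default-config rule comments as exported). The DC addresses 192.168.3.10 and 192.168.2.10 and the peer's support for AES-256/SHA-256 are assumptions. The point it demonstrates is that the "drop all from WAN not DSTNATed" rule can stay enabled: the decrypted tunnel traffic gets its own accept rule keyed on the ipsec-policy matcher, so cleartext packets from the Internet are still dropped.

```routeros
# Added example, not from the thread. Topology taken from the export above;
# DC addresses and the peer's cipher support are assumptions.

# 1. NAT bypass must sit above the masquerade rule. Otherwise the source
#    address is rewritten to 1.1.1.1 before the IPsec policy
#    (192.168.3.0/24 -> 192.168.2.0/24) is consulted, and nothing is tunnelled.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.3.0/24 \
    dst-address=192.168.2.0/24 place-before=0 \
    comment="IPsec bypass: do not masquerade site-to-site traffic"

# 2. Limit what the tunnel may carry to the two domain controllers
#    (assumed addresses, adjust to the real DCs).
/ip firewall address-list
add list=DC-LOCAL address=192.168.3.10 comment="assumed: local DC"
add list=DC-REMOTE address=192.168.2.10 comment="assumed: remote DC"

# 3. Keep the default WAN drop rule enabled. Decrypted ESP payloads re-enter
#    the forward chain on ether1 with connection-nat-state=!dstnat, so they
#    need an accept placed above the drop. ipsec-policy=in,ipsec matches only
#    packets that actually arrived inside an IPsec SA; a spoofed cleartext
#    packet from the WAN with source 192.168.2.10 still hits the drop rule.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address-list=DC-REMOTE dst-address-list=DC-LOCAL \
    comment="site-to-site: decrypted DC traffic from remote site" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
enable [find comment="defconf: drop all from WAN not DSTNATed"]

# 4. Peer and proposal settings must be identical on both routers.
#    3DES/SHA1 works but is weak; if the other end supports it (assumed here),
#    use AES-256 and SHA-256 on both sides instead.
/ip ipsec peer
set [find address=2.2.2.2/32] enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048
/ip ipsec proposal
set [find default=yes] enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048

# 5. Verify. Ping with a LAN source address: a ping sourced from 1.1.1.1 does
#    not match the policy and leaves in cleartext via the default route.
/ip ipsec policy print detail
/ip ipsec installed-sa print
/ping 192.168.2.10 src-address=192.168.3.1 count=4
/ip firewall filter print stats where comment~"site-to-site"
```

After the ping, the policy should show ph2-state=established, installed-sa should list SAs in both directions, and the counters of the "site-to-site" accept rule should climb while the defconf drop rule's counters stay flat. The mirror-image rules (subnets and address lists swapped) go on the 192.168.2.0/24 router.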

Between the last two posts I was able to solve the problem. Thanks for the help.