Hi all,
I have a problem with basics, not sure what is wrong, please someone help.
I have an IPsec tunnel OpenSWAN ↔ Mikrotik (customer). Problem is that customer is using 192.168.0.0/24, which of course is not the first one, so netmap is needed. However, Mikrotik LAN is not accessible from OpenSWAN LAN.
OpenSWAN_LAN(10.10.10.0/24)<--->OpenSWAN(1.1.1.1)<--->Mikrotik(2.2.2.2)<--->Mikrotik_LAN(192.168.0.0/24)
Traffic coming to OpenSWAN_LAN from Mikrotik_LAN should be src-NAT-ed to 172.18.18.0/24. Traffic in the opposite direction should be dst-NAT-ed to 192.168.0.0/24.
Ping from Mikrotik_LAN to OpenSWAN_LAN works ok, opposite direction does not work. I can ping 172.18.18.1 from OpenSWAN_LAN, but nothing else.
Here is the config:
OpenSWAN:
conn test
left=1.1.1.1
leftsubnet=10.10.10.0/24
right=2.2.2.2
rightsubnet=172.18.18.0/24
compress=no
authby=secret
esp=aes256-sha1
ike=aes256-sha1-modp1536
pfs=yes
ikelifetime=24h
keylife=1h
auto=start
MikroTik:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256 lifetime=1h name=\
"Test VPN" pfs-group=modp1536
/ip firewall filter
add action=accept chain=forward disabled=no dst-address=172.18.18.0/24 \
src-address=10.10.10.0/24
add action=accept chain=forward disabled=no dst-address=10.10.10.0/24 \
src-address=192.168.0.0/24
add action=accept chain=forward disabled=no dst-address=192.168.0.0/24 \
src-address=10.10.10.0/24
/ip firewall nat
add action=netmap chain=srcnat disabled=no dst-address=10.10.10.0/24 \
src-address=192.168.0.0/24 to-addresses=172.18.18.0/24
add action=netmap chain=dstnat disabled=no dst-address=172.18.18.0/24 \
src-address=10.10.10.0/24 to-addresses=192.168.0.0/24
/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key comment="Test VPN" \
dh-group=modp1536 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
enc-algorithm=aes-256 exchange-mode=main generate-policy=no hash-algorithm=\
sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 \
proposal-check=obey secret=xxxxxxxxx send-initial-contact=no
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.10.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal="Test VPN" protocol=\
all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=\
172.18.18.0/24 src-port=any tunnel=yes
Thank you very much.
BR
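As an added illustration (not part of the post above, and not RouterOS or Openswan code), the following Python models the 1:1 host-preserving translation that RouterOS `action=netmap` performs and walks one packet in each direction through the selectors in the posted configs, so you can see which addresses each stage (conn subnets, IPsec policy, netmap, forward filter) actually sees. The stage order and the assumption that the inbound MikroTik policy mirrors the outbound one are mine, not from the post.

```python
import ipaddress

# Constructed model of the topology in the post (same prefixes as the question).
OPENSWAN_LAN = ipaddress.ip_network("10.10.10.0/24")
MIKROTIK_LAN = ipaddress.ip_network("192.168.0.0/24")   # real customer LAN
MAPPED_LAN   = ipaddress.ip_network("172.18.18.0/24")   # what OpenSWAN is told to use

def netmap(addr, from_net, to_net):
    """1:1 translation as action=netmap does it: keep the host bits, swap the prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        return addr                      # rule does not match, address left unchanged
    return to_net.network_address + (int(addr) - int(from_net.network_address))

def selector_matches(src, dst, src_net, dst_net):
    """Does a (src, dst) pair fall inside a conn / policy subnet pair?"""
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net

def trace_from_openswan(src, dst):
    """Packet OpenSWAN_LAN -> Mikrotik_LAN: record what each stage sees."""
    stages = {}
    # Openswan conn: leftsubnet=10.10.10.0/24 -> rightsubnet=172.18.18.0/24
    stages["openswan_conn"] = selector_matches(src, dst, OPENSWAN_LAN, MAPPED_LAN)
    # MikroTik inbound policy (assumed mirror of the posted one): 10.10.10.0/24 -> 172.18.18.0/24
    stages["mikrotik_policy"] = selector_matches(src, dst, OPENSWAN_LAN, MAPPED_LAN)
    # chain=dstnat netmap: 172.18.18.x -> 192.168.0.x
    dst_after = netmap(dst, MAPPED_LAN, MIKROTIK_LAN)
    stages["dst_after_netmap"] = str(dst_after)
    # forward filter: src 10.10.10.0/24 dst 192.168.0.0/24 accept
    stages["forward_filter"] = selector_matches(src, dst_after, OPENSWAN_LAN, MIKROTIK_LAN)
    return stages

def trace_from_mikrotik(src, dst):
    """Packet Mikrotik_LAN -> OpenSWAN_LAN, the direction the post says already works."""
    stages = {}
    # forward filter: src 192.168.0.0/24 dst 10.10.10.0/24 accept
    stages["forward_filter"] = selector_matches(src, dst, MIKROTIK_LAN, OPENSWAN_LAN)
    # chain=srcnat netmap: 192.168.0.x -> 172.18.18.x
    src_after = netmap(src, MIKROTIK_LAN, MAPPED_LAN)
    stages["src_after_netmap"] = str(src_after)
    # MikroTik policy: src 172.18.18.0/24 dst 10.10.10.0/24
    stages["mikrotik_policy"] = selector_matches(src_after, dst, MAPPED_LAN, OPENSWAN_LAN)
    # Openswan conn: rightsubnet=172.18.18.0/24 -> leftsubnet=10.10.10.0/24
    stages["openswan_conn"] = selector_matches(src_after, dst, MAPPED_LAN, OPENSWAN_LAN)
    return stages
```

Note that a host on OpenSWAN_LAN addressing the real 192.168.0.x prefix never matches the conn at all; with netmap in place, only the mapped 172.18.18.x addresses are valid from that side.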