I recently moved the config of a failing RB3011 onto an L009. Everything works perfectly except IPSec. The configuration for this is identical and I even fired up the 3011 and it worked just fine there. On the L009 the tunnel is established but I cannot reach the remote subnet and ping gives net unreachable.
This is to an Oracle Cloud IPSec VPN. Here is the relevant config, grateful for any ideas!
The first thing that stands out is that in vanilla IPsec you cannot have two policies with identical traffic selectors, the one lower on the list is considered invalid and no Phase 2 SA pair is established for it. So I am very surprised it works with the 3011. The Mikrotik solution here is to have a single policy but bind it to both peers; that way, RouterOS establishes Phase 1 SAs with both peers, but only establishes Phase 2 with the first one. If Phase 1 to that peer fails, it establishes Phase 2 with the other one, and keeps using it even if Phase 1 to the first one re-establishes later. The only reason to return Phase 2 to the first peer is a failure of Phase 1 with the second one. So if you want ROS to prefer one of the peers when both are available, you have to use a periodically scheduled script to disable and re-enable the backup peer.
If the remote peers are RouterOS devices, they both have to have a route to 172.16.0.0/12 via the other one, and generate IPsec policies dynamically from a template. That way, no matter which one of them receives a packet for 172.16.0.0/12, it either has a dynamically created policy for it, or it forwards it to the other one. If the Phase 2 is not established to any of them, they keep sending the packet to each other until its TTL expires. The Oracle peers must behave the same way - if Phase 2 is not established towards one of them, it must forward the traffic for your Mikrotik to the other one.
Other than that, I hazily remember aes-gcm had some issues on some versions of ROS 7 on some CPU models. It is definitely not supported in hardware on RB3011 whereas such support seems to be available on L009, but there was some trouble with it. I was discussing that with someone here some months ago.
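The periodically scheduled "disable and re-enable the backup peer" workaround described above, written out as an added RouterOS script example (not something from the thread or from the OP's config). The peer name oracle-backup, the interval and the delay are assumptions; the script bounces the backup peer so that, if Phase 1 to the primary peer is healthy again, RouterOS re-establishes Phase 2 with the primary rather than staying on the backup.

```routeros
# Added example: return Phase 2 to the preferred peer by bouncing the backup.
# Assumes the two Oracle peers are named "oracle-primary" and "oracle-backup"
# under /ip/ipsec/peer and that the single policy is bound to both of them.
/system/scheduler add name=ipsec-prefer-primary interval=1h \
    on-event={
        # Only bounce the backup peer while it is the one with an active SA,
        # otherwise the tunnel is already on the preferred peer.
        :if ([:len [/ip/ipsec/active-peers find where \
                remote-address=[/ip/ipsec/peer get oracle-backup address]]] > 0) do={
            /ip/ipsec/peer disable [find name=oracle-backup]
            # Give RouterOS time to tear down Phase 2 on the backup and
            # re-negotiate it with the primary peer (assumed 30 s is enough).
            :delay 30s
            /ip/ipsec/peer enable [find name=oracle-backup]
            :log info "ipsec-prefer-primary: bounced oracle-backup"
        }
    }
```

If Phase 1 to the primary is still down when the backup is bounced, Phase 2 simply returns to the backup once it is re-enabled, so the script is safe to run unattended.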
For the IPsec tunnel to work correctly, there must be different subnets of the internal network on both sides. In your case, it is not really clear how it works at all. The order of firewall rules is also important. You are missing entries that ensure correct traffic flow and of course security in general.
There are two types of configuration for Mikrotik - one is: "allow everything and deny only what needs to be denied".
The other: "deny everything and allow only what we need to allow". This is the most popular practice, so you can safely use this method.
We are also having problems with the L009 on RouterOS versions higher than 7.16 and IPsec. I have not yet taken the time to investigate. All other devices are working fine with the exact same configuration. For the L009 to work correctly we stay on 7.16.x on those devices.
When 2 tunnels are defined to the same endpoints only 1 becomes active, so that's not an issue, just not useful.
A tunnel is showing as established on both ends but traffic just does not pass between the subnets, which are distinct. I did not paste my complete config for brevity but in testing if I allow all traffic through the firewall I still get no connectivity.
Essentially the only thing to have changed between the 3011 and the L009 is the interface names, which have all been checked.
I’d be very interested in anything you discover @onnoossendrijver.
Did you try to set up the firewall according to my example? Did you change the subnets on both sides? Did the recommendations for traffic flow adjustments in the firewall and video link instructions not help?
The tunnel is configured correctly, matching the requirements on the other end and is established. Both ends of the tunnel state that it is up.
It is not a firewall issue as I have tested by bypassing completely.
A src-nat rule exists correctly.
Thanks
You say that the tunnel is configured correctly, but if we look at your example, we see that both sides have the same internal subnets, which are not correct.
Did you compare your configuration with the one I posted in the link? Did you look at the example? If you did everything according to the instructions in the video tutorial, everything should work, but - on the condition that you correct your firewall rule entries.
Why? Because your Mikrotik does not have the correct packet flow (https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS) specified and it does not know how to properly redirect traffic to it, etc.
You are not using the input and forward chains correctly. Each entry is important; the sequence is also very important, because incorrectly created entries can create incorrect traffic flow, can cause traffic jams, can cause unexpected disconnects, and also unstable operation.
INPUT CHAIN → To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN → Through the Router. Direction flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN → From the Router. Directional flow is Router to WAN.
Is it possible to see the latest firewall configuration?
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
As mentioned earlier, the fact there are 2 tunnels specified is irrelevant. RouterOS will simply place one as inactive if the same subnets are specified. Yes I have read your post and IPSec is configured correctly, the tunnel is established. I have also confirmed that the firewall is not the issue by bypassing it and allowing all traffic on all chains. Again I used the same configuration on an RB3011 for several years without issue and when reverting to this router have full functionality. This seems specific to the L009.
Thanks