IPSEC not sending packets back to initiator

I have an RB1000U running RouterOS 4.0 (3.30 did the same thing) and am trying to set up an IPsec tunnel between this unit and a Cisco at another company. They have configured their end and provided the IPsec details for me to finish the connection.
Private Network on my side is 192.168.80.0/24
Private Network on their side is 10.48.239.0/24

Installed-SA shows the IPsec tunnel is established, but I cannot get any packets to go from our MikroTik (97.65.x.x) to their Cisco (12.39.x.x). Packets from their network are making it to us (current bytes is 6540), but packets from our network to them are (0) according to the installed-SAs print. I've tried to ping multiple IPs in the 10.48.239.x network and just get a request timed out. I've done this from the MikroTik as well as from servers on my network behind the MikroTik RB1000 router. Servers behind the router use the default gateway IP of 192.168.80.1, which is bound to the MikroTik ether2.

Anyone have an idea on what might be configured incorrectly? It seems to be on my end since I’m showing 0 bytes for the Installed SA that has our 97.65.x.x ip as the source address and 12.39.x.x as the destination address.


[admin@mikrotik] > ip ipsec installed-sa print
1 E spi=0x6AE6B9A src-address=12.39.xx.xx dst-address=97.65.xx.xx
auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="4bb065e7514xxxxxxxx"
enc-key="0988987a7fc89xxxxxxxx"
addtime=oct/26/2009 20:06:05 add-lifetime=6h24m/8h
usetime=oct/26/2009 20:11:26 use-lifetime=0s/0s current-bytes=6540
lifebytes=0/0

5 E spi=0x26E68167 src-address=97.65.xx.xx dst-address=12.39.xx.xx auth-algorithm=sha1 enc-algorithm=3des
replay=4 state=mature auth-key="5918aa9d2928dxxxxxxxxxxxxxxxxxxx"
enc-key="37bcf49ad1xxxxxxxxxxxxxxxxxxxxxx" add-lifetime=6h24m/8h use-lifetime=0s/0s
lifebytes=0/0


[admin@mikrotik] /ip ipsec policy> print
1 src-address=192.168.80.0/24:any dst-address=10.48.239.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=97.65.xx.xx sa-dst-address=12.39.xx.xx proposal=labcorp
priority=0


[admin@mikrotik] /ip ipsec peer> print
1 address=12.39.xx.xx/32:500 auth-method=pre-shared-key secret="changedxxxchanged" generate-policy=no
exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=1

[admin@mikrotik] /ip ipsec remote-peers> print
1 local-address=97.65.xx.xx remote-address=12.39.xx.xx state=established side=responder established=8h24m51s

[admin@mikrotik] /ip ipsec proposal> print
1 name="othercorp" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h pfs-group=modp1024

Upgrade to 4.1. I had identical problems under 4.0, and if you check the changelog for 4.1 you’ll see mention of a bug being fixed with regards to routing on virtual interfaces in 4.0.

I spent an entire day pulling my hair out until I upgraded to 4.1 and suddenly it all started working.

Do you have any NAT rules?

I do have NAT rules for the systems behind the MikroTik.

[admin@mikrotik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ESourceSQL to Internet NAT
chain=srcnat action=masquerade src-address=192.168.80.5
1 ;;; SQL to ESourceSQL1
chain=dstnat action=dst-nat to-addresses=192.168.80.5 to-ports=1433 protocol=tcp dst-address=97.65.xx.43
dst-port=1433
2 X chain=dstnat action=dst-nat to-addresses=192.168.80.5 to-ports=5000 protocol=tcp dst-address=97.65.xx.43
dst-port=5000
3 X ;;; Remote Desktop to ESourceSQL1
chain=dstnat action=dst-nat to-addresses=192.168.80.5 to-ports=3389 protocol=tcp dst-address=97.65.xx.43
dst-port=3389
4 chain=srcnat action=src-nat to-addresses=97.65.xx.44 src-address=192.168.80.6
5 chain=srcnat action=src-nat to-addresses=97.65.xx.45 src-address=192.168.80.7
6 chain=srcnat action=src-nat to-addresses=97.65.xx.46 src-address=192.168.80.8
7 chain=srcnat action=src-nat to-addresses=97.65.xx.47 src-address=192.168.80.9
8 chain=srcnat action=src-nat to-addresses=97.65.xx.48 src-address=192.168.80.10
9 chain=dstnat action=dst-nat to-addresses=192.168.80.6 protocol=tcp dst-address=97.65.xx.44 dst-port=80,44>
10 chain=dstnat action=dst-nat to-addresses=192.168.80.7 protocol=tcp dst-address=97.65.xx.45 dst-port=80,44>
11 chain=dstnat action=dst-nat to-addresses=192.168.80.8 protocol=tcp dst-address=97.65.xx.46 dst-port=80,44>
12 chain=dstnat action=dst-nat to-addresses=192.168.80.9 protocol=tcp dst-address=97.65.xx.47 dst-port=80,44>
13 chain=dstnat action=dst-nat to-addresses=192.168.80.10 protocol=tcp dst-address=97.65.xx.48
dst-port=80,443

Upgrading to 4.1 didn't make a difference. Maybe something with the NAT rules is causing the packets not to traverse back across the IPsec tunnel?

IPsec traffic must not be NATed.
This rule:
0 ;;; ESourceSQL to Internet NAT
chain=srcnat action=masquerade src-address=192.168.80.5

changes the source address of the packet, and as you can see from the packet flow diagram
http://wiki.mikrotik.com/wiki/Packet_Flow#IPsec_encryption
IPsec encryption happens after source NAT.
So you have to add an accept rule before the source NAT rule.
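As an added illustration (not code from the thread or from MikroTik), the following Python model walks a packet through the ordering the answer above describes: the srcnat chain first, then the IPsec policy lookup. It uses the thread's own policy and NAT rules, with 203.0.113.x as constructed placeholders for the redacted 97.65.xx.xx WAN addresses, and shows why the masqueraded host misses the policy until an accept rule is placed first.

```python
# Added example: model of RouterOS packet-flow order (srcnat, then IPsec
# policy lookup). Not the router's code; a simplified first-match chain.
import ipaddress

# Constructed placeholder for the redacted 97.65.xx.xx WAN address.
WAN_IP = "203.0.113.43"

# srcnat rules from the thread, in the order they were printed.
ORIGINAL_SRCNAT = [
    {"action": "masquerade", "src": "192.168.80.5/32"},
    {"action": "src-nat", "src": "192.168.80.6/32", "to": "203.0.113.44"},
]

# The fix from the answer: accept the tunnel traffic before any srcnat rule.
FIXED_SRCNAT = [
    {"action": "accept", "src": "192.168.80.0/24", "dst": "10.48.239.0/24"},
] + ORIGINAL_SRCNAT

# IPsec policy from the thread's "/ip ipsec policy print".
POLICY = {"src": "192.168.80.0/24", "dst": "10.48.239.0/24"}


def _match(rule, src, dst):
    """True if the packet's (src, dst) falls inside the rule's selectors."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
    in_dst = "dst" not in rule or \
        ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
    return in_src and in_dst


def apply_srcnat(rules, src, dst):
    """First matching srcnat rule wins; returns the post-NAT source address."""
    for rule in rules:
        if not _match(rule, src, dst):
            continue
        if rule["action"] == "accept":
            return src          # stop processing, packet left untouched
        if rule["action"] == "masquerade":
            return WAN_IP       # rewritten to the outgoing interface address
        if rule["action"] == "src-nat":
            return rule["to"]
    return src                  # no rule matched


def leaves_encrypted(rules, src, dst):
    """Packet-flow order: srcnat first, then the IPsec policy lookup."""
    natted_src = apply_srcnat(rules, src, dst)
    return _match(POLICY, natted_src, dst)
```

On RouterOS the equivalent of FIXED_SRCNAT is a `chain=srcnat action=accept` rule with the LAN and remote subnets as src-address/dst-address, added with place-before=0 so it sits above the masquerade rule; internet-bound traffic still falls through to masquerade.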

That worked! Added a source 192.168.80.0/24 to dst 10.48.239.0/24 rule at the top and packets are now passing. Thank you!