Ipsec not traffic passing

Hello all.

I have set up the IPsec and I don’t get the traffic passing. I have done Firewall Nat and no luck.
Please can you help me; what am I missing?

Thank you

Router 2

/ip ipsec> export
# nov/27/2020 13:49:56 by RouterOS 6.47.8
#
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 local-address=2.2.2.2 name=Router2
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s enc-algorithm=aes-256 hash-algorithm=sha512
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override notrack-chain=output peer=Router2 secret="*********"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.59.10.0/24 peer=Router2 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.1.0/24 tunnel=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=10.59.10.0/24 src-address=192.168.1.0/24

Router1


ip ipsec export
# nov/27/2020 14:11:18 by RouterOS 6.47.8
#
/ip ipsec peer
add address=2.2.2.2/32 exchange-mode=ike2 local-address=1.1.1.1 name=Router1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha512 proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override notrack-chain=output peer=Router1 secret="`secret"
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=Router1 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.59.10.0/24 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix=ipsec-nat src-address=10.59.10.0/24

Check my guide: http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1

I think you are missing bridge/interface for VPN server as well as NAT rule for internal networks. I’ve mentioned everything there.

I have followed the guys setup. https://www.informaticar.net/how-to-establish-site-to-site-vpn-with-mikrotik-routers/

Try again. At least you are missing a NAT rule.

I did add the nat rule, ?

Not Working!

Not Working!

So what logs say? Enable ipsec logging and show the logs. What is happening in overall?

Hey, I got it working, Thank you.

so Noob question: Router A is 192.168.1.0/24 and Router is 10.59.10.0/24. if I add the Nat I can’t ping the Linux box on 192.168.1.18 from 10.59.10.40.
How do I go about this with the IPsec?

What NAT are you talking about? The action=accept chain=srcnat rules you’ve posted in the config excerpts shown in the OP? These are intended to make sure that the traffic between the LAN subnets will not be handled by the subsequent action=src-nat or action=masquerade rules. Without seeing the configuration which does not work, it is hard to guess what is wrong.

Hope the log will help.
ipsec.0.txt (19.9 KB)

Router A

@*****VM > export         
# nov/30/2020 09:00:04 by RouterOS 6.47.8
# software id = 
#
#
#
/interface bridge
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment=MirotikSW-Router disable-running-check=no name=ether1-external
set [ find default-name=ether3 ] comment=ISSA-VM disable-running-check=no name="ether2- iscar"
set [ find default-name=ether2 ] disable-running-check=no disabled=yes name=ether3
set [ find default-name=ether4 ] comment=MikrotikSW-Lan disable-running-check=no name="ether4 - Lan"
/interface eoip
add !keepalive local-address=10.22.22.1 mac-address=******name="My EoIP" remote-address=10.22.22.2 tunnel-id=0
/interface list
add name=WAM
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=10.22.22.2 name="My mc" split-include=10.22.22.1/32 system-dns=no
/ip ipsec policy group
add name="My group"
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s enc-algorithm=aes-256 hash-algorithm=sha512
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer
add address=*****/32 exchange-mode=ike2 local-address=1***** name="My server" passive=yes profile="My profile"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="ether4 - Lan" name=dhcp1
/system logging action
add disk-file-name=ipsec name=action1 target=disk
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=!none
/interface list member
add interface=ether1-external list=WAM
add list=LAN
/ip address
add address=192.168.1.1/24 interface="ether4 - Lan" network=192.168.1.0
add address=******/29 interface=ether1-external network=********
add address=10.22.22.1/24 interface=loopback network=10.22.22.0
/ip dhcp-client
add add-default-route=no disabled=no interface="ether2- iscar" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=10.22.22.2
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=yes
/ip firewall mangle
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=10.59.10.0/24
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1
add action=masquerade chain=srcnat
add action=accept chain=srcnat disabled=yes dst-address=10.22.22.0/24 src-address=10.59.10.0/24
/ip ipsec identity
add auth-method=digital-signature certificate="My server" generate-policy=port-strict mode-config="My mc" peer="My server" policy-template-group="My group" remote-id=ignore
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" sa-dst-address=***** sa-src-address=******** src-address=10.22.22.1/32 tunnel=yes
/ip route
add distance=1 gateway=*****
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24,10.59.0.0/24
set api disabled=yes
set winbox address=10.59.0.0/24,169.1.234.50/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Skynet-VM
/system logging
add action=action1 prefix=IPsec topics=ipsec
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Router B

@****-hEXs > export
# nov/30/2020 09:23:51 by RouterOS 6.47.8
# software id = 
#
# model = 
# serial number = 
/interface ethernet
set [ find default-name=ether1 ] name=ether1_Afrihost speed=100Mbps
set [ find default-name=ether2 ] disabled=yes name=ether2_ECT speed=100Mbps
set [ find default-name=ether3 ] disabled=yes name="ether3 - Laptop" speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=sfp1 ] name=sfp1_Fiberlink
/interface eoip
add !keepalive local-address=10.22.22.2 mac-address=FE:81:E1:E0:86:AB name="My EoIP" remote-address=10.22.22.1 tunnel-id=0
/interface vlan
add disabled=yes interface=sfp1_Fiberlink name=vlan_IoT vlan-id=60
add disabled=yes interface=sfp1_Fiberlink name=vlan_Security vlan-id=80
add interface=sfp1_Fiberlink name=vlan_SkyNetSW vlan-id=50
add interface=ether2_ECT name=vlan_Skynet vlan-id=20
add interface=ether2_ECT name=vlan_WAM2 vlan-id=40
/interface list
add name=IoT
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name="My mc" responder=no use-responder-dns=no
/ip ipsec policy group
add name="My group"
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=13m20s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha512 proposal-check=strict
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer
add address=*****/32 exchange-mode=ike2 local-address=***** name="My peer" profile="My profile"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip kid-control
add fri="" mon="" name=kid1 sat="" sun="" thu="" tue="" wed=""
/ip pool
add name=SkyNet_Pool ranges=10.59.10.20-10.59.10.100
add name=IPSec_Pool ranges=10.59.11.5-10.59.11.10
add name=IoT_Pool ranges=10.59.12.100-10.59.12.150
add name=Homesec_Pool ranges=10.59.13.5-10.59.13.10
/ip dhcp-server
add address-pool=SkyNet_Pool disabled=no interface=vlan_SkyNetSW lease-time=8h name=Skynet_DHCP
add address-pool=SkyNet_Pool interface=vlan_Skynet name=server1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1_Afrihost list=WAN
add list=LAN
add list=IoT
add interface=vlan_WAM2 list=WAN
/ip address
add address=10.59.10.1/24 interface=vlan_SkyNetSW network=10.59.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1_Afrihost use-peer-ntp=no
add add-default-route=no disabled=no interface=vlan_WAM2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.59.10.40 client-id=1:b8:27: mac-address=B8:27:EB:D server=Skynet_DHCP
/ip dhcp-server network
add address=10.59.10.0/24 dns-server=10.59.10.1 gateway=10.59.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,176.103.130.131,1.1.1.1,9.9.9.9
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addresses=10.22.22.2
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=digital-signature certificate="My client" mode-config="My mc" peer="My peer" policy-template-group="My group" remote-id=ignore
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" sa-dst-address=***** sa-src-address=***** src-address=10.22.22.2/32 \
    tunnel=yes
/ip ipsec settings
set accounting=no
/ip route
add comment="Cloud update" disabled=yes distance=1 gateway=***** routing-mark=via-gw1
add disabled=yes distance=1 gateway=**** routing-mark=to_wlan1
add disabled=yes distance=1 gateway=ether1_Afrihost routing-mark=VPN_Traffic
add check-gateway=ping disabled=yes distance=1 gateway=*******
/ip service
set telnet disabled=yes
set ftp address=10.59.10.0/24 disabled=yes
set www disabled=yes
set ssh address=10.59.10.0/24,******/32,10.59.11.0/24,192.168.1.0/24 port=22020
set api disabled=yes
set winbox address=*******/32,10.59.11.0/24,10.59.10.0/24,192.168.1.0/24 port=26030
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=****-hEXs
/system logging
add prefix=IPSEC topics=ipsec
add prefix=Firewall topics=firewall

  • on Router A, the action=accept rule in chain srcnat of /ip firewall nat is after the action=masquerade one, so the packet it would match never reaches it. Order of rules matters: they are evaluated first to last until the first match.
  • the log shows that only a policy for the peers’ addresses is established (initiator selector: 10.22.22.2, responder selector: 10.22.22.1), which is in accord with the currently published configuration.

So if you want the subnets to talk to each other transparently, you have to add again the policies with those subnets as src-address and dst-address, and move the action=accept rule before (above) the action=masquerade one.

Currently, the first (action=src-nat) rule in srcnat chain of Router A makes connections from Router A to Router B’s address 10.22.22.2 look as if sent from 10.22.22.1, but that doesn’t make it possible to connect to LAN subnet of router B unless you’d use port forwarding at Router B.

Apologies, but I’m lost now.
I have fixed the nat rules,

Router A

/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.2 to-addresses=10.22.22.1
add action=masquerade chain=srcnat

/ip ipsec policy group
add name="My group"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.2/32 level=unique peer="My server" proposal="My proposal" sa-dst-address="Router B" sa-src-address="Router A" src-address=10.22.22.1/32 tunnel=yes
add dst-address=192.168.1.0/24 peer="My server" proposal="My proposal" sa-dst-address="Router B" sa-src-address="Router A" src-address=10.59.10.0/24 tunnel=yes

Router B

/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.22.22.1 to-addre
add action=masquerade chain=srcnat

/ip ipsec policy group
add name="My group"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.22.22.1/32 peer="My peer" proposal="My proposal" sa-dst-address="Router A" sa-src-address="Router B" src-address=10.22.22.2/32 tunnel=yes
add dst-address=10.59.10.0/24 peer="My peer" proposal="My proposal" sa-dst-address="Router A" sa-src-address="Router B" src-address=192.168.1.0/24 tunnel=yes

You’re halfway there. You have properly added the policies for 10.59.10.0/24 <=> 192.168.1.0/24 traffic, but you haven’t excluded this traffic from being src-nated to the WAN IP of each machine. So when the packet from (e.g.) 10.59.10.3 is sent to (e.g.) 192.168.1.17, it is routed via WAN (as there is only the default route) and gets src-nated to the IP of the outgoing interface chosen by regular routing, thanks to the action=masquerade rule, hence it becomes invisible to the IPsec policy, as its source address doesn’t fit into 10.59.10.0/24 anymore.

Hence you need to add the chain=srcnat action=accept src-address=10.59.10.0/24 dst-address=192.168.1.0/24 rule before (above) the action=masquerade one, to prevent the above from happening.
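To make the ordering point above concrete, here is a small model of the two mechanisms involved: a srcnat chain evaluated first-to-last until the first match (masquerade rewriting the source to the WAN address), followed by IPsec policy selection on the post-NAT addresses. This is an added example, not code from the thread or from RouterOS; the subnets are the ones from the thread, and the WAN address 203.0.113.1 is a constructed placeholder.

```python
"""Model of RouterOS srcnat evaluation followed by IPsec policy selection.

Added example, not from the forum thread or RouterOS itself. It models only what
the thread discusses: srcnat rules are evaluated first to last until the first
match, masquerade rewrites the source address to the WAN address, and an IPsec
policy only matches if the (post-NAT) src/dst still fall in its selectors.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder for the router's WAN address (the thread masks the real ones).
WAN_ADDR = ip_address("203.0.113.1")


@dataclass
class NatRule:
    action: str                       # "accept", "masquerade" or "src-nat"
    src: str = "0.0.0.0/0"            # src-address matcher, default: any
    dst: str = "0.0.0.0/0"            # dst-address matcher, default: any
    to_addresses: Optional[str] = None  # only used by action=src-nat

    def matches(self, src, dst):
        return src in ip_network(self.src) and dst in ip_network(self.dst)


@dataclass
class IpsecPolicy:
    src: str  # src-address selector
    dst: str  # dst-address selector


def apply_srcnat(rules, src, dst):
    """Return the source address after the srcnat chain (first matching rule wins)."""
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        if rule.action == "accept":
            return src                      # leave the packet untouched, stop evaluating
        if rule.action == "masquerade":
            return WAN_ADDR                 # rewritten to the outgoing interface address
        if rule.action == "src-nat":
            return ip_address(rule.to_addresses)
    return src                              # no rule matched: no translation


def ipsec_policy_matches(policies, src, dst):
    """True if any policy's selectors cover the (post-NAT) src/dst pair."""
    return any(src in ip_network(p.src) and dst in ip_network(p.dst) for p in policies)


def packet_is_encrypted(nat_rules, policies, src, dst):
    """Would a packet src->dst from the LAN end up matched by an IPsec policy?"""
    src, dst = ip_address(src), ip_address(dst)
    nat_src = apply_srcnat(nat_rules, src, dst)   # srcnat happens before policy lookup
    return ipsec_policy_matches(policies, nat_src, dst)


# Router B's side from the thread: LAN 10.59.10.0/24, remote LAN 192.168.1.0/24.
POLICIES = [IpsecPolicy("10.59.10.0/24", "192.168.1.0/24")]

# Broken order: masquerade first, so the accept rule is never reached.
BROKEN = [NatRule("masquerade"),
          NatRule("accept", "10.59.10.0/24", "192.168.1.0/24")]

# Fixed order: accept the LAN-to-LAN traffic above the masquerade rule.
FIXED = [NatRule("accept", "10.59.10.0/24", "192.168.1.0/24"),
         NatRule("masquerade")]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "10.59.10.3 -> 192.168.1.17 encrypted:",
              packet_is_encrypted(rules, POLICIES, "10.59.10.3", "192.168.1.17"))
```

With the broken order the packet leaves with the WAN source address, which no policy selector covers; with the accept rule moved above masquerade the original source survives and the policy matches, while traffic to the internet is still masqueraded.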

I have done that and no winnings. I miss something, I have played with nat and Routes.

router.PNG

Post both current configuration exports, I’ll give you some commands to make it possible for the client to reach the server.

Here is the config of each router
router b.txt (5.81 KB)
router a.txt (5.27 KB)

OK, so you’ve attempted to use an EoIP tunnel to connect the sites rather than using an IPsec policy to directly match the traffic. This is also a possible approach (which costs a couple of bytes per packet more), but as EoIP is an L2 tunnel, you cannot use the tunnel name as a gateway of a route, plus you have misunderstood the role of local-address and remote-address in the EoIP tunnel configuration.

So tell me whether the use of EoIP is the preferred way or whether you’ve tried that just out of desperation and you actually prefer the bare IPsec with traffic matching to a policy.


I prefer to use bare Ipsec!

WARNING: your firewalls are basically non-existent. So if the routers are connected to the internet using public IPs (as seems to be the case) and there is no firewall between each of them and the internet, chances are high that both are malware zombies by now. The filth from the net is incredibly quick to squat in, sometimes minutes of exposure are enough. So I would highly recommend to netinstall both of them (which will also create a decent set of firewall rules) and then use the configuration exports to recreate the necessary configurations line by line. I wouldn’t even bother to export the certificates and would start from scratch with them as well, as they may be compromised too. If you used one of the devices as a certification authority, you should remove it from the list of trusted CAs everywhere.

You may think I am paranoid, however the sad truth is that even if no one may be interested in your data and network in particular, botnets crawl the net automatically and try to seize every device they find.

Back to the topic, here’s how to modify the existing configuration:

Router A:
/ip route remove [find gateway~"My EoIP"]
/interface eoip remove [find name~"My EoIP"]
/ip firewall nat remove [find !(action~"masquerade")]
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=10.59.10.0/24 action=accept place-before=[find action~"masquerade"]
/ip ipsec policy remove [find peer~"My server"]
/ip ipsec policy add src-address=192.168.1.0/24 peer="My server" proposal="My proposal" dst-address=10.59.10.0/24 tunnel=yes
/ip firewall mangle remove [find action~"accept" chain~"forward" dst-address~"192.168.1.0/24" src-address~"10.59.10.0/24"]
/ip ipsec identity set [find certificate~"My server"] generate-policy=no mode-config=none

Router B:
/ip route remove [find gateway~"My EoIP"]
/interface eoip remove [find name~"My EoIP"]
/ip firewall nat remove [find !(action~"masquerade")]
/ip firewall nat add action=accept chain=srcnat src-address=10.59.10.0/24 dst-address=192.168.1.0/24 place-before=[find action~"masquerade"]
/ip ipsec policy remove [find peer~"My peer"]
/ip ipsec policy add src-address=10.59.10.0/24 peer="My peer" proposal="My proposal" dst-address=192.168.1.0/24 tunnel=yes
/ip ipsec identity set [find certificate~"My client"] mode-config=none

If you follow the security advice above, the order of steps would be to apply these sets of command line commands to the existing configurations, export the resulting configurations and download the export files outside the devices, netinstall both devices, and re-create the configurations using the new exports. After that, you’ll likely have to add some permissive rules to the default firewall to allow the IPsec tunnel to work. I haven’t checked what the default firewall of 6.47.8 in particular looks like, but typically IPsec traffic is not permitted in default firewall settings.
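After re-creating the configurations, the two things the thread kept tripping over can be checked mechanically from the exports: on each router the chain=srcnat action=accept rule for the LAN pair must sit above the masquerade rule, and the tunnel policies on the two routers must mirror each other (A's src/dst is B's dst/src). The checker below is an added example, not part of the thread or of RouterOS; it parses the `add` lines of an export with a minimal tokenizer (the `sa-src-address`/`sa-dst-address` values are masked in the thread, so it compares only the traffic selectors), and the two embedded exports are constructed to resemble the thread's final state, with Router B deliberately left with the accept rule in the wrong place.

```python
"""Consistency checker for a pair of RouterOS site-to-site IPsec exports.

Added example, not the forum thread's own commands or any RouterOS tool.
Assumptions: exports are in the `/section` + `add key=value ...` form shown in
the thread, and only `add` lines matter for the checks below.
"""
import shlex


def parse_export(text):
    """Map each '/section' header to the list of its 'add' entries ({key: value})."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # export line continuation
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)         # handles name="My group"
        if current and tokens and tokens[0] == "add":
            entry = {}
            for tok in tokens[1:]:
                key, _, value = tok.partition("=")
                entry[key] = value if _ else True   # bare flags like !keepalive
            sections[current].append(entry)
    return sections


def srcnat_problems(cfg, lan, remote):
    """Findings about the srcnat chain for traffic lan -> remote."""
    rules = [r for r in cfg.get("/ip firewall nat", [])
             if r.get("chain") == "srcnat" and r.get("disabled") != "yes"]
    accept = next((i for i, r in enumerate(rules) if r.get("action") == "accept"
                   and r.get("src-address") == lan and r.get("dst-address") == remote), None)
    masq = next((i for i, r in enumerate(rules) if r.get("action") == "masquerade"), None)
    if accept is None:
        return [f"no srcnat accept rule for {lan} -> {remote}"]
    if masq is not None and accept > masq:
        return [f"accept rule for {lan} -> {remote} is below the masquerade rule"]
    return []


def policy_pairs(cfg):
    """(src-address, dst-address) of every enabled tunnel policy."""
    return {(p["src-address"], p["dst-address"]) for p in cfg.get("/ip ipsec policy", [])
            if p.get("tunnel") == "yes" and p.get("disabled") != "yes"}


def unmirrored_policies(cfg_a, cfg_b):
    """Policies on each side that the other side does not mirror."""
    a, b = policy_pairs(cfg_a), policy_pairs(cfg_b)
    return sorted(a - {(d, s) for s, d in b}), sorted(b - {(d, s) for s, d in a})


def check_site_to_site(cfg_a, lan_a, cfg_b, lan_b):
    findings = [f"Router A: {f}" for f in srcnat_problems(cfg_a, lan_a, lan_b)]
    findings += [f"Router B: {f}" for f in srcnat_problems(cfg_b, lan_b, lan_a)]
    only_a, only_b = unmirrored_policies(cfg_a, cfg_b)
    findings += [f"Router A policy {s} -> {d} has no mirror on Router B" for s, d in only_a]
    findings += [f"Router B policy {s} -> {d} has no mirror on Router A" for s, d in only_b]
    return findings


# Constructed excerpts in export style (not the thread's actual exports).
ROUTER_A_EXPORT = """
/ip firewall nat
add action=accept chain=srcnat dst-address=10.59.10.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.59.10.0/24 peer="My server" proposal="My proposal" src-address=192.168.1.0/24 \\
    tunnel=yes
"""

ROUTER_B_EXPORT = """
/ip firewall nat
add action=masquerade chain=srcnat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=10.59.10.0/24
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 peer="My peer" proposal="My proposal" src-address=10.59.10.0/24 tunnel=yes
"""

if __name__ == "__main__":
    a, b = parse_export(ROUTER_A_EXPORT), parse_export(ROUTER_B_EXPORT)
    for finding in check_site_to_site(a, "192.168.1.0/24", b, "10.59.10.0/24"):
        print(finding)
```

Run against real `export` output on both routers (saved to files and pasted into the two strings), it reports the misordered accept rule on Router B and stays silent when both sides are consistent.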