IPSec not Working

Hi,
I’ve configured IPsec between two MikroTiks. One is an RB1200. The other is an RB493G.

Current setup is:
Local=10.1.202.1----Public=192.168.90.1 —Internet— Public=192.168.80.1—Local=10.1.101.1

I cannot get a tunnel to establish with IPsec. When I ping the private network (10.1.101.1), which is on the remote router, it fails every time. I can successfully ping the WAN IP address (192.168.80.1) on the remote router, no problem.

HOST SIZE TTL TIME STATUS
10.1.101.1 timeout
10.1.101.1 timeout
192.168.90.254 84 64 994ms host unreachable

HOST SIZE TTL TIME STATUS
192.168.80.1 56 63 5ms
192.168.80.1 56 63 0ms
192.168.80.1 56 63 0ms

My ip ipsec statistics are:
[admin@MikroTik] >> ip ipsec statistics print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 0
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 0
out-state-protocol-errors: 0
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 0
out-policy-blocked: 0

My installed SAs are blank on both routers. When I use the packet sniffer, I do not see any IPsec protocols being used.

My logs say this:
aug/16/2013 15:40:39 system,info router rebooted
aug/16/2013 15:40:39 ipsec,debug @(#)This product linked OpenSSL 1.0.0e 6 Sep 2011 (http://www.openssl.org/)
aug/16/2013 15:40:39 ipsec,debug call pfkey_send_register for AH
aug/16/2013 15:40:39 ipsec,debug call pfkey_send_register for ESP
aug/16/2013 15:40:39 ipsec,debug call pfkey_send_register for IPCOMP
aug/16/2013 15:40:39 ipsec,debug initializing scheduler…
aug/16/2013 15:40:39 ipsec,debug initializing policies…
aug/16/2013 15:40:39 ipsec,debug initializing cfg…
aug/16/2013 15:40:39 ipsec,debug,packet installing phase2 config: id=0
aug/16/2013 15:40:39 ipsec,debug AddressHandler init
aug/16/2013 15:40:39 ipsec,debug 192.168.90.1[500] used as isakmp port (fd=14)
aug/16/2013 15:40:39 ipsec,debug 192.168.90.1[4500] used as isakmp port with NAT-T (fd=15)
aug/16/2013 15:40:39 ipsec,debug 10.1.202.1[500] used as isakmp port (fd=16)
aug/16/2013 15:40:39 ipsec,debug 10.1.202.1[4500] used as isakmp port with NAT-T (fd=17)
aug/16/2013 15:40:39 ipsec,debug starting looper…
aug/16/2013 15:40:39 interface,info ether1 link up (speed 1000M, full duplex)
aug/16/2013 15:40:39 interface,info ether2 link up (speed 100M, full duplex)
aug/16/2013 15:40:39 system,info,account user admin logged in via winbox
aug/16/2013 15:40:39 system,info,account user admin logged in via local

My firewall connections say this:
[admin@MikroTik] > /ip firewall connection print
Flags: S - seen reply, A - assured

PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT

0 icmp 192.168.90.1 10.1.101.1 9s
1 udp 10.1.202.1:5678 255.255.255.255:5678 9s
2 udp 192.168.90.1:5678 255.255.255.255:5678 9s
3 udp 169.254.204.98:55871 255.255.255.255:20561 9s


Router 1 is setup like below:

[admin@MikroTik] > /export compact

aug/16/2013 15:50:59 by RouterOS 5.25

software id = BY1X-VYZY

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/system logging action
add name=ipsec target=memory
/ip address
add address=192.168.90.1/24 interface=ether1
add address=10.1.202.1/24 interface=ether2
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input protocol=ipsec-esp
add chain=input dst-port=1723 protocol=tcp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-ah
add chain=input protocol=gre
/ip firewall nat
add chain=srcnat dst-address=10.1.101.0/24 src-address=10.1.202.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=192.168.80.1/32 generate-policy=yes nat-traversal=yes secret=test
/ip ipsec policy
add dst-address=10.1.101.0/24 sa-dst-address=192.168.80.1 sa-src-address=192.168.90.1 src-address=10.1.202.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.90.254
/system logging
add topics=ipsec
[admin@MikroTik] >

Router 2 is setup like below:

aug/16/2013 15:54:43 by RouterOS 5.25

software id = PKZ1-PH3Y

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/system logging action
add name=ipsec target=memory
add name=firewall target=memory
/ip address
add address=192.168.80.1/24 interface=ether2
add address=10.1.101.1/24 interface=ether3
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input protocol=gre
add chain=input dst-port=1723 protocol=tcp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input protocol=ipsec-ah
/ip firewall nat
add chain=srcnat dst-address=10.1.202.0/24 src-address=10.1.101.0/24
add action=masquerade chain=srcnat out-interface=ether2
/ip ipsec peer
add address=192.168.90.1/32 generate-policy=yes nat-traversal=yes secret=test
/ip ipsec policy
add dst-address=10.1.202.0/24 sa-dst-address=192.168.90.1 sa-src-address=192.168.80.1 src-address=10.1.101.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.80.254
/system logging
add topics=ipsec
add topics=firewall


Can someone please tell me what I am doing wrong?

good afternoon
I have the same problem!! Please, can somebody help us? I don’t have any installed-sa when I type print, and yet I followed this official tutorial from MikroTik to put in place a site-to-site IPsec VPN: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Manual_SA

[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs

[admin@MikroTik] /ip ipsec statistics> print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 0
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 0
out-state-protocol-errors: 0
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 0
out-policy-blocked: 0


Thanks

Do you have any hosts on those LANs, or is this a lab? No SA at all would indicate IPsec isn’t seeing any interesting traffic to encrypt.

Ensure that while testing you ping with src-address specified as the router's LAN-side IP address.

Sent from my GT-I9100 using Tapatalk 2
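To make the reply above concrete, here is an added example (not from either poster or from MikroTik) that mimics how a policy-based IPsec implementation decides whether a packet is "interesting traffic": it parses the two /ip ipsec policy lines from the first post's exports, then checks a packet's source and destination against the policy selectors. A router-originated ping defaults to the WAN address as its source (as the conntrack entry icmp 192.168.90.1 -> 10.1.101.1 in the first post shows), so it never matches the src-address=10.1.202.0/24 selector, is routed in the clear, and no IKE negotiation or SA ever appears; the same ping with src-address=10.1.202.1 does match. The policy strings are copied from the page; the parser, the classify_ping labels and the mirror check are assumptions of this example, not RouterOS code.

```python
import ipaddress
import re

# Policy lines copied from the two /export outputs in the first post.
ROUTER1_POLICY = ("add dst-address=10.1.101.0/24 sa-dst-address=192.168.80.1 "
                  "sa-src-address=192.168.90.1 src-address=10.1.202.0/24 tunnel=yes")
ROUTER2_POLICY = ("add dst-address=10.1.202.0/24 sa-dst-address=192.168.90.1 "
                  "sa-src-address=192.168.80.1 src-address=10.1.101.0/24 tunnel=yes")

# key=value pairs as printed by a RouterOS export line (values may be quoted).
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_policy(line):
    """Turn one 'add ...' policy export line into selector networks and SA endpoints.
    Missing selectors default to 0.0.0.0/0 (an assumption of this example)."""
    fields = dict(KV_RE.findall(line))
    return {
        "src": ipaddress.ip_network(fields.get("src-address", "0.0.0.0/0"), strict=False),
        "dst": ipaddress.ip_network(fields.get("dst-address", "0.0.0.0/0"), strict=False),
        "sa_src": fields.get("sa-src-address"),
        "sa_dst": fields.get("sa-dst-address"),
        "tunnel": fields.get("tunnel") == "yes",
    }


def policy_matches(policy, src_ip, dst_ip):
    """True when both packet addresses fall inside the policy's selectors."""
    return (ipaddress.ip_address(src_ip) in policy["src"]
            and ipaddress.ip_address(dst_ip) in policy["dst"])


def classify_ping(policy, src_ip, dst_ip):
    """'encrypt': the packet matches the policy, so IKE runs and an SA gets installed.
    'clear': no selector match, the packet follows the plain route and no SA appears."""
    return "encrypt" if policy_matches(policy, src_ip, dst_ip) else "clear"


def policies_mirror(a, b):
    """Sanity check for a site-to-site pair: the remote policy must be the exact
    mirror of the local one (selectors and SA endpoints swapped)."""
    return (a["src"] == b["dst"] and a["dst"] == b["src"]
            and a["sa_src"] == b["sa_dst"] and a["sa_dst"] == b["sa_src"])


if __name__ == "__main__":
    r1 = parse_policy(ROUTER1_POLICY)
    r2 = parse_policy(ROUTER2_POLICY)
    print("policies are mirrors:", policies_mirror(r1, r2))
    # The three pings from the first post, seen from Router 1.
    for src, dst in [("192.168.90.1", "10.1.101.1"),   # router ping, WAN source
                     ("10.1.202.1", "10.1.101.1"),     # ping with src-address=LAN
                     ("10.1.202.1", "192.168.80.1")]:  # ping to the remote WAN IP
        print(f"{src:>14} -> {dst:<14} {classify_ping(r1, src, dst)}")
```

Running it shows only the LAN-sourced ping to the remote LAN is classified "encrypt"; the WAN-sourced ping and the ping to the remote WAN address both go out in the clear, which is exactly why the WAN ping succeeds while installed-sa stays empty.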

Thanks. That was the problem. Now I just need to figure out how to get IPsec to work with a Cradlepoint.

good day!!

tauresb, what was the problem? It is still not working with my configuration!! I have tried to ping from a PC on LAN1 to a PC on LAN2; no reply.

No SA appear to me in /ip ipsec installed-sa

nothing in

[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs

kwetcherod

My configurations were correct. I just was not testing correctly. Have you enabled the logs for IPsec and reviewed them? Post your configuration so we can review it.

Good morning, all of you!!

I come today to post my configuration about the problem with IPsec.

You can see the scheme of my network in the attached file.

Below is the configuration of router 1 and router 2, between which I want to set up IPsec.

Router 1

jan/04/1970 21:12:28 by RouterOS 5.16

software id = 1PPL-KTY0

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

/ip address
add address=192.168.112.254/24 comment="default configuration" disabled=no interface=LAN network=192.168.112.0
add address=10.0.0.1/24 disabled=no interface=WAN network=10.0.0.0

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.2.0/24 src-address=192.168.112.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=WAN to-addresses=0.0.0.0

/ip ipsec peer
add address=10.0.0.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=test send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.0.2 sa-src-address=10.0.0.1 src-address=192.168.112.0/24 src-port=any tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=192.168.2.0/24 gateway=10.0.0.2 scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291


Router 2

jan/02/1970 15:57:24 by RouterOS 5.16

software id = H0CX-WZ7B

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip address
add address=192.168.2.254/24 disabled=no interface=LAN network=192.168.2.0
add address=10.0.0.2/24 disabled=no interface=WAN network=10.0.0.0

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.112.0/24 src-address=192.168.2.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=WAN to-addresses=0.0.0.0

/ip ipsec peer
add address=10.0.0.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=obey secret=test send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.112.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=192.168.2.0/24 src-port=any tunnel=yes

/ip neighbor discovery
set WAN disabled=no
set LAN disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
set ovpn-out1 disabled=yes

/ip route
add disabled=yes distance=1 dst-address=192.168.112.0/24 gateway=10.0.0.1 scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291

IPsec log, Router 1
jan/04/1970 21:16:59 ipsec,debug flushed a lot of peer cfg, initializing cfg…
jan/04/1970 21:16:59 ipsec,debug unbind ::ffff:192.168.112.254
jan/04/1970 21:16:59 ipsec,debug unbind ::ffff:10.0.0.1
jan/04/1970 21:16:59 ipsec,debug,packet installing phase2 config: id=0
[admin@Router1] >
(6 messages discarded)
echo: ipsec,debug initializing cfg…
echo: ipsec,debug,packet installing phase2 config: id=0
echo: ipsec,debug AddressHandler init
echo: ipsec,debug 192.168.112.254[500] used as isakmp port (fd=14)
echo: ipsec,debug 10.0.0.1[500] used as isakmp port (fd=15)
echo: ipsec,debug starting looper…
echo: ipsec,debug flushed a lot of peer cfg, initializing cfg…
echo: ipsec,debug unbind ::ffff:192.168.112.254
echo: ipsec,debug unbind ::ffff:10.0.0.1
echo: ipsec,debug 192.168.112.254[500] used as isakmp port (fd=14)
echo: ipsec,debug 10.0.0.1[500] used as isakmp port (fd=15)
echo: ipsec,debug,packet installing phase2 config: id=0
[admin@Router1] >

IPsec log, Router 2
[admin@Router2] >
echo: ipsec,debug flushed a lot of peer cfg, initializing cfg…
echo: ipsec,debug unbind ::ffff:192.168.2.254
echo: ipsec,debug unbind ::ffff:10.0.0.2
echo: ipsec,debug,packet installing phase2 config: id=0
[admin@Router2] >
echo: ipsec,debug flushed a lot of peer cfg, initializing cfg…
echo: ipsec,debug 192.168.2.254[500] used as isakmp port (fd=14)
echo: ipsec,debug 192.168.2.254[4500] used as isakmp port with NAT
echo: ipsec,debug 10.0.0.2[500] used as isakmp port (fd=18)
echo: ipsec,debug 10.0.0.2[4500] used as isakmp port with NAT-T (f
echo: ipsec,debug,packet installing phase2 config: id=0
[admin@Router2] >

In the end, no SA is installed!!
[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs

Then a ping from host 12.168.2.1 to host 192.168.112.41 gets no reply: the host is not reachable.
schema réseau.pdf (266 KB)