IPSEC not working?

Hi,

I am trying to connect 2 networks via IPsec, and when I go to Remote Peers it tells me it's established, yet there aren't any Installed SAs and I can't ping either. For example, I can't ping from one office to the other, like 192.168.10.1 from 192.68.11.1. Below are my settings and a depiction of the networks.

Settings for 192.168.10.x router

# jan/02/1970 00:19:35 by RouterOS 6.11
# Export of the 192.168.10.x router (identity MTSMFRI, see bottom). The 1970
# timestamp shows the clock has never been set; the NTP client is in broadcast
# mode, so log times from this box cannot be lined up with the other router.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
# Phase-2 (ESP) proposal. "null" authentication, "des" encryption and
# 768-bit PFS are all weak by current standards. The 192.168.11.x export
# lists the same values, so this is not why SAs are missing, but tighten it
# once the tunnel works.
set [ find default=yes ] auth-algorithms=md5,sha1,null enc-algorithms=des \
    lifetime=8h pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface l2tp-server server
set enabled=yes max-mru=1460 max-mtu=1460
/ip address
# ether2 = LAN, ether1 = WAN (public 24.x address, redacted by the poster).
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0
add address=24.**** interface=ether1 network=24.****
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,24.92.226.12
/ip firewall filter
# Disabled. Its src-address (192.168.88.54) is not the remote peer (50.x),
# and with no action it would simply accept. There are no drop rules in the
# input chain at all, so input falls through to the default accept anyway:
# the filter is not blocking the tunnel, but it is not protecting anything either.
add chain=input disabled=yes protocol=ipsec-esp src-address=192.168.88.54
/ip firewall nat
# No action means accept: LAN-to-LAN traffic is exempted from masquerade so
# it keeps its 192.168.10.x source and can match the IPsec policy selector
# below. This only works because the rule sits above the masquerade rule.
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.11.0/24 \
    src-address=192.168.10.0/24
# Accept-only matches on ESP; effectively no-ops.
add chain=srcnat protocol=ipsec-esp
add chain=dstnat protocol=ipsec-esp
add action=masquerade chain=srcnat out-interface=ether1
# PPTP port-forwards to 192.168.10.2, disabled in this export.
add action=dst-nat chain=dstnat comment=PPTP disabled=yes dst-port=1723 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.10.2 to-ports=1723
add action=dst-nat chain=dstnat comment=PPTP disabled=yes dst-port=1723 \
    in-interface=ether1 protocol=udp to-addresses=192.168.10.2 to-ports=1723
/ip ipsec peer
# Phase 1 to the 50.x peer: pre-shared key (redacted), DES, 768-bit DH, 8h
# lifetime, NAT-T enabled. Both ends must agree on every one of these; the
# 192.168.11.x export shows matching values.
add address=50.*****/32 dh-group=modp768 dpd-interval=10s enc-algorithm=\
    des lifetime=8h nat-traversal=yes secret="****"
/ip ipsec policy
# Tunnel-mode policy for the LAN pair; sa-src/sa-dst are the two public WAN
# addresses and must mirror the peer's policy. No SA is negotiated until
# traffic actually matches this selector.
add dst-address=192.168.11.0/24 sa-dst-address=50.***** sa-src-address=\
    24.**** src-address=192.168.10.0/24 tunnel=yes
/ip route
# Default route only. With a tunnel-mode policy the IPsec policy is consulted
# after the routing decision, so no separate static route to 192.168.11.0/24
# is required here.
add distance=1 gateway=24.****
/ip service
# telnet/ftp/www/ssh/api are off. winbox is not listed, so it keeps its
# default (enabled) and, given the open input chain, is reachable on ether1.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=MTSMFRI
/system ntp client
set mode=broadcast

Settings for 192.168.11.x router

# jan/02/1970 00:19:13 by RouterOS 6.11
#
# Export of the 192.168.11.x router (identity MTSMWEL, see bottom). Clock is
# unset here as well (1970), so neither router's log times are trustworthy.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
# Phase-2 proposal, identical to the 192.168.10.x side: md5/sha1/null auth,
# DES, 768-bit PFS. Weak, but consistent between the two routers.
set [ find default=yes ] auth-algorithms=md5,sha1,null enc-algorithms=des \
    lifetime=8h pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
# ether2 = LAN, ether1 = WAN (public 50.x address, redacted by the poster).
add address=192.168.11.1/24 interface=ether2 network=192.168.11.0
add address=50.**** interface=ether1 network=50****
/ip dhcp-server lease
# Static leases for four LAN hosts (MAC addresses as posted).
add address=192.168.11.102 client-id=1:0:30:1b:47:b7:a3 mac-address=\
    00:30:1B:47:B7:A3 server=dhcp1
add address=192.168.11.101 client-id=1:0:e0:b6:15:b6:a9 mac-address=\
    00:E0:B6:15:B6:A9 server=dhcp1
add address=192.168.11.100 client-id=1:0:e0:b6:13:71:2e mac-address=\
    00:E0:B6:13:71:2E server=dhcp1
add address=192.168.11.103 client-id=1:0:c0:ee:b2:b9:79 mac-address=\
    00:C0:EE:B2:B9:79 server=dhcp1
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip dns
# Router lists itself first; there is no /ip dns allow-remote-requests shown
# in this export, so whether it actually resolves for clients cannot be told.
set servers=192.168.11.1,8.8.8.8
/ip firewall filter
# Accepts ESP from 192.168.88.53, which is not the remote peer (24.x).
# Harmless because the input chain has no drop rules (default accept), but
# it does not do what it appears to do.
add chain=input protocol=ipsec-esp src-address=192.168.88.53
/ip firewall nat
# No action means accept. The first rule exempts local-LAN -> remote-LAN
# traffic from masquerade so it keeps its 192.168.11.x source and matches the
# IPsec policy selector below; it must stay above the masquerade rule.
add chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.11.0/24
# The reverse rule appears redundant on this router: decapsulated traffic
# leaves via ether2, and the masquerade rule only matches out-interface=ether1.
add chain=srcnat dst-address=192.168.11.0/24 src-address=192.168.10.0/24
# Accept-only matches on ESP; effectively no-ops.
add chain=srcnat protocol=ipsec-esp
add chain=dstnat protocol=ipsec-esp
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
# Phase 1 to the 24.x peer: PSK (redacted), DES, 768-bit DH, 8h, NAT-T.
# Matches the 192.168.10.x peer entry.
add address=24.**** dh-group=modp768 dpd-interval=10s enc-algorithm=\
    des lifetime=8h nat-traversal=yes secret="****"
/ip ipsec policy
# Mirror of the other router's policy: selectors and sa-src/sa-dst swapped.
add dst-address=192.168.10.0/24 sa-dst-address=24.**** sa-src-address=\
    50.**** src-address=192.168.11.0/24 tunnel=yes
/ip route
# Default route only; no static route to 192.168.10.0/24 is needed for a
# tunnel-mode policy.
add distance=1 gateway=50.****
/ip service
# telnet/ftp/www/ssh/api off; winbox not listed, so it stays at its default.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=MTSMWEL
/system ntp client
set mode=broadcast

snnetwork.jpg

Can you check that you have routes for the remote LAN pointing to the remote WAN address? The configs didn’t seem to show such routes. The SAs won’t be created until traffic causes an IPSEC attempt.

I think I am a bit lost here. So you want me to take the 24.x.x.x router that hosts the 192.168.10.x range and put a route in it for the remote router? Such as dst=192.168.11.0/24 with a gateway of the public remote 50.x.x.x ?

I looked at the config in a rush - it looks like the traffic should be hitting the appropriate interface.

It sounds like it might be failing to select a proposal. Could you try using a specific proposal and set the proposal to:

Auth. - sha1 only
Encr. - aes-128 cbc only
Lifetime 00:30:00
PFS Group - modp768

at both ends.

Ok I tried that and still no success :frowning:

OK - that combination should be OK so could you upload your configs again?

settings for 192.168.10.x router

# Second export of the 192.168.10.x router (MTSMFRI), after the proposal was
# changed per the thread's suggestion.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
# Only pfs-group is exported. A non-verbose export omits values equal to the
# defaults, so the sha1 / aes-128-cbc / 30m settings asked for in the thread
# cannot be confirmed from this export.
set [ find default=yes ] pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface l2tp-server server
set enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0
add address=24.xxx interface=ether1 network=24.xxx
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,24.92.226.12
/ip firewall filter
# Accept (no action) for IKE and ESP from the 50.x peer. The IKE rule matches
# on udp src-port=500 only, with no dst-port. Nothing matches udp/4500, which
# NAT-T uses when a NAT is detected; irrelevant while the chain has no drop
# rules, but it would matter if a drop-all rule were ever appended.
add chain=input protocol=udp src-address=50xxx src-port=500
add chain=input protocol=ipsec-esp src-address=50xxx
/ip firewall nat
# Accept rules ahead of masquerade so LAN-to-LAN traffic keeps its private
# source address and matches the IPsec policy selector below.
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.11.0/24 \
    src-address=192.168.10.0/24
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.10.0/24 \
    src-address=192.168.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
# PPTP port-forwards to 192.168.10.2 are now enabled (no disabled=yes).
add action=dst-nat chain=dstnat comment=PPTP dst-port=1723 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.10.2 to-ports=1723
add action=dst-nat chain=dstnat comment=PPTP dst-port=1723 in-interface=\
    ether1 protocol=udp to-addresses=192.168.10.2 to-ports=1723
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
# exchange-mode=aggressive with a PSK: aggressive mode sends the identity and
# the PSK-derived hash before encryption is established, so a captured
# exchange can be brute-forced offline. Main mode (the default) is the safer
# choice for PSK; either way the mode must match on both peers (it does in
# the 192.168.11.x export). enc-algorithm is not shown, so it is at default.
add address=50.xxx dh-group=modp768 dpd-interval=10s exchange-mode=\
    aggressive lifetime=30m nat-traversal=yes secret=xxx
/ip ipsec policy
# No proposal= given, so the default proposal above is used.
add dst-address=192.168.11.0/24 sa-dst-address=50.xxx sa-src-address=\
    24.xxx src-address=192.168.10.0/24 tunnel=yes
/ip route
add distance=1 gateway=24.xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=MTSMFRI
/system ntp client
set mode=broadcast

Settings for 192.168.11.x router

# Second export of the 192.168.11.x router (MTSMWEL).
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
# Only pfs-group is exported; auth/enc/lifetime are at defaults and therefore
# not visible here, which is why a named proposal is requested in the thread.
set [ find default=yes ] pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=192.168.11.1/24 interface=ether2 network=192.168.11.0
add address=50.xxx interface=ether1 network=50.xxx
/ip dhcp-server lease
add address=192.168.11.102 client-id=1:0:30:1b:47:b7:a3 mac-address=\
    00:30:1B:47:B7:A3 server=dhcp1
add address=192.168.11.101 client-id=1:0:e0:b6:15:b6:a9 mac-address=\
    00:E0:B6:15:B6:A9 server=dhcp1
add address=192.168.11.100 client-id=1:0:e0:b6:13:71:2e mac-address=\
    00:E0:B6:13:71:2E server=dhcp1
add address=192.168.11.103 client-id=1:0:c0:ee:b2:b9:79 mac-address=\
    00:C0:EE:B2:B9:79 server=dhcp1
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip dns
set servers=8.8.8.8,192.168.11.1
/ip firewall filter
# Accept (no action) for IKE (matched on udp src-port=500 only) and ESP from
# the 24.x peer. No rule for udp/4500 (NAT-T). Moot while the input chain has
# no drop rules, since unmatched packets are accepted by default.
add chain=input protocol=udp src-address=24.xxx src-port=500
add chain=input protocol=ipsec-esp src-address=24xxx
/ip firewall nat
# Masquerade exemptions for the LAN pair, placed above the masquerade rule.
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.10.0/24 \
    src-address=192.168.11.0/24
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.11.0/24 \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
# Aggressive mode with a PSK (see the note on the 192.168.10.x side); matches
# the peer. 768-bit DH remains weak.
add address=24.xxx dh-group=modp768 dpd-interval=10s exchange-mode=\
    aggressive lifetime=30m nat-traversal=yes secret=xxx
/ip ipsec policy
# Uses the default proposal (no proposal= given).
add dst-address=192.168.10.0/24 sa-dst-address=24xxx sa-src-address=\
    50xxx src-address=192.168.11.0/24 tunnel=yes
/ip route
add distance=1 gateway=50.xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=MTSMWEL
/system ntp client
set mode=broadcast

Could you use a named profile (not the default) with those settings so that it shows up fully in the configs? Then upload the configs again.

192.168.10.x router

# Third export of the 192.168.10.x router (MTSMFRI), now with a named proposal.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp768
# Named proposal "prop": 3DES with 768-bit PFS. auth-algorithms and lifetime
# are not exported because they are at their defaults. 3DES is deprecated;
# the next reply in the thread asks for aes-128-cbc instead.
add enc-algorithms=3des name=prop pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface l2tp-server server
set enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0
add address=24xxx interface=ether1 network=24xxx
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,24.92.226.12
/ip firewall filter
# Accept-only rules for IKE (udp src-port=500) and ESP from the 50.x peer;
# no udp/4500 rule for NAT-T. Unmatched input is accepted by default anyway.
add chain=input protocol=udp src-address=50xxx src-port=500
add chain=input protocol=ipsec-esp src-address=50xxx
/ip firewall nat
# Masquerade exemptions for the LAN pair; must stay above the masquerade rule.
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.11.0/24 \
    src-address=192.168.10.0/24
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.10.0/24 \
    src-address=192.168.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
# PPTP port-forwards to 192.168.10.2 (enabled).
add action=dst-nat chain=dstnat comment=PPTP dst-port=1723 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.10.2 to-ports=1723
add action=dst-nat chain=dstnat comment=PPTP dst-port=1723 in-interface=\
    ether1 protocol=udp to-addresses=192.168.10.2 to-ports=1723
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
# Aggressive-mode PSK peer, 768-bit DH, 30m lifetime, NAT-T on. Aggressive
# mode exposes the PSK hash to offline guessing; main mode is preferred for
# PSK. Must match the 192.168.11.x peer entry.
add address=50xxx dh-group=modp768 dpd-interval=10s exchange-mode=\
    aggressive lifetime=30m nat-traversal=yes secret=xxx
/ip ipsec policy
# Policy now pins proposal=prop; the 192.168.11.x export defines a "prop"
# proposal with the same parameters, so phase 2 should agree on it.
add dst-address=192.168.11.0/24 proposal=prop sa-dst-address=50xxx \
    sa-src-address=24xxx src-address=192.168.10.0/24 tunnel=yes
/ip route
add distance=1 gateway=24xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=MTSMFRI
/system ntp client
set mode=broadcast

192.168.11.x router

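# Third export of the 192.168.11.x router (MTSMWEL), with a named proposal.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp768
# Named proposal "prop": 3DES with 768-bit PFS, same as the 192.168.10.x side.
# auth-algorithms/lifetime are at defaults and therefore not exported.
add enc-algorithms=3des name=prop pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=192.168.11.1/24 interface=ether2 network=192.168.11.0
add address=50xxx interface=ether1 network=50xxx
/ip dhcp-server lease
add address=192.168.11.102 client-id=1:0:30:1b:47:b7:a3 mac-address=\
    00:30:1B:47:B7:A3 server=dhcp1
add address=192.168.11.101 client-id=1:0:e0:b6:15:b6:a9 mac-address=\
    00:E0:B6:15:B6:A9 server=dhcp1
add address=192.168.11.100 client-id=1:0:e0:b6:13:71:2e mac-address=\
    00:E0:B6:13:71:2E server=dhcp1
add address=192.168.11.103 client-id=1:0:c0:ee:b2:b9:79 mac-address=\
    00:C0:EE:B2:B9:79 server=dhcp1
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip dns
set servers=8.8.8.8,192.168.11.1
/ip firewall filter
# Accept-only rules for IKE (udp src-port=500) and ESP from the 24.x peer;
# no udp/4500 rule for NAT-T. Unmatched input is accepted by default anyway.
add chain=input protocol=udp src-address=24xxx src-port=500
add chain=input protocol=ipsec-esp src-address=24xxx
/ip firewall nat
# Masquerade exemptions for the LAN pair; must stay above the masquerade rule.
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.10.0/24 \
    src-address=192.168.11.0/24
add chain=srcnat comment="IPSEC RULE" dst-address=192.168.11.0/24 \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
# The pre-shared key was pasted in cleartext in the original post; it is
# replaced here with the same "xxx" placeholder the other exports use. Treat
# the posted value as compromised and configure a new secret on both routers.
# Aggressive mode with a PSK additionally exposes the key hash to offline
# guessing; main mode is preferred. Mode and DH group must match the peer.
add address=24xxxx dh-group=modp768 dpd-interval=10s exchange-mode=\
    aggressive lifetime=30m nat-traversal=yes secret=xxx
/ip ipsec policy
# Policy pins proposal=prop, mirroring the 192.168.10.x policy.
add dst-address=192.168.10.0/24 proposal=prop sa-dst-address=24xxx \
    sa-src-address=50xxx src-address=192.168.11.0/24 tunnel=yes
/ip route
add distance=1 gateway=50xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=MTSMWEL
/system ntp client
set mode=broadcast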

PropsMT.jpg

OK - set the prop proposal to use aes-128 cbc rather than 3des and test again.

Didn't work. Tried killing connections and rebooting the routers, and still no change.

Switch on ipsec logging and see what the messages are.

I have no idea what I am supposed to look for;
There is nothing there saying it has failed or anything of the sort.

Perhaps I am fighting firmware issues? I have v6.11…? Does it have issues with IPsec?
Nope. Downgraded to 6.7 and it didn't make a difference… Also tried 5.26 with the same results.
I've also tried different encryption types… idk… I just need to tunnel these networks… at this point idc how lol

Here's the log:
connecipsec.jpg
IPSEClog.jpg

Did you check the installed SAs when you looked at the log? The log entries suggest that you should have seen something there.

After I rebooted the router I was able to get this shot
SAscreen.jpg

Check the Installed SAs tab again. The screenshot shows an SA establishing.

Here is the rest of them. I was going to just copy and paste them, but it didn't separate the lines and it was very hard to read.
log3.jpg
log2.jpg
log1.jpg

The SAs still don't show anything
log6.jpg
log5.jpg
log4.jpg

If you want me to look remotely email me.

No matter what encryption I use I get the same result: no SAs.
SANothing.jpg
log8.jpg
log7.jpg