IPSEC + Openswan

Having some issues getting our mikrotik to pass traffic through to the remote LAN.

LAN1 (10.4.4.0/24)- OpenSwan (10.4.4.103) - Firewall (Public) ------------- (Public) Mikrotik - (192.168.52.0/24) LAN2

I can ping devices on the LAN2 side from the LAN1 side, but not from LAN2 to LAN1, except for the VPN endpoint (10.4.4.103).

Here is the OpenSwan config

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    uniqueids=yes

# Add connections here

conn %default
    type=tunnel
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    left=10.4.4.103
    pfs=no

conn Mikrotik
    leftsubnet=10.4.4.0/24
    leftnexthop=%defaultroute
    right=PUBLICIP
    rightid=PUBLICIP
    rightsubnet=192.168.52.0/24
    rightnexthop=%defaultroute
    auto=start

And the Mikrotik:

/ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.52.0/24 src-port=any dst-address=10.4.4.0/24 dst-port=any protocol=all
     action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=50.84.80.146
     sa-dst-address=67.79.2.60 proposal=default priority=0

/ip ipsec proposal> print
Flags: X - disabled, * - default
 0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=none

 1 X name="proposal1" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=192.168.52.0/24 dst-address=10.4.4.0/24

Any insights? Again, LAN1 can ping devices on LAN2 but LAN2 can’t see devices on LAN1. Tunnel is established with no errors.
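As an added sanity check (not code from the thread), a small Python script that parses copies of both postings and confirms the two ends' traffic selectors and ESP/PFS settings are mirror images of each other. For the configs above it reports no mismatch, which matches the tunnel coming up and leaves forwarding, return routes and host firewalls on the LAN1 side as the remaining suspects; the embedded config text is a constructed, trimmed copy of what was posted.

```python
import re

# Constructed copies of the two configurations posted in the thread (relevant fields only).
OPENSWAN_CONF = """\
conn %default
    type=tunnel
    esp=3des-sha1
    pfs=no
conn Mikrotik
    leftsubnet=10.4.4.0/24
    rightsubnet=192.168.52.0/24
"""
MIKROTIK_POLICY = ("src-address=192.168.52.0/24 dst-address=10.4.4.0/24 "
                   "ipsec-protocols=esp tunnel=yes proposal=default")
MIKROTIK_PROPOSAL = 'name="default" auth-algorithms=sha1 enc-algorithms=3des pfs-group=none'

def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with the %default section's values inherited."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **vals} for name, vals in conns.items()}

def parse_ros(line):
    """Parse the key=value pairs of one RouterOS 'print' entry (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}

def check_peers(conn, policy, proposal):
    """List the ways an Openswan conn and a RouterOS policy/proposal disagree."""
    problems = []
    # Each side's local subnet must be the other side's remote subnet.
    if (conn["leftsubnet"], conn["rightsubnet"]) != (policy["dst-address"], policy["src-address"]):
        problems.append("subnet selectors are not mirrored")
    # Openswan esp=<enc>-<auth> must match the RouterOS proposal algorithms.
    if tuple(conn["esp"].split("-")) != (proposal["enc-algorithms"], proposal["auth-algorithms"]):
        problems.append("ESP algorithms differ")
    # pfs=no on Openswan corresponds to pfs-group=none on RouterOS.
    if (conn.get("pfs", "yes") == "no") != (proposal["pfs-group"] == "none"):
        problems.append("PFS setting differs")
    return problems

def check_thread_configs():
    """Check the thread's own configs; [] means the two IPsec sides agree."""
    conn = parse_ipsec_conf(OPENSWAN_CONF)["Mikrotik"]
    return check_peers(conn, parse_ros(MIKROTIK_POLICY), parse_ros(MIKROTIK_PROPOSAL))
```

Feeding the thread's disabled "proposal1" (md5, modp1024) in place of "default" makes the check report both an algorithm and a PFS mismatch, which is the kind of error that would stop the tunnel coming up at all.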

What is your routing and firewall on 10.4.4.103? Did you turn on packet forwarding on 10.4.4.103?

JF.

The firewall is unknown. It’s a cloud firewall managed by the hosting company with UDP 500 and 4500 forwarding to the OpenSwan box.

Have you been able to resolve this?
I am having almost the exact same issue, the only difference being that my firewall is a Juniper box.
Any help would be appreciated.
Thanks.

The problem was resolved in my case.
It was the windows firewall.
Silly me!

I have a similar situation, but without a separate firewall. Openswan is installed on an OpenWRT router connected directly to the Internet.

From lan1 (behind OpenWRT) to lan2 (behind ROS 5.22) everything works nicely, but from lan2 I can ping only my OpenWRT's LAN address (the lan1 gateway). With tcpdump on OpenWRT (interface ipsec0) I can see the echo packets coming through the tunnel, but Wireshark on the target computer doesn't register those packets anymore.

Windows firewalls are already disabled in this case.

I know this is probably an Openswan or OpenWRT problem, not MT, but the situation is almost the same as the other posters' and any help is appreciated here too. :)