Hi,
I have encountered the following situation:
IPsec configured on CCR. Client side: Windows ShrewSoft VPN client.
There are no issues with the VPN tunnel from wired/WiFi networks.
But I have problems with the VPN if I try to connect from a 4G mobile network; I share the internet connection from an Android phone via tethering.
The tunnel is established, I see the policy on the router, but packets do not flow; the VPN is actually not working.
If I take a SIM card from another 4G operator, there are no issues at all; the VPN works as expected.
It’s obvious that the issues are related to the 4G operator.
Could anybody explain what is going on and how to fix that?
One ISP can give you IPv6, the other IPv4.
The ISP can block protocols, but you should check Firewall\Connections.
You should check this yourself, you know. Configuring IPsec means knowing what works and how; that should be checked by you too.
The ISP assigns me IPv4; as I noted, the VPN is established. I am 99% sure that the ISP does not block the protocol; we have no regulations regarding VPNs.
MTU came under suspicion while I read your post; I have to check this idea…
Ping src-address=IP_Site_A size=20 IP_RemoteSite
Ping with small ICMP packets gives you a hint whether communication exists or not. MTU creates problems with bigger packets.
So, the situation is as follows:
I created 4 rules in the firewall to log packets.
I can see in the input chain incoming VPN packets with proto 50
then I can see in forward chain ICMP request
then I can see in forward chain ICMP response
and finally I can see packets leaving my router with proto 50 in the output chain.
It seems that from my side everything is OK.
It’s obvious:
The ISP’s 4G network is NAT’ed. My phone receives IP 10.122.219.186, and that’s normal practice for 4G networks.
On the client side I have set NAT-T with port 4500, and my PC started to receive pings from the remote host via the VPN.
After enabling NAT-T I can see UDP packets on port 4500, len 29, on the router every 30s. This is a kind of “ping”.
I thought the ISP NAT very quickly “forgets” the related connection, but the NAT-T timeout is 30s, and the tunnel is still OK.
Any explanations are welcome regarding NAT-T.
I don’t understand one thing.
Now you write that you see the traffic in and out of the firewall on the MikroTik (VPN server).
But before you wrote:
“The tunnel is established, I see the policy on the router, but packets do not flow; the VPN is actually not working.”
And this is strange.
If the ISP changes the “outgoing” IP, then you should check whether the status of the firewall connection is proper.
ip firewall connection print where dst-address~":4500$"
SAC = S - seen-reply, A - assured, C - confirmed
I hope I can add some info to this issue.
I was behind NAT via 4G and I would get the IPsec VPN established, and the SPI was matching on both sides.
Even under active peers it says it’s established on port 4500 (indicating it is NAT).
[olof@cpe002] /ip ipsec> active-peers print detail
Flags: R - responder, N - natt-peer
0 id="123.123.123.2" local-address=100.98.165.37 port=4500 remote-address=123.123.123.2 port=4500
state=established side=initiator uptime=6s last-seen=6s ph2-total=1
/ip ipsec> profile print
Flags: * - default
0 * name="profile-ike" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=ecp521 lifetime=8h
proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
So then I just changed my profile to include nat-traversal=yes, and it allows traffic over!
It is confusing, as the tunnel will actually be established with nat-traversal=off when using NAT such as an LTE connection.
Not necessarily. I don’t remember the exact details, but IPsec can use both 500 and 4500 for IKE. RouterOS uses 4500 with IKEv2, whether there’s NAT or not. The real difference is whether you see ESP packets. With NAT-T they are encapsulated in UDP (port 4500), so you don’t see them as protocol 50.
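As an added illustration, not from any poster in this thread, of what the UDP/4500 “ping” of len 29 every 30s and the UDP-encapsulated ESP from the last reply look like on the wire: a small Python classifier based on RFC 3948 (UDP encapsulation of ESP and NAT-keepalive) and the IKE non-ESP marker, run over constructed sample payloads. It assumes IPv4 headers without options, and the sample SPI and bytes are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IP_HDR_LEN = 20    # IPv4 header without options (assumption)
UDP_HDR_LEN = 8
NATT_PORT = 4500   # UDP port carrying IKE, ESP and keepalives under NAT-T


@dataclass
class NattPacket:
    kind: str            # "nat-keepalive", "ike", "esp" or "unknown"
    spi: Optional[int]   # ESP SPI when kind == "esp", else None
    ip_len: int          # total IPv4 length, as a RouterOS firewall log shows it


def classify_natt_payload(udp_payload: bytes) -> NattPacket:
    """Classify the UDP payload of a port-4500 packet per RFC 3948."""
    ip_len = IP_HDR_LEN + UDP_HDR_LEN + len(udp_payload)
    # RFC 3948 2.2: a NAT-keepalive is a single 0xFF octet, so the whole
    # IPv4 datagram is 20 + 8 + 1 = 29 bytes, the "len 29" seen in the log.
    if udp_payload == b"\xff":
        return NattPacket("nat-keepalive", None, ip_len)
    if len(udp_payload) < 4:
        return NattPacket("unknown", None, ip_len)
    first_word = struct.unpack("!I", udp_payload[:4])[0]
    # IKE on port 4500 is prefixed with a 4-byte all-zero "non-ESP marker".
    if first_word == 0:
        return NattPacket("ike", None, ip_len)
    # Otherwise the ESP header (SPI, never zero) follows the UDP header
    # directly: the firewall sees UDP/4500, not IP protocol 50.
    return NattPacket("esp", first_word, ip_len)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "keepalive": b"\xff",
    "ike": b"\x00\x00\x00\x00" + b"\x11" * 28,                 # marker + IKE header
    "esp": struct.pack("!II", 0x0A1B2C3D, 1) + b"\xaa" * 16,  # SPI, seq, ciphertext
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        pkt = classify_natt_payload(payload)
        print(f"{name:9s} -> {pkt.kind:13s} ip_len={pkt.ip_len} spi={pkt.spi}")
```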