I have problems getting a working connection between a MikroTik hAP and a Bintec RS123 router. The VPN connection itself is established, but I cannot make a TCP connection between a computer in the network of the Bintec router and a NAS in the network of the MikroTik router.
Setup is as follows:
Bintec RS123: Network 10.1.0.0/16, connected to Internet via cable
MikroTik hAP 6.32.1: Network 10.3.0.0/16, connected to Internet via LTE
IPsec tunnel stable, ping works, but a TCP connection (HTTP or HTTPS) between 10.1.1.15 (Windows PC) and 10.3.1.11 (NAS) does not work.
Two strange findings:
1st) Everything works when Torch is active on the hAP.
2nd) I first had a mAP instead of a hAP, with a packet size limitation of 0-1438 in the NAT rule. That worked really fine, but I needed more Ethernet ports. The hAP behaves completely differently.
Does anybody have any idea what settings I need to modify to get a running tunnel?
Is there nobody who was able to set up an IPsec tunnel between a Bintec RS123 and a MikroTik hAP that works properly and who wants to share his/her knowledge with me?
After playing around for weeks I finally found the missing switch: it is FastTrack.
Whatever this feature is for, it destroys TCP packets for the IPsec tunnel.
Switched it off, and everything works as expected. (This also explains the finding that IPsec was running OK on the mAP: the mAP has no FastTrack.)
Can somebody explain what the FastTrack feature is for and why it interferes with the IPsec tunnel? Or let me reformulate my question: can somebody explain to me what to add to have the FastTrack feature enabled (maybe something else is not working now, which I have not noticed so far) and the IPsec tunnel working?
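As an added example (not from this thread, and not the poster's own configuration), this is the RouterOS firewall layout MikroTik documents for running FastTrack alongside IPsec: traffic covered by an IPsec policy is accepted before the FastTrack rule, and is excluded from masquerading, so only non-tunnel flows get fasttracked. It assumes the ipsec-policy matcher is available on the running RouterOS version, that the LTE uplink is named lte1, and uses the subnets from the first post.

```routeros
# --- Problematic layout ---------------------------------------------------
# A FastTrack rule placed first in the forward chain marks every established
# connection, including the flows that should be encrypted by the IPsec
# policy (10.3.0.0/16 <-> 10.1.0.0/16). Fasttracked packets skip the rest of
# the firewall and IPsec processing, so TCP through the tunnel breaks while
# ping and the tunnel itself still look fine.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack (breaks IPsec)"
add chain=forward action=accept connection-state=established,related

# --- Corrected layout -----------------------------------------------------
# 1. Accept packets that are decrypted by (in,ipsec) or will be encrypted by
#    (out,ipsec) an IPsec policy BEFORE the FastTrack rule, so they never get
#    the fasttrack mark and stay on the normal, IPsec-aware path.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="IPsec traffic: never fasttrack (decrypted from tunnel)"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="IPsec traffic: never fasttrack (to be encrypted)"
# 2. Only what is left (plain Internet traffic) is fasttracked.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack non-IPsec only"
add chain=forward action=accept connection-state=established,related

# 3. Keep tunnel traffic out of masquerading, otherwise the source address is
#    rewritten to the LTE address before the policy selector can match it.
#    (lte1 is an assumed interface name.)
/ip firewall nat
add chain=srcnat action=masquerade out-interface=lte1 ipsec-policy=out,none \
    comment="masquerade only traffic with no outbound IPsec policy"
```

Check rule order with /ip firewall filter print: the two ipsec-policy accept rules must appear above the fasttrack-connection rule, and the FastTrack counters should stay at zero for traffic between the two LAN subnets.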
Because the explanation could also be huge. It is better to read first and then ask detailed questions when something is not clear, rather than asking others to rewrite something that was already written without reading it.
I think my problem description was clearly pointing to a specific problem. Instead of getting a detailed answer I had to find a working solution by trial and error.
Hello,
Can someone please share their configuration for an IPsec tunnel between a MikroTik RouterBoard and a Bintec router?
I have already set up this tunnel but always get the error that phase 2 won't establish.
Thank you
It's been quite a long time since I used the MikroTik with the Bintec router. As far as I can remember, the phase 2 topics were solved by selecting the correct encryption on both sides. I will take a look to see if I can find the old backup files of the routers. It took me some days to find the right combination. Very helpful was the logging functionality of the Bintec router (the Bintec was the receiver only, on a fixed IP; the MikroTik was the "caller" from a dynamically changing IP). (Unfortunately you have to switch between two web masks in the Bintec to see the newest entries.)
The issue I had was that the communication was stable, but I lost a lot of packets due to the FastTrack setting in the firewall. When you struggle with similar problems (after you have resolved the phase 2 issues), just switch FastTrack off and everything runs fine.
Found the backup files, but… the MikroTik one is encrypted and I cannot read it; the Bintec one is a text file, but there is no clean structure in it. Maybe the following fragment helps you a little bit:
[…]
ikeProposalTable;ikePropIndex;ikePropNextChoice;ikePropDescription;ikePropEncAlg;ikePropHashAlg;ikePropGroup;ikePropAuthMethod;ikePropEncKeySize;ikePropEncKeySizeMin;ikePropEncKeySizeMax
0;1;0;"3DES/SHA1";des3_cbc;sha1;2;default;192;192;192
1;2;1;"AES-128/SHA1";aes_cbc;sha1;2;default;128;128;128
2;3;2;"AES-192/SHA1";aes_cbc;sha1;2;default;192;192;192
3;4;3;"AES-256/SHA1";aes_cbc;sha1;2;default;256;256;256
4;5;0;"3DES/MD5";des3_cbc;md5;2;default;192;192;192
5;6;5;"AES/MD5";aes_cbc;md5;2;default;128;128;256
6;7;6;"AES-256/SHA1";aes_cbc;sha1;2;default;256;256;256
7;8;20;"AES/SHA1";aes_cbc;sha1;2;default;128;128;256
8;9;0;"AES/MD5";aes_cbc;md5;2;default;128;128;256
9;15;22;"AES-128/SHA1";aes_cbc;sha1;2;default;128;128;128
10;20;0;"3DES/SHA1";des3_cbc;sha1;2;default;192;192;192
11;22;0;"3DES/SHA1";des3_cbc;sha1;2;default;192;192;192
[…]
ipsecTrafficTable;ipsecTrIndex;ipsecTrNextIndex;ipsecTrDescription;ipsecTrLocalAddress;ipsecTrLocalMaskLen;ipsecTrLocalRange;ipsecTrRemoteAddress;ipsecTrRemoteMaskLen;ipsecTrRemoteRange;ipsecTrProto;ipsecTrLocalPort;ipsecTrRemotePort;ipsecTrAction;ipsecTrProposal;ipsecTrForceTunnelMode;ipsecTrLifeTime;ipsecTrGranularity;ipsecTrKeepAlive;ipsecTrInterface;ipsecTrDirection;ipsecTrLocalAddressType;ipsecTrRemoteAddressType;ipsecTrProfile;ipsecTrCreator
ipsecProposalTable;ipsecPropIndex;ipsecPropNext;ipsecPropDescription;ipsecPropProto;ipsecPropIpcomp;ipsecPropEspAes;ipsecPropEspTwofish;ipsecPropEspBlowfish;ipsecPropEspCast;ipsecPropEspDes3;ipsecPropEspDes;ipsecPropEspNull;ipsecPropEspRijndael;ipsecPropEspMd5;ipsecPropEspSha1;ipsecPropEspNoMac;ipsecPropAhMd5;ipsecPropAhSha1;ipsecPropIpcompDeflate;ipsecPropAesKeySize;ipsecPropAesKeySizeMin;ipsecPropAesKeySizeMax;ipsecPropBlowfishKeySize;ipsecPropBlowfishKeySizeMin;ipsecPropBlowfishKeySizeMax;ipsecPropTwofishKeySize;ipsecPropTwofishKeySizeMin;ipsecPropTwofishKeySizeMax
0;1;0;"ESP(3DES/SHA1)";esp;disabled;0;0;0;0;1;0;0;-1;0;1;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
1;2;1;"ESP(AES/MD5)";esp;disabled;1;0;0;0;0;0;0;-1;1;0;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
2;3;2;"ESP(-ALL-/-ALL-)";esp;disabled;1;4;3;5;2;6;0;-1;1;2;0;0;1;0;aes192;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
3;4;0;"ESP(3DES/SHA1)";esp;disabled;0;0;0;0;1;0;0;-1;0;1;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
4;5;4;"ESP(AES/SHA1)";esp;disabled;1;0;0;0;0;0;0;-1;0;1;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
5;6;5;"ESP(AES-256/SHA1)";esp;disabled;1;0;0;0;0;0;0;-1;0;1;0;1;0;0;aes256;aes256;aes256;128;40;448;twofish128;twofish128;twofish256
6;7;0;"ESP(AES/MD5)";esp;disabled;1;0;0;0;0;0;0;-1;1;0;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
7;8;10;"ESP(AES/SHA1)";esp;disabled;1;0;0;0;0;0;0;-1;0;1;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
8;9;0;"ESP(AES/MD5)";esp;disabled;1;0;0;0;0;0;0;-1;1;0;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
9;10;9;"ESP(AES/MD5)";esp;disabled;1;0;0;0;0;0;0;-1;1;0;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
10;11;14;"ESP(3DES/SHA1)";esp;disabled;0;0;0;0;1;0;0;-1;0;1;0;1;0;0;aes128;aes128;aes256;128;40;448;twofish128;twofish128;twofish256
11;14;0;"ESP(AES-128/SHA1)";esp;disabled;1;0;0;0;0;0;0;-1;0;1;0;1;0;0;aes128;aes128;aes128;128;40;448;twofish128;twofish128;twofish256
[…]
ikeProfileTable;ikePrfIndex;ikePrfDescription;ikePrfAuthMethod;ikePrfMode;ikePrfProposal;ikePrfGroup;ikePrfCert;ikePrfLocalId;ikePrfCaCerts;ikePrfLifeTime;ikePrfPfsIdentity;ikePrfHeartbeats;ikePrfBlockTime;ikePrfNatT;ikePrfMtuMax;ikePrfLifeSeconds;ikePrfLifeKBytes;ikePrfLifePolicy
0;1;"XXXXXXXX";pre_sh_key;id_protect;7;2;0;"[www.XXXXXX.XXX]";;-1;default;auto;30;enabled;0;14400;0;loose
[…]
The first block seems to be phase 1, the second phase 2, and the third the lifetime information.
At that time I had a pre-shared key and it was working fine. Nevertheless, I changed all my routers to MikroTik and sold the Bintec RS123.
Hi Stefan,
Thanks for your reply,
Well, I got it to work today, finally.
I will explain some of what happened today.
First of all, there is no FastTrack enabled in my firewall.
The encryption on both sides matched, but no connection :S
I set src and dst IP to 0.0.0.0/0 on the MikroTik policy side, and no IP forwarding on IPsec on the Bintec side.
So I got a dynamic connection on the policy only with the dst IP, so ping from MikroTik to Bintec was established but not the other way around.
When the IPs on both sides match, the tunnel won't be established.
Then I set the IP forwarding on the Bintec to the dst and src IP as I needed and kept it on the MikroTik side at 0.0.0.0/0 for both dst and src. Here I got the dynamic policy as I needed, IPsec up,
and the connection works great.
Changing everything to MikroTik is the best thing you did, LOL.
We are an IT company from Lippstadt, Germany, and we use only the MikroTik brand.
But in this case we must do it with Bintec, because one customer needs it this way and the branch on the other side won't accept changing Bintec to MikroTik.
Thank you again for your reply, and I wish you a great day.
Kind regards,
Ali
How did you configure the Bintec and MikroTik routers? I cannot make an IPsec tunnel work here.. almost the same hardware setup as you. Maybe you could give me your config? Thx