ipsec road warrior android

Hello Everyone,
I am having an issue where I created a profile with an IPsec Road Warrior connection for Android clients, but the clients can't access any resources on the LAN or server subnet. The clients connect without any issues.
I created an ipsec chain and am marking ESP and NAT-T connections in the mangle table to make sure only encrypted packets are allowed.
RouterOS version 6.31

Input chain

[volga629@canlrt01] > /ip firewall filter print where chain=input 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=icmp log=no log-prefix="" 
 1    chain=input action=accept connection-state=established,related log=no log-prefix="" 
 2    ;;; Jump to IPsec chain
      chain=input action=jump jump-target=ipsec in-interface=WAN-eth1 log=no log-prefix="" 
 3    chain=input action=accept protocol=tcp in-interface=!WAN-eth1 dst-port=80,22,443 log=no log-prefix="" 
 4    chain=input action=accept protocol=udp in-interface=!WAN-eth1 dst-port=53,123 log=no log-prefix="" 
 5    chain=input action=accept protocol=ospf src-address=10.3.3.0/29 log=no log-prefix="" 
 6    ;;; IPsec ESP encrypted.
      chain=input action=accept packet-mark=ipsec-encrypted log=no log-prefix="" 
 7    chain=input action=reject reject-with=icmp-network-unreachable dst-address=LAN_SUBNET log=no log-prefix="" 
 8    chain=input action=drop log=yes log-prefix=""

IPsec Chain

[volga629@canlrt01] > /ip firewall filter print where chain=ipsec
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=ipsec action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=500 log=no log-prefix="" 

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix=""

Here is the IPsec policy output.


[volga629@canlrt01] > /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
  
 0 T   group=RemoteAccess src-address=10.30.254.0/24 dst-address=0.0.0.0/0 protocol=all proposal=netlab-remote-access template=yes 

 1  D  src-address=0.0.0.0/0 src-port=any dst-address=10.30.254.245/32 dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=my_pub_ip sa-dst-address=142.169.78.37 priority=2

Mangle table.

[volga629@canlrt01] > /ip firewall mangle print                  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPsec encrypted ESP traffic mark
      chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=ipsec-esp in-interface=WAN-eth1 
      log=no log-prefix="" 

 1    chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=udp in-interface=WAN-eth1 
      dst-port=4500 log=no log-prefix=""
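To see what the posted rules actually do to a given packet, here is an added rule-walker, not code from the post or from MikroTik. It transcribes the input and ipsec chains above as data and walks sample packets through them, honouring RouterOS jump semantics (a jump whose target chain has no terminating match returns to the rule after the jump). Everything the post does not state is an assumption and is marked as such: the LAN_SUBNET address list is taken to be 192.168.88.0/24, the router's own LAN address 192.168.88.1, my_pub_ip 203.0.113.1, the LAN interface LAN-eth2, and a decrypted IPsec packet is assumed to re-enter the filter with in-interface=WAN-eth1 and without the packet mark the mangle rule set on the outer ESP or UDP/4500 packet.

```python
"""Walk RouterOS-style firewall chains for a packet, as the router would.

Added example (not from the forum post or MikroTik). Assumptions, because the
post does not state them: LAN_SUBNET = 192.168.88.0/24, router LAN address
192.168.88.1, my_pub_ip = 203.0.113.1, LAN interface LAN-eth2, and a decrypted
IPsec packet re-enters the filter on WAN-eth1 with no packet mark.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

LAN_SUBNET = ipaddress.ip_network("192.168.88.0/24")   # assumption


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "ipsec-esp", "ospf"
    in_iface: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    conn_state: str = "new"
    packet_mark: Optional[str] = None


@dataclass
class Rule:
    action: str                               # accept / drop / reject / jump
    m: dict = field(default_factory=dict)     # matchers, RouterOS parameter names
    target: Optional[str] = None              # jump-target for action=jump

    def matches(self, p: Packet) -> bool:
        for key, want in self.m.items():
            if key == "in-interface":                  # "!WAN-eth1" negates
                if (p.in_iface == want.lstrip("!")) == want.startswith("!"):
                    return False
            elif key == "protocol" and p.proto != want:
                return False
            elif key == "dst-port" and p.dst_port not in want:
                return False
            elif key == "connection-state" and p.conn_state not in want:
                return False
            elif key == "packet-mark" and p.packet_mark != want:
                return False
            elif key in ("src-address", "dst-address"):
                addr = p.src if key == "src-address" else p.dst
                if ipaddress.ip_address(addr) not in want:
                    return False
        return True


# The post's chains in printed order; list indexes match the "print" numbers.
CHAINS = {
    "input": [
        Rule("accept", {"protocol": "icmp"}),
        Rule("accept", {"connection-state": {"established", "related"}}),
        Rule("jump", {"in-interface": "WAN-eth1"}, target="ipsec"),
        Rule("accept", {"protocol": "tcp", "in-interface": "!WAN-eth1", "dst-port": {80, 22, 443}}),
        Rule("accept", {"protocol": "udp", "in-interface": "!WAN-eth1", "dst-port": {53, 123}}),
        Rule("accept", {"protocol": "ospf", "src-address": ipaddress.ip_network("10.3.3.0/29")}),
        Rule("accept", {"packet-mark": "ipsec-encrypted"}),
        Rule("reject", {"dst-address": LAN_SUBNET}),
        Rule("drop", {}),
    ],
    "ipsec": [
        Rule("accept", {"protocol": "ipsec-esp"}),
        Rule("accept", {"protocol": "udp", "in-interface": "WAN-eth1", "dst-port": {500}}),
        Rule("accept", {"protocol": "udp", "in-interface": "WAN-eth1", "dst-port": {4500}}),
    ],
}


def mangle_prerouting(p: Packet) -> Packet:
    """The post's two mangle rules: mark ESP or UDP/4500 arriving on WAN-eth1."""
    if p.in_iface == "WAN-eth1" and (
        p.proto == "ipsec-esp" or (p.proto == "udp" and p.dst_port == 4500)
    ):
        p.packet_mark = "ipsec-encrypted"
    return p


def walk(chain: str, p: Packet) -> tuple:
    """Return (verdict, "chain:index") of the first terminating rule, or
    ("fallthrough", None) if the chain ends without one."""
    for i, rule in enumerate(CHAINS[chain]):
        if not rule.matches(p):
            continue
        if rule.action == "jump":
            verdict = walk(rule.target, p)
            if verdict[0] != "fallthrough":
                return verdict
            continue                      # target chain returned; keep going
        return (rule.action, f"{chain}:{i}")
    return ("fallthrough", None)


if __name__ == "__main__":
    cases = {
        "outer ESP from road warrior": mangle_prerouting(Packet("ipsec-esp", "WAN-eth1", "142.169.78.37", "203.0.113.1")),
        "outer NAT-T UDP/4500": mangle_prerouting(Packet("udp", "WAN-eth1", "142.169.78.37", "203.0.113.1", 4500)),
        "decrypted SSH to router LAN address": Packet("tcp", "WAN-eth1", "10.30.254.245", "192.168.88.1", 22),
        "SSH from a LAN host": Packet("tcp", "LAN-eth2", "192.168.88.10", "192.168.88.1", 22),
    }
    for name, pkt in cases.items():
        print(f"{name:38s} -> {walk('input', pkt)}")
```

Two things the walk makes visible. First, the outer ESP and UDP/4500 packets are already accepted inside the ipsec chain (ipsec:0 and ipsec:2), so the packet-mark accept at input:6 is never reached for them. Second, under the stated assumption about how decrypted packets re-enter, a decrypted packet from 10.30.254.245 aimed at the router itself carries no mark and ends at the reject (input:7) or drop (input:8). Traffic from the clients to LAN hosts goes through the forward chain, which the post does not include, so that path cannot be modelled from what is shown.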

Try opening UDP port 1701 too.

tonyjr

Hello Tony,
This is not L2TP/IPsec remote access, this is IPsec road warrior with XAuth; L2TP is 1701/udp.

What was the solution to this problem?