How are people managing mobile/road warrior IPSEC inbound connections to RouterOS? I have a few users who need access to their local networks via IPSEC to which they’ll be connecting from laptops anywhere, generally NAT’d behind something.
So, scenario would look something like this:
client (192.168.1.50) → NAT gateway → public Internet → (fixed or dynamic IP) Mikrotik Router → NAT’d local network (192.168.2.0/24)
NOTE that the client’s IP will be dynamic, hence the road warrior label.
Clients would be a mix of Macs and Linux clients capable of doing NAT-T.
Can RouterOS be configured for unique PSKs for each remote user?
Any config examples would be great - the wiki doesn’t cover this.
I’m interested to do a roadwarrior to my LAN.
What I wanted to do (a requirement from my customers; as said, they are already using it for many different locations) is to use a software client (preferably the GreenBow VPN client).
The LAN is 192.168.0.0/24 and I wanted one of the LAN's IPs to be used for the connected PC (i.e. 192.168.0.222).
I configured IPSEC on MT and GB client and the tunnel is establishing very well.
I can ping the LAN gateway IP. I can ping .222 from MT using local (internal) interface.
One of the problems is that when I try to ping one of the internal PCs (let's say it's 192.168.0.100) the PC does not know the MAC of .222, and enabling proxy-arp on the interface is not working. PC .100 is sending ARP requests but no one is answering.
How do I make MT answer ARP requests for .222 (the warrior) on the LAN?
(When I just add a static ARP entry on the PC everything starts working, but that is a bad solution.)
In IP → IPsec → Peers:
Address: 0.0.0.0/0
Port: 500
Auth: PSK
ExchangeMode: Main
Send ini. contact: yes
NAT-T: yes
My ID User FQDN:
Proposal Check: obey
Hash: sha
Enc.: 3des
DH: modp2048
GeneratePolicy: yes
If your warrior's "local" IP is for example 1.1.1.1 you need to add an exception for masquerading: before the masquerading rule in Firewall → NAT place a rule that says "if src IP = your LAN and dst IP = 1.1.1.1 then action: ACCEPT" (do nothing, i.e. do not masquerade it).
And that’s it on MT side. On your VPN client app you need to set the same things…
I didn’t play with different Peer configuration because I’m waiting for some answer on my question from previous posts.
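The Peers settings and the NAT exception from the post above, written out as RouterOS CLI commands (an added example, not from this thread or from MikroTik). It assumes v5/v6-era option names, ether1 as the WAN interface, 1.1.1.1 as the warrior's "local" IP and a placeholder PSK:

```routeros
# Added example: the GUI settings from this thread as RouterOS CLI commands.
# Assumptions (not in the thread): v5/v6-era option names, ether1 is the WAN
# interface, the road warrior's "local" IP is 1.1.1.1, the PSK is a placeholder.

# Peer that accepts IKE from any address (client IP is dynamic), main mode,
# PSK, NAT-T, and a policy generated from what the client proposes.
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main \
    send-initial-contact=yes nat-traversal=yes proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp2048 \
    generate-policy=yes comment="road-warrior"
# Note: later v6 builds take generate-policy=port-override instead of yes.

# Order matters: the accept rule must sit above masquerade. Once a
# LAN -> 1.1.1.1 packet has been source-NAT'd to the WAN address it no
# longer matches the generated IPsec policy and leaves the router unencrypted.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=1.1.1.1 action=accept \
    comment="ipsec bypass: LAN -> road warrior (keep above masquerade)"
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# If masquerade already exists, add the accept rule with place-before=<its index>.

# Verify: rule order, and that a policy and a remote peer appear when the
# client connects.
/ip firewall nat print
/ip ipsec policy print
/ip ipsec remote-peers print
```

If a LAN host's traffic to 1.1.1.1 shows up as an increasing counter on the masquerade rule rather than the accept rule, the ordering is wrong.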