I have configured IPSec on RB751G-2hnd (ROS 6.6) according to the following document from the Mikrotik wiki: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf
but the Shrew client cannot bring up the IPsec tunnel; a time-out occurs.
Nothing is mentioned in the wiki about firewall rules for a road warrior, so it is not clear where the problem occurs: in the firewall rules or in the IPSec policy?
I think the firewall INPUT chain should contain at least one rule to allow new connections on WAN, port 500 udp, to initiate the IPSec tunnel. What about other rules to allow traffic from the road warrior via IPSec to the LAN?
I would be grateful if someone would help me complete the configuration for a road warrior with IPSec policy for the Shrew client.
You need these to allow outer-tunnel IPsec traffic (you can further restrict them to your WAN interface only):
/ip firewall filter
add chain=input comment=IPsec dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp

As to the inner-tunnel traffic, it’s a bit more complicated. First, use mangle rules like these to mark (not yet decapsulated) IPsec packets with ‘vpn’ packet mark:
/ip firewall mangle
add action=mark-packet chain=input dst-port=4500 new-packet-mark=vpn protocol=udp
add action=mark-packet chain=input new-packet-mark=vpn protocol=ipsec-esp

The ‘vpn’ packet mark will be copied to your inner-tunnel packets during decapsulation, so you can use it in filter rules later.
Also please note that there’s a bug in the policy templates configuration: ‘dst-address’ and ‘src-address’ are mixed up in 6.6 and earlier versions. I was going to write to support about the issue, but have not done that yet.
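The answer above gives the outer-tunnel filter rules and the mangle marks but leaves the inner-tunnel filter rule and the WAN restriction to the reader. The following fragment is an added example assembled from those rules; it is not the answerer's own configuration. It assumes a WAN interface named ether1-gateway, a LAN subnet of 192.168.7.0/24 (taken from the client address used later in the thread) and a firewall that ends each chain with a drop rule; all three are assumptions.

```routeros
# Added example: full firewall fragment for a Mode-Config road-warrior setup.
# Assumptions (not from the thread): WAN interface "ether1-gateway",
# LAN subnet 192.168.7.0/24, and existing final drop rules in the input and
# forward chains. "add" appends at the end of a chain, so move these rules
# above the drop rule (or use place-before=) after adding them.

/ip firewall filter
# --- outer tunnel: IKE, NAT-T and ESP, accepted only on the WAN interface ---
add chain=input in-interface=ether1-gateway protocol=udp dst-port=500 \
    action=accept comment="IPsec IKE"
add chain=input in-interface=ether1-gateway protocol=udp dst-port=4500 \
    action=accept comment="IPsec NAT-T"
add chain=input in-interface=ether1-gateway protocol=ipsec-esp \
    action=accept comment="IPsec ESP"

/ip firewall mangle
# --- tag the still-encapsulated packets; the mark is kept on the
#     decapsulated inner packets, which then traverse the forward chain ---
add chain=input in-interface=ether1-gateway protocol=udp dst-port=4500 \
    action=mark-packet new-packet-mark=vpn passthrough=yes
add chain=input in-interface=ether1-gateway protocol=ipsec-esp \
    action=mark-packet new-packet-mark=vpn passthrough=yes

/ip firewall filter
# --- inner tunnel: only packets carrying the "vpn" mark may reach the LAN ---
# replies from the LAN are covered by the usual established/related rule,
# which should already sit at the top of the forward chain
add chain=forward connection-state=established,related action=accept
add chain=forward packet-mark=vpn dst-address=192.168.7.0/24 \
    action=accept comment="IPsec road warrior to LAN"
```

Restricting the input rules to the WAN interface keeps IKE and ESP from being accepted on the LAN side, and matching on the packet mark rather than on source address means a road warrior cannot reach the LAN by sending plain (unencrypted) packets that merely claim its tunnel address.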
Now the tunnel is enabled, but I can’t ping the remote LAN.
When I remove the following lines from Shrew:
s:ident-client-data:
s:ident-server-data:
and add
s:client-iface:virtual
s:client-ip-addr:192.168.7.50 → free IP from remote LAN, not from DHCP pool
s:client-ip-mask:255.255.255.0
only then can I ping several IPs on the remote LAN.
Quite an interesting situation: I can ping only some IPs, other IPs are unreachable, yet the unreachable IPs can be pinged via the Winbox ping tool without problems.
The remote LAN contains several static IPs + dynamic IPs (from the DHCP pool); the local PC firewall is turned off.
Why are only some IPs accessible on the remote LAN?
Any ideas are welcome, thank you.
What Windows client? To my knowledge, there’s no easy-to-use pure (policy-based) IPsec client in Windows itself at all. Shrew supports virtually anything you can do with IPsec; no other client that I know of is as flexible as Shrew.
Shrew profile files (even though being plain-text) are not designed to be human-readable/editable, IMO. Can you please specify what these options refer to in the UI?
I do NOT recommend using IPs from remote LAN’s subnet for your road-warriors (VPN users). Even though it might (or might not) work with proxy ARP enabled, classic policy-based IPsec is not meant to be used that way. Allocate another (separate) subnet for your road-warriors.