IPSec routing issue, please help

I am setting up a RouterOS (Routerboard 532) to VPN to a Linksys BEFSX41, using IPSEC. I finally got the link configured and connected, but I can’t seem to figure out how to pass traffic from one network to the other. Both hosts are on the same ISP and will be in the same IP range. The set up is:

Mikrotik
Public (routable) IP: 216.XXX.XXX.116
Internal IP (ether 3): 10.10.10.1
Internal Machine: 10.10.10.10

Linksys BEFSX41
Public (routable) IP: 216.XXX.XXX.117
Internal IP: 192.168.1.1
Internal Machine: 192.168.1.100

Following the IPSec configuration from the documentation (the FreeS/WAN one was the only one I could get to work), I came up with this configuration:

ip ipsec peer print

0 address=216.XXX.XXX.117/32:500 secret="secret" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1h lifebytes=0

ip ipsec proposal print

0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024

1 name="proposal1" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=none

ip ipsec policy print

0 src-address=10.10.10.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=216.XXX.XXX.116 sa-dst-address=216.XXX.XXX.117 proposal=proposal1 manual-sa=none dont-fragment=clear

When I ping from either side, I get a network is unreachable error. Both the Mikrotik and the Linksys are reporting that the link is up.

What have I missed? The configuration is very basic at this point, with only Ether1 and Ether3 up and configured. Routing works correctly except for over the VPN.

One other question: when this finally does work and you try to connect from the Mikrotik to the Linksys network, does the link come up automatically? At this point I am starting it from the Linksys side, but the user would be on the Mikrotik side of the network.

More information on request if it is needed.

Thank you

Lyle

How did this end up?
I'm having the exact same problem. Should a traceroute show the path to the net or the tunnel IP?

Thanks,

I finally gave it up. Went another route that, while it wasn't as transparent to the user, ended up being easier and more flexible in the long run.

Do you have NATing on outgoing traffic? If so, did you add a srcnat/accept rule from your local net to the remote network BEFORE your NAT rule? Otherwise it will be NATed and go out on the Internet! Try a source-route trace to see where your packets go...

/Jörgen

Yes, I do have NAT and I do have a src-nat rule pointing to my external IP address.
What I'm trying to accomplish is to have one side of the network with 2 src-nat rules, where only one of the networks can actually 'talk' to the 'other' side. In this case the 172.16.0.X network.

Ok, did you try my suggestion?

“If so, did you add a srcnat/accept rule from your local net to the remote network BEFORE your NAT-rule?”

Did you try a traceroute to see which way your packets took?

My MT box has the following rules FIRST in the list:

/ ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 dst-address=200.21.23.0/24 \
    action=accept comment="IPSec tunnels" disabled=no
add chain=srcnat src-address=192.168.2.0/24 dst-address=200.21.10.0/24 \
    action=accept comment="" disabled=no
add chain=srcnat src-address=192.168.2.0/24 dst-address=200.21.28.0/24 \
    action=accept comment="" disabled=no

This tells my box to accept all traffic to the remote sites (200.21.something * 3). If I do not have this, it will src-nat everything (including the traffic for the IPsec tunnels) out onto the Internet.

/Jörgen
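The rule-ordering fix Jörgen describes, applied to Lyle's addresses from the first post (10.10.10.0/24 behind the MikroTik, 192.168.1.0/24 behind the Linksys, peer 216.XXX.XXX.117 as masked on the page). This is an added example, not configuration posted by either participant. It assumes ether1 is the public interface, that the box already has a masquerade rule on it, that the filter chains drop by default (so the IKE/ESP and forward rules are needed), and RouterOS 2.9/3.x command syntax.

```routeros
# Added example (not from the thread). Assumptions: public interface is
# ether1, an existing masquerade rule NATs everything leaving it, and the
# firewall filter drops by default. 216.XXX.XXX.117 is the masked peer
# address exactly as it appears in the thread.

# 1. The usual outbound NAT. Any tunnel-bound packet that reaches this rule
#    has its source rewritten to 216.XXX.XXX.116; it then no longer matches
#    the IPsec policy's src-address=10.10.10.0/24 and leaves in the clear.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="default NAT"

# 2. The exemption. srcnat is first-match, so the accept must sit above the
#    masquerade rule; place-before=0 moves it to the top of the chain.
add chain=srcnat src-address=10.10.10.0/24 dst-address=192.168.1.0/24 \
    action=accept place-before=0 comment="IPsec to Linksys: do not NAT"

# 3. Verify the order: the accept rule must print with a lower number than
#    the masquerade rule, otherwise it never sees the packet.
/ip firewall nat print

# 4. Let the peer's IKE (UDP/500) and ESP (IP protocol 50) reach the router,
#    and let the two LANs through the forward chain in both directions.
/ip firewall filter
add chain=input src-address=216.XXX.XXX.117 protocol=udp dst-port=500 action=accept
add chain=input src-address=216.XXX.XXX.117 protocol=ipsec-esp action=accept
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.1.0/24 action=accept
add chain=forward src-address=192.168.1.0/24 dst-address=10.10.10.0/24 action=accept

# 5. Check from the LAN side: ping 192.168.1.100 from 10.10.10.10 (not from
#    the router, whose own packets source from the public IP and miss the
#    policy). Once a matching packet is seen, the SAs should appear here:
/ip ipsec installed-sa print
```

The check in step 5 is also the answer to the traceroute question above: the policy is applied after routing, so a traceroute from 10.10.10.10 to the remote LAN shows the normal route toward the default gateway, and the proof that the tunnel is in use is the presence of installed SAs and the absence of hops past the MikroTik, not a hop with a "tunnel IP". On the on-demand question, a policy with action=encrypt and level=require makes RouterOS start IKE itself when the first matching packet arrives, so the tunnel comes up from the MikroTik side as long as the Linksys accepts inbound IKE.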