IPsec s2s VPN between Mikrotik RB4011 and Palo Alto PA-220 multiple policies problem

Hello,

I am very new to IPsec config and also to Mikrotik products. I want to achieve site to site tunnel between our HQ Palo Alto firewall and Mikrotik for our new branch office. Also i need tunnel interfaces on the both sides for OSPF which I will set later. Tunnel is established and it is ok, but the problem is that I need access to two different subnets from Mikrotik. I have these subnets:

• 10.0.0.0/11 - This is HQ LAN which is agregated.
• 10.255.128.0/30 - Point to point network inside tunnel between Palo Alto and Mikrotik.
• (10.32.0.0/19 - Branch office LAN. )

So I created two IPsec policies (they are set in tunnel mode, because Palo Alto does not support transport mode):

• src-address: 0.0.0.0/0 dst-address: 10.0.0.0/11 level: unique
• src-address: 0.0.0.0/0 dst-address: 10.255.128.0/30 level: unique

With one policy all works great. With two policies there is a problem. When Mikrotik initialize connection, tunnel is failing. When initialization from Mikrotik side is disabled, tunnel is created successfully, but when I try to ping to some IP from subnets configured in policies, there is packet loss above 50%. It seems that half of whole time works first policy and next half second policy.

It is interesting that from Palo Alto side there is no need to specify some policy rules and everything works. When I tried to setup one policy with src-address: 0.0.0.0/0 dst-address: 0.0.0.0/0, these rules had more priority than routes and everything was routed through tunnel interface. I not sure which behavior is better by the standards.

Here are tutorials and threads which I used:

• https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
• https://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco
• http://forum.mikrotik.com/t/ipsec-multisubnet-or-multi-policy-issue/22411/1

I am sorry for my weak english, I hope that you will understand me.

Hey,

I am working here on an IPSEC s2s setup with Palo Alto and Mikrotik CHR.
It would help to understand both sides setup.
In the PA side you can use the default PH1 and PH2 IKEv2 and IPSEC profiles.
** EDIT ** For most use cases you will need to set on the PA side the IKE Gateway side “Peer IP Address Type” to Dynamic.
Take a peek at:
Palo Alto: Getting Started: VPN
Palo Alto: IPSec VPN Tunnel with Peer Having Dynamic IP Address

Before starting with the setup config you must know that to reach each end you must be inside the LAN segment of the NETWORK.
To ping from the Mikrotik towards the tunnel with the local ip address you can use something like:

/ping address=192.168.99.1 src-address=192.168.89.254

or

/ping address=192.168.99.1 interface=ether3

which ether3 is my LAN inteface and 192.168.89.254 is the Mikrotik IP on this interface

On PA Steps to create the IPSEC tunnel itself :

Network → Interfaces → Tunnel → Add

• Interface name(numeric) ie 10
• Comment = S2S Name
• Virtual Router = Default (unless you have a more complex setup)
• Zone = VPN(Or Whatever is ok for this peer)
  → IPV4
• Add → 192.168.99/32
  (/32 since it’s a “dummy” rules that will force traffic into the tunnel instead of into the defautl GW Route)
  → Advanced
• Management Profile → (Choose if you have one)

Network → IKE Gateways → Add

• Name = MT-S2S-SomeSite-GW
• Version = IKEv2 only mode
• Interface = WAN Interface with the IP of the peer ie ethernet1/1.10 (which holds the 200.200.200.200/24)
• Local IP Address = 200.200.200.200/24
• Peer IP Address Type = > Dynamic > ( Choose IP > only > if the peer have a static IP which is tested to work with this mode)
• Peer Address = 201.201.201.201 ( Requied Only when the Peer IP Address Type = IP)
• Pre-shared Key = Test***
• Confirm Pre-shared Key = Test***
• Local Identification → IP Address = 200.200.200.200
• Peer Identification → IP Address = 201.201.201.201
  → Advanced
• Enable NAT Traversal → Check
• (IKEv2) IKE Crypto Profile = Default
  → OK
  Network → IPSEC Tunnels → Add
• Name = MT-S2S-SomeSite-IPSEC-Tunnel
• Tunnel Interface = tunnel.10
• Type = Auto Key
• Address Type = IPv4
• IKE Gateway = MT-S2S-SomeSite-GW
• IPSec Crypto Profile = Default
  → Proxy ID IPv4 → Add
• Proxy ID = px1
• Local = 192.168.99.1/32
• Remote = 192.168.89.0/24
• Protocol = Any
  → Proxy ID IPv4 → Add
• Proxy ID = px2
• Local = 10.200.0.0/24
• Remote = 192.168.89.0/24
• Protocol = Any
  → Proxy ID IPv4 → Add
• Proxy ID = px2
• Local = 10.205.0.0/24
• Remote = 192.168.89.0/24
• Protocol = Any
  → OK
  Network → Virtual Router → Default ( Or any other if you have a more complex Setup)
  → Static Routes → IPv4 → Add
• Name = S2S Tunnle Route
• Destination = 192.168.89.0/24
• Interface = tunnel.10
• Next-Hop = “IP Address” (literal String. the ip itself is in the next box below)
• Box below the string “Next-Hop” = 192.168.99.1
  → OK
  → OK

Commit

Go to the Mikrotik and setup the connection.. And it’s up

In PA you must add:

• FW rules to allow ike(port 500/4500) from the remote site and back
• IP address (should be /32) on the tunnel interface
• Proxy ID policy from the LAN Towards the S2S LAN
• IP route(static or dynamic using BGP/OSPF/OTHER) that will direct traffic towards the other site via the tunnel /32 ip address
• FW rules and zones on the addresses and/or the tunnel interface that will allow traffic from side to side
  
  
  
  My Local Mikrotik IPSEC and FW settings(200.200.200.200 is the PA ie peer and 201.201.201.201 is my Local address):

[admin@MT-CHR-R1] > /ip ipsec installed-sa print terse 
 0 HE spi=0xC6C726E src-address=200.200.200.200 dst-address=201.201.201.201 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=3b****cd enc-key=68****83 addtime=oct/28/2020 21:44:29 expires-in=8m38s add-lifetime=24m4s/30m5s current-bytes=30604 current-packets=502 replay=128 
 1 HE spi=0xCEEAB2B9 src-address=201.201.201.201 dst-address=200.200.200.200 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=b19****f9 enc-key=45****b2 addtime=oct/28/2020 21:44:29 expires-in=8m38s add-lifetime=24m4s/30m5s current-bytes=33044 current-packets=542 replay=128 
 2 HE spi=0x72A91A9 src-address=200.200.200.200 dst-address=201.201.201.201 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=ad****cb enc-key=93***a7 add-lifetime=24m8s/30m10s replay=128 
 3 HE spi=0xADE50688 src-address=201.201.201.201 dst-address=200.200.200.200 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=e1****a0 enc-key=5b****e8 add-lifetime=24m8s/30m10s replay=128 
 4 HE spi=0xF1CBCE0 src-address=200.200.200.200 dst-address=201.201.201.201 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=da****94 enc-key=5b****c9 add-lifetime=24m20s/30m26s replay=128 
 5 HE spi=0xDD03EDEB src-address=201.201.201.201 dst-address=200.200.200.200 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key=06****76 enc-key=8b****c9 add-lifetime=24m20s/30m26s replay=128 


[admin@MT-CHR-R1] /ip ipsec> export verbose terse
# oct/28/2020 22:02:45 by RouterOS 6.47.6
# software id = 
#
#
#
/ip ipsec mode-config set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group set [ find default=yes ] name=default
/ip ipsec profile set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec profile add dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128 hash-algorithm=sha1 lifetime=1d name=Work_Profile nat-traversal=yes proposal-check=obey
/ip ipsec peer add address=200.200.200.200/32 disabled=no exchange-mode=ike2 local-address=201.201.201.201 name=Work-s2s port=500 profile=Work_Profile send-initial-contact=yes
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip ipsec proposal add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=Work-Proposal pfs-group=modp1024
/ip ipsec identity add auth-method=pre-shared-key disabled=no generate-policy=no my-id=address:201.201.201.201 peer=Work-s2s secret=Test****
/ip ipsec policy set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec policy add action=encrypt disabled=no dst-address=10.200.0.0/16 dst-port=any ipsec-protocols=esp level=unique peer=Work-s2s proposal=Work-Proposal protocol=all sa-dst-address=200.200.200.200 sa-src-address=201.201.201.201 src-address=192.168.89.0/24 src-port=any tunnel=yes
/ip ipsec policy add action=encrypt disabled=no dst-address=10.205.0.0/16 dst-port=any ipsec-protocols=esp level=unique peer=Work-s2s proposal=Work-Proposal protocol=all sa-dst-address=200.200.200.200 sa-src-address=201.201.201.201 src-address=192.168.89.0/24 src-port=any tunnel=yes
/ip ipsec policy add action=encrypt disabled=no dst-address=192.168.99.1/32 dst-port=any ipsec-protocols=esp level=unique peer=Work-s2s proposal=Work-Proposal protocol=all sa-dst-address=200.200.200.200 sa-src-address=201.201.201.201 src-address=192.168.89.0/24 src-port=any tunnel=yes
/ip ipsec settings set accounting=yes interim-update=0s xauth-use-radius=no


[admin@MT-CHR-R1] /ip ipsec> /ip ipsec active-peers print terse 
 0    id=200.200.200.200 local-address=201.201.201.201 remote-address=200.200.200.200 state=established side=initiator uptime=18m58s last-seen=3s ph2-total=3 


[admin@MT-CHR-R1] /ip ipsec> /ip ipsec statistics print  
                  in-errors: 0
           in-buffer-errors: 0
           in-header-errors: 0
               in-no-states: 4
   in-state-protocol-errors: 0
       in-state-mode-errors: 0
   in-state-sequence-errors: 0
           in-state-expired: 0
        in-state-mismatches: 0
           in-state-invalid: 0
     in-template-mismatches: 0
             in-no-policies: 0
          in-policy-blocked: 0
           in-policy-errors: 0
                 out-errors: 0
          out-bundle-errors: 0
    out-bundle-check-errors: 0
              out-no-states: 213
  out-state-protocol-errors: 1
      out-state-mode-errors: 0
  out-state-sequence-errors: 0
          out-state-expired: 1
         out-policy-blocked: 0
            out-policy-dead: 0
          out-policy-errors: 0


admin@MT-CHR-R1] /ip firewall nat> /ip firewall nat export terse 
# oct/28/2020 22:04:09 by RouterOS 6.47.6
# software id = 
#
#
#
/ip firewall nat add action=accept chain=srcnat dst-address-list=WORK-OFFICE-VPN log=yes src-address=192.168.89.0/24
/ip firewall nat add action=accept chain=srcnat src-address-list=WORK-OFFICE-VPN
/ip firewall nat add action=accept chain=srcnat disabled=yes dst-address-list=WORK-OFFICE-OFFICE src-address=192.168.89.0/24
/ip firewall nat add action=accept chain=srcnat disabled=yes src-address-list=WORK-OFFICE-OFFICE
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN


[admin@MT-CHR-R1] /ip firewall nat> /ip firewall filter print terse 
 0    chain=forward action=accept src-address-list=WORK-OFFICE-VPN log=no log-prefix="" 
 1    chain=forward action=accept src-address-list=WORK-OFFICE-OFFICE log=no log-prefix="" 
 2    chain=forward action=accept dst-address-list=WORK-OFFICE-VPN log=no log-prefix="" 
 3    chain=forward action=accept dst-address-list=WORK-OFFICE-OFFICE log=no log-prefix="" 
 4    comment=Accept ESTABLISH,RELATED chain=forward action=accept connection-state=established,related log=no log-prefix="" 
 5    comment=Drop INVALID chain=forward action=drop connection-state=invalid log=no log-prefix="" 
 6    comment=Accept NEW From LAN chain=forward action=accept connection-state=new in-interface-list=LAN log=no log-prefix="" 
 7    comment=ACCEPT DNAT FROM WAN chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN log=no log-prefix="" 
 8    comment=DROP New From WAN chain=forward action=drop connection-state=new in-interface-list=WAN log=no log-prefix="" 
 9    comment=Allow ESTABLISHED Related chain=input action=accept connection-state=established,related log=no log-prefix="" 
10    comment=ipsec policy matcher chain=input action=accept in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec 
11    comment=Accept ICMP on WAN chain=input action=accept connection-state=new protocol=icmp in-interface-list=WAN log=no log-prefix="" 
12 X  chain=input action=accept connection-state=new src-address-list=WORK-OFFICE-VPN log=no log-prefix="" 
13 X  chain=input action=accept connection-state=new src-address-list=WORK-OFFICE-OFFICE log=no log-prefix="" 
14    chain=input action=drop connection-state=new in-interface-list=WAN log=no log-prefix="" 
15    chain=input action=accept log=no log-prefix=""

Hi and thank you for your reply!

What you described is state very similar to what I have, but thanks to you, I have clarified a few details. My original question about multiple policies is solved, I forgot to set proxy IDs on Palo side.

But what if I want the tunnel interface also on the Mikrotik side as well? My original goal was to have two OSPF routers and automatic route propagation of Mikrotik LAN networks to potential next OSPF node. I have currently set the IPIP interface, but Mikrotik overlooks it. I’ve filled both public IP addresses and local IP from p2p subnet, but all routes via this interface are marked as inactive. I have read a lot of topics about it, so do I understand right, that Mikrotik does not support route based IPsec VPN (so I can’t force IPsec to use any tunnel interface)?

Thank you kindly.

Hey,

The basic config of a GRE tunnel between PA and MT would be a bit different from MT to MT.
With MT to MT the IPSec tunnel would be negotiated with the PSK defined in the GRE configuration.
With PA and MT I assume that you would be required to to create another tunnel ontop of the IKE and the ipsec tunnel.
On the MT create a bridge interface with an ip address such as 192.168.199.1/32.
(Alternatively you can use the MT LAN ip address like 192.168.0.1/32 )
Then on the ipsec policies on both sides of the PA and the MT allow/accept only from 192.168.199.1/32 to 192.168.99.1/32 and vice versa on the PA.
In the PA create a static route to 192.168.199.1/32 via the 192.168.99.1 address on the ipsec tunnel.
After this create a GRE tunnel from 192.168.99.1 to 192.168.199.1 on the PA And on the MT.
IE the MT GRE tunnel would be from 192.168.199.1 to 192.168.99.1 .
Then you can add addresses to the GRE tunnel itself like a 192.168.200.1/30 on the MT and 192.168.200.2/30 on the PA.
Once you have these configured you could probably do anything with OSPF.

• From what I know PA 9.0 doesn’t have support for IPIP tunnels.

I have seen that PA has a “Add GRE Encapsulation” checkbox however I have not tried to use it but I believe it would work with some vendors.
Not sure if MT GRE with IPsec PSK would work with it.

An example for VyOS an PA IPSEC and GRE cli configuraion might help to configure the PA side of via cli instead of WEBUI:
VyOS: GRE/IPsec
VyOS: VTI with Palo Alto

PA - IPSec Tunnel General Tab
GRE Tunnel Overview

Ok, thank you. I will try it when I’m preparing another router.

Hi sir Elico, any chance we could get in touch to talk about the same project with vpn(s) between multiple remotes sites on Mikroitk and a HQ on PA?

Thank you very much

Hi, I am certainly sure, that you cannot make s2s VPN with same networks. You also cannot connect same networks to router…

[quote=randhir18 post_id=852772 time=1618222884 user_id=154820]
I have 2 mikrotik router .one is rb4011 and second one is rb3011 .both are different location. I want to configure vpn between router..But local Ip is same in both location.how to configure???
[/quote]