IPSEC site-2-site: adding policy hangs the router

Hi,

I have a RouterBoard RB952Ui-5ac2nD-TC hAP ac Lite Tower Case at home and am trying to set up an IPSEC site-to-site tunnel with an RB2011UiAS-RM at the office.
I have a static IP at the office and a dynamic one at home. Before getting the hAP ac Lite I used a Cisco RV130W at home and had the IPSEC tunnel working. To do that I set up the RB2011 at the office as found on this page: http://mikrotikroutersetup.blogspot.com/2012/01/mikrotik-router-site-to-site-ipsec-vpn-configuration-dhcp-ip-address.html I had the Cisco RV130W set up according to the values from that page as well. It worked fine.

Now that I bought the RouterBoard RB952Ui-5ac2nD-TC hAP ac Lite I used the same settings and… my hAP ac Lite hangs whenever I add the policy from that settings page.

Here is my configuration on the hAP ac Lite (RouterOS 6.37.3):

# dec/18/2016 20:57:02 by RouterOS 6.37.3
# software id = EICN-H8P5
#
/interface bridge add name=bridge2

/ip pool add name=dhcp ranges=10.12.12.10-10.12.12.254

/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge2 lease-time=3d10m name=dhcp1

/interface bridge port
add bridge=bridge2 interface=ether2
add bridge=bridge2 interface=ether3
add bridge=bridge2 interface=ether4
add bridge=bridge2 interface=ether5
add bridge=bridge2 interface=wlan2
add bridge=bridge2 interface=wlan1

/ip address
add address=10.12.12.1/24 interface=ether2 network=10.12.12.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network
add address=10.12.12.0/24 gateway=10.12.12.1 netmask=24

/ip firewall filter
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=forward comment="DROP Invalid Forward" \
    connection-state=invalid in-interface=ether1
add action=drop chain=input comment="DROP Invalid Input" connection-state=\
    invalid in-interface=ether1
add action=drop chain=input comment="Drop UDP DNS remote requests" dst-port=\
    53 protocol=udp src-address-list="!Internal network"
add action=drop chain=input comment="Drop TCP DNS remote requests" dst-port=\
    53 protocol=tcp src-address-list="!Internal network"
add chain=input comment="Allow SSH Internal Network" dst-port=61212 protocol=tcp \
    src-address=10.12.12.0/24
add action=drop chain=input comment="DROP SSH" dst-port=61212 protocol=tcp
add chain=input comment="Allow WinBox Internal Network" dst-port=8291 \
    protocol=tcp src-address=10.12.12.0/24
add action=drop chain=input comment="DROP WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop PING" protocol=icmp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add chain=forward comment="Allow Established/Related Forward Chain" \
    connection-state=established,related
add chain=input comment="Allow Established/Related iNPUT Chain" \
    connection-state=established,related
add action=drop chain=input comment="Drop Input" in-interface=ether1
add action=drop chain=forward comment="DROP Forward" in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Now, whenever I add

ip ipsec policy add src-address=0.0.0.0/0 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=OFFICE_MT_IP proposal=default priority=0

I get disconnected from the hAP ac Lite and from then on I cannot log in again. The only way to gain control back is to hard reset the router and set it up again.

What am I missing?

Your policy is seriously wrong, it tells the router to encrypt all traffic from anywhere to everywhere!

Bloody idiot I am… I copy/pasted the policy from a tutorial without actually checking the IPs. Anyway, this needed one more thing: a script I found here http://gregsowell.com/?p=1290 that sets sa-src-address according to the actual one I got from my ISP. Now it works like a charm.
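As an added illustration of the two points above (the any-to-any selector and the unset sa-src-address), here is a small checker that is not from the thread or from MikroTik: it parses a RouterOS `ip ipsec policy add` line and reports which flows the router itself depends on would be swallowed by the selector. The home LAN values are the ones posted; the office LAN, the home WAN lease and the ISP gateway are constructed placeholders.

```python
"""Check a RouterOS 'ip ipsec policy add ...' line for admin lock-out before applying it.
Added example, not code from the thread or from MikroTik. Home LAN values are the
thread's; the office LAN, the home WAN address and the ISP gateway are constructed."""
import ipaddress
import shlex

# Constructed sample input: the policy quoted in the thread, OFFICE_MT_IP placeholder kept.
POSTED_POLICY = ("ip ipsec policy add src-address=0.0.0.0/0 src-port=any "
                 "dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt "
                 "level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 "
                 "sa-dst-address=OFFICE_MT_IP proposal=default priority=0")
HOME_LAN, HOME_GW, HOME_CLIENT = "10.12.12.0/24", "10.12.12.1", "10.12.12.10"
OFFICE_LAN = "192.168.88.0/24"                  # assumption: office LAN is not in the thread
WAN_IP, ISP_GW = "203.0.113.45", "203.0.113.1"  # constructed: dynamic home WAN lease and gateway

def parse_policy(cmdline):
    """Map the 'key=value' tokens of the command line to a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(cmdline) if "=" in tok)

def selects(policy, src_host, dst_host):
    """True if the policy's traffic selector matches a flow src_host -> dst_host."""
    src = ipaddress.ip_network(policy.get("src-address", "0.0.0.0/0"), strict=False)
    dst = ipaddress.ip_network(policy.get("dst-address", "0.0.0.0/0"), strict=False)
    return ipaddress.ip_address(src_host) in src and ipaddress.ip_address(dst_host) in dst

def policy_findings(policy):
    """Flows the router itself needs that an action=encrypt policy must not swallow."""
    findings = []
    if policy.get("action", "encrypt") != "encrypt":
        return findings
    if selects(policy, HOME_CLIENT, HOME_GW):
        findings.append("LAN -> router management (WinBox/SSH) matches; level=require "
                        "refuses to pass it outside ESP, so the admin is locked out")
    if selects(policy, WAN_IP, ISP_GW):
        findings.append("router -> ISP gateway matches; WAN traffic outside the tunnel is blocked")
    if policy.get("sa-src-address", "0.0.0.0") == "0.0.0.0":
        findings.append("sa-src-address is 0.0.0.0; a dynamic WAN address must be written "
                        "into it on every DHCP lease (the dhcp-client script the thread mentions)")
    return findings

def narrowed_policy(policy):
    """Same policy with the selector limited to LAN-to-LAN and the SA source pinned."""
    fixed = dict(policy)
    fixed.update({"src-address": HOME_LAN, "dst-address": OFFICE_LAN, "sa-src-address": WAN_IP})
    return fixed

if __name__ == "__main__":
    posted = parse_policy(POSTED_POLICY)
    for finding in policy_findings(posted):
        print("posted policy:", finding)
    print("narrowed policy findings:", policy_findings(narrowed_policy(posted)))
```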

And also, you made a mistake by giving an IP to ether2. You must set the IP on the bridge interface because ether2 is already part of the bridge and the DHCP server runs on the bridge as well.


Sent from my SM-N910C using Tapatalk

Now that is funny, because that was set by MikroTik QuickSet, plus I have no problems with the DHCP server running…

Then it is time to contact support and report the issue. However, I believe that by upgrading your RouterOS you may overcome this problem.

Sent from my SM-N910C using Tapatalk