IPsec site-site tunnel behind NAT

Hi all,

I am trying to set up a site-site tunnel between my Mikrotik at home (behind a NATting DSL router) and my VPS (no NAT) running Strongswan.
The network looks like:

Public home ip: 1.1.1.1
NAT ip of Mikrotik: 10.1.2.80
Public ip strongswan server: 2.2.2.2

192.168.88.0/24(LAN)–Mikrotik–10.1.2.0/24—Fritzbox(DSL router) (1.1.1.1)-----internet-----Strongswan server (2.2.2.2)

Now this router is going to travel with me to similar situations (behind NAT), so I don't want to change anything in the NATting DSL router. The Mikrotik behind NAT is going to set up the tunnel, so I feel this should be possible. I have included as much information as possible.
What happens is that sometimes phase 2 is completed and I have the following entries in the SAs:

    SPI       Src. Address   Dst. Address   Auth. Algorithm   Encr. Algorithm   Current Bytes
 E  c7ae8dc7  10.1.2.80      2.2.2.2        sha1              aes cbc           0
 E  f67d655   2.2.2.2        10.1.2.80      sha1              aes cbc           0

That looks sort of okay. I am not sure if the 10.1.2.80 should be there, but that may be correct as the tunnel is now up.
I cannot get traffic over this tunnel though (ping the remote end). How can I start debugging this? (Am I missing a NAT firewall rule that is preventing traffic from passing into the tunnel?)
Thanks in advance.

Jeroen


[admin@MikroTik] /ip> export compact 
# apr/12/2017 23:24:21 by RouterOS 6.38.5
# software id = QG52-GD39
#
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=testproposal pfs-group=none

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no \
    interface=ether1

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=\
    icmp

add action=accept chain=input comment=\
    "defconf: accept established,related" connection-state=\
    established,related

add action=accept chain=input comment=\
    "Allow IPSec from VPN server" dst-port=500,4500 \
    in-interface=ether1 protocol=udp

add action=accept chain=input comment="accept http(s) on wan" dst-port=\
    80,443 in-interface=ether1 protocol=tcp

add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1

add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack" connection-state=established,related

add action=accept chain=forward comment=\
    "defconf: accept established,related" connection-state=\
    established,related

add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1

/ip ipsec peer
add address=2.2.2.2/32 comment="VPN server" dh-group=\
    modp2048 enc-algorithm=aes-256 exchange-mode=ike2 hash-algorithm=\
    sha256 my-id=user-fqdn:email@address.be port=500 secret=\
    asdlkj

/ip ipsec policy
add comment="IP tunnel" dst-address=0.0.0.0/0 proposal=\
    testproposal sa-dst-address=2.2.2.2 sa-src-address=\
    1.1.1.1 src-address=192.168.88.0/24 tunnel=yes

Strongswan configuration:
ipsec.conf:

config setup
	charondebug="all"
	strictcrlpolicy=no
	uniqueids = yes

conn %default
    keyexchange=ikev2

conn office
     mobike=yes
     left=2.2.2.2
     leftsubnet=0.0.0.0/0
     right=1.1.1.1
     rightid=email@address.be
     rightsubnet=192.168.88.0/24
     keyexchange=ikev2
     authby=secret
     ike=aes256-sha256-modp2048
     esp=aes128-sha1
     modeconfig=push
     type=tunnel
     auto=route

ipsec.secrets:

: PSK "asdlkj"

Make sure you have NAT Traversal enabled on the server and client.

/ip ipsec peer set 1 nat-traversal=yes

Hi idlemind,

I have done this, but it did not help. I was also under the impression that using IKEv2 solves a lot of the NAT issues IKEv1 had.
What else can I try now? How can I best test the connection? Doing a traceroute on the Mikrotik?
Regards,

Jeroen

My Mikrotik is behind a router in bridge mode.

As this chapter of the manual explains, you have to

  • prevent src-nat from changing the source address of packets sent from the IP subnet at the Mikrotik side, by placing an "action=accept" rule for this traffic before the "action=masquerade" rule in the srcnat chain,
  • prevent fasttrack from handling these packets, which can be done in two ways, depending on whether you need connection tracking of the tunnel traffic or not: either by preventing conntracking completely by placing exception "action=no-track" rules in the "raw" group, or by preventing fasttracking alone by placing exception "action=accept" rules before the "action=fasttrack" one.

Have you done both?

As for IKEv2 “solving NAT-related issues encountered in IKEv1”:

  • as the SAs are established, your issue is not related to NAT traversal
  • IKEv2 actually uses the same solution for NAT traversal as IKEv1, except that in IKEv2 it is part of the standard, whereas for IKEv1 it was a NAT-T extension of the standard.

So you don't have to specially activate the extension in the configuration if you choose IKEv2; it is always enabled and is chosen automatically if NAT traversal is detected.
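As an added illustration of the two exceptions described above (not part of any post in this thread or of the MikroTik manual), the RouterOS commands for this thread's setup. It assumes the rule comments from the export earlier in the thread, that the `ipsec-policy` firewall matcher is available on this RouterOS version, and the full-tunnel policy (dst-address=0.0.0.0/0) from the export.

```routeros
# Added example: srcnat and fasttrack exceptions for the tunnel from this thread.
# Assumes the rule comments from the export above and that the ipsec-policy
# firewall matcher exists on this RouterOS version (assumption).

# 1. Keep the LAN source addresses intact for traffic that an IPsec policy
#    will encrypt: accept it before the masquerade rule. Otherwise the packet
#    leaves as 10.1.2.80 and no longer matches the policy's src-address.
/ip firewall nat
add chain=srcnat action=accept comment="IPsec bypass NAT" \
    src-address=192.168.88.0/24 ipsec-policy=out,ipsec \
    place-before=[find comment="defconf: masquerade"]

# 2a. Option A: keep connection tracking, but keep tunnel traffic out of
#     fasttrack, which would otherwise push packets past the IPsec hooks.
/ip firewall filter
add chain=forward action=accept comment="IPsec in, not fasttracked" \
    ipsec-policy=in,ipsec place-before=[find comment="defconf: fasttrack"]
add chain=forward action=accept comment="IPsec out, not fasttracked" \
    ipsec-policy=out,ipsec place-before=[find comment="defconf: fasttrack"]

# 2b. Option B (instead of 2a): no connection tracking at all for the LAN
#     subnet in both directions. With the policy's dst-address=0.0.0.0/0 this
#     covers every LAN flow; narrow dst-address if the policy is narrowed.
# /ip firewall raw
# add chain=prerouting action=notrack src-address=192.168.88.0/24
# add chain=prerouting action=notrack dst-address=192.168.88.0/24

# 3. Verify: the counters of the new rules should increase while pinging
#    through the tunnel, and the SA byte counters should move away from 0.
/ip firewall nat print stats where comment~"IPsec"
/ip firewall filter print stats where comment~"IPsec"
/ip ipsec installed-sa print
/ping 2.2.2.2 src-address=192.168.88.1 count=4
```

If the nat accept counter stays at 0 while the ping runs, the packets never matched the policy before being masqueraded, which points back at the policy's src-address or sa-src-address rather than at the firewall.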