IPsec Site to Site Cyberoam + MikroTik

Issue:
I am unable to browse certain LAN segments in the same subnet in the HO LAN from the BO LAN, especially HTTP traffic.

HO LAN :192.168.0.0/24
HO Gateway:192.168.0.101
HO WAN IP :42.25.25.12 (Routable)

BO LAN: 192.168.1.101
BO Gateway:192.168.1.101
BO WAN:(Dynamic Non Routable)

c:> tracert 192.168.0.11

Tracing route to 192.168.0.11 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 192.168.1.101
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 28 ms 23 ms 21 ms 192.168.0.11

The IPsec tunnel is working, and HO is able to access HTTP sites and resources on BO.

[HO LAN (192.168.0.0/24)]<---->(192.168.0.101)[Cyberoam](public routable IP 42.25.25.12)-----Internet-----[ISP NAT]<—>[MikroTik]<—>(192.168.1.0/24 BO LAN)

I have done the setup as per https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel

Help is appreciated.

If the firewall is not restricting the traffic, I would suggest checking for MTU-related issues. Can you ping between the gateways with a 1500-byte packet size and the do-not-fragment flag set to yes?

I cannot ping the Cyberoam (HO) gateway from the MikroTik (BO), but I can ping it from a PC on the BO side.

Why can't you ping between the routers? Anyway, it sounds like an MTU-related issue; I would suggest manually reducing the TCP MSS using a mangle firewall rule and seeing if anything changes.
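As an added example (not code from this thread), a Python script that automates the DF-set ping test suggested above and turns the discovered path MTU into the new-mss value for the MSS mangle rule. It assumes Linux iputils ping (-M do sets DF, -s is the ICMP payload size) and that it runs on a LAN host behind the MikroTik towards 192.168.0.11 from the thread; simulated_path is a constructed stand-in so the search logic can be exercised offline.

```python
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header, no options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header, no options; MSS = MTU - IP_HDR - TCP_HDR

def ping_probe(host: str, mtu: int, timeout_s: int = 1) -> bool:
    """True if one echo of total IP length `mtu` with DF set gets a reply.
    Assumes Linux iputils ping (-M do sets DF, -s is the ICMP payload size)."""
    payload = mtu - IP_HDR - ICMP_HDR
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest MTU in [lo, hi] that probe() accepts.
    Returns 0 when even `lo` fails: the path is blocked, not just undersized."""
    if not probe(lo):
        return 0
    if probe(hi):
        return hi
    while hi - lo > 1:          # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def mss_for_mtu(path_mtu: int) -> int:
    """TCP MSS that fits the discovered path MTU (IPv4, no TCP options)."""
    return path_mtu - IP_HDR - TCP_HDR

def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: drops DF packets larger than path_mtu."""
    return lambda mtu: mtu <= path_mtu

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.11"  # host from the thread
    mtu = find_path_mtu(lambda m: ping_probe(target, m))
    if mtu == 0:
        print(f"no DF-marked 576-byte echo reached {target}; check routing/firewall first")
    else:
        print(f"path MTU to {target}: {mtu}; suggested new-mss={mss_for_mtu(mtu)}")
```

A path MTU of 0 means the tunnel path is blocked or filtered rather than undersized, so MSS clamping alone will not help there.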

I have added this mangle rule.
Trial 1:
/ip firewall mangle
add chain=forward action=change-mss new-mss=1350 passthrough=yes tcp-flags=syn protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.0.0/24 tcp-mss=!0-1350
Trial 2:
/ip firewall mangle
add chain=forward action=change-mss new-mss=1400 passthrough=yes tcp-flags=syn protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.0.0/24 tcp-mss=!0-1350


No change; the MikroTik terminal is still unable to ping the router on the other side of the IPsec tunnel.

The most important problem is that I am unable to access the HTTP traffic of certain devices, which work perfectly otherwise.

Hello,

Try to add a mangle rule on the MikroTik to clear the DF (do not fragment) bit, which is usually set by the sending device. When DF is set, it tells the router that if the packet is too large for its MTU it should be dropped and not fragmented. Hence, clearing the DF bit on the MikroTik using a mangle rule will allow the packet to be fragmented and routed "through" the tunnel. DF is usually used when the destination host does not have the resources to handle the fragmentation process. Note that DF lives in the L3 (IP) header, in the flags field.

Configuration:

Mangle rule (RouterOS syntax):
/ip firewall mangle
add chain=prerouting src-address=192.168.0.1/24 dst-address=0.0.0.0/0 action=clear-df

Hope this helps.