IPsec tunnel between rb and chr. Ok ping no web interface

Good morning everyone.
I’m doing an exercise to learn how to use IPsec tunnels. I activated the IPsec tunnel between routerboard and a CHR.
Routerboard IP: 10.255.251.1/24
IP CHR: 10.10.0.1/24
The tunnel comes up correctly. From the CHR I can ping the routerboard, and from the routerboard I can ping the CHR.
From my PC connected to ether1 of the routerboard I correctly ping the CHR.
The problem is that the CHR web interface does not respond to my PC. Neither the www service nor the www-ssl service.
Both services are obviously activated and without IP restrictions on the services. I created an input rule on the CHR where I accept all traffic coming from the routerboard subnet but the web interface still doesn’t open.
I understand that there is an error (when I connect to the VPN on the CHR the web interface works) but I don’t understand where.
Here is the configuration of the routerboard:

/interface wifi
set [ find default-name=wifi2 ] configuration.mode=station
/interface list
add name=WAN
add name=LAN
/interface wifi security
add disabled=no name=simone-wifi
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ac configuration.country=\
    Italy .mode=station .ssid="Simone WiFi" disabled=no security=simone-wifi \
    security.disable-pmkid=yes .encryption=""
/ip ipsec peer
add address=***.***.***.***/32 name=peer-test
/ip pool
add name=dhcp_pool0 ranges=10.255.251.100-10.255.251.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether1 name=dhcp1
/interface list member
add interface=wifi1 list=WAN
add interface=ether1 list=LAN
/ip address
add address=10.255.251.1/24 interface=ether1 network=10.255.251.0
/ip dhcp-client
add interface=wifi1
/ip dhcp-server network
add address=10.255.251.0/24 dns-server=8.8.8.8 gateway=10.255.251.1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.0.0/24 src-address=\
    10.255.251.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add peer=peer-test
/ip ipsec policy
add dst-address=10.10.0.0/24 peer=peer-test src-address=10.255.251.0/24 tunnel=\
    yes

And here is the CHR configuration:

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/interface list
add name=WAN
add name=LAN
/ip ipsec peer
add address=***.***.***.***/32 name=peer-test
/ip pool
add name=dhcp_vlan10 ranges=10.10.0.100-10.10.0.200
/ip dhcp-server
add address-pool=dhcp_vlan10 interface=vlan10 lease-time=10m name=dhcp_vlan10
/ppp profile
add local-address=10.10.0.1 name="vlan 10" remote-address=dhcp_vlan10 use-encryption=yes use-ipv6=default
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile="vlan 10" enabled=yes use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=10.10.0.1/24 comment="VPN L2tp IPsec" interface=vlan10 network=10.10.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input src-address=10.255.251.0/24

add action=drop chain=input
add action=accept chain=forward comment="Accept Established, related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept New Connections" connection-state=new src-address-list=LAN
add action=drop chain=forward
/ip firewall nat
add action=accept chain=srcnat comment="IPsec Rule" dst-address=10.255.251.0/24 src-address=10.10.0.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=peer-test
/ip ipsec policy
add dst-address=10.255.251.0/24 peer=peer-test src-address=10.10.0.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl certificate=ca_bundle disabled=no port=63443
set api disabled=yes
set api-ssl disabled=yes

/routing bfd configuration
add disabled=no

I’m wondering if anyone wants to take a look at it to understand what doesn’t work.
Thanks very much to everyone

In the configuration I don’t see the www service in ip service, only the www-ssl one. When you connect, are you specifying the protocol, https://ipaddress:63443?

Hi Abbio90.
Thank you for your answer. I checked again and on the CHR the web service (http) is active.

And yes, obviously I also specify the port (for web-ssl; for web, being port 80, it is not necessary to specify it), but it doesn’t work, as you can see.

If you have fast track enabled, disable it. Also ping with the MTU at 1500 and see if the packets pass. If they don’t pass, decrease the size and write at what size they pass.
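
The size sweep suggested in the last reply, as an added example that is not part of the original thread: a binary search for the largest IPv4 packet that crosses the tunnel with the DF bit set, which is the case small pings do not exercise but full-size TCP segments from the web interface do. It assumes a Linux PC with iputils `ping`; `TARGET`, `RUN_PROBE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iputils ping on a Linux PC
# behind the routerboard; TARGET defaults to the CHR address given in the thread.
TARGET=${TARGET:-10.10.0.1}

# probe SIZE: succeed if one echo request of SIZE total IP bytes is answered
# with "don't fragment" set (-M do). ICMP payload = SIZE - 20 (IP) - 8 (ICMP).
probe() {
    ping -M do -c 1 -W 1 -s "$(( $1 - 28 ))" "$TARGET" >/dev/null 2>&1
}

# find_max_size LOW HIGH [PROBE_FN]
# Binary search for the largest packet size in [LOW, HIGH] that passes.
# Prints 0 and returns 1 if even LOW fails (no connectivity or ICMP filtered).
find_max_size() {
    lo=$1
    hi=$2
    fn=${3:-probe}
    "$fn" "$lo" || { echo 0; return 1; }
    if "$fn" "$hi"; then echo "$hi"; return 0; fi
    # Invariant from here on: lo passes, hi fails.
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# tcp_mss SIZE: largest TCP payload that fits in a SIZE-byte IPv4 packet
# (20-byte IP header + 20-byte TCP header, no options).
tcp_mss() {
    echo $(( $1 - 40 ))
}

# Only touch the network when asked to (RUN_PROBE is a hypothetical switch).
if [ "${RUN_PROBE:-0}" = 1 ]; then
    size=$(find_max_size 576 1500) || { echo "no reply even at 576 bytes"; exit 1; }
    echo "largest unfragmented packet: $size bytes, TCP MSS: $(tcp_mss "$size")"
fi
```

Run it with `RUN_PROBE=1` from the PC on ether1; a result below 1500 is the size to report back in the thread.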