IPSEC tunnel between RB912 and Sonicwall UP but no packets

We have configured an IPSEC tunnel between an RB912 (with a Sierra 8705, through the LTE interface) and a Sonicwall.

The RB912 connects through the LTE interface to the operator OK.

0 R name="Sierra8705" mtu=1500 mac-address=A2:A3:72:DA:01:07 apn="movistar.es"
user="MOVISTAR" password="MOVISTAR" network-mode=auto authentication=chap


The topology is as simple as:

PC(1.254.0.10)—(1.254.0.254:eth)RB912(lte:95.72.26.26)—INTERNET—(213.27.221.220:wan)Sonicwall(lan:172.16.0.X)


IPSEC is UP:

[admin@MikroTik] /ip ipsec policy>
0 src-address=1.254.0.0/24 src-port=any dst-address=172.16.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=213.27.221.220
sa-dst-address=95.126.72.72 proposal=default priority=0

[admin@MikroTik] /ip ipsec peer>
0 ;;; Unsafe configuration, suggestion to use certificates
address=213.27.221.220/32 passive=no port=500 auth-method=pre-shared-key
secret="1234" generate-policy=no exchange-mode=aggressive
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec proposal>
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=8h
pfs-group=modp1024

[admin@MikroTik] /ip ipsec remote-peers> pr
0 local-address=95.126.72.72 remote-address=213.27.221.220 state=established
side=responder established=4h49m34s


I took the NAT bypass into consideration too:

[admin@MikroTik] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=NAT Bypass IPSEC action=accept src-address=1.254.0.0/24
dst-address=172.16.0.0/24

1 X ;;; default configuration
chain=srcnat action=masquerade out-interface=wlan1-gateway

2 chain=srcnat action=masquerade src-address=1.254.0.0/24
dst-address=172.16.0.0/24 out-interface=Sierra8705


But no packet from the PC (1.254.0.10) reaches any equipment in 172.16.0.X, and even pings from the Mikrotik or the Sonicwall aren't able to reach devices or computers, so I understand that the mix of IPSEC, LTE and NAT has some consideration that I have not been able to understand or find.

Could anyone help me about it?

Are there any specific configurations to FORCE traffic to go through the IPSEC established through an LTE (Sierra 8705 mini PCI-e)?

Thanks in advance!
[attachments: MKT2.PNG, MKT1.PNG]

Hi,

this is from your MKT:
[admin@MikroTik] /ip ipsec policy>
0 src-address=1.254.0.0/24 src-port=any dst-address=172.16.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=213.27.221.220
sa-dst-address=95.126.72.72 proposal=default priority=0

Your sa-src-address must be your public IP (95.126.72.72); you have the public IP which is on the Sonicwall, am I right? Try to swap sa-src-address and sa-dst-address with each other.
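The mistake MIXIG points at (SA source and destination swapped) is easy to miss by eye in a RouterOS printout, and the manual's NAT bypass rule has a similar ordering trap. The script below is an added example, not MikroTik code and not from anyone in this thread: it parses the `print` output of `/ip ipsec policy`, `/ip ipsec peer` and `/ip firewall nat` and flags both problems. The sample printouts are constructed from the thread (the broken policy as posted, plus a NAT table with a plain srcnat bypass rule); the local public address and LTE interface name are passed in as assumptions.

```python
"""Sanity checks for a RouterOS IPsec site-to-site configuration, run over
the text that '/ip ipsec policy print', '/ip ipsec peer print' and
'/ip firewall nat print' produce.  Added example, not MikroTik code; the
sample printouts are constructed from the thread.  Two rules are encoded:
  1. sa-src-address must be this router's own public address and
     sa-dst-address the remote peer's (the thread had them swapped);
  2. an srcnat accept rule covering the tunnelled subnets must sit before
     any masquerade rule on the LTE interface (the manual's NAT bypass).
"""
import re

# Constructed sample: the original (broken) policy from the first post.
POLICY_PRINT = """\
0 src-address=1.254.0.0/24 src-port=any dst-address=172.16.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=213.27.221.220
sa-dst-address=95.126.72.72 proposal=default priority=0
"""

# Constructed sample peer printout (pre-shared key, as in the thread).
PEER_PRINT = """\
0 ;;; Unsafe configuration, suggestion to use certificates
address=213.27.221.220/32 passive=no port=500 auth-method=pre-shared-key
secret="1234" generate-policy=no exchange-mode=aggressive
"""

# Constructed sample NAT table: bypass accept first, masquerade after it.
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT Bypass IPSEC
chain=srcnat action=accept src-address=1.254.0.0/24 dst-address=172.16.0.0/24
1 X ;;; default configuration
chain=srcnat action=masquerade out-interface=wlan1-gateway
2 chain=srcnat action=masquerade out-interface=Sierra8705
"""

RECORD_START = re.compile(r"^\s*(\d+)((?:\s+[A-Z])*)\s*(.*)$")
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_print(text):
    """Split a RouterOS 'print' listing into records: index, flag letters and
    a dict of key=value fields (wrapped continuation lines are joined)."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"index": int(m.group(1)),
                            "flags": set(m.group(2).split()),
                            "raw": m.group(3)})
        elif records:                      # continuation of the previous record
            records[-1]["raw"] += " " + line.strip()
    for r in records:
        r["fields"] = {k: v.strip('"') for k, v in KEY_VALUE.findall(r["raw"])}
    return records


def check_sa_addresses(policies, local_public_ip, peer_ip):
    """Rule 1: tunnel policies must name our own public address as SA source
    and the peer's address as SA destination."""
    problems = []
    for p in policies:
        f = p["fields"]
        if f.get("action") != "encrypt" or f.get("tunnel") != "yes":
            continue
        if f.get("sa-src-address") != local_public_ip:
            problems.append(f"policy {p['index']}: sa-src-address="
                            f"{f.get('sa-src-address')} is not the local "
                            f"public address {local_public_ip}")
        if f.get("sa-dst-address") != peer_ip:
            problems.append(f"policy {p['index']}: sa-dst-address="
                            f"{f.get('sa-dst-address')} is not the peer "
                            f"address {peer_ip}")
    return problems


def check_nat_bypass(nat_rules, policies, lte_interface):
    """Rule 2: an enabled srcnat accept rule matching each tunnel policy's
    subnets must precede any enabled masquerade rule on the LTE interface."""
    problems = []
    active = [r for r in nat_rules if "X" not in r["flags"]
              and r["fields"].get("chain") == "srcnat"]
    masq = [r for r in active if r["fields"].get("action") == "masquerade"
            and r["fields"].get("out-interface") in (None, lte_interface)]
    if not masq:
        return problems                    # nothing rewrites source addresses
    for p in policies:
        f = p["fields"]
        if f.get("action") != "encrypt":
            continue
        bypass = [r for r in active if r["fields"].get("action") == "accept"
                  and r["fields"].get("src-address") == f.get("src-address")
                  and r["fields"].get("dst-address") == f.get("dst-address")]
        if not bypass:
            problems.append(f"policy {p['index']}: no srcnat accept rule for "
                            f"{f.get('src-address')} -> {f.get('dst-address')}")
        elif bypass[0]["index"] > masq[0]["index"]:
            problems.append(f"policy {p['index']}: bypass rule "
                            f"{bypass[0]['index']} sits after masquerade rule "
                            f"{masq[0]['index']}; add it with place-before")
    return problems


def lint(policy_text, peer_text, nat_text, local_public_ip, lte_interface):
    """Run both checks and return the list of findings (empty when clean)."""
    policies = parse_print(policy_text)
    peer_ip = parse_print(peer_text)[0]["fields"]["address"].split("/")[0]
    return (check_sa_addresses(policies, local_public_ip, peer_ip)
            + check_nat_bypass(parse_print(nat_text), policies, lte_interface))


def swap_sa_addresses(policy_text):
    """Apply MIXIG's suggestion to a printout: swap the two SA addresses."""
    src = re.search(r"sa-src-address=(\S+)", policy_text).group(1)
    dst = re.search(r"sa-dst-address=(\S+)", policy_text).group(1)
    return (policy_text.replace(f"sa-src-address={src}", f"sa-src-address={dst}")
            .replace(f"sa-dst-address={dst}", f"sa-dst-address={src}"))


if __name__ == "__main__":
    for label, text in (("as posted", POLICY_PRINT),
                        ("after swap", swap_sa_addresses(POLICY_PRINT))):
        findings = lint(text, PEER_PRINT, NAT_PRINT, "95.126.72.72", "Sierra8705")
        print(f"{label}: {findings or 'no problems found'}")
```

Run as-is, the script reports two findings for the policy as posted (both SA addresses point at the wrong end) and none once the addresses are swapped; feeding it a NAT table where the masquerade rule comes first produces the place-before finding instead. A later post in this thread reports that the bypass rule was not needed in that setup, so treat rule 2 as the manual's advice rather than a hard requirement.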

Thanks a lot MIXIG!!! You are right, there was a mistake in the PUBLIC addresses SRC & DST … :(

Now everything works fine and packets are travelling perfectly end to end, but I have two final DOUBTS:


1. How is it possible that it is working without taking into consideration the comments below, from the official manual…?

NAT Bypass

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

At this point if you try to establish the IpSec tunnel it will not work, packets will be rejected. This is because both routers have NAT rules that are changing the source address after the packet is encrypted. The remote router receives the encrypted packet but is unable to decrypt it because the source address does not match the address specified in the policy configuration. For more information see the packet flow ipsec example.

To fix this we need to set up NAT bypass rule.

Office1 router:

/ip firewall nat
add chain=srcnat action=accept place-before=0
src-address=10.1.202.0/24 dst-address=10.1.101.0/24


2. As you see, I've configured the IPSEC between MKT & Sonicwall as a site-to-site FIXED public IP tunnel, but now I need to convert it to a DYNAMIC ORIGIN, so where 95.126.72.72 was defined, it should be the DYNAMIC (public) IP given by the operator each time the LTE interface renegotiates the link.
So, is it as easy as defining origin IP 0.0.0.0 (as occurs with the Sonicwall)?

Thanks again!!

Well, now everything is working 100%


1. We don't need any NAT bypass rule for packets to reach end to end.

2. For the DYNAMIC IP origin (with the Mikrotik RB912) we used a "My ID User FQDN" with an e-mail, and on the Sonicwall's SIDE (FIXED IP IN CENTRAL OFFICE) defined the origin as 0.0.0.0 and "Peer IKE ID" as the e-mail address, so now the IP origin is not necessary, and everything works fine connected with IPSEC AES256 and DYNAMIC to STATIC.

Thanks everybody!

Hi,

I am stuck in a similar condition and just cannot get the VPN to work between Sonicwall and Mikrotik.

Case identical to yours, with the Sonicwall (Central with Fixed IP) and Mikrotik with a 3G USB dongle and dynamic IP.

Can you please, please help me with it??

Config as below:

PC–(172.1.1.10)—(172.1.1.1:eth)–RB–(USB:dynamicIP)===INTERNET===(117.228.x.x:WAN)—Sonicwall—(192.168.100.x:lan)

Tried the above option but the Sonicwall log gives the following output:
[attachment: VPN_IKE_ERROR.png]

knock… knock…

Any update??

Help requested… I am stuck with the interoperability of these 2 devices for IPSec VPN…

Hi, any sample config for a Mikrotik-Sonicwall VPN?