New to Mikrotik. I have two RB2011 units running OS 6.19. Basic configuration as in static IP on WAN port
ether 1. Remainder of ethernet ports bridged as LAN sitting behind a masquerade NAT rule to 192.168.1.X.
Other unit is the same except LAN IP range is 192.168.0.X. Computers connected to both units can surf the web without a problem. Attempted to configure an IPSec tunnel between units using the tutorial provided by Greg Sowell. In the logs, I can see that the ISAKMP-SA will establish without difficulty but if I attempt to ping
an IP in the remote network nothing else appears in the logs and the tunnel doesn’t come up. I suspect the reason for the tunnel not coming up is that it doesn’t recognize “Interesting Traffic”.
Not sure where to look so posting here for some insight.
Thank you for the reply. I am using Winbox and the ping tool. I am selecting the LAN interface on the “Interface” portion of the ping dialog.
Does that do the same thing as entering a “source” on the advanced tab?
From the terminal screen I have tried ping 192.168.0.1 src-address 192.168.1.1 and it still does not bring up the tunnel. I can still see that the ISAKMP is established in the log. I have triple checked that the IPsec policy and proposal match on both ends and the accept NAT rule is enabled and above the Masquerade rule.
I have tried pinging the remote Mikrotik LAN gateway as well as hosts on the internal LAN that I know are up and will respond to a ping with zero success. ISAKMP is established but tunnel never comes up. At this point I think I am going to factory default the units and take one more crack at it before abandoning them for something I am more familiar with. Not sure if I remove the default configuration if the default firewall rules are removed also. Sounds logical that they would be but I need to be prepared to put them back before I get on site if they do get removed.
Not sure if leaving the default configuration is part of the problem after adding my LAN address, Static WAN, and MASQ rule. Also, not sure if I need to make firewall rules for 50, 51, and 500 for the IPsec to work. I have them now but it didn’t make any difference when I added them.
I am running Router OS 6.19 on one end and 6.20 on the other.
And the ‘trick’ for the router itself to be able to access through the tunnel and have Netwatch work, you need this (Lan here being the name of your local interface/bridge):
So I have now downgraded the unit that had 6.20 back to 6.19 to match the other router in this configuration. I have factory reset both units and did the most basic configuration to apply Static WAN IP and masquerade, DHCP, to the local network. Added back in the IPSec configuration using the router defaults where possible. Finally, added back in the NAT rule before the masquerade rule to prevent NATing of the IPsec “Interesting Traffic”. According to the logs, ISAKMP will establish but IPsec will not come up by doing pings from the router itself using ping X.X.X.X src-address=X.X.X.X or from a LAN connected Windows machine. Found a couple of bizarre things. If I ping from Winbox using ping 192.168.1.254 src-address=192.168.0.1 it hangs with a flashing cursor. Using Winbox Version 3.0Beta3. Same command appears to complete with no reply if I am telneted into the router. Also, if I check the configuration after random amounts of time I notice that under the “Action” tab in the IPsec policy the tunnel box is unchecked and the Src address and Dst address are all zeros but the src address and dst address are still there under the “General” tab. Not sure why it is removing them or maybe the routers are randomly rebooting and losing the config. I would think it should save the config in any case. I have seen reference to opening ports in the firewall for IPsec to function but did not see that in the Wiki so not sure if that needs to happen.
Success! After a quick message from MikroTik support (Maris. B) it turns out you can’t edit the Policy Template directly and get it to work. You have to create an entirely new policy. Learned a couple of things that might be useful for other newbies.
You don’t have to add any firewall rules for 50, 51, port 500 or port 4500 to get the site-to-site IPsec tunnel to work between two Mikrotiks. At least on version 6.19 of ROS.
The hang condition I was getting with the src-address parameter seems to happen with anything except the address tied to the LAN gateway interface. Not sure why that is.
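As an added worked example, not code from this thread or from MikroTik, here is a minimal RouterOS 6.x terminal configuration for one side of the site-to-site tunnel described above, with the policy created fresh instead of editing the built-in template and the NAT bypass placed ahead of masquerade. The public addresses (203.0.113.1 / 198.51.100.1) and the pre-shared key are constructed placeholders; the other router uses the same commands with the two sides swapped.

```routeros
# Router A: LAN 192.168.1.0/24, WAN 203.0.113.1 (placeholder)
# Router B: LAN 192.168.0.0/24, WAN 198.51.100.1 (placeholder)

# 1. Phase 2 proposal. Both ends must use identical algorithms and PFS group.
/ip ipsec proposal add name=site2site auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# 2. Phase 1 peer (ISAKMP). In the thread this stage already came up; the
#    pre-shared key below is a placeholder and must match on both routers.
/ip ipsec peer add address=198.51.100.1/32 auth-method=pre-shared-key secret="CHANGE-ME-PSK" \
    exchange-mode=main enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024

# 3. A NEW policy (do not edit the template entry) that defines the
#    "interesting traffic" and ties it to the two WAN endpoints.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.0.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 tunnel=yes \
    action=encrypt level=require proposal=site2site

# 4. Exempt LAN-to-LAN traffic from source NAT. place-before=0 puts the rule at
#    the top of srcnat so it is evaluated before the masquerade rule; if the
#    packets were masqueraded first, they would no longer match the policy.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 \
    dst-address=192.168.0.0/24 comment="IPsec: do not NAT site-to-site traffic" place-before=0

# 5. Verify ordering, then bring the SA up from the router using the LAN
#    gateway address as source (the only src-address that did not hang above).
/ip firewall nat print
/ping 192.168.0.1 src-address=192.168.1.1
/ip ipsec installed-sa print
```

After the first ping, `installed-sa print` should list an ESP SA in each direction; if only the ISAKMP SA exists, re-check that the policy's src/dst pairs mirror each other exactly on the two routers.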