IPSec tunnel connects, but unable to ping or connect to remote network [SOLVED]

RouterOS Beginner Basics
1

I have installed a MikroTik CRS125-24G-1S-RM on both sites, and I am trying to set up a Site-to-Site VPN between them.

Configuration is as follows:

[admin@OFFICE] > ip ipsec peer print
Flags: X - disabled, D - dynamic 
 0    address=208.53.41.100/32 local-address=:: passive=no port=500 auth-method=pre-shared-key 
      secret="!sa4Domain#" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@OFFICE] > ip ipsec policy print   
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1     src-address=0.0.0.0/24 src-port=any dst-address=0.0.0.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=173.10.26.100 
       sa-dst-address=208.53.41.100 proposal=default priority=0 


[admin@DATACENTER] > ip ipsec peer print  
Flags: X - disabled, D - dynamic 
 0    address=173.10.26.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="!sa4Domain#" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@DATACENTER] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1     src-address=0.0.0.0/24 src-port=any dst-address=0.0.0.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=ah-esp tunnel=yes sa-src-address=208.53.41.100 
       sa-dst-address=173.10.26.100 proposal=default priority=0

Looking at the IPSec logs on both sides, the connection is active and stable (all R-U-THEREs get ACKed). However, machines on one network cannot ping or otherwise connect to machines on the other, and vice versa.

Pinging each gateway from the other, returns time out.

Am I missing something? This is my first time working with RouterOS.

Ipsec - Overlapping Private Networks
2

Hello,

Can you post your NAT rules? YOu need at least one on the top.

Take a look at this great guide : http://gregsowell.com/?p=787

Regards,

3

Not sure what you wanted to achieve with such ipsec policies, but obviously src-address=0.0.0.0/24 dst-address=0.0.0.0/24 is not going to work.

4 



[admin@DATACENTER] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 

 2    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.0.2.2 to-ports=21 protocol=tcp in-interface=ether1-master-local 
      dst-port=21 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.2.2 to-ports=52500-52600 protocol=tcp 
      in-interface=ether1-master-local dst-port=52500-52600 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.0.2.102 to-ports=80 protocol=tcp dst-port=1102 log=no 
      log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.2.101 to-ports=7001 protocol=tcp dst-port=7001 log=no 
      log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=10.0.2.101 to-ports=8080 protocol=tcp dst-port=8080 log=no 
      log-prefix="" 

[admin@OFFICE] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=10.0.2.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 

 2    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=10.0.0.0/24 log=no log-prefix=""
5

I was following this video guide, and he used 0.0.0.0/24 https://www.youtube.com/watch?v=y68Dx8iPikA

6

I had problems with IPsec tunnels but got EOIP with IPsec working very easily.

7

Did you change your encryption domain in your IPSec policy?

8

Site 1 is the opposite of 2, too lazy to post it’s rules.

site 2
/interface eoip> pr
Flags: X - disabled, R - running
0 R name=“to site 1” mtu=auto actual-mtu=1396 l2mtu=65535
mac-address=02:xxxxx arp=enabled local-address=(site 2 WAN IP)
remote-address=(site 1 WAN IP) tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret=“PISSOFF” allow-fast-path=no

/ip ipsec policy> pr
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 T group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all
proposal=default template=yes

2 D ;;; to SITE 1
src-address=(site 2 WAN IP) src-port=any dst-address=(site 1 WAN IP)
dst-port=any protocol=gre action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=(site 2 WAN IP)
sa-dst-address=(site 1 WAN IP) priority=0

Can’t figure out the terminal command for bridging, my EOIP tunnel is bridged to my LAN port.

9

Okay I’ve gone through the suggested guides and recreated the settings as follows:

[admin@OFFICE] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=10.0.0.0/24 src-port=any dst-address=10.0.2.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=173.10.26.100 sa-dst-address=208.53.41.100 
       proposal=default priority=0 
[admin@OFFICE] /ip ipsec> peer print
Flags: X - disabled, D - dynamic 
 0    address=208.53.41.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="FOO" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@OFFICE] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024
 [admin@OFFICE] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 2    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 
[admin@OFFICE] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=10.0.2.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix="" 

 
 [admin@DATACENTER] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=10.0.2.0/24 src-port=any dst-address=10.0.0.0/24 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=208.53.41.100 sa-dst-address=173.10.26.100 
       proposal=default priority=0 
[admin@DATACENTER] /ip ipsec> peer print
Flags: X - disabled, D - dynamic 
 0    address=173.10.26.100/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key 
      secret="FOO" generate-policy=no policy-template-group=default exchange-mode=main 
      send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
[admin@DATACENTER] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp1024 
 
 [admin@DATACENTER] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 2    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 
[admin@DATACENTER] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.0.2.0/24 dst-address=10.0.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-master-local log=no log-prefix=""

The tunnel appears to connect, but I still cannot ping or connect through it.
I am seeing interesting entries on the ipsec log:

DPD R-U-There-Ack recieved
Recieved an R-U-THERE-ACK

1 times of 1 bytes message will be sent to 208.53.41.100[4500]
ff
ignore because do not listen on source address: 173.10.26.100

Any thoughts?

10

I could not ping from inside one tunnel to inside the other using IPsec tunnels, but could ping in the reverse direction, ie 192.168.100.20 could ping 192.168.200.20 but not from 200.20 to 100.20.

I don’t think EOIP helped that either, spent a long time experimenting to get this working and forgot all the steps I went through.

I changed my 200.0/24 network at site 2 to 100.0/24 and renumbered the PCs with duplicate addresses.

My only NAT rule is a masquerade.
My site 2 router is 192.168.100.10, I use that gateway for site 2 PCs but use dhcp from 100.1 at site 1. I only have a few PCs using dhcp.

I don’t know if there are any performance issues with using EOIP vs IPsec tunnel but for my small personal network I don’t care. My CPU is running 3-6% while copying a 3 gig file between the sites, ping times are over 500 ms but drop to under 100 with little or no traffic.

11

Thanks all, but it appears simply organizing for the routers to BOTH be rebooted at near-same time made it work. Odd, but I’ll take it.

12

Thats actually in the tutorial. That you have to clear all the connections to get the packets to hit that first NAT rule.

13

@ Desjani
Do you want to mark this topic Solved in the subject in case someone else is looking for a solution?