IPsec tunnel error with error Ignore because is not listening on ip address (Public Address)

Hello,

I’m trying to establish an IPsec tunnel with both sides behind a NAT (the modem of my ISP has the public IP address, not the MikroTik). In the modem I redirect ports 500 and 4500 to the IP address of the MikroTik. I configured the IPsec peers and IPsec policy according to the different tutorials that exist in the wiki, and in the IPsec debug I can see the tunnel is established; both Phase 1 and Phase 2 pass. Also, when I ping the LAN IP address on the other side it fails, but I see the installed SA is established; however, there is no traffic passing through the tunnel.

In the IPsec debug the only strange thing I see is that when I generate traffic from one LAN address to another I get a message that says “ignore because is not listening on source address” (the public address).

I’ve seen some forums that say MikroTik can not establish tunnels behind NAT. Is that right?

I tested with version v6.32 and have now downloaded the beta version v6.33 trying to solve the problem, but without success.

Please, I need your help.

Anybody want to help me, please? I’m still having the issue.

I tried Greg Sowell’s method for an IPsec tunnel between 2 MikroTiks and have the same problem you do: can’t ping or use VNC from one network to the other. I do see the public IPs in remote peers under IPsec. My stats show ‘no state’ and ‘state sequence’ errors.

I have “invalid length of payload” messages in my logs.

The wiki removed the example they had so I’m on a quest for more working examples, not ones where someone uses 1.1.1.1 and 2.2.2.2 as public IPs and the “internet” connection is a cat 5 cable on a test bench and the routers do not have any other rules.

When you want to make a direct IPsec tunnel between MikroTik routers you must make sure that you have an exception rule in your NAT table for traffic from the local to the remote network which says “accept” (placed before your general rule that says “masquerade” or “src-nat”).
When you do not do that, the router will mistakenly NAT the traffic before it puts it into the tunnel, and no communication will be possible.

I did hardware resets on an RB750 and an RB751U, updated to 6.32.3 and changed the 750 to 192.168.90.0/24.

I disabled the WAN firewall rules and used Greg’s guide for an IPsec tunnel from MikroTik to MikroTik.

The 750 is on my DSL system for its public IP, the 751 is on my cable modem.

I can ping 192.168.88.1 from the 750 to the 751, but when I try to ping 192.168.90.1 from the 751
I get:
SEQ HOST SIZE TTL TIME STATUS
0 66.75.161.48 96 252 386ms TTL exceeded

I get the same when I ping the PC on the 750 at 192.168.90.25, and even when pinging non-existent addresses. I don’t know where the 66.75.161.48 is coming from; my public IP on the 751 is in 76.88.xxx.xxx and my gateway is in the same network.

I do not have any installed SAs in the IPsec window, which I see on my other RBs when using VPN from a PC.

It looks like the cable ISP is the problem. I’m going to reconfigure the 751 on my DSL ISP, but since I have 5 IPs in the same network I don’t know if that will be a real test.

RB751 code

/ip ipsec peer>> print
Flags: X - disabled, D - dynamic
0 address=68.183.xxx.xxx/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="*****" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5

/ip ipsec policy>> print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 src-address=192.168.88.0/24 src-port=any dst-address=192.168.90.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=76.88.xxx.xxx
sa-dst-address=68.183.xxx.xxx proposal=default priority=0

/ip firewall nat>> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.90.0/24 log=yes log-prefix="srcnat:"

1 ;;; default configuration
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

I don’t know your exact setup, but in /ip ipsec policy the sa-src-address must be the one that the local MikroTik uses (the “local” IP address assigned on the WAN port). I would also use the same address in /ip ipsec peer as local-address.

On the other side you would do the same (put the public WAN address of the peer as remote-address and sa-dst-address, and as local-address and sa-src-address put the local address of the WAN interface).
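Putting the two answers above together (the NAT bypass rule ahead of masquerade, and sa-src-address / local-address set to the address on the WAN port), as an added RouterOS v6 configuration example that is not from this thread or from MikroTik's own documentation. The LAN subnets and the interface name WAN are taken from the poster's printout; 192.0.2.10 (this router's WAN-port address) and 203.0.113.5 (the remote peer) are placeholders to replace.

```routeros
# Added example, not from the thread. Assumed values:
#   local LAN   192.168.88.0/24   remote LAN  192.168.90.0/24
#   WAN         interface named "WAN"
#   192.0.2.10  address on this router's WAN port   (placeholder)
#   203.0.113.5 remote peer's public address        (placeholder)

# 1. Source-NAT bypass for tunnel traffic. place-before=0 puts it at the
#    top of srcnat; if the masquerade rule matched first, packets would be
#    rewritten to the WAN address and no longer match the policy selectors.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=192.168.90.0/24 comment="ipsec-bypass" place-before=0

# 2. Peer: local-address is the WAN-port address the router itself holds,
#    not an address owned by an upstream modem. nat-traversal=yes turns on
#    NAT-T (UDP 4500) for the case where a NAT sits between the peers.
/ip ipsec peer
add address=203.0.113.5/32 local-address=192.0.2.10 exchange-mode=main \
    auth-method=pre-shared-key secret="REPLACE_WITH_SHARED_SECRET" \
    nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

# 3. Policy: sa-src-address must equal the peer's local-address, and
#    sa-dst-address must equal the peer's address.
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=192.168.90.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=192.0.2.10 sa-dst-address=203.0.113.5 proposal=default

# 4. Checks while pinging a host in the remote LAN:
#    - the address printed for WAN must match sa-src-address above
#    - the ipsec-bypass counters must grow (otherwise NAT is still winning)
#    - an installed SA must exist for the policy
/ip address print where interface=WAN
/ip firewall nat print stats where comment="ipsec-bypass"
/ip ipsec installed-sa print
/ip ipsec policy print detail
```

The remote router gets the mirror image: subnets, sa-src-address/sa-dst-address and address/local-address swapped, with its own WAN-port address as local-address and sa-src-address.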