Hello everyone
I’m trying to set up an IPSec VPN with a friend. Both are MikroTik routers with the current RouterOS version.
Setting up the policies, the peer, the proposal and the src-nat exclusion was no problem; the tunnel gets established. But when I try to ping an IP in his network I get a timeout, and the same when he tries to ping me. The byte counter in the Installed SAs tab counts up but there are no packets arriving. I tried to use the “dump-kernel-policies” command but the command is not available. The challenge is that he gets access to my DMZ (ether2-dmz, 192.168.10.0/24) subnet.
The IPSec debug log only says:
KA: 178.190.87.165[4500]>77.117.109.238[4500]
sockname 178.190.87.165[4500]
send packet from 178.190.87.165[4500]
send packet to 77.117.109.238[4500]
src4 178.190.87.165[4500]
dst4 77.117.109.238[4500]
1 times of 1 bytes message will be send to 77.117.109.238[4500]
ff
Here is my IPSec and firewall configuration:
Firewall
0 ;;; == Internet
chain=input action=accept connection-state=established,related in-interface=pppoe-out1 log=no log-prefix=""
1 chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500 log=no log-prefix=""
2 chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=4500 log=no log-prefix=""
3 chain=input action=drop in-interface=pppoe-out1 log=no log-prefix=""
4 chain=forward action=drop connection-state=invalid in-interface=pppoe-out1 log=no log-prefix=""
5 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1 log=no log-prefix=""
6 ;;; == Internet Failover
chain=input action=accept connection-state=established,related in-interface=ether10-failover log=no log-prefix=""
7 chain=input action=drop in-interface=ether10-failover log=no log-prefix=""
8 chain=forward action=drop connection-state=invalid,new in-interface=ether10-failover log=no log-prefix=""
9 ;;; == Gast ISO
chain=forward action=accept in-interface=bridge-gast out-interface=pppoe-out1 log=no log-prefix=""
10 chain=forward action=drop connection-state=invalid,new in-interface=bridge-gast log=no log-prefix=""
11 X ;;; == DMZ ISO
chain=forward action=accept in-interface=ether2-dmz out-interface=pppoe-out1 log=no log-prefix=""
12 X chain=forward action=drop connection-state=invalid,new in-interface=ether2-dmz log=no log-prefix=""
13 chain=forward action=drop out-interface=ether8-mngt log=no log-prefix=""
14 ;;; == Defaults
chain=forward action=accept log=no log-prefix=""
15 chain=input action=accept protocol=udp dst-port=53 log=no log-prefix=""
16 chain=input action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""
Firewall NAT:
0 ;;; == IPSec Remote Subnet
chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.70.0/24 log=no log-prefix=""
1 ;;; == SRC NAT
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
2 chain=srcnat action=masquerade to-addresses=10.0.0.1 out-interface=ether9-modem log=no log-prefix=""
3 chain=srcnat action=masquerade to-addresses=10.0.1.1 out-interface=ether10-failover log=no log-prefix=""
4 ;;; == Port forwarding
chain=dstnat action=dst-nat to-addresses=192.168.10.50 to-ports=4545 protocol=udp
in-interface=pppoe-out1 dst-port=4545 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.2.97 to-ports=38163 protocol=tcp in-interface=pppoe-out1
dst-port=38163 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.2.97 to-ports=38164 protocol=udp in-interface=pppoe-out1
dst-port=38164 log=no log-prefix="
IPSec Policies
1 src-address=192.168.10.0/24 src-port=any dst-address=192.168.70.0/24 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=178.190.87.165
sa-dst-address=77.117.109.238 proposal=default priority=
IPSec Peers
0 address=77.117.109.238/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="psk" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha256
enc-algorithm=aes-192,aes-256 dh-group=modp2048 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
IPSec Proposals
0 address=77.117.109.238/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key
secret="12345678" generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha256
enc-algorithm=aes-192,aes-256 dh-group=modp2048 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
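An added example (not from the post and not MikroTik code) that walks a packet through the posted forward-chain rules in order, the way RouterOS evaluates them, to show which rule a decrypted tunnel packet hits. It assumes, per MikroTik's IPsec documentation, that a decapsulated packet enters the forward chain with in-interface set to the WAN interface (pppoe-out1) and no dst-nat state, and compares the posted rule set with one that has the documented `ipsec-policy=in,ipsec` accept rule ahead of the drop rules; `parse_rule`, `matches` and `verdict` are hypothetical helpers.

```python
# First-match evaluator for the posted /ip firewall filter forward rules.
# Hypothetical helper, not a RouterOS API. Matchers modelled: chain,
# in-interface, out-interface, connection-state, connection-nat-state
# (with "!" negation) and ipsec-policy.

def parse_rule(text):
    """Parse one 'key=value key=value' line of print output into a dict."""
    rule = {}
    for token in text.split():
        key, _, value = token.partition("=")
        rule[key] = value.strip('"')
    return rule

def matches(rule, pkt):
    """Return True when every matcher set on the rule fits the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    for key in ("in-interface", "out-interface", "ipsec-policy"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("connection-state", "connection-nat-state"):
        if key not in rule:
            continue
        want = rule[key]
        negate = want.startswith("!")
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == negate:          # plain matcher missed, or negated matcher hit
            return False
    return True

def verdict(rules, pkt):
    """Return (index, action) of the first matching rule; RouterOS accepts if none match."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, "accept"

# Forward-chain rules from the post (numbers 4, 5, 10, 13, 14; 11/12 are disabled),
# trimmed of the log options.
POSTED = [parse_rule(r) for r in (
    "chain=forward action=drop connection-state=invalid in-interface=pppoe-out1",
    "chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1",
    "chain=forward action=drop connection-state=invalid,new in-interface=bridge-gast",
    "chain=forward action=drop out-interface=ether8-mngt",
    "chain=forward action=accept",
)]
# The accept rule MikroTik documents for decrypted IPsec traffic (added for comparison).
IPSEC_ACCEPT = parse_rule("chain=forward action=accept ipsec-policy=in,ipsec")

# Constructed packet: first ping from the remote 192.168.70.0/24 after decapsulation.
# Assumption: in-interface is the WAN, connection is new and was never dst-natted.
DECRYPTED_PING = {"chain": "forward", "in-interface": "pppoe-out1",
                  "out-interface": "ether2-dmz", "connection-state": "new",
                  "connection-nat-state": None, "ipsec-policy": "in,ipsec"}

if __name__ == "__main__":
    print(verdict(POSTED, DECRYPTED_PING))                   # (1, 'drop')
    print(verdict([IPSEC_ACCEPT] + POSTED, DECRYPTED_PING))  # (0, 'accept')
```

Index 1 in `POSTED` is the post's rule 5, the `connection-nat-state=!dstnat` drop, which is the first rule a new, non-dst-natted tunnel packet arriving on pppoe-out1 can match.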