IPSec Tunnel not working

Hi,

I am trying to get an IPSec tunnel working between my home and datacenter. I have set up the IPSec tunnel but nothing seems to happen. Nothing appears under ‘Remote Peers’ or ‘Installed SAs’ on either side. I have enabled IPsec logging on one side and nothing appears:-

[admin-sy@scorpio] > / system logging print
Flags: X - disabled, I - invalid, * - default
 #    TOPICS                          ACTION                         PREFIX
 0  * info                            memory
 1  * error                           memory
 2  * warning                         memory
 3  * critical                        echo
 4    pptp                            memory
 5    script                          memory
 6 X  l2tp                            memory
 7    ipsec                           memory

To test the connection I am using the built in ping tool to ping a local IP on the remote side but a single ping has never come back.

At home I have an RB751G-2HnD running v6.0rc11
At DC it is a virtualized x86 VM running v6.0rc11

Under IPSec peer I have tried nat-traversal=no and yes on both sides.

The config on both boxes is as follows:-

Home Router:-

[admin@scorpio] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     10.1.1.1/24        10.1.1.0        bridge-local
 3 D 82.5.x.x/22      82.5.x.0       ether1-gateway

[admin@scorpio] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=10.1.1.0/24 src-port=any dst-address=10.2.2.0/24 dst-port=any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=82.5.x.x sa-dst-address=82.147.x.x proposal=default
     priority=0

[admin@scorpio] > /ip ipsec peer  print
Flags: X - disabled
 1   address=82.147.x.x/32 port=500 auth-method=pre-shared-key
     secret="password" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
     dpd-maximum-failures=5

[admin@scorpio] > /ip ipsec proposal   print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
      pfs-group=modp1024

[admin@scorpio] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 2   chain=input action=accept src-address=82.147.x.x
 3   chain=output action=accept dst-address=82.147.x.x
 4   ;;; IPSec
     chain=input action=accept connection-state=new protocol=udp dst-port=500

[admin@scorpio] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=10.1.1.0/24 dst-address=10.2.2.0/24

DC Router:-

[admin@cloudrouter] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; WAN IP
     82.147.x.x/26    82.147.x.0     wan
 1   ;;; LAN IP
     10.2.2.1/24        10.2.2.0        lan

[admin@cloudrouter] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=10.2.2.0/24 src-port=any dst-address=10.1.1.0/24 dst-port=any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=82.147.x.x sa-dst-address=82.5.x.x proposal=default
     priority=0

[admin@cloudrouter] > /ip ipsec peer print
Flags: X - disabled
 0   address=82.5.x.x/32 port=500 auth-method=pre-shared-key
     secret="password" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
     dpd-maximum-failures=5

[admin@cloudrouter] > /ip ipsec proposal  print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
      pfs-group=modp1024

[admin@cloudrouter] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept src-address=82.5.x.x
 1   chain=output action=accept dst-address=82.5.x.x
 2   ;;; IPSec
     chain=input action=accept connection-state=new protocol=udp dst-port=500

[admin@cloudrouter] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=10.2.2.0/24 dst-address=10.1.1.0/24

Can anybody see what's going wrong / things I can test / look out for?

In my configuration there is also

/ip firewall filter
add chain=input comment=Ip-Sec-ESP protocol=ipsec-esp
add chain=input comment=IP-Sec-AH protocol=ipsec-ah

on both routers. Maybe this will help? Anyway, you should read the topic http://forum.mikrotik.com/t/help-with-ipsec-nat-traversal/58597/1 and delete this one, because they are similar.

Ok, will try that tonight, thanks!

I will take a look at that thread too.

Also allow UDP 500 on your firewall (input chain), and be sure that your NAT rule for the local networks is above the masquerade rule in ip firewall nat
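A consistency check for the two configurations posted above and for the firewall advice just given, added here as an example and not part of the original thread: it parses the pasted policy and peer records (constructed from the post, addresses masked "x.x" as in the thread) and reports anything that does not mirror between the two ends, and separately lists which inbound IPsec traffic the input-chain accept rules leave unmatched.

```python
import re
# Constructed sample input: the policy and peer records from the post above (addresses masked as in the thread).
HOME_POLICY = """src-address=10.1.1.0/24 src-port=any dst-address=10.2.2.0/24 dst-port=any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=82.5.x.x sa-dst-address=82.147.x.x proposal=default"""
DC_POLICY = """src-address=10.2.2.0/24 src-port=any dst-address=10.1.1.0/24 dst-port=any
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
    sa-src-address=82.147.x.x sa-dst-address=82.5.x.x proposal=default"""
HOME_PEER = ("address=82.147.x.x/32 port=500 exchange-mode=main nat-traversal=no "
             "hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024")
DC_PEER = ("address=82.5.x.x/32 port=500 exchange-mode=main nat-traversal=no "
           "hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024")

KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')  # one key=value field of a RouterOS print record
PHASE1_KEYS = ("port", "exchange-mode", "nat-traversal", "hash-algorithm", "enc-algorithm", "dh-group")
POLICY_KEYS = ("tunnel", "ipsec-protocols", "action", "level", "proposal")

def parse(record):
    """Turn one RouterOS 'print' record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in KV.findall(record)}

def check_tunnel(policy_a, peer_a, policy_b, peer_b):
    """List the mismatches between the two ends of a site-to-site tunnel ([] = consistent)."""
    a, b, pa, pb = parse(policy_a), parse(policy_b), parse(peer_a), parse(peer_b)
    problems = []
    # The policies must mirror each other: my src is their dst, my SA src is their SA dst.
    for mine, theirs in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if a.get(mine) != b.get(theirs) or b.get(mine) != a.get(theirs):
            problems.append(f"{mine}/{theirs} do not mirror")
    # Each peer entry must point at the address its own policy uses as sa-dst-address.
    for side, pol, peer in (("A", a, pa), ("B", b, pb)):
        if peer.get("address", "").split("/")[0] != pol.get("sa-dst-address"):
            problems.append(f"{side}: peer address != sa-dst-address")
    # Phase 1 (ISAKMP) parameters and the tunnel settings must agree exactly on both ends.
    problems += [f"peer {k}: {pa.get(k)!r} vs {pb.get(k)!r}" for k in PHASE1_KEYS if pa.get(k) != pb.get(k)]
    problems += [f"policy {k}: {a.get(k)!r} vs {b.get(k)!r}" for k in POLICY_KEYS if a.get(k) != b.get(k)]
    return problems

def firewall_gaps(filter_rules, nat_traversal=False):
    """Inbound IPsec traffic that the given input-chain accept rules leave unmatched."""
    needed = {("udp", "500"), ("ipsec-esp", None)}
    if nat_traversal:
        needed.add(("udp", "4500"))  # NAT-T carries ISAKMP and ESP inside UDP/4500
    for rule in map(parse, filter_rules):
        if rule.get("chain") != "input" or rule.get("action") != "accept":
            continue
        if "protocol" not in rule:  # no protocol match = any protocol (assumed: rule is for the peer)
            return set()
        needed.discard((rule["protocol"], rule.get("dst-port")))
    return needed
```

On the thread's own records the mirror check comes back empty, which points the search away from the policy/peer definitions and toward the path in between.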

Hi,

As suggested I have added

/ip firewall filter
add chain=input comment=Ip-Sec-ESP protocol=ipsec-esp
add chain=input comment=IP-Sec-AH protocol=ipsec-ah

To both routers. Also both of these were already done:-

Also allow UDP 500 on your firewall (input chain), and be sure that your NAT rule for the local networks is above the masquerade rule in ip firewall nat

This did trigger a few thoughts for me. One thing I forgot to mention is that a Cisco ASA is in front of the virtualised router. It goes a little like this:-

Home Mikrotik <—> Internet <—> Cisco ASA <—> VMWare <—> Virtualised DC Mikrotik

I had a deeper look into the config and I was definitely missing things; however, I have added what else I think I need and it still does not work. On the Cisco ASA I have it configured as below:-

access-list from_outside extended permit tcp any host 82.147.x.x
access-list from_outside extended permit udp any host 82.147.x.x
access-list from_outside extended permit esp any host 82.147.x.x
access-list from_outside extended permit ah any host 82.147.x.x
access-list from_outside extended permit gre any host 82.147.x.x

policy-map global_policy
    class inspection_default
         inspect ipsec-pass-thru

Any one have any other thoughts?

No SA activity at all?

Use torch on your interfaces. Are you sending ISAKMP packets (UDP 500)? Are they arriving at the other end? Replies? Without ISAKMP running nothing much else will happen.

Not 100% sure what I did but it is now working.

The only thing I can think of is when using the ping tool I specified the bridge interface and after a few missed pings it started working. I need to do some more testing to be sure it initiates from both sides etc. I will report back if I find out I did anything else. I also think I now have some un-required firewall rules on both so will do some testing and disable the ones I think are not being used.

Thanks all for your help. Very much appreciated.

Have done a few checks and all is well.

I have not been able to find any other changes that I may have made. Thanks all for your help.