IPsec Tunnel & PPTP VPN

Hey Team!


I’ve run into a problem trying to set up a stable IPsec tunnel between two MikroTik routers. (RouterOS v6.36.3)
I’m able to get a working connection, but after about two days it goes offline and I have to re-enter the config below to re-establish IPsec between the two sites. (1A)
To further troubleshoot the IPsec tunnel, I’ve provided the two router configs below. (2A)


I’ve also run into a second problem using one of the routers to set up a PPTP VPN for smartphone clients.
No matter what guide I follow, I can’t authenticate with the router. I’ve provided that router’s config below. (3A)

Thanks!

-L2


(1A)

####################### - SITE 01 - #######################
WAN:
XXXXXXXXXXX

LAN: 
192.168.2.0/24

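# NOTE(review): this script is purely additive -- every re-apply after an
# outage appends another copy of each rule (the (2A) export of this site shows
# the stacked duplicates). Delete the earlier copies instead of piling on, and
# treat the re-apply as a symptom: nothing here changes state that would expire.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

/ip ipsec peer
# NOTE(review): only address/port/auth/secret are set; exchange-mode, SA
# lifetimes, DPD and NAT-T stay at their defaults. Both ends must agree on the
# lifetimes or the tunnel dies at the first rekey -- one candidate for the
# ~2-day drop. Compare the effective values on both routers.
add address=XXXXXXXXXXX/32 port=500 auth-method=pre-shared-key secret="XXXXXXXXXXX"

/ip ipsec policy
# Encrypt LAN-to-LAN traffic in tunnel mode between the two fixed WAN addresses.
# The sa-src-address must stay equal to this router's ether1 address; (2A) shows
# a DHCP client on ether1 as well, so a lease change would silently break this.
add src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any \
sa-src-address=XXXXXXXXXXX sa-dst-address=XXXXXXXXXXX \
tunnel=yes action=encrypt proposal=default

/ip firewall nat
# Exempt site-to-site traffic from the masquerade so it still carries the LAN
# source the policy matches on. NOTE(review): the dst-address here is redacted;
# it has to be the remote LAN (192.168.1.0/24) -- anything else means tunnel
# traffic is masqueraded first and never matches the policy.
add chain=srcnat action=accept  place-before=0 \
src-address=192.168.2.0/24 dst-address=XXXXXXXXXXX/24

/ip firewall filter
# FIX: both `add` lines were missing the trailing continuation backslash, so the
# first line was applied on its own as an UNCONDITIONAL forward accept and the
# second line is not a valid command by itself. The (2A) export of this site
# shows exactly such bare `add action=accept chain=forward` rules at the top of
# the forward chain -- remove those after applying the corrected rules.
# NOTE(review): nothing here opens udp/500, udp/4500 or ipsec-esp from the peer
# in the input chain; the default "drop all from WAN" rule (see 2A) drops the
# remote peer's IKE unless conntrack already holds a session this side started.
add chain=forward action=accept place-before=1 \
 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 \
 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 connection-state=established,related

/ip firewall raw
# Keep site-to-site traffic out of connection tracking, presumably to keep it
# out of fasttrack (fasttracked packets bypass the IPsec policy). NOTE(review):
# untracked packets never match the established,related rules above -- once the
# bare accept-all rules are gone, confirm tunnel traffic still passes forward.
add action=notrack chain=prerouting src-address=192.168.2.0/24 dst-address=192.168.1.0/24
add action=notrack chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.2.0/24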

####################### - SITE 02 - #######################

WAN:
XXXXXXXXXXX

LAN:
192.168.1.0/24

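# NOTE(review): this script is purely additive -- every re-apply after an
# outage appends another copy of each rule (the (2A) export of this site shows
# the stacked duplicates). Delete the earlier copies instead of piling on.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

/ip ipsec peer
# NOTE(review): only address/port/auth/secret are set; exchange-mode, SA
# lifetimes, DPD and NAT-T stay at their defaults and must match site 01's
# effective values, or the tunnel dies at the first rekey.
add address=XXXXXXXXXXX/32 port=500 auth-method=pre-shared-key secret="XXXXXXXXXXX"

/ip ipsec policy
# Encrypt LAN-to-LAN traffic in tunnel mode between the two fixed WAN addresses.
# sa-src-address must stay equal to this router's ether1 address; (2A) shows a
# DHCP client on ether1 alongside the static /30, so a lease change breaks this.
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any \
sa-src-address=XXXXXXXXXXX sa-dst-address=XXXXXXXXXXX \
tunnel=yes action=encrypt proposal=default

/ip firewall nat
# Exempt site-to-site traffic from the masquerade. NOTE(review): dst-address is
# redacted here; it has to be the remote LAN (192.168.2.0/24), otherwise the
# traffic is masqueraded before the policy can match it.
add chain=srcnat action=accept  place-before=0 \
src-address=192.168.1.0/24 dst-address=XXXXXXXXXXX/24

/ip firewall filter
# FIX: both `add` lines were missing the trailing continuation backslash, so the
# first line was applied on its own as an UNCONDITIONAL forward accept and the
# second line is not a valid command by itself. The (2A) export of this site
# shows the resulting bare `add action=accept chain=forward` rules at the top
# of the forward chain -- remove those after applying the corrected rules.
# NOTE(review): nothing here opens udp/500, udp/4500 or ipsec-esp from the peer
# in the input chain; the default "drop all from WAN" rule (see 2A) drops the
# remote peer's IKE unless conntrack already holds a session this side started.
add chain=forward action=accept place-before=1 \
 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 \
 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 connection-state=established,related

/ip firewall raw
# Keep site-to-site traffic out of connection tracking, presumably to keep it
# out of fasttrack (fasttracked packets bypass the IPsec policy). NOTE(review):
# untracked packets never match the established,related rules above -- once the
# bare accept-all rules are gone, confirm tunnel traffic still passes forward.
add action=notrack chain=prerouting src-address=192.168.2.0/24 dst-address=192.168.1.0/24
add action=notrack chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.2.0/24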

(2A)

##########################################################
####################### - SITE 01 - #######################
##########################################################
# aug/29/2016 17:56:57 by RouterOS 6.36
# software id = XXXXXXXXXX
#
# NOTE(review) lines below are reviewer observations on this export. An export
# lists only non-default values, so anything not shown is at its default.
/interface bridge
add admin-mac= XXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid= XXXXXXXXXX \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
# NOTE(review): WPA2-PSK with tkip as the only group and unicast cipher. TKIP is
# the legacy WPA cipher; the site 02 profile at least lists aes-ccm alongside
# it. Prefer aes-ccm only unless a legacy client genuinely needs tkip.
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=tkip mode=\
    dynamic-keys unicast-ciphers=tkip wpa-pre-shared-key= XXXXXXXXXX \
    wpa2-pre-shared-key= XXXXXXXXXX
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip address
# NOTE(review): ether1 carries a static /29 here and a DHCP client below. If
# the lease ever hands out a different address, the fixed sa-src-address in the
# ipsec policy stops matching -- worth checking against the ~2-day outage.
add address=192.168.2.1/24 comment=defconf interface=ether2-master network=\
    192.168.2.0
add address=XXXXXXXXXX/29 interface=ether1 network=XXXXXXXXXX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any source; the
# input-chain "drop all from WAN" rule below is what keeps that off ether1.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.2.1 name=router
/ip firewall filter
# NOTE(review): four UNCONDITIONAL forward accepts sit ahead of every other
# forward rule, including "drop invalid" and "drop all from WAN not DSTNATed".
# They match what the (1A) script produces when its
# `add chain=forward action=accept place-before=1` line runs without its
# continuation (two per re-apply). Remove them; the two rules that follow are
# the intended ones.
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="defconf: accept ICMP" log-prefix="" \
    protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" \
    connection-state=established,related log-prefix=""
# NOTE(review): nothing ahead of this drop accepts udp/500, udp/4500 or
# ipsec-esp from ether1, so the remote peer's IKE appears to get in only while
# an established/related entry exists for a session this side initiated. Once
# that entry ages out only this side can re-initiate -- another candidate for
# the two-day drop. An explicit input accept for those protocols from the
# peer's /32, placed above this rule, would remove the dependency.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1 log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related log-prefix=""
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related log-prefix=""
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=""
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log-prefix=""
/ip firewall nat
# NOTE(review): six srcnat accept rules precede the one for 192.168.1.0/24;
# their dst-address is redacted, so it is not visible whether they are earlier
# attempts at the same site-to-site exemption. Each re-apply of (1A) adds one
# more (place-before=0). Duplicates hide which rule is actually doing the work.
add action=accept chain=srcnat dst-address= XXXXXXXXXX/24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXXX /24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXXX /24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXXX /24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXXX /24 src-address=\
    192.168.2.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXXX /24 src-address=\
    XXXXXXXXXX/24
# Exempts LAN-to-remote-LAN traffic from masquerade so the ipsec policy can
# match its original source.
add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix="" \
    src-address=192.168.2.0/24
# The defconf masquerade; the five bare copies below are re-apply leftovers.
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" \
    out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
# Keeps site-to-site traffic out of connection tracking, presumably so it is
# not fasttracked (fasttracked packets bypass the IPsec policy). NOTE(review):
# untracked packets never match the established,related forward accepts; after
# the accept-all rules above are removed, re-check that tunnel traffic still
# passes. Two copies of each rule here.
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
/ip ipsec peer
# NOTE(review): only address and secret are non-default; exchange-mode,
# lifetimes, DPD and NAT-T are at defaults. Compare the effective values with
# site 02 -- a lifetime mismatch is a classic cause of a tunnel dying on rekey.
add address=XXXXXXXXXX/32 secret=XXXXXXXXXX
/ip ipsec policy
# Tunnel-mode policy pinned to the two WAN addresses (action/proposal at default).
add dst-address=192.168.1.0/24 sa-dst-address=XXXXXXXXXX sa-src-address=\
    XXXXXXXXXX src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=XXXXXXXXXX
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master,e\
    ther7,ether8,ether9,ether10"
/system clock
set time-zone-name= XXXXXXXXXX 
/system logging
add topics=ipsec
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge



##########################################################
####################### - SITE 02 - #######################
##########################################################
[admin@MikroTik] > /export
# oct/13/2016 21:55:02 by RouterOS 6.36.3
# software id = XXXXXXXXX
#
# NOTE(review) lines below are reviewer observations on this export. An export
# lists only non-default values, so anything not shown is at its default.
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address= XXXXXXXXX
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid= XXXXXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface pptp-server
# NOTE(review): a static pptp-server interface bound to an empty user name --
# presumably a leftover from a guide; confirm it is needed, dial-in clients get
# dynamic interfaces from the server settings below.
add name=VPN user=""
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
# NOTE(review): tkip is still allowed next to aes-ccm; drop tkip unless a legacy
# client needs it.
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key= XXXXXXXXX wpa2-pre-shared-key= XXXXXXXXX
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# NOTE(review): profile "demo" sets no local-address/remote-address (or pool),
# so a secret that does not carry its own addresses (the last two under
# /ppp secret) has nothing to give the client after authentication. On the
# phone that looks like a failed connection -- a likely match for the
# "can't authenticate" symptom.
add name=demo
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface pptp-server server
# NOTE(review): pap sends the password in clear and chap/mschap1 are weak; keep
# only mschap2 (MPPE keys derive from MS-CHAP). PPTP as a whole is considered
# broken; since IPsec is already on this router, L2TP/IPsec is the stronger
# choice for the phone clients.
set authentication=pap,chap,mschap1,mschap2 default-profile=demo enabled=yes
/ip address
# NOTE(review): ether1 carries a static /30 here and a DHCP client below. If
# the lease ever hands out a different address, the fixed sa-src-address in the
# ipsec policy stops matching -- worth checking against the ~2-day outage.
add address=192.168.1.253/24 comment=defconf interface=ether2-master network=\
    192.168.1.0
add address= XXXXXXXXX/30 interface=ether1 network= XXXXXXXXX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.253 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any source; the
# input-chain "drop all from WAN" rule below is what keeps that off ether1.
set allow-remote-requests=yes servers=192.168.1.2
/ip dns static
add address=192.168.1.253 name=router
/ip firewall filter
# NOTE(review): two UNCONDITIONAL forward accepts sit ahead of every other
# forward rule, including "drop invalid" and "drop all from WAN not DSTNATed".
# They match what the (1A) script produces when its
# `add chain=forward action=accept place-before=1` line runs without its
# continuation. Remove them; the two rules that follow are the intended ones.
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
# NOTE(review): no input rule ahead of this drop accepts tcp/1723 and GRE
# (protocol 47) from ether1, so phones connecting from the internet are dropped
# before PPTP can even start authenticating -- if the clients are on the WAN
# side, this is the first thing to fix. The same applies to udp/500, udp/4500
# and ipsec-esp from the site 01 peer: its IKE appears to get in only while an
# established/related entry exists for a session this side initiated.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
# NOTE(review): five srcnat accept rules with a redacted dst-address precede the
# one for 192.168.2.0/24; each re-apply of (1A) adds one more (place-before=0).
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    XXXXXXXXX /24
# NOTE(review): chain=srcnet (not srcnat) with no match conditions -- a rule in
# a chain nothing jumps to; presumably a typo from a manual retry. Remove it.
add action=accept chain=srcnet
# Exempts LAN-to-remote-LAN traffic from masquerade so the ipsec policy can
# match its original source.
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
# The defconf masquerade; the bare copies below are re-apply leftovers.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): masquerades every LAN-sourced packet regardless of out-interface
# (including traffic towards dial-in PPTP clients). The out-interface=ether1
# rule already covers internet traffic; this one looks unintended.
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
# Keeps site-to-site traffic out of connection tracking, presumably so it is
# not fasttracked (fasttracked packets bypass the IPsec policy). NOTE(review):
# untracked packets never match the established,related forward accepts; after
# the accept-all rules above are removed, re-check that tunnel traffic passes.
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip ipsec peer
# NOTE(review): only address and secret are non-default; exchange-mode,
# lifetimes, DPD and NAT-T are at defaults. Compare the effective values with
# site 01 -- a lifetime mismatch is a classic cause of a tunnel dying on rekey.
add address= XXXXXXXXX /32 secret= XXXXXXXXX
/ip ipsec policy
# Tunnel-mode policy pinned to the two WAN addresses (action/proposal at default).
add dst-address=192.168.2.0/24 sa-dst-address= XXXXXXXXX sa-src-address=\
    XXXXXXXXX src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway= XXXXXXXXX
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master,e\
    ther7,ether8,ether9,ether10"
/ppp secret
# NOTE(review): the only secret that carries addresses. local-address
# 192.168.1.1 and remote-address 192.168.1.69 are inside the LAN /24, where the
# router is .253 and the DNS server is .2 -- make sure .1 and .69 are not in
# use by other hosts, and that LAN hosts can reach the client (proxy-arp on the
# LAN side, or use addresses outside the LAN range).
add local-address=192.168.1.1 name= XXXXXXXXX password= XXXXXXXXX profile=demo \
    remote-address=192.168.1.69
# No profile, service or addresses of its own; the only profile shown in this
# export ("demo") hands out none either.
add name= XXXXXXXXX password= XXXXXXXXX
# Restricted to pptp, but again no addresses from the secret or from "demo".
add name= XXXXXXXXX password= XXXXXXXXX profile=demo service=pptp
/system clock
set time-zone-name=America/ XXXXXXXXX
/system logging
# NOTE(review): nine logging rules where two would do (the two bare `add`
# entries carry the default topics). pptp,debug,packet logs packet contents,
# which with pap enabled may include cleartext passwords -- keep it only for
# the duration of troubleshooting, then remove it.
add topics=ipsec
add topics=pptp,debug,packet
add
add topics=pptp,debug,packet
add topics=ipsec
add topics=pptp,debug,packet
add
add topics=pptp,debug,packet
add topics=pptp,debug,packet
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

(3A)

[admin@MikroTik] > /export
# oct/13/2016 21:55:02 by RouterOS 6.36.3
# software id = XXXXXXXXX
#
# This is the same export as site 02 in (2A). NOTE(review) lines below are
# reviewer observations focused on the PPTP problem; an export lists only
# non-default values, so anything not shown is at its default.
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address= XXXXXXXXX
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid= XXXXXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface pptp-server
# NOTE(review): a static pptp-server interface bound to an empty user name --
# presumably a leftover from a guide; confirm it is needed, dial-in clients get
# dynamic interfaces from the server settings below.
add name=VPN user=""
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
# NOTE(review): tkip is still allowed next to aes-ccm; drop tkip unless a legacy
# client needs it.
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key= XXXXXXXXX wpa2-pre-shared-key= XXXXXXXXX
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# NOTE(review): profile "demo" sets no local-address/remote-address (or pool),
# so a secret that does not carry its own addresses (the last two under
# /ppp secret) has nothing to give the client after authentication. On the
# phone that looks like a failed connection -- a likely match for the
# "can't authenticate" symptom. Give the profile a local-address and a
# remote-address pool, or put addresses on every secret.
add name=demo
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface pptp-server server
# NOTE(review): pap sends the password in clear and chap/mschap1 are weak; keep
# only mschap2 (MPPE keys derive from MS-CHAP). PPTP as a whole is considered
# broken; since IPsec is already on this router, L2TP/IPsec is the stronger
# choice for the phone clients.
set authentication=pap,chap,mschap1,mschap2 default-profile=demo enabled=yes
/ip address
# NOTE(review): ether1 carries a static /30 here and a DHCP client below; the
# ipsec policy pins sa-src-address to a fixed value, so a lease change would
# break the tunnel silently.
add address=192.168.1.253/24 comment=defconf interface=ether2-master network=\
    192.168.1.0
add address= XXXXXXXXX/30 interface=ether1 network= XXXXXXXXX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.253 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any source; the
# input-chain "drop all from WAN" rule below is what keeps that off ether1.
set allow-remote-requests=yes servers=192.168.1.2
/ip dns static
add address=192.168.1.253 name=router
/ip firewall filter
# NOTE(review): two UNCONDITIONAL forward accepts sit ahead of every other
# forward rule, including "drop invalid" and "drop all from WAN not DSTNATed".
# They match what the (1A) script produces when its
# `add chain=forward action=accept place-before=1` line runs without its
# continuation. Remove them; the two rules that follow are the intended ones.
add action=accept chain=forward
add action=accept chain=forward
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
# NOTE(review): no input rule ahead of this drop accepts tcp/1723 and GRE
# (protocol 47) from ether1, so phones connecting from the internet are dropped
# before PPTP can even start authenticating -- if the clients are on the WAN
# side, this is the first thing to fix: add an input accept for tcp dst-port
# 1723 and one for protocol gre, both above this rule.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
# NOTE(review): five srcnat accept rules with a redacted dst-address precede the
# one for 192.168.2.0/24; each re-apply of (1A) adds one more (place-before=0).
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address= XXXXXXXXX /24 src-address=\
    XXXXXXXXX /24
# NOTE(review): chain=srcnet (not srcnat) with no match conditions -- a rule in
# a chain nothing jumps to; presumably a typo from a manual retry. Remove it.
add action=accept chain=srcnet
# Exempts LAN-to-remote-LAN traffic from masquerade so the ipsec policy can
# match its original source.
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
# The defconf masquerade; the bare copies below are re-apply leftovers.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): masquerades every LAN-sourced packet regardless of out-interface
# (including traffic towards dial-in PPTP clients). The out-interface=ether1
# rule already covers internet traffic; this one looks unintended.
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
# Keeps site-to-site traffic out of connection tracking, presumably so it is
# not fasttracked (fasttracked packets bypass the IPsec policy).
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip ipsec peer
# Only address and secret are non-default; everything else is at defaults.
add address= XXXXXXXXX /32 secret= XXXXXXXXX
/ip ipsec policy
# Tunnel-mode policy pinned to the two WAN addresses (action/proposal at default).
add dst-address=192.168.2.0/24 sa-dst-address= XXXXXXXXX sa-src-address=\
    XXXXXXXXX src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway= XXXXXXXXX
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master,e\
    ther7,ether8,ether9,ether10"
/ppp secret
# NOTE(review): the only secret that carries addresses. local-address
# 192.168.1.1 and remote-address 192.168.1.69 are inside the LAN /24, where the
# router is .253 and the DNS server is .2 -- make sure .1 and .69 are not in
# use by other hosts, and that LAN hosts can reach the client (proxy-arp on the
# LAN side, or use addresses outside the LAN range).
add local-address=192.168.1.1 name= XXXXXXXXX password= XXXXXXXXX profile=demo \
    remote-address=192.168.1.69
# No profile, service or addresses of its own; the only profile shown in this
# export ("demo") hands out none either.
add name= XXXXXXXXX password= XXXXXXXXX
# Restricted to pptp, but again no addresses from the secret or from "demo".
add name= XXXXXXXXX password= XXXXXXXXX profile=demo service=pptp
/system clock
set time-zone-name=America/ XXXXXXXXX
/system logging
# NOTE(review): nine logging rules where two would do (the two bare `add`
# entries carry the default topics). pptp,debug,packet logs packet contents,
# which with pap enabled may include cleartext passwords -- keep it only for
# the duration of troubleshooting, then remove it.
add topics=ipsec
add topics=pptp,debug,packet
add
add topics=pptp,debug,packet
add topics=ipsec
add topics=pptp,debug,packet
add
add topics=pptp,debug,packet
add topics=pptp,debug,packet
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge