IPSec tunnel to a pfSense server

RouterOS General
1

hi everyone,
I’m having trouble getting an IPSec tunnel working. There seems to be some traffic, but no return. I’m not sure which side gives the trouble.

On pfSense ( ver: 2.2.4 ) I see that there is traffic going out, but no return. On both sides if I do a traceroute, both sides supposedly try to send traffic over the tunnel, but neither gets past the local ipSec tunnel.

Secondly, I followed Matthew Siemens directions to block brute force ssh, but it seems if I remove the allow firewall rule, I can’t access the port at all.

Could someone point me in the right direction for both of these?

Here’s the mikrotik side:

# aug/31/2015 20:22:20 by RouterOS 6.31
# software id = A0PB-R4V5
#
/ip ipsec mode-config
set (unknown) name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=yes enc-algorithms=aes-128-cbc lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1,sha256 disabled=no enc-algorithms=aes-128-cbc,blowfish lifetime=8h name=spl pfs-group=modp2048
/ip ipsec peer
add address=2.2.3.75/32 auth-method=pre-shared-key dh-group=modp2048 disabled=no dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=aes-128,blowfish exchange-mode=\
    main generate-policy=no hash-algorithm=sha256 lifebytes=0 lifetime=8h local-address=2.2.2.83 nat-traversal=yes passive=no policy-template-group=default port=500 \
    proposal-check=obey secret=___secret___ send-initial-contact=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
add action=encrypt disabled=no dst-address=10.101.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=spl protocol=all sa-dst-address=2.2.3.75 \
    sa-src-address=2.2.2.83 src-address=10.103.0.0/24 src-port=any tunnel=yes


[admin@rtr] > /ip firewall export verbose 
# aug/31/2015 20:26:02 by RouterOS 6.31
# software id = A0PB-R4V5
#
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=icmp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss \
    !time !ttl
add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=500,80,8291,22 !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-flags !tcp-mss !time !ttl
add action=drop chain=input comment="Drop SSH connection from IP addresses in ssh_blacklist address list" !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=\
    22,8291 !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !routing-mark !routing-table \
    !src-address src-address-list=ssh_blacklist !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=5d chain=input comment="Blocked IP address that attempted multiple SSH connections" \
    !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=new !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=22,8291 !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !routing-table !src-address src-address-list=ssh_attempt_3 !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=add-src-to-address-list address-list=ssh_attempt_3 address-list-timeout=1m chain=input comment="IP address that attempted to create 3 SSH connections" \
    !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=new !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=22,8291 !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !routing-table !src-address src-address-list=ssh_attempt_2 !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=add-src-to-address-list address-list=ssh_attempt_2 address-list-timeout=1m chain=input comment="IP address that attempted to create 2 SSH connections" \
    !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=new !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=22,8291 !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !routing-table !src-address src-address-list=ssh_attempt_1 !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=add-src-to-address-list address-list=ssh_attempt_1 address-list-timeout=1m chain=input comment="IP address that attempted to create an SSH connections" \
    !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=new !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=22,8291 !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=forward comment="default configuration" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=\
    established !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=forward comment="default configuration" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=\
    related !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=drop chain=forward comment="default configuration" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=\
    invalid !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=icmp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss \
    !time !ttl
add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port \
    !tcp-flags !tcp-mss !time !ttl
add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=related !connection-type !content \
    disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=accept chain=input comment="allow l2tp" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=1701 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=input comment="allow pptp" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=1723 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=input comment="allow sstp" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=443 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=drop chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port in-interface=ether1-gateway \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port \
    !tcp-flags !tcp-mss !time !ttl
/ip firewall nat
add action=accept chain=srcnet !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp dst-address=10.101.0.0/24 \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !routing-table src-address=10.103.0.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat comment="default configuration" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port out-interface=ether1-gateway !packet-mark !packet-size !per-connection-classifier !port \
    !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses \
    !to-ports !ttl
add action=masquerade chain=srcnat comment="masq. vpn traffic" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table src-address=10.103.0.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses \
    !to-ports !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
2

can no one help me with this? I find out now that if I traceroute from the RB750 to the internal IP of the other network, it goes out to the internet, not through the tunnel. Is this how it should be? Or will it behave differently if I’m behind the RB750 and running a traceroute through it to other network?

Mark

3

After more googling around, I found this article, and it helped me to get it all working and to learn which part matches to what in the 2 systems.

http://forum.mikrotik.com/t/need-help-with-ipsec-tunnel/50297/1

Thanks.