IPSEC VPN between PaloAlto and Mikrotik

Hello

Been struggling with this issue for weeks and now I’m out of options and hope you can help me. So one of clients wants to have an IPSEC site-to-site tunnel and he has this PaloAlto device.
Clients WAN IP: 80.90.100.200
Clients VLAN IP: 10.124.0.0/16
My WAN IP: 8.9.10.20
My Lan: 192.168.88.0/24

But my client has also requested that all the traffic through the tunnel has to be translated to one specific IP address - 10.20.30.9 (

/ip ipsec policy set 0 dst-address=10.124.0.0/16 src-adress=10.20.30.9/32

)

So what I did so far:
First I thought: “nah I’m not gonna play with NATing” and just created a 10.20.30.0/24 subnet and set 10.20.30.9 as gateway and created a simple NAT (

/ip firewall nat add chain=srcnat dst-address=10.124.0.0/16 src-address=10.20.30.0/24 action=accept

. The tunnel was up but nothing went through it. Client said that he can see my ICMP packets, but I never recieved any replay. So I went to client office and tried to ping 10.20.30.9 at first I didn’t get anything, but I noticed that my Mikrotik is dropping packets from 80.90.100.200 as soon as I opened firewall for clients WAN IP the ping from clients office went through ( I still can’t wrap my head around this - why on earth did it need a hole in firewall?). However ping from my office to clients office still didn’t go through.
Then I reset my Mikrotik left the default settings, created the tunnel (which is up), created 10.20.30.9 attached it to ether5-slave-local Interface and created NAT (

/ip firewall nat add action=src-nat chain=srcnat dst-address=10.124.0.0/16 src-address=192.168.88.0/24 \ to-address=10.20.30.9

Of course it does not work either.
What am I missing or doing wrong?

See if http://wiki.mikrotik.com/wiki/Routing_through_remote_network_over_IPsec is of help.

Without a relevant complete export it’s just a guessing game…

Ok, here is the full export:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=proposal1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local name=default
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.88.0
add address=8.9.10.20/24 interface=ether1-gateway network=8.9.10.0
add address=10.20.30.9 interface=ether3-slave-local network=10.20.30.9
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add chain=input protocol=tcp src-port=8291
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.124.0.0/16 src-address=\
    192.168.88.0/24 to-addresses=10.20.30.9
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
/ip ipsec peer
add address=80.90.100.200/32 dpd-interval=10s dpd-maximum-failures=3 \
    enc-algorithm=aes-256 lifetime=8h nat-traversal=no secret=ABC123abc
/ip ipsec policy
add dst-address=10.124.0.0/16 proposal=proposal1 sa-dst-address=80.90.100.200 \
    sa-src-address=8.9.10.20 src-address=10.20.30.9/32 tunnel=yes
/ip route
add distance=1 gateway=8.9.10.1
/system clock
set time-zone-name=Europe/Riga
/system logging
add topics=ipsec
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool romon port
add disabled=no

As I posted this code I noticed the issue. Fixed it (also fixed it in posted code here). So now tunnel is up, PING goes through in any direction, but port 80 does not. Any rule I should apply to my Firewall?

As I posted this code I noticed the issue.

This happens more often than you think

Fixed it (also fixed it in posted code here).

What was the issue? Could you post wrong/right exports? It could be useful for others in the future.

Port 80 from where to where? Same IPs that do ping? are you using src-address when pinging?

Maybe a routing issue?

I’m actually not sure whom to blame for that issue - me for not reading manuals (probably touched something that shouldn’t be touched) or maybe it’s a Mikrotik bug:
I usually do the configuration through Winbox GUI not terminal. And if you open IP IPsec policy, there is by default a blue colored entry and everything is set to 0 there. I edited that. The result was quite strange in Winbox GUI I could see that every setting was as it should be, but as soon as I exported I got this:

/ip ipsec policy
add dst-address=10.124.0.0/16 proposal=proposal1 sa-dst-address=0.0.0.0 \
    sa-src-address=0.0.0.0 src-address=10.20.30.9 tunnel=yes

And of course that meant that my tunnel wasn’t even working it died at phase 2.

Now for the port issue:
The pinging is done from a laptop inside 192.168.88.0/24 network. I can ping 10.124.10.10. I can kinda get something back from it via port 80 - it shows the web page header, but that’s it.
The device (10.124.10.10) is also a Mikrotik router which does some port forwarding to a webserver. On site (inside the 10.124.0.0 network) everything works just fine - I can connect to that router via Winbox (port 8921) and the port forwarding also works just fine.


From PaloAlto router reports show some strange Session End Reasons like: tcp-rst-from-client or tcp-fin (whatever that means).

Default blue entry is template, indicated by T flag in winbox. Template is not the same as policy. More info on policies and policy templates are in the manual.

This is very strange. By connecting to the 10.124.10.10 ( to port 80) I can get header from the web page, but nothing more. If try to connect to the router it self (to port 8921) it takes forever, it never gives any errors or anything, it just tries to connect for hours and nothing happens. I have no more ideas… Should I call for exorcist?

you should remove default configuration when ever you configure mikrotik and do it from scratch.
Try changing:
Dns to point to google disable remote request thats important
remove default firewall config
change ip sec peer to 0.0.0.0/0 and enable Nat traversal, change policy to port override

and what kind of VPN is that l2tp or ? if so use main l2tp exchange mode. And check whats your MTU

looks like MTU problem. Set up mangle rules to change MSS.

@StefanM

1. I highly doubt DNS will solve anything, as everything is IP related. How do I disable remote request?
2. You can see in previous posts my whole router config, could you please tell me which firewall rules have to be removed?
3. It’s an IP/IPsec tunnel. So by removing peer, I will generally mes up my tunnel. And I tried NAT traversal, it does nothing in my case.

As for MTU, I went through this topic:
http://forum.mikrotik.com/t/mtu-mss-problem-on-ipsec-tunnel/59747/1

Tried some different MTUs (1418 and 1350), no luck.

You have to calculate precisely how much mtu you need, you can’t add random numbers for it.
Remove all the default config you have for firewall, your configuration is not so much clean.

OK, today I found out that my MTU is stunningly low (done some -f -l pinging) 1272+28=1300. Now I’ve kinda followed the instructions written by gsloop and added mangle:

/ip firewall mangle
add action=change-mss chain=forward dst-address=10.124.0.0/16 new-mss=1300 \
    protocol=tcp src-address=192.168.88.0/24 tcp-flags=syn tcp-mss=!0-1300

But I think I’m missing something, as I don’t see any traffic going through the mangle. I guess it’s because of this:

/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.124.0.0/16 src-address=\
    192.168.88.0/24 to-addresses=10.20.30.9

How am I to combine those two? Should I combine them? In other words, how to achieve that mangle works on tunnel in my case?
Also, what does this do?

/ip firewall filter
add chain=forward comment="default configuration" connection-state=\
    established,related

Should I really remove it?

@StefanM
Thank you! Removed Fasttrack and Forward firewall rules and everything works! Can anyone explain why?

as per http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack

Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow(restriction removed in 6.33), ip accounting, ipsec, hotspot universal client, vrf assignment, so it is up to administrator to make sure fasttrack does not interfere with other configuration