IPsec VPN between two MikroTik Routers

Hi,

I would like to build an IPsec VPN connection between two MikroTik routers with a PSK.

LAN1 (192.168.1.0/24) <—> MikroTik1 <—> Internet <—> MikroTik2 <—> LAN2 (192.168.2.0/24)

The private IP on MikroTik1 is 192.168.1.1 (ether1).
The public IP on MikroTik1 is 172.16.0.1/24 (ether2).
The private IP on MikroTik2 is 192.168.2.1 (ether1).
The public IP on MikroTik2 is 172.16.0.2/24 (ether2).


So, I tried the following configuration after a system reset-configuration:

MikroTik1:

ip ipsec proposal print

0 name="default" auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

ip ipsec peer print

0 address=172.16.0.2/32:500 auth-method=pre-shared-key
secret="asdfasdfasdf" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=20s dpd-maximum-failures=1

ip ipsec policy print

0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=172.16.0.1 sa-dst-address=172.16.0.2
proposal=default manual-sa=none priority=0



MikroTik2:

ip ipsec proposal print

0 name="default" auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

ip ipsec peer print

0 address=172.16.0.1/32:500 auth-method=pre-shared-key
secret="asdfasdfasdf" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=20s dpd-maximum-failures=1

ip ipsec policy print

0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=172.16.0.2 sa-dst-address=172.16.0.1
proposal=default manual-sa=none priority=0



That’s my configuration. If I try a ping from 192.168.1.1 to 192.168.2.1 I get “no route to host”. If I add a default gateway to an address that doesn’t exist, the VPN tunnel gets started and is established. Now I can ping from 192.168.1.1 to 192.168.2.1, but I CAN’T ping from 192.168.2.1 to 192.168.1.1 (timeout).

What should I do to be able to ping in both directions? Is there any possibility to bring the tunnel up or down, like “ipsec auto --verbose --down connectionname”? Please help me. I have been trying this example for 4 weeks…

Eric

Add routes:

Router1
/ip route
add dst-address=192.168.2.0/24 gateway=172.16.0.2

Router2
/ip route
add dst-address=192.168.1.0/24 gateway=172.16.0.1

Now I can ping from 192.168.1.1 to 192.168.2.1, but I CAN’T ping from 192.168.2.1 to 192.168.1.1 (timeout).

If you are trying to ping from the router itself, then it is possible that you will get a ping timeout. If you ping from a device behind the router, then it should work.

Thank you very much, but is it really necessary to add routes? I think it’s IPsec’s job to add policies and routes, which must not appear in “/ip route print”.

Is it a bug? I often try a ping from MikroTik1 (private IP) to MikroTik2 (private IP) to test the VPN connection and know whether it’s established. It’s my monitoring for a VPN connection.

Yes, it is necessary to add routes. IPsec’s job is to add policies and to encapsulate and encrypt data. And there are no IPsec routes that are not visible in the /ip route table.

Is it a bug? I often try a ping from MikroTik1 (private IP) to MikroTik2 (private IP) to test the VPN connection and know whether it’s established.

I’m not sure if it is a bug. You are unable to ping only from the IPsec responder’s side; everything else should work fine.
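Editor's note, as an added worked example that is not part of the thread and not the posters' own configuration: the script below pulls the pieces discussed above into one RouterOS configuration per router, using the same pre-6.43 /ip ipsec peer and policy syntax the printouts show. It adds the routes from the "Add routes" answer, and it shows how to test from the router itself with the ping tool's src-address parameter, which is why the "ping from the router" case times out in the thread: without it the router sources the echo request from its ether2 address (172.16.0.x), the packet does not match the 192.168.x.0/24 policy selector and leaves unencrypted. It also answers the "ipsec auto --down" question with the RouterOS commands that drop the SAs and the IKE session. Assumptions that are mine, not the thread's: ether2 is the WAN interface on both routers, the PSK placeholder CHANGE-ME stands in for a real randomly generated secret, the optional srcnat bypass only matters if you masquerade on ether2 (the default configuration does), and 3des/md5 from the thread are replaced with aes-128-cbc/sha1 because both older algorithms are considered weak today.

```routeros
# ===== MikroTik1: LAN 192.168.1.0/24 on ether1, 172.16.0.1/24 on ether2 =====
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc \
    pfs-group=modp1024 lifetime=30m

/ip ipsec peer
add address=172.16.0.2/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 \
    dh-group=modp1024 lifetime=1d dpd-interval=20s dpd-maximum-failures=1

/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=172.16.0.1 sa-dst-address=172.16.0.2 proposal=default

# The policy only intercepts packets the routing table has already sent
# towards the peer, so the remote LAN needs a route (the "add routes" answer).
/ip route
add dst-address=192.168.2.0/24 gateway=172.16.0.2

# Only needed if ether2 is masqueraded: NAT would rewrite the source to
# 172.16.0.1 before the policy is checked and the selector would never match.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept place-before=0 comment="bypass NAT for IPsec traffic"

# ===== MikroTik2: LAN 192.168.2.0/24 on ether1, 172.16.0.2/24 on ether2 =====
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc \
    pfs-group=modp1024 lifetime=30m

/ip ipsec peer
add address=172.16.0.1/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 \
    dh-group=modp1024 lifetime=1d dpd-interval=20s dpd-maximum-failures=1

/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=172.16.0.2 sa-dst-address=172.16.0.1 proposal=default

/ip route
add dst-address=192.168.1.0/24 gateway=172.16.0.1

/ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    action=accept place-before=0 comment="bypass NAT for IPsec traffic"

# ===== Testing from MikroTik2 itself (works on either side) =====
# Force the LAN address as source so the echo request matches the policy
# selector; a plain "/ping 192.168.1.1" is sourced from 172.16.0.2 and times out.
/ping 192.168.1.1 src-address=192.168.2.1 count=3

# Is the tunnel up? Phase 1 peers and phase 2 SAs, plus per-policy counters.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print stats

# Equivalent of "ipsec auto --down": discard the SAs and kill the IKE
# session. The next matching packet (or DPD) brings the tunnel back up.
/ip ipsec installed-sa flush
/ip ipsec remote-peers kill-connections
```

For a monitoring probe, `/ping ... src-address=<lan address>` is the check that actually exercises the tunnel from the router; a ping sourced from the WAN address tests only the plaintext path between the two public IPs. Replace the PSK on both sides with a long random value and keep the proposal and peer algorithm lists identical on both routers, since proposal-check=obey on the responder will still refuse anything it does not offer itself.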