ipsec vpn create SA, but no traffic from remote site to Microtik

Hello,
I have an RB750Gr3 that connects by IPsec to a remote site. After 7 hours both SAs are present, but there is no traffic from the remote site.
Flushing the SAs does not help; disabling the policy sometimes helps for 20-40 minutes; only a router reboot helps, for another 7 hours.
Please help me investigate this issue.

If you provide a config export, it would greatly help to analyse the problem.

Did you setup policies to match the correct subnets and src-nat to allow IPsec to intercept egress packets? How is the remote site configured and do you have control over it?

here is config:

# sep/15/2023 09:47:52 by RouterOS 6.49.10
# software id = M959-4B5W
#
# model = RB750Gr3
# serial number = <removed>
/interface bridge
add admin-mac=48:A9:8A:E1:B0:C7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
set [ find default-name=ether3 ] advertise=10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-full,100M-full,1000M-full speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Three site-to-site peers, all bound to the ether1 address as local-address.
# Address-like values (xxx/yyy/zzz/vvv/bbb) are redacted in this export.
/ip ipsec peer
add address=zzz.zz.z.229/32 local-address=xxx.xxx.xx.62 name=Site3
add address=vvv.vv.vv.56/32 local-address=xxx.xxx.xx.62 name=Site1
add address=bbb.bb.bb.110/32 local-address=xxx.xxx.xx.62 name="Site2"
# Phase-1 profile: still offers 3des and des alongside aes-128; NAT-T is off.
# NOTE(review): lifetime=8h here and on the proposals below is close to the
# ~7 h window after which traffic stops, which suggests the failure coincides
# with rekeying - confirm against the ipsec log at that time.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128,3des,des lifetime=8h nat-traversal=no
# Phase-2 proposals: the default one accepts md5 auth and 3des, and both use
# pfs-group=none. The Site1 proposal sets no auth-algorithms, so it keeps the
# RouterOS default for that attribute.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=Site1 pfs-group=none
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only ether1 is in the WAN list; ether2 (second ISP) is not a member of any list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=xxx.xxx.xx..62/30 interface=ether1 network=xxx.xxx.xx..60
add address=yyy.yyy.yyy.202/30 interface=ether2 network=yyy.yyy.yyy.200
# Leftover default DHCP network (192.168.88.0/24); the bridge itself is 192.168.0.0/24.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# Filter rules are evaluated in order; the ipsec-policy accepts come before the
# "drop all from WAN not DSTNATed" rule at the end of the forward chain.
/ip firewall filter
# Both fasttrack rules are disabled (see also the defconf fasttrack rule below).
add action=fasttrack-connection chain=forward connection-state=established disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked 
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="IpSec internal traffic" dst-address=10.1.1.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.11.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.11.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.0.0/24 src-address=10.1.1.0/24
# "rr" is a redacted placeholder for the management (www) port, see /ip service.
add action=accept chain=input comment="rr allow" dst-port=rr protocol=tcp
# Input accepts for the Site1 and Site3 peer addresses match every protocol and
# port, not only IKE (udp/500, udp/4500) and ESP; narrowing them would be the
# least-privilege form. There is no equivalent rule for the Site2 peer address.
add action=accept chain=input src-address=vvv.vv.vv..56
add action=accept chain=input src-address=zzz.zz.z.229
add action=accept chain=input comment="SMTP in" connection-nat-state="" disabled=yes dst-port=25 log=yes protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Logged catch-all drop for input: new IKE from a peer not accepted above
# (e.g. Site2, when that side initiates) would end here - check the log.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# TCP MSS clamping (1408) in both directions for the Site1 tunnel; the first
# rule logs every matching SYN.
add action=change-mss chain=forward comment="Change MTU for the tunel" dst-address=192.168.11.0/24 log=yes new-mss=1408 passthrough=yes protocol=tcp src-address=192.168.0.0/24 tcp-flags=syn tcp-mss=!0-1408
add action=change-mss chain=forward dst-address=192.168.0.0/24 new-mss=1408 passthrough=yes protocol=tcp src-address=192.168.11.0/24 tcp-flags=syn tcp-mss=!0-1408
# Dual-WAN: replies to connections that arrived on an ISP interface are routed
# back out the same interface; LAN-originated traffic is split by PCC.
# NOTE(review): the four mark names below carry a leading space
# (" ether1_inbound", " ether1_outbound", ...) while the PCC rules and /ip route
# use ether1_outbound / ether2_outbound without it. If the export is faithful,
# the output-chain routing marks have no matching route and the router's own
# traffic (including IKE/ESP replies) falls back to the main table - confirm
# the names in the live config.
add action=mark-connection chain=input comment=" ISP_ether1_inbound" in-interface=ether1 new-connection-mark=" ether1_inbound" passthrough=yes
add action=mark-connection chain=input comment=" ISP_ether2_inbound" in-interface=ether2 new-connection-mark=" ether2_inbound" passthrough=yes
add action=mark-routing chain=output comment=" ether1_outbound" connection-mark=" ether1_inbound" new-routing-mark=" ether1_outbound" passthrough=yes
add action=mark-routing chain=output comment=" ether2_outbound" connection-mark=" ether2_inbound" new-routing-mark=" ether2_outbound" passthrough=yes
add action=mark-routing chain=prerouting comment=Lan_loadBalancer2/0 dst-address-type=!local in-interface=bridge new-routing-mark=ether1_outbound passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting comment=Lan_loadBalancer2/1 dst-address-type=!local in-interface=bridge new-routing-mark=ether2_outbound passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
/ip firewall nat
# Port forwards for SMTP and HTTPS to a host inside the Site1 subnet
# (192.168.11.100, behind the tunnel); the paired src-nat rewrites the source
# to 192.168.0.1 so that the forwarded traffic matches the tunnel policy.
add action=dst-nat chain=dstnat comment="Incoming SMTP" dst-address=xxx.xxx.xx..62 dst-port=25 log=yes protocol=tcp to-addresses=192.168.11.100 to-ports=25
add action=src-nat chain=srcnat dst-address=192.168.11.100 dst-port=25 log=yes protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.1
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xx..62 dst-port=443 protocol=tcp to-addresses=192.168.11.100 to-ports=443
add action=src-nat chain=srcnat dst-address=192.168.11.100 dst-port=443 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.1
# The default masquerade (with its ipsec-policy=out,none exclusion) is disabled;
# the per-interface masquerades at the end have no such exclusion, so tunnel
# traffic relies on the accept rules below to skip NAT.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=192.168.11.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.11.0/24
add action=accept chain=srcnat dst-address=10.1.1.0/24 src-address=192.168.0.0/24
# NOTE(review): no srcnat accept exists for 192.168.7.0/24 (the Site2 policy),
# so that traffic is masqueraded and would no longer match its policy.
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
# Connection tracking is bypassed for tunnel traffic: all outbound policy
# traffic, and inbound Site1 traffic to LAN hosts except the router itself
# (the range starts at .2, so 192.168.0.1 stays tracked).
/ip firewall raw
add action=notrack chain=output ipsec-policy=out,ipsec
add action=notrack chain=prerouting dst-address=192.168.0.2-192.168.0.254 ipsec-policy=in,ipsec src-address=192.168.11.0/24
# Identities: authentication settings and secrets are not included in this export.
# Site2 generates its policy dynamically (port-strict); Site1/Site3 use static policies.
/ip ipsec identity
add notrack-chain=prerouting peer=Site1
add notrack-chain=prerouting peer=Site3
add generate-policy=port-strict notrack-chain=prerouting peer="Site2"
# Static tunnel policies; the built-in default policy (index 0) is disabled.
# Site1 is the only policy that selects a non-default proposal.
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.1.1.0/24 peer=Site3 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.11.0/24 peer=Site1 proposal=Site1 src-address=192.168.0.0/24 tunnel=yes
add dst-address=192.168.7.0/24 peer="Site2" src-address=192.168.0.0/24 tunnel=yes
# Per-ISP default routes for the marked tables, plus two unmarked default
# routes with the same distance in the main table.
/ip route
add distance=1 gateway=xxx.xxx.xx..61 routing-mark=ether1_outbound
add distance=1 gateway=yyy.yyy.yyy.201 routing-mark=ether2_outbound
add distance=1 gateway=yyy.yyy.yyy.201
add distance=1 gateway=xxx.xxx.xx..61
# Web management moved to a non-standard (redacted) port.
/ip service
set www port=rr
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=RouterOS
# ipsec logging replaces the default topic set; useful for the rekey window noted above.
/system logging
set 0 topics=ipsec
add topics=info
add topics=interface
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Packet sniffer pre-filtered for the forwarded SMTP flow on ether1.
/tool sniffer
set filter-interface=ether1 filter-ip-address=192.168.0.1/32,192.168.11.100/32 filter-ip-protocol=tcp filter-port=smtp

The remote site is Windows servers, and I have control over it. I have other MikroTik routers that connect to the Windows server and they don't have this problem. This router has 2 ISPs connected to ether1 and ether2. Internet for internal users works fine.

Thanks. A brief description of the network topology would be helpful for getting an idea of how everything is connected and which site that is problematic, for example:

Wan xx Wan xx
Wan xx Wan xx
Wan xx Wan xx
. . .

Ps..
I’m about to travel soon so I’ll have to get back to you next week. In the meantime someone else might be able to help you out

Thanks Larsa for reply.
I'm interested in the Site1 connection.
network topology:
<hex local sub-net 192.16.0.0/24 ipsec> Wan xxx.xxx.xx.62 Wan vvv.vv.vv.56/32 <windows SITE1 ipsec local subnet 192.168.11.0/24.>

Hi,
Are there any suggestions to fix this problem?