IPSEC VPN Dialup behind NAT Router

Hi folks,
I have a MikroTik router. Its WAN port is connected to the LAN port of a router which connects to the internet.

So the WAN port of the MikroTik gets an IP of 192.168.0.101, GW = router IP 192.168.0.1, and the router connects to the internet with the official IP 77.119.xxx.yyy.
On the LAN side there is a PC connected to the MikroTik with IP 192.168.88.100; the MikroTik has an internal IP of 192.168.88.1.

If I configure an IPsec dial-up VPN, which IP addresses do I have to use for the SRC and DST SA? Should they be the official IPs of each VPN endpoint, i.e. 77.119.xxx.yyy and on the other side 81.28.xxx.yyy?

Thanks in advance!

No, you still specify your local address in the sa-src-address field and NAT-T will do its job. If you have already configured Phase 1, you can look at the Remote Peers section, and those will be the addresses you must use for your Policy SA addresses.

So:
In New IPSEC Policy / General
Src Address: 192.168.88.0/24
Dst Address: (other local LAN, on the other side of the Tunnel) 10.239.xxx.yyy/24
Protocol: all

Action:
Action: encrypt, Level: require, IPsec Protocols: esp
Tunnel is ticked
SA Src: 192.168.0.101
SA Dst: 81.28.xxx.yyy
Proposal: default

Proposals:
sha1, 3des, Lifetime 1d, PFS Group modp2048 (matches the settings of the other side of the VPN tunnel)

New IPSEC Peer / General
Address: 81.28.xxx.yyy
Port: 500
preshared key
aggressive
secret is given

Advanced
Template Group default
Send initial contact is ticked
Nat traversal is ticked
My ID Type: fqdn
MyID is given
Generate Policy no
Lifetime 1d
DPD Interval 120
DPD Maximum Failures 5
Proposal check obey
Compatibility options not checked

Encryption matches the settings of the other side of the VPN tunnel.

Do I have to set up additional policies, NAT settings or routes to get it up and working?
Phase 1 and Phase 2 are up, but I can't get a ping reply or a connection to the remote LAN.

Thanks!

Hi,
Just solved.
The VPN is set up between a MikroTik RouterOS v6.40.4 (stable) and a Fortigate. The MikroTik router is configured in aggressive mode (dial-up).
The problem was: I had the wrong source address in the SA src field. As emils said, this should be the IP of the MikroTik's WAN port, even though it is a LAN IP which it receives from the internet router.

After correcting this setting, Phase 2 came up, but I was unable to ping the network (LAN) on the other side of the VPN.

I additionally set up two firewall rules:
First: chain forward, ipsec policy: in, ipsec
Second: chain forward, ipsec policy: out, ipsec
Both with action accept.

So my firewall rules are now sorted like this:
dummy connection to show fasttrack counters
accept established,related, untracked
accept ICMP
accept in ipsec policy
accept out ipsec policy
fasttrack

After that there is a row of drop rules.

Still no connection. Then I tried to play with the VPN settings on the MikroTik and switched off NAT Traversal in IPSEC/Peers.
After that it worked. I have no clue why it is working now, because this is a NAT traversal network situation.

The only thing: the Fortigate also has the VPN set up with the NAT-Traversal setting active. Should this only be active at one VPN endpoint?
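For readers who want the same setup in CLI form, here is an added RouterOS v6.40-style script (not an export from the poster's router) that reproduces the policy, peer, proposal and firewall settings from the two posts above, and adds the one item the thread asks about but never shows: a srcnat bypass. The xxx.yyy octets are the thread's own placeholders; the pre-shared key "MySecret", the FQDN "mt.example.com" and the assumption that a masquerade rule exists on the WAN interface are mine.

```routeros
# Added example, not the thread's own configuration. Assumes RouterOS 6.40.x
# (pre-6.43 peer syntax) and that a srcnat masquerade rule is already present.

# Phase 2 proposal: must match the Fortigate side (sha1 / 3des / modp2048 / 1d)
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des \
    lifetime=1d pfs-group=modp2048

# Phase 1 peer: aggressive mode with a pre-shared key, NAT-T enabled.
# "MySecret" and "mt.example.com" are assumed values.
/ip ipsec peer add address=81.28.xxx.yyy/32 port=500 auth-method=pre-shared-key \
    secret="MySecret" exchange-mode=aggressive send-initial-contact=yes \
    nat-traversal=yes my-id=fqdn:mt.example.com generate-policy=no lifetime=1d \
    dpd-interval=2m dpd-maximum-failures=5 proposal-check=obey

# Policy: the SA source is the MikroTik's own WAN address (the private one it
# got from the internet router), not the public IP; NAT-T handles the rest.
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.239.xxx.yyy/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=192.168.0.101 sa-dst-address=81.28.xxx.yyy proposal=default

# srcnat bypass, inserted at the top of the NAT table. Without it the LAN
# traffic is masqueraded to 192.168.0.101 before the IPsec policy is matched,
# so it never enters the tunnel even though both phases are up.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.239.xxx.yyy/24 place-before=0 \
    comment="bypass NAT for IPsec traffic"

# Forward-chain accepts for traffic covered by an IPsec policy. These belong
# above the fasttrack rule, as in the poster's rule order: a fasttracked
# connection skips the rest of the firewall and can bypass the IPsec policy.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="accept out ipsec policy"
```

After pasting this, the useful checks are /ip ipsec installed-sa print (a pair of SAs should exist with the 192.168.0.101 and 81.28.xxx.yyy endpoints) and the counters on the two forward rules and the srcnat bypass rule while pinging a host in 10.239.xxx.yyy/24: if the bypass counter stays at zero, the rule sits below masquerade or the addresses do not match the policy.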

Could you show your MikroTik config? I think I have the same problem. The VPN is established but there is no ping.