IPSec VPN (Sonciwall to MTK)

htikeaungkyaw · July 11, 2019, 8:54am

Hi all,
I’d like to discuss about site to site IKE VPN (Sonicwall to MTK). I used aggressive mode because one of the site is behind double NAT. I successfully established the VPN. Now my problem is I can able to reach from the Sonicwall LAN to MTK LAN but I can’t reach from MTK LAN to Sonicwall LAN. I think there’s no Route to Sonicwall LAN. In the /ip route, I can see reachable. Is anybody got experience like this? I’m also attach my whole config below. I’m wondering if you can share me…
Thank you

[admin@MikroTik] /ip> ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0xD03602A src-address=158.140.147.9:4500 dst-address=192.168.8.100:4500 state=dying
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key=“4622762400aede9bb7af27413172537a2cde6072”
enc-key=“c1b061ba2c499a2a60672d53a2db8eb5f01a8173eb14e32b” addtime=jul/11/2019 18:28:09
expires-in=4m46s add-lifetime=24m/30m current-bytes=9660 current-packets=115 replay=128

1 E spi=0xDCAB5202 src-address=192.168.8.100:4500 dst-address=158.140.147.9:4500 state=dying
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key=“28c4519ae1066429b177179af9cc82f4c65e6746”
enc-key=“06450d5cf8a4630fa997c6e2fdfd30be53a341cb870c4202” addtime=jul/11/2019 18:28:09
expires-in=4m46s add-lifetime=24m/30m current-bytes=9660 current-packets=115 replay=128

2 E spi=0xDFDE972 src-address=158.140.147.9:4500 dst-address=192.168.8.100:4500 state=mature
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key=“16db606d0f0fa9af171aa0d1ecf332794ed97295”
enc-key=“c90e53ed761ccf98fe0c27b5bf2ab73b0b34ba8a48977c80” add-lifetime=24m/30m replay=128

3 E spi=0x8FDBD202 src-address=192.168.8.100:4500 dst-address=158.140.147.9:4500 state=mature
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key=“2e7643348d0563f06dfc401652aaa103278dba82”
enc-key=“ccb3f80a0307e4e8b0129a0676372b603f75ebb4a5407f94” add-lifetime=24m/30m replay=128
MTK.rsc (2.93 KB)

cdiedrich · July 11, 2019, 11:01am

On first sight I see two issues:

Your default masquerade rule is way too loose - it will masquerade everything from anywhere to anywhere. Add your local subnet as src-address and add your WAN-interface as out-interface.
Move your NAT accept rules before your masquerade rule.

and as a side note:
Your firewall looks wide open to WAN. Maybe that is the first point to start securing your router before you do anything else.

-Chris

htikeaungkyaw · July 11, 2019, 3:23pm

Thank you Chris. I’ll make sure close the loophole later. Actually it’s still testing in my lab. Again thank you for replying my post. Do you have any idea on the route which I can’t reach to Sonicwall’s LAN subnet?

cdiedrich · July 12, 2019, 7:21am

I’m pretty sure it’s related to your loose masquerade rule.
Traffic from Sonicwall to your subnet works b/c traffic is NATed to your routers internal IP address which is known to your site.
And I guess that traffic towards the Sonicwall is mostt likely NATed to your WAN IP address so that traffic will be blocked in the Sonicwall.
-Chris