IPSec VPN through RB2011 isn't passing traffic through tunnel

kbuska · August 28, 2015, 1:54pm

A few clients have complained that when we moved one of our providers onto a RB2011 temporarily, there Cisco site to site vpn’s couldn’t pass traffic. They said the connection would establish but they couldn’t pass any traffic through the tunnel. I don’t have much details as to there setup other then they use Cisco ASA or ISR on each end of the tunnel and at one point traverses the RB2011 with no firewall or nat rules. We had a netmap rule for certain blocks but have since disabled the natmap rules as the customer is using public IP on there routers within our network. Our assumption was they were using a private ip.

Our setup worked fine when we were using a Cisco router so the only change is we moved this provider to the Mikrotik device.

I can see tcp/udp and ipsec traffic from both sides of the connection but its kilobytes of data.

Most of what I read on the forum has to do with setting up IPSec using a Mikrotik router as a termination point, not simply a pass through. Since I don’t have firewall rules, and no nat translations are being performed for the referenced subnet, is there anything I need to do in order to ensure this traffic gets routed through?

Thank you for reading my post.

kbuska · August 28, 2015, 1:56pm

kbuska:

A few clients have complained that when we moved one of our providers onto a RB2011 temporarily, there Cisco site to site vpn’s couldn’t pass traffic. They said the connection would establish but they couldn’t pass any traffic through the tunnel. I don’t have much details as to there setup other then they use Cisco ASA or ISR on each end of the tunnel and at one point traverses the RB2011 with no firewall or nat rules. We had a netmap rule for certain blocks but have since disabled the natmap rules as the customer is using public IP on there routers within our network. Our assumption was they were using a private ip.

Our setup worked fine when we were using a Cisco router so the only change is we moved this provider to the Mikrotik device.

I can see tcp/udp and ipsec traffic from both sides of the connection but its kilobytes of data.

Most of what I read on the forum has to do with setting up IPSec using a Mikrotik router as a termination point, not simply a pass through. Since I don’t have firewall rules, and no nat translations are being performed for the referenced subnet, is there anything I need to do in order to ensure this traffic gets routed through?

Thank you for reading my post.

I should mention we are running the lastest 6.31 RouterOS.

patrick7 · August 28, 2015, 2:03pm

Did you exclude it from NAT and FastTrack?

kbuska · August 28, 2015, 2:18pm

exclude? I didn’t have “not” nat statements if that is what you mean.

Also I didn’t have any FastTrack statements.

mrz · August 28, 2015, 2:29pm

RouterOS forwards everything no matter if it is ipsec or any other kind of traffic unless you have firewall rules set to drop something.
You can check MTUs, maybe ciscos are configured to use a lot larger packets than standard 1500bytes.

kbuska · August 28, 2015, 2:54pm

Thank you for your reply. Our layer 2 switches are set to 1526 MTU and the Cisco interfaces were set to 1500 MTU. I need to read up more on Mikrotik MTU vs L2MTU. I read somewhere that it could have been a packet fragmentation issue but the client indicates there MTU size is set to 1500 or below.

-Ken

patrick7 · August 28, 2015, 4:42pm

If you are using NAT, you have to add an “accept” rule in the NAT table. I also had problems with using IPsec + FastTrack on the same device. I exclude all IPsec related traffic vom FastTrack:

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec

And

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related

kbuska · August 28, 2015, 5:07pm

patrick7:

If you are using NAT, you have to add an “accept” rule in the NAT table. I also had problems with using IPsec + FastTrack on the same device. I exclude all IPsec related traffic vom FastTrack:
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
And
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related

So are you saying that it doesn’t matter if the NAT statements you use don’t apply to that subnet, if you use any NAT statements at all, you have to exclude IPSec connections in a mangle rule?

Cheers,

patrick7 · August 28, 2015, 6:36pm

The mangle rule is to exclude ipsec from FastTrack. You need the NAT-rule BEFORE any SRCNAT rules, because otherwise it will change the source address and the packet will not match any ipsec policy anymore.

kbuska · August 28, 2015, 7:32pm

[quote=“patrick7”]The mangle rule is to exclude ipsec from FastTrack. You need the NAT-rule BEFORE any SRCNAT rules, because otherwise it will change the source address and the packet will not match any ipsec policy anymore.[/quote

That is only if the NAT rule applies to that source address, yes?