Mikrotik Ipsec VPN tunnel problem

I am unable to set up an IPsec VPN between two MikroTik routers. Router one is an RB750r2 and router 2 is an RB750gr3. I found several tutorials but had no success.
I can't ping hosts from my network 192.168.0.0/24 (router 1) to the remote network (router 2) 172.30.0.0/24, and I also can't ping router 1 hosts from the router 2 network. Any ideas? What am I missing?

Here are the step-by-step Router 1 instructions which I used:

1 - NAT: ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=172.30.0.0/24 action=accept place-before=0

2 - Ipsec proposal: ip ipsec proposal add name=default auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

3 - Ipsec Policies: ip ipsec policy add src-address=192.168.0.0/24 dst-address=172.30.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=11.11.11.11 sa-dst-address=22.22.22.22 proposal=default

4 - Ipsec Peers: ip ipsec peer add address=22.22.22.22 port=500 auth-method=pre-shared-key secret=my_preshared_key exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 generate-policy=no

I used these instructions for Router 2 as well, with the IP addresses reversed of course. I have no phase 1 or phase 2 errors in the log, but as I said I am unable to ping the local IP addresses.

Thanks

Your rules indicate 192.168.0.0/24 and 172.30.0.0/24 not 192.168.0.0/24 and 192.168.1.0/24.

Which networks are correct?

Added a scenario screenshot.

Doesn’t load.

Edited. Thanks.

Keep following that guide you grabbed the pic from. https://firstdigest.com/2014/12/mikrotik-ipsec-vpn/.

To be triple sure. The LAN B subnet you want is 172.30.0.0/24 not 192.168.1.0/24 right? You haven’t clearly stated it yet.

The next step is to add firewall rules to allow the SAs to be negotiated and built.

ip firewall filter add chain=input protocol=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input protocol=udp port=500 action=accept place-before=0
ip firewall filter add chain=input protocol=udp port=4500 action=accept place-before=0

After that you may need to add an input rule to accept the src-address of the other side, respectively, to let traffic actually flow.

Turning on logging can help: System > Logging, add topics: ipsec

In IP > IPsec, Installed SAs you should see two lines indicating that a tunnel was built successfully. If there are no lines, then check your config again, or consult the logs for a helpful message.

Yes, I already followed these instructions without success. LAN B is 172.30.0.0/24. The network 192.168.1.0/24 was my mistake when I wrote this post.

Yes, I see installed SAs on both routers. Here is the log from router 2:

21:18:15 ipsec,debug ===== received 92 bytes from 11.11.11.11[500] to 22.22.22.22[500] 
21:18:15 ipsec,debug,packet 41e2aefb 9d30783f 22640374 4165cd25 08100501 85522b0f 0000005c 007a1599 
21:18:15 ipsec,debug,packet bef3f378 7505bf74 ae7c7ad3 fae7a012 e9bdc3c7 8b4e1fe9 3529305a d74df69a 
21:18:15 ipsec,debug,packet e6f8adb8 2baf2dc2 a5015257 7d77b1c1 fc76a7a2 9ae0001d df845cb5 
21:18:15 ipsec receive Information. 
21:18:15 ipsec,debug compute IV for phase2 
21:18:15 ipsec,debug phase1 last IV: 
21:18:15 ipsec,debug 7c9cec2e f15e1278 3fb9cdf4 5a759483 85522b0f 
21:18:15 ipsec,debug hash(sha1) 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug phase2 IV computed: 
21:18:15 ipsec,debug 00c18e57 b5a0a75a f77df849 ee2e9a60 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug IV was saved for next processing: 
21:18:15 ipsec,debug 7d77b1c1 fc76a7a2 9ae0001d df845cb5 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug with key: 
21:18:15 ipsec,debug 2fba9654 41a7aa2f dd522e60 c8bdd0ec 
21:18:15 ipsec,debug decrypted payload by IV: 
21:18:15 ipsec,debug 00c18e57 b5a0a75a f77df849 ee2e9a60 
21:18:15 ipsec,debug decrypted payload, but not trimed. 
21:18:15 ipsec,debug 0b000018 f8faa003 89f81ef1 31c34f58 7d72e77e a7feacb2 00000020 00000001 
21:18:15 ipsec,debug 01108d28 41e2aefb 9d30783f 22640374 4165cd25 00000ed9 9ba5e5bd b4afaf07 
21:18:15 ipsec,debug padding len=8 
21:18:15 ipsec,debug skip to trim padding. 
21:18:15 ipsec,debug decrypted. 
21:18:15 ipsec,debug 41e2aefb 9d30783f 22640374 4165cd25 08100501 85522b0f 0000005c 0b000018 
21:18:15 ipsec,debug f8faa003 89f81ef1 31c34f58 7d72e77e a7feacb2 00000020 00000001 01108d28 
21:18:15 ipsec,debug 41e2aefb 9d30783f 22640374 4165cd25 00000ed9 9ba5e5bd b4afaf07 
21:18:15 ipsec,debug HASH with: 
21:18:15 ipsec,debug 85522b0f 00000020 00000001 01108d28 41e2aefb 9d30783f 22640374 4165cd25 
21:18:15 ipsec,debug 00000ed9 
21:18:15 ipsec,debug hmac(hmac_sha1) 
21:18:15 ipsec,debug HASH computed: 
21:18:15 ipsec,debug f8faa003 89f81ef1 31c34f58 7d72e77e a7feacb2 
21:18:15 ipsec,debug hash validated. 
21:18:15 ipsec,debug begin. 
21:18:15 ipsec,debug seen nptype=8(hash) len=24 
21:18:15 ipsec,debug seen nptype=11(notify) len=32 
21:18:15 ipsec,debug succeed. 
21:18:15 ipsec 11.11.11.11 notify: R_U_THERE 
21:18:15 ipsec,debug 11.11.11.11 DPD R-U-There received 
21:18:15 ipsec,debug compute IV for phase2 
21:18:15 ipsec,debug phase1 last IV: 
21:18:15 ipsec,debug 7c9cec2e f15e1278 3fb9cdf4 5a759483 9644438e 
21:18:15 ipsec,debug hash(sha1) 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug phase2 IV computed: 
21:18:15 ipsec,debug 23820596 dbb5487d 6c9534c2 88878692 
21:18:15 ipsec,debug HASH with: 
21:18:15 ipsec,debug 9644438e 00000020 00000001 01108d29 41e2aefb 9d30783f 22640374 4165cd25 
21:18:15 ipsec,debug 00000ed9 
21:18:15 ipsec,debug hmac(hmac_sha1) 
21:18:15 ipsec,debug HASH computed: 
21:18:15 ipsec,debug 0244185a 354f9003 f51fb3de a437653f 485e0598 
21:18:15 ipsec,debug begin encryption. 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug pad length = 8 
21:18:15 ipsec,debug 0b000018 0244185a 354f9003 f51fb3de a437653f 485e0598 00000020 00000001 
21:18:15 ipsec,debug 01108d29 41e2aefb 9d30783f 22640374 4165cd25 00000ed9 2d0cba2f b6f5d907 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug with key: 
21:18:15 ipsec,debug 2fba9654 41a7aa2f dd522e60 c8bdd0ec 
21:18:15 ipsec,debug encrypted payload by IV: 
21:18:15 ipsec,debug 23820596 dbb5487d 6c9534c2 88878692 
21:18:15 ipsec,debug save IV for next: 
21:18:15 ipsec,debug b36bb63d b803e481 dcee8b71 34ce19ac 
21:18:15 ipsec,debug encrypted. 
21:18:15 ipsec,debug 92 bytes from 22.22.22.22[500] to 11.11.11.11[500] 
21:18:15 ipsec,debug 1 times of 92 bytes message will be sent to 11.11.11.11[500] 
21:18:15 ipsec,debug,packet 41e2aefb 9d30783f 22640374 4165cd25 08100501 9644438e 0000005c bee5f980 
21:18:15 ipsec,debug,packet 4df820f8 0f75a88e c64d002b ac33b2d3 ff66b4f2 e2fd61f1 5101a6d0 0033a734 
21:18:15 ipsec,debug,packet 7e788a4e ae8c12ce 61516998 b36bb63d b803e481 dcee8b71 34ce19ac 
21:18:15 ipsec sendto Information notify. 
21:18:15 ipsec,debug received a valid R-U-THERE, ACK sent 
21:18:15 ipsec,debug 11.11.11.11 DPD monitoring.... 
21:18:15 ipsec,debug compute IV for phase2 
21:18:15 ipsec,debug phase1 last IV: 
21:18:15 ipsec,debug 7c9cec2e f15e1278 3fb9cdf4 5a759483 86600ab2 
21:18:15 ipsec,debug hash(sha1) 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug phase2 IV computed: 
21:18:15 ipsec,debug 1a16698a 611667bf bead45ee e6842db4 
21:18:15 ipsec,debug HASH with: 
21:18:15 ipsec,debug 86600ab2 00000020 00000001 01108d28 41e2aefb 9d30783f 22640374 4165cd25 
21:18:15 ipsec,debug 00000aac 
21:18:15 ipsec,debug hmac(hmac_sha1) 
21:18:15 ipsec,debug HASH computed: 
21:18:15 ipsec,debug 4eb4b190 9b1a2bcb e9bc0d91 7fc88091 900d62f5 
21:18:15 ipsec,debug begin encryption. 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug pad length = 8 
21:18:15 ipsec,debug 0b000018 4eb4b190 9b1a2bcb e9bc0d91 7fc88091 900d62f5 00000020 00000001 
21:18:15 ipsec,debug 01108d28 41e2aefb 9d30783f 22640374 4165cd25 00000aac d1da4995 6eb7c307 
21:18:15 ipsec,debug encryption(aes) 
21:18:15 ipsec,debug with key: 
21:18:15 ipsec,debug 2fba9654 41a7aa2f dd522e60 c8bdd0ec 
21:18:15 ipsec,debug encrypted payload by IV: 
21:18:15 ipsec,debug 1a16698a 611667bf bead45ee e6842db4 
21:18:15 ipsec,debug save IV for next: 
21:18:15 ipsec,debug 55450edf 42cd9d68 ade010ed 00a44788 
21:18:15 ipsec,debug encrypted. 
21:18:15 ipsec,debug 92 bytes from 22.22.22.22[500] to 11.11.11.11[500] 
21:18:15 ipsec,debug 1 times of 92 bytes message will be sent to 11.11.11.11[500] 
21:18:15 ipsec,debug,packet 41e2aefb 9d30783f 22640374 4165cd25 08100501 86600ab2 0000005c 658ce5be 
21:18:15 ipsec,debug,packet b35057d5 8d23f97f d97c7754 7ee58e6c 97aa70c1 ceb7a258 ec9a1170 df972a79 
21:18:15 ipsec,debug,packet f8e1267a 7b18e856 833de6ce 55450edf 42cd9d68 ade010ed 00a44788 
21:18:15 ipsec sendto Information notify. 
21:18:15 ipsec,debug 11.11.11.11 DPD R-U-There sent (0) 
21:18:15 ipsec,debug 11.11.11.11 rescheduling send_r_u (5).

Normally the problem in such setups is that the routers are doing NAT as well (for internet access from the local networks) and the NAT rules are written in such a way that the traffic between the networks is NATted as well. That causes the tunnel to fail. You will need to modify the NAT rule (or add extra NAT rules) to avoid that, or you can abandon this whole method and use an IPIP tunnel with IPsec protection between the routers, with a /30 network address on the endpoints, and either static routes or some autorouting (e.g. BGP) to add the proper routes to the routing table. As you then have a dedicated interface for the tunnel, the NAT problem (caused by a generic "masquerade what goes out on ether1") no longer occurs.

Do you have fasttrack enabled?
If so disable it for IPSEC traffic.
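The two pitfalls named in the replies above, NAT applied before the IPsec policy check and fasttrack bypassing the policy check, shown as RouterOS commands. This is an added example, not configuration from the original post or the linked guide. It assumes RouterOS 6.x (the `ipsec-policy` firewall matcher), a WAN interface called ether1 on Router 1, and a plain masquerade rule for internet access; the addresses are the placeholders used in the thread. Mirror it on Router 2 with the subnets swapped.

```routeros
# ---- Router 1: LAN 192.168.0.0/24 behind ether1 (11.11.11.11); policy-based IPsec to 172.30.0.0/24 ----

# The usual cause of "SAs are up but nothing pings": srcnat runs before the IPsec policy is
# consulted, so a generic masquerade rewrites 192.168.0.x to 11.11.11.11 and the packet no
# longer matches the policy src-address=192.168.0.0/24 dst-address=172.30.0.0/24.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="internet access (also catches site-to-site traffic)"

# Fix: exempt traffic that has an outbound IPsec policy from NAT, above the masquerade rule.
# (assumed: RouterOS 6.x ipsec-policy matcher; on older versions use the explicit src/dst form below)
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 comment="no NAT for IPsec-policy traffic"
# explicit alternative, the form the original post uses; it must sit above masquerade:
# add chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=172.30.0.0/24 place-before=0
# or exclude IPsec traffic in the masquerade rule itself:
# set [find chain=srcnat action=masquerade out-interface=ether1] ipsec-policy=out,none

# Fasttrack: fasttracked connections skip the IPsec policy check, so accept policy traffic
# in the forward chain before the fasttrack rule.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="decrypted site-to-site traffic"
add chain=forward action=accept ipsec-policy=out,ipsec comment="traffic to be encrypted"
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack everything else"
add chain=forward action=accept connection-state=established,related

# Checks: policies and SAs up, the accept rule counting packets, and a ping sourced from the LAN side
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall nat print stats
/tool ping 172.30.0.1 src-address=192.168.0.1
```

If the `no NAT for IPsec-policy traffic` rule stays at zero packets while you ping, the traffic is not reaching the policy at all (wrong subnets in the policy, or a route sending it elsewhere) rather than being NATted. As a separate caveat, the phase 1 settings in the original post (3des, sha1, modp1024) are weak by current standards; aes-256 with sha256 and modp2048 or better on both peers costs nothing on this hardware class.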

Thanks for the advice, and what is the solution for my configuration?

What I wrote above.
So:

  • remove what you have done until now
  • at each end configure an IPIP tunnel with the external addresses and an IPsec secret
  • at each end add an IP address to the endpoint of the tunnel, e.g. 10.0.0.1/30 and 10.0.0.2/30
    (you can use any private address that is not part of your networks)
  • at each end add IP route(s) to the subnets at the other end via a gateway that is the remote tunnel address
  • or: at each end add a BGP Peer to the other remote tunnel and a BGP Network that is the local network(s).
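The IPIP-over-IPsec procedure from the list above, written out for both routers as an added example (not configuration from the original post). Assumptions: RouterOS 6.x, a WAN interface called ether1 on each router, the tunnel interface names ipip-siteB / ipip-siteA, the transit network 10.0.0.0/30 and the placeholder addresses from the thread; the `ipsec-secret` parameter makes RouterOS create the IPsec peer and policy for the tunnel automatically, using the built-in default profile and proposal.

```routeros
# ===== Router 1 (WAN 11.11.11.11 on ether1, LAN 192.168.0.0/24) =====
/interface ipip
add name=ipip-siteB local-address=11.11.11.11 remote-address=22.22.22.22 \
    ipsec-secret=my_preshared_key comment="site-to-site to 172.30.0.0/24"
/ip address
add address=10.0.0.1/30 interface=ipip-siteB
/ip route
add dst-address=172.30.0.0/24 gateway=10.0.0.2 comment="LAN B via tunnel"

# ===== Router 2 (WAN 22.22.22.22 on ether1, LAN 172.30.0.0/24) =====
/interface ipip
add name=ipip-siteA local-address=22.22.22.22 remote-address=11.11.11.11 \
    ipsec-secret=my_preshared_key comment="site-to-site to 192.168.0.0/24"
/ip address
add address=10.0.0.2/30 interface=ipip-siteA
/ip route
add dst-address=192.168.0.0/24 gateway=10.0.0.1 comment="LAN A via tunnel"

# ===== Firewall on Router 1 (on Router 2 swap the peer address and interface name) =====
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=22.22.22.22 \
    place-before=0 comment="IKE and NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp src-address=22.22.22.22 \
    place-before=0 comment="ESP from peer"
# after decryption the inner IPIP packet (protocol 4) passes the input chain again
add chain=input action=accept protocol=ipip src-address=22.22.22.22 \
    place-before=0 comment="IPIP carried inside IPsec"
# LAN-to-LAN traffic now enters and leaves on the tunnel interface; put these above any drop rule
add chain=forward action=accept in-interface=ipip-siteB comment="from LAN B"
add chain=forward action=accept out-interface=ipip-siteB comment="to LAN B"

# Masquerade stays bound to the WAN interface. Site-to-site packets leave via ipip-siteB,
# so the generic internet NAT rule never sees them and no NAT bypass rule is needed.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="internet access"

# ===== Verification (Router 1) =====
/interface ipip print
/ip ipsec installed-sa print
/ip route print where dst-address=172.30.0.0/24
/tool ping 10.0.0.2
/tool ping 172.30.0.1 src-address=192.168.0.1
```

Test the tunnel endpoint (10.0.0.2) before the remote LAN: if the endpoint answers but the LAN does not, the tunnel and IPsec are fine and the problem is a missing route or forward rule on one side. The default RouterOS firewall only drops forward traffic arriving from the WAN interface list, which the IPIP interface is not part of, but if you have added your own forward drop rules the two accept rules for ipip-siteB must be placed above them.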

Why the BGP peers? Does IPIP not support multicast/broadcast? If not you can use GRE and run OSPF over those for easier configuration. I prefer GRE but I came from Cisco land so it may just be a go-with-what-ya-know reflex.

OSPF easier than BGP? How?
GRE can be used but has more overhead, so don't do that when it is not required for some reason...

Fasttrack is disabled.