Mikrotik + Sophos + Ipsec

Trying to establish a site-to-site VPN connection. My Sophos UTM 9 is present in Remote Peers.

Sophos IPsec log:

2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: received Vendor ID payload [RFC 3947]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: ignoring Vendor ID payload [Cisco-Unity]
2014:03:25-13:51:30 gw pluto[5907]: packet from mikrotik-ip: received Vendor ID payload [Dead Peer Detection]
2014:03:25-13:51:30 gw pluto[5907]: "S_vgmu<->gw.7733.ru"[18] 37.230.229.228 #9933: responding to Main Mode from unknown peer mikrotik-ip
2014:03:25-13:51:30 gw pluto[5907]: "S_vgmu<->gw.7733.ru"[18] 37.230.229.228 #9933: NAT-Traversal: Result using RFC 3947: no NAT detected
2014:03:25-13:51:30 gw pluto[5907]: "S_vgmu<->gw.7733.ru"[18] 37.230.229.228 #9933: Peer ID is ID_USER_FQDN: 'mikrotik-id'
2014:03:25-13:51:30 gw pluto[5907]: "S_vgmu<->gw.7733.ru"[19] 37.230.229.228 #9933: Dead Peer Detection (RFC 3706) enabled
2014:03:25-13:51:30 gw pluto[5907]: "S_vgmu<->gw.7733.ru"[19] 37.230.229.228 #9933: sent MR3, ISAKMP SA established


And nothing more after that.

My other remote servers usually send Quick Mode messages after that.


MikroTik config:

ip ipsec peer print
Flags: X - disabled
 0   address=37.230.229.253/32 local-address=0.0.0.0 passive=no port=500
     auth-method=pre-shared-key secret="GfhjkmLkzGjlrk.xtybzFgntr"
     generate-policy=port-override exchange-mode=main
     send-initial-contact=yes nat-traversal=yes
     my-id-user-fqdn="VGMU.7733.ru" proposal-check=obey hash-algorithm=md5
     enc-algorithm=3des dh-group=modp768 lifetime=1h lifebytes=0
     dpd-interval=2m dpd-maximum-failures=5

ip ipsec proposal print
Flags: X - disabled, * - default
 0 * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1h
     pfs-group=modp768
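The log above ends at "sent MR3, ISAKMP SA established": Phase 1 completed and the Sophos then waits for the MikroTik to open Quick Mode, which never happens. Below is an added example, not code from the post or from either vendor, that groups pluto log lines by remote peer and reports how far each negotiation got. The message fragments it matches ("responding to Quick Mode", "IPsec SA established", "no connection is known") are assumed from Openswan/strongSwan pluto wording rather than taken from the post, and the sample log lines are constructed, with RFC 5737 addresses in place of the real ones.

```python
"""Classify where an IKEv1 negotiation stopped, from Sophos UTM 9 pluto log lines."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# One pluto line as written to the UTM IPsec log.  The connection name is quoted;
# forum copy-paste often turns the quotes into curly ones, so both forms are accepted.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:["\u201c](?P<conn>[^"\u201d]+)["\u201d]\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): )?'
    r'(?:packet from (?P<src>\S+): )?'
    r'(?P<msg>.*)$'
)

# Message fragments emitted as the responder walks through the exchange.
# Assumed pluto wording (Openswan/strongSwan 4.x); only "ISAKMP SA established" is in the post.
MARKERS = (
    ("main_mode",     "responding to Main Mode"),
    ("isakmp_sa",     "ISAKMP SA established"),
    ("quick_mode",    "responding to Quick Mode"),
    ("no_connection", "no connection is known"),
    ("ipsec_sa",      "IPsec SA established"),
)
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\S+): ['\u2018](?P<value>[^'\u2019]*)['\u2019]")
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (?P<result>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or return None for a line that is not pluto's."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Collect, per remote peer address, which markers appeared plus peer ID and NAT result."""
    peers: Dict[str, dict] = defaultdict(
        lambda: {"markers": set(), "peer_id": None, "nat": None, "sas": set()}
    )
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["peer"] is None:
            continue  # vendor-ID chatter before a state exists carries no negotiation state
        facts = peers[rec["peer"]]
        facts["sas"].add(int(rec["sa"]))
        msg = rec["msg"]
        for name, text in MARKERS:
            if text in msg:
                facts["markers"].add(name)
        pid = PEER_ID_RE.search(msg)
        if pid:
            facts["peer_id"] = (pid["kind"], pid["value"])
        nat = NAT_RE.search(msg)
        if nat:
            facts["nat"] = nat["result"]
    return dict(peers)


def diagnose(facts: dict) -> str:
    """Name the furthest stage reached; Phase 1 without any Quick Mode is the post's situation."""
    m = facts["markers"]
    if "ipsec_sa" in m:
        return "established"
    if "no_connection" in m:
        return "phase2_rejected_no_matching_connection"
    if "quick_mode" in m:
        return "phase2_in_progress"
    if "isakmp_sa" in m:
        return "phase1_only_no_quick_mode"
    if "main_mode" in m:
        return "phase1_in_progress"
    return "no_negotiation"


def classify(lines: Iterable[str]) -> Dict[str, str]:
    """Map each remote peer address seen in the log to its verdict."""
    return {peer: diagnose(facts) for peer, facts in summarize(lines).items()}


# Constructed sample mirroring the shape of the post's log (RFC 5737 addresses, made-up names).
PHASE1_ONLY = """\
2014:03:25-13:51:30 gw pluto[5907]: packet from 198.51.100.7: received Vendor ID payload [RFC 3947]
2014:03:25-13:51:30 gw pluto[5907]: packet from 198.51.100.7: received Vendor ID payload [Dead Peer Detection]
2014:03:25-13:51:30 gw pluto[5907]: "S_branch"[18] 198.51.100.7 #9933: responding to Main Mode from unknown peer 198.51.100.7
2014:03:25-13:51:30 gw pluto[5907]: "S_branch"[18] 198.51.100.7 #9933: NAT-Traversal: Result using RFC 3947: no NAT detected
2014:03:25-13:51:30 gw pluto[5907]: "S_branch"[18] 198.51.100.7 #9933: Peer ID is ID_USER_FQDN: 'branch.example.net'
2014:03:25-13:51:30 gw pluto[5907]: "S_branch"[19] 198.51.100.7 #9933: sent MR3, ISAKMP SA established
""".splitlines()

# Same peer, but Quick Mode follows and the tunnel comes up (constructed continuation).
ESTABLISHED = PHASE1_ONLY + """\
2014:03:25-13:51:31 gw pluto[5907]: "S_branch"[19] 198.51.100.7 #9934: responding to Quick Mode proposal {msgid:7e1d0c3a}
2014:03:25-13:51:31 gw pluto[5907]: "S_branch"[19] 198.51.100.7 #9934: IPsec SA established {ESP=>0x0a1b2c3d <0x4e5f6071}
""".splitlines()

if __name__ == "__main__":
    print(classify(PHASE1_ONLY))   # {'198.51.100.7': 'phase1_only_no_quick_mode'}
    print(classify(ESTABLISHED))   # {'198.51.100.7': 'established'}
```

A verdict of phase1_only_no_quick_mode with a MikroTik initiator means the MikroTik never sent a Quick Mode request; it only does so when an IPsec policy matches traffic, and the first post shows a peer and the default proposal but no policy at all. The opposite failure, phase2_rejected_no_matching_connection, is the Sophos side refusing a Quick Mode because its connection's local/remote networks do not match what the MikroTik proposed.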

Have you upgraded your router to the latest version, 6.11?

Yes. Frankly speaking, I have already solved this problem. I will write the manual in the near future.

Great

Hello Team, I hope you are all fine.

I have a problem with my IPsec VPN between multiple sites. My 5 sites are connected through the same ISP with MikroTik router IPsec tunnels. The sites are a, b, c, d, e. Site a is my head office and sites b, c, d, e are my clients (branches). All clients are connected with the head office (a) through IPsec tunnels and working properly. But the problem is that (b) is not connected to (c, d, e), (c) is not connected to (b, d, e), (d) is not connected to (b, c, e) and (e) is not connected to (b, c, d). In other words, (b, c, d, e) are not connected to each other. All sites have different subnets.
Kindly give me some help on what I should do on my head office MikroTik router (a).

Although I added the subnets in the routes option of my branches, the issue is the same.


Regards
Sohaib

OK, the last reply was 25 March. I'm wondering if it is possible to connect a MikroTik router with a Sophos router through an IPsec VPN.
I hope you guys can help me.

This is what I have on the Sophos side:
-WAN: Static public IP
-LAN: Port1 to Switch 192.168.2.0/24

And this on the MikroTik side:
WAN: PPPoE Dynamic Public IP
LAN: Bridge (Ether2, Ether3,Ether4, Ether5)

I was trying to connect both branches through a PPTP VPN, but it only works in one direction (MikroTik to Sophos).

That's all, regards

Did you? I'm trying to connect a MikroTik and a Sophos through VPN.

Dear Msosa,
We are using a Sophos UTM HW appliance v9.5 as IPsec concentrator and MikroTiks from version 6.38.1 to the latest 6.40.4, and it is working. The central side has a static IP mapped directly on the interface.

The MikroTik side does not have a publicly routable address (O2 LTE, dynamic, or behind NAT of a local WiFi provider); all these configurations work, but the connection cannot be established from both sides. For a fully bidirectional tunnel we need two public IP addresses.
But it works; we get P2 up using MikroTik Netwatch on the P2 segments.

On the Sophos side create this:

Policy name: Mikrotik. I use our working settings like this:
P1
IKE encryption: AES 256
IKE authentication: SHA2 256
IKE SA lifetime: 7800
IKE DH group: Group 2 (1024)
P2
IPsec encryption: AES 256
IPsec authentication: SHA2 256
IPsec SA lifetime: 3600
IPsec PFS group: Group 2 (1024)

Strict policy: checked
Compression: unchecked

Remote gateway: set as Respond only (this will initiate probing for the preshared key).
Key: put your unique preshared key; do not share it with other clients.
Remote network: put there the LAN side of the IPsec client, in our case the MikroTik LAN segment.

Advanced: check Support path MTU discovery.

Connections
Remote gateway > we created it, select it.
Local interface > WAN interface of the Sophos UTM
Policy > we created it, select it.

Local network: select all network segments to which the MikroTik as IPsec client will have access; count them, and later create the same number of P2 policies on the MikroTik side for the same segments.
Check Automatic firewall rules.
Check Strict routing.

Sophos Site-to-site > IPsec > Advanced settings

Preshared key settings
Check Enable probing of preshared keys
Apply
Dead peer detection: check
Apply
NAT traversal (NAT-T): check if the client is behind NAT or you are behind NAT
Apply

MikroTik side steps:
1. Src NAT with action accept at the top of the NAT table for each segment (source and target network range from the view of the MikroTik router), the same P2 count as you did on the Sophos before.
2. IP > IPsec > Proposals
/ip ipsec proposal set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=poh.cz
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc lifetime=1h name=proposal1

3. IP > IPsec > Peers
add address=xxx.xxx.xxx.xx/32 dpd-interval=10s enc-algorithm=aes-256 generate-policy=port-override hash-algorithm=sha256 lifetime=8h proposal-check=strict secret=verysecretpassword

(xxx is the IP of the other side | verysecretpassword: change it to your preshared key, the same as on the Sophos side | lifetime=8h is more than on the Sophos P1 side; it works better, don't ask me why)

At this point the MikroTik will log an IPsec success on Phase 1; if not, do not continue, you must fix that first (IPsec ports allowed on the upstream router, IPsec passthrough or similar). The MikroTik will log all its attempts to the log.

4. IP > IPsec > Policies
Create an entry here for every subnet which needs to be available from the remote side, the same count:
Legend:
rrr.rrr.rrr.rrr/rr = remote subnet with mask
www.www.www.www = WAN IP address of the remote endpoint
mmm.mmm.mmm.mmm = MikroTik WAN IP segment; if you are behind NAT put the address from that (private) segment here, if you have a direct public IP put that IP here.
sss.sss.sss.sss/ss = source IP segment; this segment initiates the IPsec request, which must match. This is the MikroTik client's LAN segment; the same segment is on the Sophos, and it must match.

add dst-address=rrr.rrr.rrr.rrr/rr level=unique priority=1 proposal=proposal1 sa-dst-address=www.www.www.www sa-src-address=mmm.mmm.mmm.mmm src-address=sss.sss.sss.sss/ss tunnel=yes

At this point Phase 2 for each subnet will be initiated; you can check them in WinBox under IP > IPsec > Policies by showing the column PH2 State, which should be established.
5. Set a route on the MikroTik so the remote subnet will use the bridge as gateway.

Test with ping from the MikroTik, source interface bridge, target an IP in the remote segment; if the pings work, you win.
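mudmucho's steps 1 to 5 repeat once per subnet pair, and the count on the MikroTik must equal the number of local networks selected on the Sophos connection. Below is an added example, not code from the post or from MikroTik or Sophos, that takes a list of (subnet behind the MikroTik, subnet behind the Sophos) pairs, validates them, and prints the RouterOS 6.x commands for the proposal, peer, NAT accept rules, tunnel policies and routes in the order of the post. The parameter names (sophos_wan, mikrotik_sa_src, psk, the "sophos" proposal name, the "sophos-s2s" comment tag) are my own; the algorithm set (AES-256, SHA2-256, DH and PFS group 2) and the 8h Phase 1 lifetime follow the post, while dh-group=modp1024 and generate-policy=no are written out explicitly where the post relies on defaults.

```python
"""Emit the MikroTik (RouterOS 6.x) side of a Sophos UTM site-to-site IPsec, one policy per subnet pair."""
from ipaddress import ip_address, ip_network
from typing import List, Sequence, Tuple

Pair = Tuple[str, str]  # (subnet behind the MikroTik, subnet behind the Sophos)


def check_pairs(pairs: Sequence[Pair]) -> List[Pair]:
    """Validate the pairs: real network prefixes, no local/remote overlap, no duplicates."""
    seen, out = set(), []
    for local, remote in pairs:
        lnet, rnet = ip_network(local, strict=True), ip_network(remote, strict=True)
        if lnet.overlaps(rnet):
            raise ValueError(f"{lnet} overlaps {rnet}: no traffic could ever match a tunnel policy")
        key = (str(lnet), str(rnet))
        if key in seen:
            raise ValueError(f"duplicate pair {key}")
        seen.add(key)
        out.append(key)
    return out


def routeros_config(sophos_wan: str, mikrotik_sa_src: str, psk: str, pairs: Sequence[Pair],
                    proposal: str = "sophos", bridge: str = "bridge",
                    tag: str = "sophos-s2s") -> List[str]:
    """Return RouterOS CLI lines: proposal, peer, NAT bypass, policies and routes (my own helper)."""
    ip_address(sophos_wan)        # Sophos WAN address (sa-dst-address of every policy)
    ip_address(mikrotik_sa_src)   # MikroTik's own WAN address, private if it sits behind NAT
    if not psk or any(c in psk for c in '"\\'):
        raise ValueError("PSK must be non-empty and contain no double quote or backslash")
    pairs = check_pairs(pairs)
    lines = [
        "/ip ipsec proposal",
        # Phase 2 matching the Sophos policy: AES-256 / SHA2-256 / PFS group 2 (modp1024)
        f"add name={proposal} auth-algorithms=sha256 enc-algorithms=aes-256-cbc "
        f"pfs-group=modp1024 lifetime=1h",
        "/ip ipsec peer",
        # Phase 1: AES-256 / SHA2-256 / DH group 2; 8h lifetime is longer than the Sophos 7800s, as in the post
        f'add address={sophos_wan}/32 exchange-mode=main auth-method=pre-shared-key secret="{psk}" '
        f"enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp1024 lifetime=8h "
        f"dpd-interval=10s proposal-check=strict generate-policy=no nat-traversal=yes",
        "/ip firewall nat",
    ]
    for local, remote in pairs:
        # Step 1: accept rule ahead of masquerade so tunnelled traffic keeps its LAN source address.
        # place-before=0 assumes the srcnat chain already holds at least one rule (the masquerade).
        lines.append(f"add chain=srcnat action=accept src-address={local} dst-address={remote} "
                     f'place-before=0 comment="{tag}"')
    lines.append("/ip ipsec policy")
    for local, remote in pairs:
        # Step 4: one tunnel policy per pair, mirroring the post's template line.
        lines.append(f"add src-address={local} dst-address={remote} sa-src-address={mikrotik_sa_src} "
                     f"sa-dst-address={sophos_wan} tunnel=yes proposal={proposal} level=unique "
                     f'priority=1 comment="{tag}"')
    lines.append("/ip route")
    for _, remote in pairs:
        # Step 5: route the remote subnet via the bridge, as the post does.
        lines.append(f'add dst-address={remote} gateway={bridge} comment="{tag}"')
    return lines


def count_policies(lines: Sequence[str]) -> int:
    """Tunnel policies emitted; must equal the number of local networks picked on the Sophos side."""
    return sum(1 for line in lines if line.startswith("add src-address=") and "tunnel=yes" in line)


if __name__ == "__main__":
    # Constructed example: two subnet pairs, RFC 5737 addresses, placeholder PSK.
    cfg = routeros_config("203.0.113.10", "198.51.100.7", "change-me",
                          [("192.168.88.0/24", "192.168.2.0/24"), ("10.20.0.0/16", "172.16.5.0/24")])
    print("\n".join(cfg))
    print(f"# {count_policies(cfg)} policies; select the same {count_policies(cfg)} local networks on the Sophos")
```

The strict=True prefix check rejects a host address written with a mask (192.168.1.5/24), which is a common way to end up with a policy that never matches. place-before=0 assumes the srcnat chain already has a masquerade rule; on an empty chain leave that argument out. Two practitioner caveats on the thread's first post: its PSK was published together with the config and should be treated as compromised and rotated, and its 3DES/MD5/modp768 set should not be used for anything new; the AES-256/SHA2-256/group 2 set from mudmucho's post is the minimum worth configuring.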

Could you make a YouTube tutorial on this? Extremely interesting.

Sorry, I do not have time to create a YouTube video for this.

I hope the description is enough for setting up a working connection.

Did you have any concrete problem in your setup? Any error messages in the log or problems in the settings?
I will try to help you if I know where the problem is.

Hi, mudmucho. Thanks for the description.
The connection is working, but ping does not. I can ping any PC from the Sophos to the MikroTik but can't ping any PC from the MikroTik to the Sophos. The MikroTik doesn't know where the Sophos local network is.

Hi @kuzma,

I have the same problem as you. Did you solve it? How?

Thank you.