We recently purchased some RB2011iLs and I have an IPSec problem between one of them and a Watchguard XTM26 I'm hoping someone can help me with. I've reviewed the MikroTik Wiki for IPSec examples and details such as NAT bypass and even used some other online configuration examples, but I'm still not fully working. The policy shows established, but the networks can't seem to reach each other across the IPSec tunnel.
The RB2011iL is loaded with 6.38.5 and the firmware upgraded to 3.33. Here are the configuration settings:
The Peers are local – 123.45.67.246, remote 34.56.78.125
The networks for policy are local – 192.168.10.0/24, remote 192.168.30.0/24
[userA@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 bridge-local
1 ;;; ClientA LAN
192.168.10.254/24 192.168.10.0 bridge-local
2 ;;; ClientA WAN Static IP
123.45.67.246/26 123.45.67.192 ether1-gateway
[userA@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept connection-state=established,related
src-address=192.168.10.0/24 dst-address=192.168.30.0/24
1 chain=forward action=accept connection-state=established,related
src-address=192.168.30.0/24 dst-address=192.168.10.0/24
2 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
3 ;;; Allow SSH input
chain=input action=accept protocol=tcp src-address=12.34.56.102
dst-port=22 log=no log-prefix=""
4 ;;; Allow WINBOX Port 8291
chain=input action=accept protocol=tcp dst-port=8291
5 ;;; Allow IPSec Traffic UDP 500
chain=input action=accept protocol=udp dst-address=123.45.67.246
dst-port=500 log=no log-prefix=""
6 ;;; Allow IPSec Traffic IPSEC-ESP
chain=input action=accept protocol=ipsec-esp dst-address=123.45.67.246
log=no log-prefix=""
7 ;;; Allow IPSec Traffic UDP Port 4500
chain=input action=accept protocol=udp dst-address=123.45.67.246
dst-port=4500 log=no log-prefix=""
8 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""
9 ;;; default configuration
chain=forward action=accept protocol=icmp log=no log-prefix=“”
10 ;;; default configuration
chain=input action=accept connection-state=established,related log=no
log-prefix=""
11 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no
log-prefix=""
12 ;;; default configuration
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
13 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
14 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
15 ;;; default configuration
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1-gateway log=no
log-prefix=""
[userA@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Network Traffic to accept before encrypt.
chain=srcnat action=accept src-address=192.168.10.0/24
dst-address=192.168.30.0/24 log=no log-prefix=""
1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no
log-prefix=""
[userA@MikroTik] > /ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=notrack src-address=192.168.10.0/24
dst-address=192.168.30.0/24
1 chain=prerouting action=notrack src-address=192.168.30.0/24
dst-address=192.168.10.0/24
2 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
[userA@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 ;;; ClientA VoIP Phase 1
address=34.56.78.125/32 local-address=123.45.67.246
auth-method=pre-shared-key secret="somesecret" generate-policy=no
policy-template-group=ClientA exchange-mode=ike2
send-initial-contact=no my-id=address:123.45.67.246
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024,modp768
lifetime=8h dpd-interval=2m
[userA@MikroTik] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name=“default” auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-256-ctr lifetime=8h pfs-group=modp1024
1 name=“SiteA” auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=8h
pfs-group=modp1024
[userA@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * ;;; default policy - disabled
group=default src-address=0.0.0.0/32 dst-address=0.0.0.0/32
protocol=all proposal=default template=yes
1 A src-address=192.168.10.0/24 src-port=any dst-address=192.168.30.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=123.45.67.246
sa-dst-address=34.56.78.125 proposal=Lacey priority=0 ph2-count=1
[userA@MikroTik] > /log print
<..SNIP..> Most recent logs below
08:35:51 ipsec sending dpd packet
08:35:51 ipsec,debug,packet => outgoing plain packet (size 0x1c)
08:35:51 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 00202508 00000009 0000001c
08:35:51 ipsec adding payload: ENC
08:35:51 ipsec,debug => (size 0x28)
08:35:51 ipsec,debug 00000028 b42b17bb b8ab7c23 e251f929 cf90d9a3 40775c4d c709fff8 00000028
08:35:51 ipsec,debug 7a2d3304 afa39450
08:35:51 ipsec,debug ===== sending 68 bytes from 123.45.67.246[4500] to 34.56.78.125[4500]
08:35:51 ipsec,debug 1 times of 72 bytes message will be sent to 34.56.78.125[4500]
08:35:51 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 2e202508 00000009 00000044 00000028
08:35:51 ipsec,debug,packet b42b17bb b8ab7c23 e251f929 cf90d9a3 40775c4d c709fff8 2f4f64d0 4ee905a5
08:35:51 ipsec,debug,packet e653d098
08:35:52 ipsec,debug ===== received 60 bytes from 34.56.78.125[4500] to 123.45.67.246[4500]
08:35:52 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 2e202520 00000009 0000003c 00000020
08:35:52 ipsec,debug,packet 70d04431 d16b1c6d 54b0f190 7278835d e405bf04 90cce87a 2663cdcf
08:35:52 ipsec ike2 reply, exchange: INFORMATIONAL:9 34.56.78.125[4500]
08:35:52 ipsec payload seen: ENC
08:35:52 ipsec processing payload: ENC
08:35:52 ipsec,debug => iv (size 0x8)
08:35:52 ipsec,debug 70d04431 d16b1c6d
08:35:52 ipsec,debug decrypted
08:35:52 ipsec,debug,packet => decrypted packet (size 0x0)
08:35:52 ipsec respond: info
08:35:52 ipsec,debug reply ignored
08:37:52 ipsec sending dpd packet
08:37:52 ipsec,debug,packet => outgoing plain packet (size 0x1c)
08:37:52 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 00202508 0000000a 0000001c
08:37:52 ipsec adding payload: ENC
08:37:52 ipsec,debug => (size 0x38)
08:37:52 ipsec,debug 00000038 90cce87a 2663cdcf 92145951 f2f39a4e 682bb572 1f947f14 26f4dc5d
08:37:52 ipsec,debug 2a99c798 51b2a17a fd62a1c3 21054c61 63657921 07646566
08:37:52 ipsec,debug ===== sending 84 bytes from 123.45.67.246[4500] to 34.56.78.125[4500]
08:37:52 ipsec,debug 1 times of 88 bytes message will be sent to 34.56.78.125[4500]
08:37:52 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 2e202508 0000000a 00000054 00000038
08:37:52 ipsec,debug,packet 90cce87a 2663cdcf 92145951 f2f39a4e 682bb572 1f947f14 26f4dc5d 2a99c798
08:37:52 ipsec,debug,packet 51b2a17a fd62a1c3 8c643a6b e23f805a ace98ae9
08:37:52 ipsec,debug ===== received 60 bytes from 34.56.78.125[4500] to 123.45.67.246[4500]
08:37:52 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 2e202520 0000000a 0000003c 00000020
08:37:52 ipsec,debug,packet cbfc67fa 83c1f3d7 41fe00bc 752a2691 5deda250 0c43e888 c1b44116
08:37:52 ipsec ike2 reply, exchange: INFORMATIONAL:a 34.56.78.125[4500]
08:37:52 ipsec payload seen: ENC
08:37:52 ipsec processing payload: ENC
08:37:52 ipsec,debug => iv (size 0x8)
08:37:52 ipsec,debug cbfc67fa 83c1f3d7
08:37:52 ipsec,debug decrypted
08:37:52 ipsec,debug,packet => decrypted packet (size 0x0)
08:37:52 ipsec respond: info
08:37:52 ipsec,debug reply ignored
08:39:52 ipsec sending dpd packet
08:39:52 ipsec,debug,packet => outgoing plain packet (size 0x1c)
08:39:52 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 00202508 0000000b 0000001c
08:39:52 ipsec adding payload: ENC
08:39:52 ipsec,debug => (size 0x40)
08:39:52 ipsec,debug 00000040 0c43e888 c1b44116 c227b3d8 eec1d422 b0aea62f 252d2957 5d53a757
08:39:52 ipsec,debug 47f91b35 71051d9f 5d1b7969 2ecdcb74 b7955f4c 00000001 ffffffff 00000002
08:39:52 ipsec,debug ===== sending 92 bytes from 123.45.67.246[4500] to 34.56.78.125[4500]
08:39:52 ipsec,debug 1 times of 96 bytes message will be sent to 34.56.78.125[4500]
08:39:52 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 2e202508 0000000b 0000005c 00000040
08:39:52 ipsec,debug,packet 0c43e888 c1b44116 c227b3d8 eec1d422 b0aea62f 252d2957 5d53a757 47f91b35
08:39:52 ipsec,debug,packet 71051d9f 5d1b7969 2ecdcb74 b7955f4c 7bfb0c60 c71b6313 0a06f028
08:39:53 ipsec,debug ===== received 60 bytes from 34.56.78.125[4500] to 123.45.67.246[4500]
08:39:53 ipsec,debug,packet 31f471d2 d38f867d eaba75dc a4626a42 2e202520 0000000b 0000003c 00000020
08:39:53 ipsec,debug,packet 75693e61 d5e036cd be59a01b 3581d8f2 56002f3f 2930650a af4c793d
08:39:53 ipsec ike2 reply, exchange: INFORMATIONAL:b 34.56.78.125[4500]
08:39:53 ipsec payload seen: ENC
08:39:53 ipsec processing payload: ENC
08:39:53 ipsec,debug => iv (size 0x8)
08:39:53 ipsec,debug 75693e61 d5e036cd
08:39:53 ipsec,debug decrypted
08:39:53 ipsec,debug,packet => decrypted packet (size 0x0)
08:39:53 ipsec respond: info
08:39:53 ipsec,debug reply ignored
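An offline check of the kind a reviewer runs over a RouterOS 6.x site-to-site IPsec setup, added here as an example; it is not MikroTik's code and not part of the post above. It parses the plain-text output of `/ip ipsec peer print`, `/ip firewall nat print`, `/ip firewall filter print` and `/ip firewall raw print` and reports three things: phase-1 algorithms that are below current guidance (the posted peer uses 3DES, SHA-1 and MODP768/1024, all of which RouterOS 6.x still accepts but which should be replaced by AES-256, SHA-256 and MODP2048 or better on a new tunnel), whether the srcnat accept for the tunnel subnets is evaluated before the masquerade rule (the NAT-bypass ordering the post already has), and whether tunnel traffic is kept out of fasttrack, either by a raw notrack pair as in the post or by a forward accept placed before the fasttrack rule, since on 6.x fasttracked packets skip IPsec policy processing. The embedded transcripts are constructed, shortened copies modelled on the post; the subnet constants, the `WEAK` table and all function names are the example's own.

```python
"""Offline lint for a RouterOS 6.x site-to-site IPsec setup (added example, not MikroTik code).
Parses the text of `/ip ipsec peer|firewall nat|firewall filter|firewall raw print` and checks
phase-1 algorithm strength, NAT-bypass ordering and fasttrack exclusion of tunnel traffic."""
import re

LOCAL_NET, REMOTE_NET = "192.168.10.0/24", "192.168.30.0/24"   # tunnel subnets from the post

# Accepted by RouterOS 6.x but below current guidance for a new tunnel (assumed cut-off).
WEAK = {
    "enc-algorithm": {"des", "3des"},
    "hash-algorithm": {"md5", "sha1"},
    "dh-group": {"modp768", "modp1024"},
}
HEAD = re.compile(r"^(\d+)((?:\s+[A-Z*])*)\s*(.*)$")  # index, flag letters, rest of line
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')            # key=value or key="quoted value"


def parse_print(text):
    """RouterOS `print` output -> list of dicts (index, flags, comment, key=value pairs)."""
    records = []
    for line in text.splitlines():
        line = line.strip()                            # continuation lines are indented
        if not line or line.startswith(("Flags:", "[")):
            continue
        m, rest = HEAD.match(line), line
        if m and (not m.group(3) or m.group(3).startswith(";;;") or "=" in m.group(3)):
            rest = m.group(3)
            rec = {"index": int(m.group(1)), "flags": m.group(2).split(), "comment": ""}
            if rest.startswith(";;;"):                 # ';;; text' is the rule comment
                rec["comment"], rest = rest[3:].strip(), ""
            records.append(rec)
        if records:                                    # merge key=value into current record
            records[-1].update({k: v.strip('"') for k, v in KV.findall(rest)})
    return records


def covers(rule, src, dst):
    return rule.get("src-address") == src and rule.get("dst-address") == dst


def weak_ike(peer):
    """Every weak phase-1 setting on a peer record, e.g. ['enc-algorithm=3des', ...]."""
    return [f"{key}={v}" for key, bad in WEAK.items()
            for v in peer.get(key, "").split(",") if v in bad]


def nat_bypass_ok(nat_rules):
    """True if an srcnat accept for local->remote runs before masquerade (print order)."""
    for rule in nat_rules:
        if rule.get("chain") != "srcnat":
            continue
        if rule.get("action") == "accept" and covers(rule, LOCAL_NET, REMOTE_NET):
            return True
        if rule.get("action") == "masquerade":         # inner packets would be NATed first
            return False
    return False


def fasttrack_safe(filter_rules, raw_rules):
    """Each tunnel direction needs a raw notrack rule (untracked connections cannot be
    fasttracked) or a forward accept placed before the fasttrack rule."""
    fwd = [r for r in filter_rules if r.get("chain") == "forward"]
    ft = [i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"]
    if not ft:
        return True
    for src, dst in ((LOCAL_NET, REMOTE_NET), (REMOTE_NET, LOCAL_NET)):
        notrack = any(r.get("action") == "notrack" and covers(r, src, dst) for r in raw_rules)
        early = any(r.get("action") == "accept" and covers(r, src, dst) for r in fwd[:ft[0]])
        if not (notrack or early):
            return False
    return True


# Constructed, shortened transcripts modelled on the post (same addresses and rule order).
PEER_PRINT = """\
 0   ;;; ClientA VoIP Phase 1
     address=34.56.78.125/32 local-address=123.45.67.246 exchange-mode=ike2
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024,modp768
"""
NAT_PRINT = """\
 0   ;;; Network Traffic to accept before encrypt.
     chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24
 1   chain=srcnat action=masquerade out-interface=ether1-gateway
"""
FILTER_PRINT = """\
 0   chain=forward action=accept connection-state=established,related
     src-address=192.168.10.0/24 dst-address=192.168.30.0/24
 1   chain=forward action=accept connection-state=established,related
     src-address=192.168.30.0/24 dst-address=192.168.10.0/24
 2   chain=forward action=fasttrack-connection connection-state=established,related
"""
RAW_PRINT = """\
 0   chain=prerouting action=notrack src-address=192.168.10.0/24 dst-address=192.168.30.0/24
 1   chain=prerouting action=notrack src-address=192.168.30.0/24 dst-address=192.168.10.0/24
"""


def report():
    """Run the three checks over the sample transcripts."""
    return {"weak_ike": weak_ike(parse_print(PEER_PRINT)[0]),
            "nat_bypass_ok": nat_bypass_ok(parse_print(NAT_PRINT)),
            "fasttrack_safe": fasttrack_safe(parse_print(FILTER_PRINT), parse_print(RAW_PRINT))}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

To use it on a real router, paste the four `print` outputs (the normal terminal form, not `print terse`) into the four string constants and set the two subnet constants to the policy's src/dst. The parser keys on the leading rule index and treats indented lines as continuations, which is how the terminal wraps long rules; the order of parsed records is the order the firewall evaluates them, which is what both the NAT-bypass and fasttrack checks depend on.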