And where is the v7 config? It may be that after an upgrade you have to change something in the config.
You can start over with no config and then add config step by step.
here it is:
Config is very simple - ipsec default values - nothing changed
EDIT:
Since the forum has space to post the config, why use a third-party site to host the configuration?
# sep/07/2022 10:58:27 by RouterOS 7.5
# software id = 8Y7Z-MPVF
#
# model = RB750Gr3
/interface pptp-server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# Static PPTP binding for the "komrat" secret (the only service=pptp entry
# under /ppp secret). The PPTP service itself is switched on further down
# under /interface pptp-server server.
add name=pptp-in-komrat user=komrat
/interface bridge
add admin-mac=DC:2C:6E:A5:90:D5 auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface ethernet
# ether2-ether5: advertise only 10/100 and pin speed to 100Mbps. ether1 (the
# WAN member, see /interface list member) is not listed here, so it is
# presumably still at its defaults.
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
/interface l2tp-server
# One static binding interface per L2TP user. A binding gives the tunnel a
# fixed interface name, which is what lets l2tp-in-bendery be used as a
# route gateway and as an /interface list member below.
add name=l2tp-in-b.yurii user=b.yurii
add name=l2tp-in-bend_magazin user=bend_magazin
add name=l2tp-in-bendery user=bendery
add name=l2tp-in-bvp88 user=bvp88
add name=l2tp-in-dimasb user=dimasb
add name=l2tp-in-noodle user=noodle
add name=l2tp-in-oleg user=oleg
add name=l2tp-in-pavel.s user=pavel.s
add name=l2tp-in-rost user=rost
add name=l2tp-in-serghei_sw user=serghei_sw
/interface wireguard
# Two WireGuard interfaces. Only udp/51280 (wg-aaa) is opened in the input
# chain below. The wg-mgmt peer has an endpoint configured, so this router
# initiates that tunnel and inbound 51281 presumably rides on the
# established/related rule.
add listen-port=51280 mtu=1420 name=wg-aaa
add listen-port=51281 mtu=1420 name=wg-mgmt
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# vpn_pool supplies the tunnel-side addresses for vpn_profile below.
add name=default-dhcp ranges=192.168.1.10-192.168.1.99
add name=vpn_pool ranges=10.10.66.10-10.10.66.100
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
/port
set 0 name=serial0
/ppp profile
# only-one=yes: one concurrent session per user name. vpn_profile is the
# profile every /ppp secret below references; change-tcp-mss works around
# the reduced tunnel MTU.
set *0 only-one=yes
add change-tcp-mss=yes local-address=10.10.66.1 name=vpn_profile only-one=yes \
remote-address=vpn_pool
set *FFFFFFFE only-one=yes
/system logging action
set 1 disk-file-name=log
/user group
# Policy of the built-in "full" group. It grants telnet/ftp/api/rest-api
# rights even though those services are disabled under /ip service below
# (the group right and the service switch are independent).
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces; note that the LAN list
# below also contains the l2tp-in-bendery and wg-aaa tunnels.
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# use-ipsec=yes sets up the IPsec peer/policy for L2TP but still accepts
# plain L2TP; use-ipsec=required rejects sessions that do not arrive inside
# IPsec. Combined with the input rule that opens udp/1701 to any source,
# this leaves unencrypted L2TP reachable from the internet - consider
# use-ipsec=required. The ipsec-secret (like every password in this file)
# is not shown: export hides sensitive values unless run with show-sensitive.
set default-profile=vpn_profile enabled=yes one-session-per-host=yes \
use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Putting tunnel interfaces in LAN means the input chain's final
# "drop all not coming from LAN" rule does not apply to them: peers on
# l2tp-in-bendery and wg-aaa can reach every router service (ssh, winbox,
# ...). wg-mgmt is not in LAN; its users are admitted through the "admin"
# address-list rule instead.
add interface=l2tp-in-bendery list=LAN
add interface=wg-aaa list=LAN
/interface ovpn-server server
# OpenVPN server: only the auth (HMAC) list is changed and md5 is still
# accepted. No enabled=yes appears in this export, so the service is
# presumably off.
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# PPTP is enabled. No input rule for tcp/1723 or GRE is present below, so
# from WAN it is reachable only from "admin" address-list sources (that rule
# matches any protocol). "komrat" is the only PPTP user.
set enabled=yes
/interface wireguard peers
# wg-aaa peer: no endpoint, so the remote side must initiate; 1-minute
# keepalive. wg-mgmt peer: endpoint set (anonymized), this router initiates.
# allowed-address limits which sources are accepted from, and which
# destinations are sent to, each peer; the 172.16.x.x prefixes here match
# the static routes pointed at wg-aaa / wg-mgmt further down.
add allowed-address=10.100.9.2/32,172.16.64.0/24,172.16.48.0/24 interface=\
wg-aaa persistent-keepalive=1m public-key=\
"3xHf2EF8FOLsllOj/R5g0WkHKwbuLGU42tIDglyO0kA="
add allowed-address=172.16.100.1/32,172.16.128.240/28 endpoint-address=\
xx.xx.xx.xx endpoint-port=51281 interface=wg-mgmt persistent-keepalive=\
1m public-key="+bOAra4X60R6b2rFrU7x2hZKzrwSZpmpWcYB+GfiVj4="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
# WAN address anonymized by the poster (xx.xx.xx.xx).
add address=xx.xx.xx.xx/30 interface=ether1 network=xx.xx.xx.xx
add address=10.100.9.1/24 interface=wg-aaa network=10.100.9.0
add address=172.16.100.171/24 interface=wg-mgmt network=172.16.100.0
/ip cloud
# The router's public address is published to MikroTik's cloud DDNS service.
set ddns-enabled=yes
/ip dhcp-client
# interface=*2 appears to be an unresolved object reference (the interface
# it pointed at no longer exists); the client is disabled anyway.
add comment=defconf disabled=yes interface=*2
/ip dhcp-server lease
# Static leases keyed by MAC / client-id.
add address=192.168.1.108 client-id=1:d0:50:99:85:31:9e mac-address=\
D0:50:99:85:31:9E server=defconf
add address=192.168.1.106 client-id=1:e0:d5:5e:27:91:1a mac-address=\
E0:D5:5E:27:91:1A server=defconf
add address=192.168.1.107 client-id=1:d8:5e:d3:58:6a:84 mac-address=\
D8:5E:D3:58:6A:84 server=defconf
/ip dhcp-server network
# LAN clients are handed the public resolvers directly rather than the router.
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
# "admin": sources granted unrestricted input access by the filter below
# (one anonymized public address plus the /28 routed over wg-mgmt).
# "allow_rdp_apteka" covers the VPN pool but is not referenced by any rule
# in this export.
add address=xx.xx.xx.xx list=admin
add address=172.16.128.240/28 list=admin
add address=10.10.66.0/24 list=allow_rdp_apteka
/ip firewall filter
# Rules are evaluated top-down, first match wins. Input chain, in order:
#  1. established/related/untracked
#  2. anything from the "admin" address-list (any protocol, any interface)
#  3. udp 500/1701/4500 from any source (IKE, L2TP, NAT-T); 1701 is opened
#     without an ipsec-policy=in,ipsec match
#  4. drop invalid (logged) - placed after two accepts, so invalid packets
#     from admin sources or to those ports are never dropped here
#  5. udp 51280 from any source (wg-aaa)
#  6. ICMP from any source
#  7. drop everything else not arriving on a LAN-list interface
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input src-address-list=admin
add action=accept chain=input comment="l2tp tunnel" dst-port=500,1701,4500 \
protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input dst-port=51280 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain. The two ipsec-policy accepts sit before fasttrack so that
# IPsec-carried traffic is never fasttracked (the stock ordering; the last
# posts in this thread end up disabling fasttrack altogether for the same
# reason). Nothing in this chain limits VPN clients: the only drop is for
# new connections from WAN, the l2tp-in-*/wg-* interfaces are not in WAN,
# and the filter's default action is accept, so every tunnel peer can
# forward to any destination.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# ipsec-policy=out,none: packets that are about to be IPsec-encrypted keep
# their original source address (stock defconf rule).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
# Default route via the (anonymized) upstream gateway, plus per-tunnel
# statics. gateway=*18 is a dangling reference and that route is disabled.
# The L2TP routes use the static binding interface l2tp-in-bendery as
# gateway.
add disabled=no dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx
add disabled=no distance=1 dst-address=172.16.64.0/24 gateway=wg-aaa \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.101.0/24 gateway=*18 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=172.16.128.240/28 gateway=wg-mgmt \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=172.16.136.0/24 gateway=l2tp-in-bendery
add disabled=no distance=1 dst-address=172.16.48.247/32 gateway=wg-aaa \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=172.16.2.0/24 gateway=l2tp-in-bendery \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# telnet/ftp/www/api/api-ssl off. ssh, winbox and www-ssl are not listed,
# so presumably still at their defaults (enabled, no address restriction).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# allow-none-crypto=yes lets a client negotiate the "none" cipher, i.e. an
# unencrypted SSH session; it should be no. forwarding-enabled=remote
# permits remote (-R) port forwarding through this router's SSH service.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# Passwords are hidden by export. One secret per L2TP binding above, plus
# "komrat" (pptp) and "qd", which has no static binding and therefore gets
# a dynamic interface on connect. bendery is pinned to 10.10.66.2, outside
# the vpn_pool range.
add name=rost profile=vpn_profile service=l2tp
add name=komrat profile=vpn_profile service=pptp
add name=noodle profile=vpn_profile service=l2tp
add name=oleg profile=vpn_profile service=l2tp
add name=pavel.s profile=vpn_profile service=l2tp
add local-address=10.10.66.1 name=bendery profile=vpn_profile remote-address=\
10.10.66.2 service=l2tp
add name=b.yurii profile=vpn_profile service=l2tp
add name=serghei_sw profile=vpn_profile service=l2tp
add name=bvp88 profile=vpn_profile service=l2tp
add name=dimasb profile=vpn_profile service=l2tp
add name=bend_magazin profile=vpn_profile service=l2tp
add name=qd profile=vpn_profile service=l2tp
/system clock
set time-zone-name=Europe/Chisinau
/system identity
set name=rb-core.almdn.ext
/system leds
# interface=*1 is another unresolved reference (the RB750Gr3 has no
# built-in wireless interface).
add interface=*1 leds="" type=wireless-status
/system resource irq rps
set ether5 disabled=no
set ether4 disabled=no
set ether3 disabled=no
set ether2 disabled=no
/tool mac-server
# MAC-telnet and MAC-winbox limited to the LAN list (bridge plus the two
# tunnels that were added to LAN above).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
# Router logins are checked against RADIUS. No /radius entry appears in
# this export, so either none is configured or it was trimmed from the post.
set use-radius=yes
Can someone also test with Device: CCR1016-12G
I have this configuration:
https://help.mikrotik.com/docs/display/ROS/IPsec
#Site to Site IPsec (IKEv1) tunnel
V6.49.6 - All working OK
V7.5 - IPsec connection established - NAT not working!
There’s no NAT involved in Site-to-Site config, and there shouldn’t be any.
Post your anonymized config in here or in another new topic.
Looks like there is nobody at MikroTik who is interested in solving this issue. In my case I have replaced the L2TP/IPsec server and clients with WireGuard and everything works as expected.
Glad you got a working VPN there HATS, I looked at your config and it was too complex for me to figure out LOL.
Wireguard is direct and understandable, and probably adequate for any homeowner and small business.
As for the rest, if you don’t share your config for FREE assistance, suggest find another forum.
Hello there.
I swapped my CHR 7.5 for a hEX with 7.5 stable-release firmware, and I have a NAT problem with L2TP+IPsec.
NAT with other SSTP tunnels works well.
Networking map:
—RB-7.5—(wireguard)[RB-7.5_VPN-Server]<l2tp+ipsec>—<l2tp+ipsec>[RB-6.48_VPN-Client]
Maybe it’s a problem with hardware encryption?
If I start a ping, maybe 1 packet in 100 gets through correctly.
I made a 1-to-1 copy of the configuration onto the new board:
/interface l2tp-server server
# use-ipsec=required: L2TP sessions that do not arrive inside IPsec are
# rejected (use-ipsec=yes would still accept plain L2TP).
# authentication=mschap2 restricts PPP authentication to MS-CHAPv2.
# The referenced l2tp-profile is not shown in this post.
set authentication=mschap2 default-profile=l2tp-profile enabled=yes use-ipsec=required
I have had the exact same case: 99% packet loss. Support ignored my ticket for 10 days. I switched from L2TP/IPsec to WireGuard; I can’t wait forever.
At last I have an answer from support:
“Thank you for the report. We are currently investigating issues with the crypto driver on MMIPS (including hEX) devices. Hopefully, the issue can be resolved soon.”
That doesn’t sound like a NAT issue that everyone was screaming about in this topic..
A lot of people complain about IPsec. You can easily find it even in the topic name.
Yes, with a magic keyword “NAT”.
And the initial post was about a CCR1036, which is a totally different beast than your tiny hEX.
And recently someone else hijacked this thread with CCR1016, that again is a totally different beast than your hEX.
You found a bug on mmips, congrats, but is it related to whatever else this topic is about? we don’t know, because this topic is a pile of different unrelated issues right now thanks to all the hijackers, yourself included.
Hello,
I’m losing my mind over an IPsec tunnel. I have three locations; the routers at all three were running RouterOS 6. Everything worked flawlessly for years.
Recently we bought a new router for one of the locations. This router has version 7 installed. I’ve made a practically identical configuration, but the problem looks very strange.
location A: new router
location B, C: existing infrastructure
- IPsec tunnels are established. Routers can ping each other.
_- I can connect from a computer on location A to router B; winbox opens but closes immediately. - If I want to log on to router B from location A, winbox hangs on “downloading descriptors”,_
- I can establish remote desktop connection from location A to computers on location B and vice versa,
- I can access network resources from location B to location A without problem - branch office file server.
- I can access SMB network resources from A to B by IP, but can’t access them by FQDN (actually I can, but it is really slow), which is strange and I can’t understand it, because name resolution works and finishes in a fraction of a second,
To me it looks like packets are being lost during transmission, but I can’t figure out how - most of the configuration was copied from the old router.
Fasttrack is turned off.
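# Rules from /ip firewall filter (section header and neighbouring rules are
# not included in the post). The forum rendering turned the string quotes
# into curly quotes and dropped the line-continuation backslashes; both are
# restored here so the rules paste cleanly into a terminal.
# All three accept rules match on addresses only. Inside the IPsec
# site-to-site tunnel that is sufficient, but a packet arriving on any other
# interface with a forged 10.77.20.0/24 source would match as well; adding
# ipsec-policy=in,ipsec (as the stock defconf forward rules do) would bind
# them to decrypted tunnel traffic only.
add action=accept chain=forward comment="FWD :: location A to this main subnet" \
dst-address=10.77.10.0/24 src-address=10.77.20.0/24
add action=accept chain=input comment="IN :: location A to this router" \
src-address=10.77.20.0/24
# Return direction (main subnet -> location A); the original rule carried no
# comment, one is added to match its siblings.
add action=accept chain=forward comment="FWD :: this main subnet to location A" \
dst-address=10.77.20.0/24 src-address=10.77.10.0/24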
Have there been changes between 6.49 and 7.14? Can there be compatibility issues between versions?
Thank you in advance for your help, and best regards.
Hi,
Disabled FastTrack and now the tunnel works fine.
Migrated from 6.48.6->7.14.3