Routine Ipsec Road Warrior Questions

I have recently purchased a RB750Gr3 to replace my aging RB750G and am having trouble setting up a pure ipsec road warrior XAUTH PSK configuration. I achieve phase 2 (This does not work with any RC version so I rolled back to 6.37.3) and can see the ipsec debug log attempting to pass traffic but I CANNOT PING either direction through the tunnel.

My setup is a pretty simple natted gateway with default configuration, local dhcp pool 192.168.88.0/24. Ipsec has its own separate pool to pull from, 192.168.99.0/24. The only firewall rule addition is accepting port 500,4500 on the input chain. ipsec mode-cfg is set up to split include 192.168.88.0/24.

I have exhaustively read both of these links but still have some basic questions on ipsec tunneling and packet flow with this router.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

  1. Do I need to add a srcnat rule to accept destination traffic to my ipsec pool? I have read conflicting advice on this and whether natting happens before the tunnel or after. Do I need to clear connections somehow after creating this nat rule?
  2. Do I need to add a firewall rule to allow forward traffic from my ipsec pool to my dhcp subnet or is the 500,4500 rule enough?
  3. Should my ipsec peer configuration have NAT-T enabled since I am natted?
  4. What else could be stopping me from being able to ping through the tunnel?

Thanks for any advice.

  1. Yes, you need to accept traffic that is going to be encapsulated before the NAT rule, and yes, if the connection was already established before the rule was created it needs to be cleared.
  2. If you have strict forward policies that can block this traffic then yes, you need to add accept rules in the forward chain.

I have the default forward rules so I think this may be my problem. Should this new accept rule accept all forwards from the sa-local address, the sa-remote address, or my ipsec pool? If it's the remote address, I am not sure how I would know that beforehand.

Thanks for your help.

In forward you must accept from your pool to whatever network you want to allow access. SA-local and SA-remote addresses do not appear in the forward chain.

Thanks for your help here. There were some necessary additions. Hopefully this helps someone.

  1. Default firewall config uses fasttrack forwarding. Fasttrack bypasses ipsec policies causing ipsec not to work! The solution is a raw nat rule to force ipsec past the fasttrack rule into the normal forward rule.
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.88.0/24 src-address=192.168.99.0/24
add action=notrack chain=prerouting dst-address=192.168.99.0/24 src-address=192.168.88.0/24
  2. Also need an input rule for new incoming connections. ipsec-policy flag works here (this needs to be before the first input drop rule).
/ip firewall filter
add action=accept chain=input comment="Accept new ipsec packets marked in ipsec" dst-address=192.168.88.0/24 ipsec-policy=in,ipsec src-address=192.168.99.0/24
  3. Need srcnat accept rule for ipsec outbound traffic (this needs to be before the masquerade rule).
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.99.0/24 out-interface=ether1-gateway
  4. MTU size too large (pings would work but connections failed). MikroTik does not use an interface for ipsec, so the MSS size needs to be mangled.
/ip firewall mangle
add action=change-mss chain=forward comment="MTU must be smaller over IPSEC VPN" dst-address=192.168.99.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.88.0/24 tcp-flags=syn tcp-mss=!0-1350

And now ipsec tunnel works and all traffic passes!
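As an added example (not part of the thread and not MikroTik's own documentation), here are the same four fixes collected into one RouterOS script that also takes care of the ordering the posts keep pointing at (input accept before the input drop, srcnat accept before masquerade) and of clearing stale connection-tracking entries, which the first reply says is needed when connections existed before the rules. It goes a little beyond the thread: it adds the forward accept from the pool that the second reply recommends, and clamps MSS in both directions rather than only LAN-to-pool. Assumptions: LAN 192.168.88.0/24, IPsec mode-config pool 192.168.99.0/24, WAN interface ether1-gateway, and a stock RouterOS 6.x default firewall whose rules still carry their "defconf:" comments (the place-before lookups match on those comments and will fail if they have been edited or if more than one rule matches).

```routeros
# Added example, not from the thread. Assumed addressing: LAN 192.168.88.0/24,
# IPsec mode-config pool 192.168.99.0/24, WAN interface ether1-gateway.
# The place-before lookups assume the stock "defconf:" comments of the default
# RouterOS 6.x firewall; adjust them if your rules are commented differently.

# 1. Keep tunnel traffic out of fasttrack. Untracked packets never match the
#    fasttrack rule, so they fall through to the normal forward chain where the
#    IPsec policy is applied.
/ip firewall raw
add chain=prerouting action=notrack src-address=192.168.99.0/24 dst-address=192.168.88.0/24 comment="ipsec: no fasttrack pool->LAN"
add chain=prerouting action=notrack src-address=192.168.88.0/24 dst-address=192.168.99.0/24 comment="ipsec: no fasttrack LAN->pool"

# 2. Accept decrypted packets in input (to the router) and forward (to the LAN).
#    ipsec-policy=in,ipsec only matches packets that actually came out of an
#    IPsec SA, so plain spoofed packets from 192.168.99.0/24 on the WAN do not
#    qualify. Both rules are placed ahead of the default drop rules.
/ip firewall filter
add chain=input action=accept ipsec-policy=in,ipsec src-address=192.168.99.0/24 comment="ipsec: accept decrypted to router" place-before=[find chain=input comment~"drop all not coming from LAN"]
add chain=forward action=accept ipsec-policy=in,ipsec src-address=192.168.99.0/24 dst-address=192.168.88.0/24 comment="ipsec: accept pool->LAN" place-before=[find chain=forward comment~"drop all from WAN not DSTNATed"]

# 3. Exempt tunnel-bound traffic from masquerade. srcnat runs before the IPsec
#    policy is checked, so a masqueraded packet would carry the WAN address and
#    no longer match the LAN->pool policy.
/ip firewall nat
add chain=srcnat action=accept dst-address=192.168.99.0/24 out-interface=ether1-gateway comment="ipsec: no NAT to pool" place-before=[find chain=srcnat action=masquerade]

# 4. Clamp TCP MSS on SYNs in both directions (the thread clamps LAN->pool only).
#    ESP plus UDP encapsulation for NAT-T eats into the 1500-byte path MTU, and
#    there is no IPsec interface whose MTU the stack could use instead.
/ip firewall mangle
add chain=forward action=change-mss new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1350 src-address=192.168.88.0/24 dst-address=192.168.99.0/24 comment="ipsec: MSS LAN->pool"
add chain=forward action=change-mss new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1350 src-address=192.168.99.0/24 dst-address=192.168.88.0/24 comment="ipsec: MSS pool->LAN"

# Existing conntrack entries keep the NAT/fasttrack decision made before these
# rules existed, so remove any that involve the pool (addresses are stored as
# "ip:port", hence the anchored regex).
/ip firewall connection remove [find src-address~"^192\\.168\\.99\\."]
/ip firewall connection remove [find dst-address~"^192\\.168\\.99\\."]

# Verification: counters on the ipsec rules should climb while a client pings,
# and an installed SA should exist for the connected client.
/ip firewall filter print stats where comment~"^ipsec:"
/ip ipsec installed-sa print
```

Run it once from a terminal after the peer and mode-config are already working (phase 2 up); if a `place-before` lookup returns no rule or several, the `add` is rejected and the rule has to be added with an explicit position instead. The `print stats` counters are the quickest way to tell which of the four fixes is the one still missing: a rule that never counts is either in the wrong place or never reached.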