I’ve recently set up my MT router using the wiki article - http://wiki.mikrotik.com/wiki/IPSEC_between_Mikrotik_router_and_a_Shrew_client. I can successfully connect to the router from a remote location, but am unable to ping/browse or access anything on the remote LAN. The only change I made to my config was with the peer address. I used 0.0.0.0/0 since I want to use a “Road Warrior” style remote access to my LAN.
What am I overlooking in my configuration?
/ip ipsec installed-sa> /ip ipsec peer pr
Flags: X - disabled
0 address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key
secret="abc123" generate-policy=port-override exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
The IPSEC parameters all indicate the tunnel is established, and I think my input and forward rules are correct.
/ip ipsec remote-peers pr
0 local-address=64.xx.yy.zz remote-address=216.64.190.250 state=established
side=responder established=34m11s
/ip ipsec installed-sa> pr
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x1C839AE src-address=216.64.190.250 dst-address=64.xx.yy.zz
auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature
auth-key="db8d814aa09348ce546c4efcf1da3d71"
enc-key="f9cf2e97163cb57054522982605326bebcbc8043136581dd"
add-lifetime=48m/1h
1 E spi=0x2B4AA3B src-address=64.xx.yy.zz dst-address=216.64.190.250
auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature
auth-key="7a294f4440c3b5533f2bd5e142db9404"
enc-key="088b6d9e72a5d16a1e5ad6ac9827aa21d6bea41195c42507"
add-lifetime=48m/1h
2 E spi=0x823C3B8 src-address=64.xx.yy.zz dst-address=216.64.190.250
auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature
auth-key="033521da1bde6e29a60233deda3f3ad0"
enc-key="da820729d265146f7d0555e698c8d761557401f48c5ab574"
add-lifetime=48m/1h
3 E spi=0xB19AA23 src-address=216.64.190.250 dst-address=64.xx.yy.zz
auth-algorithm=md5 enc-algorithm=3des replay=4 state=mature
auth-key="d07515a8713a6a3242cf653f745bf0b0"
enc-key="3dab4fdbbdcb00c82d605e46b244bea0dad109f9c35e7acc"
Disabled items have been removed for brevity.
/interface bridge pr
0 R name="lanbridge" mtu=1500 l2mtu=1600 arp=proxy-arp mac-address=00:0C:42:06:70:83 protocol-mode=none priority=0x8000
auto-mac=no admin-mac=00:0C:42:06:70:83 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
/interface bridge port pr
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 e1-lan lanbridge 0x80 10 none
1 I wlan1 lanbridge 0x80 10 none
/ip firewall filter pr
0 chain=forward action=accept in-interface=lanbridge out-interface=lanbridge
2 ;;; allow established connections
chain=forward action=accept connection-state=established
3 ;;; allow related connections
chain=forward action=accept connection-state=related
4 ;;; Allow VPN traffic (protected to protected)
chain=forward action=accept src-address-list=ProtectedIPs dst-address-list=ProtectedIPs
5 ;;; Disallow outbound to private IPs
chain=forward action=reject reject-with=icmp-network-unreachable dst-address-list=ProtectedIPs out-interface=e3-wan
6 ;;; Disallow inbound to private IPs
chain=forward action=drop dst-address-list=ProtectedIPs in-interface=e3-wan
7 ;;; Allow filter rules to deny access
chain=forward action=jump jump-target=InternetBlacklist in-interface=lanbridge out-interface=e3-wan
9 ;;; Allow Internet access if blacklist did not stop it
chain=forward action=accept in-interface=lanbridge out-interface=e3-wan
11 ;;; log everything else
chain=forward action=log log-prefix=""
12 ;;; drop everything else
chain=forward action=reject reject-with=icmp-admin-prohibited
13 ;;; Invalid Connections - sliently drop
chain=input action=drop connection-state=invalid
14 ;;; Accept all from internal LAN
chain=input action=accept in-interface=lanbridge
16 ;;; Established Connections
chain=input action=accept connection-state=established
17 ;;; Related Connections
chain=input action=accept connection-state=related
19 ;;; Allow IPSEC
chain=input action=accept protocol=ipsec-esp
20 chain=input action=accept protocol=ipsec-ah
21 chain=input action=accept protocol=udp dst-port=500
27 ;;; Allow SSH
chain=input action=accept protocol=tcp dst-port=22
28 ;;; Allow Winbox
chain=input action=accept protocol=tcp dst-port=8291
29 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=20/5s,2
30 ;;; Log and drop all else
chain=input action=log log-prefix="INDROP"
45 ;;; Record high volume SMTP sources
chain=InternetBlacklist action=add-src-to-address-list protocol=tcp address-list=listBigSenders
address-list-timeout=0s dst-port=25 connection-limit=10,32
..
/ip firewall> address-list pr
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 ;;; Static Public IP assigned by ISP
PublicIP 64.xx.yy.zz
1 ProtectedIPs 172.16.0.0/12
2 ProtectedIPs 192.168.0.0/16
3 ProtectedIPs 10.0.0.0/8
4 listSBPublics 64.xx.yy.0/20
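As an added example (not part of the original post or of the MikroTik wiki article), a defender's checklist for a road-warrior IPsec setup on RouterOS: confirm that port-override actually produced a dynamic policy, log the negotiation, accept decrypted traffic in the forward chain by matching on the IPsec policy rather than on the peer's address, and exempt IPsec-bound replies from source NAT. The interface name e3-wan and the rule comments are taken from the post; the RouterOS v6 syntax, the existence of a masquerade rule in srcnat, and the rule placement are assumptions.

```routeros
# Added example (not from the original post). Assumes RouterOS v6 syntax
# and the WAN interface e3-wan from the post.

# 1. Check that generate-policy=port-override created a dynamic policy
#    (flag D) for the connected peer and that it is active (flag A).
/ip ipsec policy print detail

# 2. Log IKE and policy events to memory and read them back while the
#    client connects; a failing phase 2 or a selector mismatch shows here.
/system logging add topics=ipsec action=memory
/log print where topics~"ipsec"

# 3. Forward chain: accept packets that arrived through an IPsec policy
#    (already decrypted, in-interface is still the WAN) and packets that
#    will leave through one. Placed before the address-list drop rule so
#    the client is accepted whatever source address it presents.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="Allow decrypted road-warrior traffic into the LAN" \
    place-before=[find comment="Disallow inbound to private IPs"]
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="Allow LAN replies that will be encrypted" \
    place-before=[find comment="Disallow inbound to private IPs"]

# 4. Source NAT runs before the IPsec policy is matched, so LAN replies
#    to the client must be exempted ahead of any masquerade rule
#    (assumed to be rule 0 here).
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="Do not NAT traffic that IPsec will encrypt" \
    place-before=0
```

After applying the rules, `/ip firewall filter print stats` shows whether the new accept rules are seeing packets; if the counters stay at zero while the SA is mature, the traffic is not matching the policy at all and the policy selectors are the place to look.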