I’m learning how to set up an IPsec tunnel between two sites. Both are using MikroTik routers with 6.38.5 firmware.
Site A has a fixed public IP. Site B has a dynamic IP and can (in some cases) also end up behind the provider’s NAT.
I have set up Site A to accept all peers (0.0.0.0/0) and create dynamic policies.
On Site B I set up a peer pointing to Site A’s IP address, and a policy to send traffic from Site B’s internal network to Site A.
I have also added firewall & NAT rules to allow traffic to flow between the internal networks. Here’s the complete firewall configuration:
/ip firewall filter
# input chain: packets addressed to the router itself
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Allow router access from 192.168.0.0/24" src-address=192.168.0.0/24
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
# forward chain: packets routed through the router; rules are evaluated top to bottom,
# so fasttrack-connection is the first rule an established connection meets here
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
# srcnat: the accept rule exempts site-to-site traffic from the masquerade rule below it
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
Basically, the IPsec link works. In the policy’s status, I can see PH2 state = established. I can ping the Site B router from Site A, and vice versa.
Despite this, the traffic doesn’t seem to flow properly. Data transfer from Site A to Site B (and vice versa) is extremely slow, and sessions get dropped regularly. When I use Winbox to open the Site B router from within Site A, the connection opens but Winbox doesn’t show any data (the Winbox windows are just empty). And then after some seconds the Winbox session terminates.
This doesn’t seem right, as both routers have 100 Mbps links to the Internet provider. When they are connected via L2TP/IPsec (instead of plain IPsec), the VPN speed is perfectly fine.
Without having looked at the exact problem you are facing here: I always advise the second solution (L2TP/IPsec, IPIP/IPsec or GRE/IPsec) combined with a simple autorouting setup, e.g. with BGP, instead of direct IPsec tunnels.
It is so much easier to set up and maintain, especially with multiple branches and changing networks.
It is also much easier to maintain firewall settings. You won’t need to make exceptions for NAT (when your NAT config is to masquerade everything going out on the internet interface) and you can easily set up relaxed rules for traffic between branches while having strict firewalls on the internet interface.
Well, I partially agree. I thought I would wrap my head around IPsec itself first, and then learn how to use it in IPIP tunnels. I didn’t understand how to make an IPIP tunnel when only one IP address is known (and the other side has a dynamic IP and/or is NATed), so I thought I would postpone this part.
Therefore, I would really like to understand what is wrong with my current setup… I read many guides on the Internet, but so far I couldn’t figure out the problem in my configuration…
Huh… I think I found the problem. If I disable the fasttrack rule on the Site B firewall, the IPsec link starts to behave normally - the speed and everything seem to be fine.
As soon as I enable that fasttrack rule, the IPsec link gets terribly slow again (I can’t even call it “slow” - it simply doesn’t work, despite the status saying the connection is established).
This fasttrack rule is there by default. I guess I need to read the Wiki for the details on how it works and what it actually does.
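Added example (my own configuration written against the rules in the first post, not something the poster ran): the same defconf firewall with the fasttrack rule kept, but with IPsec-protected traffic accepted before that rule can touch it, plus the matching NAT bypass. A connection that a fasttrack-connection rule has marked skips the normal firewall/NAT processing path, and that path is where the IPsec policies are applied; with a plain site-to-site policy the LAN-to-LAN packets go through the forward chain, get fasttracked, and so bypass the policy. With L2TP/IPsec the encrypted packets are router-to-router (input/output chains, not forward), which is why that setup was not affected. The example assumes the ipsec-policy firewall matcher is available on this 6.38.5 build, that 192.168.3.0/24 is the LAN behind the router whose config was posted and 192.168.0.0/24 is the LAN at the other site (as read from the NAT rule above), and that ether1 is the internet interface.

```routeros
# Added example, not the poster's configuration. Assumed: ether1 = WAN,
# local LAN 192.168.3.0/24, remote LAN 192.168.0.0/24, ipsec-policy matcher present.
/ip firewall filter
# input chain: only needed where the remote peer initiates (the side that
# accepts peers from 0.0.0.0/0); IKE on UDP 500/4500 (4500 covers NAT-T) and ESP.
add action=accept chain=input comment="IPsec: IKE/NAT-T from peer" in-interface=ether1 protocol=udp dst-port=500,4500
add action=accept chain=input comment="IPsec: ESP from peer" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Allow router access from 192.168.0.0/24" src-address=192.168.0.0/24
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
# forward chain: accept IPsec traffic BEFORE the fasttrack rule.
# "accept" ends forward-chain processing for that packet, so the connection is
# never marked for fasttrack and every packet still goes through the IPsec policy.
add action=accept chain=forward comment="IPsec: decrypted inbound, keep off fasttrack" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPsec: to-be-encrypted outbound, keep off fasttrack" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
# srcnat: packets that an outbound IPsec policy will encrypt must keep their
# LAN source address, otherwise they no longer match the policy selector.
# Matching on the policy instead of fixed src/dst pairs keeps working when
# more remote networks are added later.
add action=accept chain=srcnat comment="IPsec: bypass masquerade" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
```

To check the effect after loading this, watch `/ip firewall connection print` for the LAN-to-LAN flows: they should no longer carry the fasttrack flag, while ordinary internet connections still do.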
OK, I don’t know if IPsec cannot work at all with fasttrack or only in some circumstances.
I use L2TP/IPsec (that you already got working) in combination with BGP for some “mobile” VPN routers at work.
Just set up the L2TP server as usual, assign fixed remote addresses to the user(s) you have so the endpoint IP address for the L2TP user will be fixed. The internet IP does not need to be fixed.
Then, set up BGP peers in the central system like this:
Also, on each system you go into bgp networks and add the network(s) known locally:
/routing bgp network
add network=192.168.88.0/24
Of course you have different networks at each location.
That is all! After your L2TP connection comes up, the BGP session will be connected within a minute and all routes are exchanged and everything works.
Much easier than fiddling with IPsec policies, I think, especially when you have like 5 branches and you want them all to connect and route between them.
It is also possible to do the same with IPIP or GRE but you need to set a /30 network on each tunnel and use those addresses in the above instead of the L2TP addresses.
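Added example (my own, not the poster’s configuration; the post above does not show its BGP peer lines, and the ones below are assumed): the L2TP/IPsec plus BGP layout described above, for the two sites in this thread. Site A is the L2TP/IPsec server with the fixed public IP, Site B the client behind a dynamic and possibly NATed address. The PPP endpoint addresses are pinned per user in the PPP secret, so BGP peers over addresses that never change even though Site B’s internet address does. All names, addresses, AS numbers and secrets are made up for the example: 198.51.100.1 for Site A’s public IP, 10.255.0.0/30 for the tunnel, 192.168.0.0/24 at Site A and 192.168.3.0/24 at Site B (as read from the NAT rule in the first post), private AS numbers 65000/65001, and ether1 as the internet interface.

```routeros
# Added example, not from the thread. All addresses, names and secrets are assumed.

# ---------- Site A (central, fixed public IP 198.51.100.1) ----------
/ip firewall filter
# let IKE/NAT-T and ESP in from the internet; L2TP (UDP 1701) only after it has
# been decrypted by IPsec, so plain L2TP from the internet stays blocked.
add action=accept chain=input comment="L2TP/IPsec: IKE/NAT-T" in-interface=ether1 protocol=udp dst-port=500,4500
add action=accept chain=input comment="L2TP/IPsec: ESP" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="L2TP/IPsec: L2TP inside IPsec only" protocol=udp dst-port=1701 ipsec-policy=in,ipsec
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret="example-psk-change-me"
/ppp secret
# fixed tunnel addresses: these are the BGP peer addresses, so they must not change
add name=siteB password="example-password" service=l2tp local-address=10.255.0.1 remote-address=10.255.0.2
/routing bgp instance
set default as=65000 router-id=10.255.0.1
/routing bgp peer
add name=siteB remote-address=10.255.0.2 remote-as=65001
/routing bgp network
# network known locally at Site A
add network=192.168.0.0/24

# ---------- Site B (branch, dynamic / NATed internet address) ----------
/interface l2tp-client
# the client initiates, so Site B's internet address does not need to be known
add name=l2tp-siteA connect-to=198.51.100.1 user=siteB password="example-password" use-ipsec=yes ipsec-secret="example-psk-change-me" disabled=no
/routing bgp instance
set default as=65001 router-id=10.255.0.2
/routing bgp peer
add name=siteA remote-address=10.255.0.1 remote-as=65000
/routing bgp network
# network known locally at Site B
add network=192.168.3.0/24
```

Once the tunnel is up, `/routing bgp peer print status` on either side should show the peer as established and `/ip route print where bgp` should list the other site’s network with the tunnel endpoint as gateway. Adding a third branch is then a new PPP secret with its own /30 addresses, a new BGP peer line at the central site, and the branch’s own bgp network entry; no IPsec policies or NAT exceptions per branch. The inner LAN-to-LAN traffic crosses the L2TP interface in the forward chain and can stay fasttracked, because the IPsec protection is applied to the router-to-router L2TP packets rather than to the forwarded traffic itself.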
Thanks for the hints!
Since I got IPsec working, I will look into the routing protocols right after I learn some more about the fasttrack feature.
So far it seems that fasttrack skips most of the NAT / firewall checks, and that’s why it may become an issue when using IPsec. Though, I’m still not sure why it worked fine with L2TP.
Need to dig further on this.