Site to Site IpSec Tunnel Mikrotik with D-Link DFL-860E

Dear Sirs!

It's the third day that I have been unable to set up an IPsec tunnel between a Mikrotik RB951G router and a D-Link DFL-860E.
I must say that a tunnel between two of the same D-Link routers works fine with the following settings, but it doesn't work with the Mikrotik.
I kindly ask for help with this issue!

There are two offices with these routers and the following settings.
Router D-Link DFL-860E:
WAN ip: y.y.y.214
LAN ip: 192.168.7.1
LAN net: 192.168.7.0/24

Router Mikrotik RB951G:
WAN ip: x.x.x.76
LAN ip: 192.168.31.1
LAN net: 192.168.31.0/24

D-Link DFL-860E settings:
General
Local Network: 192.168.7.0
Remote Network: 192.168.31.0
Remote Endpoint: x.x.x.76
Encapsulation mode: Tunnel
IKE Config Mode Pool: (None)
Algorithms
IKE Algorithms: 3DES,AES,MD5,SHA
IKE Lifetime: 28800 Seconds
IPsec Algorithms: 3DES,AES,MD5,SHA
IPsec Lifetime: 3600 seconds
IPsec Lifetime: 0 kilobytes
Authentication
Pre-shared key: Secret
Local ID Type: Auto
IKE XAuth: Off
Routing
Dynamically add route to the remote network when a tunnel is established - ON
Plaintext MTU: 1400
IP Addresses - Automatically pick the address of a local interface that corresponds to the local net
IKE settings
IKE - Aggressive - 1 DH Group [768 bit]
Perfect Forward Secrecy - NONE
Security Association - per net
NAT Traversal - On if supported and NATed
Use Dead Peer Detection - ON
Keep-alive - Auto

Router Mikrotik RB951G settings:

/interface bridge
add admin-mac=D4:CA:6D:E0:76:B9 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128,aes-256 \
    pfs-group=modp768
/ip pool
add name=dhcp ranges=192.168.31.10-192.168.31.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.31.1/24 comment="default configuration" interface=wlan1
add address=x.x.x.76/24 interface=ether1-gateway
/ip dhcp-client
add comment="default configuration" interface=ether1-gateway
/ip dhcp-server network
add address=192.168.31.0/24 comment="default configuration" dns-server=\
    192.168.31.1 gateway=192.168.31.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=217.30.180.230,217.30.182.230
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Allow NAT-T" dst-port=4500 protocol=udp
add chain=input comment="allow ping" protocol=icmp
add chain=output comment="allow ping(incomming)" protocol=icmp
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add chain=input comment="default configuration" connection-state=established
add chain=output comment="allow LAN to IPSEC"
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add chain=srcnat dst-address=192.168.7.0/24 src-address=192.168.31.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip ipsec peer
add address=y.y.y.214/32 dh-group=modp1536 exchange-mode=aggressive \
    generate-policy=yes secret=clsHEL
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/ip route
add distance=1 gateway=x.x.x.254
add distance=1 dst-address=192.168.7.0/24 gateway=ether1-gateway pref-src=\
    192.168.31.1
/system leds
set 0 interface=wlan1
/system logging
add disabled=yes topics=debug
add disabled=yes topics=ipsec
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local

With these settings it seems that the tunnel works, and I guess the problem is in routing.
In Winbox I can see the following:
Installed SAs show keys with byte counts
IPsec policies are generated automatically with Tunnel (yes)

tracert 192.168.31.1 from 192.168.7.12
  1     *        *        *     timeout
  2    58 ms    58 ms    58 ms  192.168.31.1

tracert 192.168.7.12 from 192.168.31.1
  1     *        *        *     timeout
  2    59 ms    60 ms    59 ms  192.168.7.12

I can access the remote Mikrotik router (LAN2) from a workstation (LAN1) but can't access any host inside LAN2.

Many thanks in advance for any suggestions!

I think mikrotik is not compatible with the d-link

Plisken, thank you for your attention!
But I don't think so, unless IPsec is not a standard protocol supported by many devices?

Hi there,

You have a few issues with your configuration

Please turn on logging for IPsec and post the output.

Thanks

Finally it started working with the following configuration:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=\
    aes-128,aes-256 lifetime=30m name=default pfs-group=modp768

/ip ipsec peer
add address=y.y.y.214/32 auth-method=pre-shared-key dh-group=modp768 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=aggressive generate-policy=yes hash-algorithm=md5 \
    lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 \
    proposal-check=obey secret=password send-initial-contact=yes

/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
    0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no

/ip firewall filter
add action=accept chain=input comment="allow ping" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no
add action=accept chain=input comment="Allow IKE" disabled=no dst-port=500 \
    protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" disabled=no protocol=\
    ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" disabled=no protocol=\
    ipsec-ah
add action=drop chain=input comment="Drop inbound connections from Internet" \
    disabled=no in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established disabled=no
add action=accept chain=forward comment="default configuration" \
    connection-state=related disabled=no
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no dst-address=192.168.7.0/24 out-interface=ether1-gateway src-address=\
    192.168.31.0/24

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=y.y.y.254 scope=\
    30 target-scope=10
add disabled=no distance=1 dst-address=192.168.7.0/24 gateway=bridge-local \
    pref-src=x.x.x.76 scope=30 target-scope=10

I hope this info will help someone who sets up IPsec tunnels between Mikrotik and D-Link DFL devices.
Regards!

UPD: D-Link DFL-860E was updated with firmware version 2.40.03.08-20375 (Mar 11 2013)

You don't have IPsec policies defined.
For a site-to-site IPsec VPN don't use
generate-policy=yes but define the policy manually.

Also you must change to:
exchange-mode=main

HTH,

I've tried to copy the dynamically assigned policies to static ones. Then I reset the connections and waited for a long time; no new SA keys were installed and no ping passed through.
So I've decided to leave generate-policy=yes.

I've changed this option on the Mikrotik, and on the D-Link it looks like:
IKE Settings → IKE → select "Main" for DH Group
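The three points the thread keeps circling back to (the D-Link's "IKE - DH Group 1 [768 bit]" against the Mikrotik peer's dh-group, the srcnat accept rule for LAN-to-remote-LAN traffic having to sit before the masquerade rule, and the advice to define a static policy instead of relying on generate-policy=yes) can be checked mechanically against a RouterOS /export. The script below is an added example and is not code from this thread, from the poster or from MikroTik. It parses the backslash-continued line format that /export produces; the two exports it contains are constructed for the example and only modelled on the values in the posts (secrets replaced by REDACTED), and the group-number-to-modp mapping is the standard IKE Diffie-Hellman group list. The NAT check relies on RouterOS matching srcnat before it matches outgoing packets against IPsec policies, which is why MikroTik's own site-to-site guidance places a bypass accept rule ahead of masquerade.

```python
import shlex

# IKE Diffie-Hellman group numbers and the RouterOS dh-group names they correspond to.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Constructed samples modelled on the thread's values; not the poster's own export.
# BROKEN: DH group 5 against a peer on group 1, masquerade ahead of the bypass
# rule, and no static policy (generate-policy=yes only).
BROKEN_EXPORT = r"""
/ip ipsec peer
add address=y.y.y.214/32 dh-group=modp1536 exchange-mode=aggressive \
    generate-policy=yes secret=REDACTED
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add chain=srcnat dst-address=192.168.7.0/24 src-address=192.168.31.0/24
"""
# FIXED: group 1 (the D-Link's "DH Group 1 [768 bit]"), main mode, a static
# policy for the remote subnet, and the srcnat accept placed before masquerade.
FIXED_EXPORT = r"""
/ip ipsec peer
add address=y.y.y.214/32 dh-group=modp768 exchange-mode=main secret=REDACTED
/ip ipsec policy
add src-address=192.168.31.0/24 dst-address=192.168.7.0/24 tunnel=yes \
    sa-src-address=x.x.x.76 sa-dst-address=y.y.y.214 proposal=default
/ip firewall nat
add chain=srcnat dst-address=192.168.7.0/24 src-address=192.168.31.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
"""


def unwrap(export_text):
    """Join the backslash-continued lines of an /export; drop blanks and comments."""
    lines, buf = [], ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            head = line[:-1]
            # A wrap directly after '=' continues the value; otherwise re-insert a space.
            buf += head if head.endswith("=") else head.rstrip() + " "
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_export(export_text):
    """Map each menu path (e.g. '/ip ipsec peer') to its add/set entries as dicts."""
    sections, current = {}, None
    for line in unwrap(export_text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # keeps comment="two words" as one token
        if current is None or not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def check_dh_group(sections, remote_dh_group):
    """IKE phase 1 fails unless both ends use the same Diffie-Hellman group."""
    expected = DH_GROUPS[remote_dh_group]
    return [f"peer {p.get('address')}: dh-group={p.get('dh-group')} but the remote "
            f"uses group {remote_dh_group} ({expected})"
            for p in sections.get("/ip ipsec peer", []) if p.get("dh-group") != expected]


def check_nat_bypass(sections, local_net, remote_net):
    """RouterOS applies srcnat before IPsec policy matching, so the accept for
    local_net -> remote_net must come before any masquerade rule; otherwise the
    masqueraded packets no longer match the policy's src-address."""
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("chain") != "srcnat":
            continue
        action = rule.get("action", "accept")  # accept is the default action
        if (action == "accept" and rule.get("src-address") == local_net
                and rule.get("dst-address") == remote_net):
            return []
        if action == "masquerade":
            return [f"masquerade rule precedes the srcnat accept for {local_net} -> {remote_net}"]
    return [f"no srcnat accept rule for {local_net} -> {remote_net}"]


def check_policies(sections, remote_net):
    """Site-to-site: expect a static policy for the remote subnet rather than
    generate-policy=yes, which only builds one from the remote side's proposal."""
    if any(p.get("dst-address") == remote_net for p in sections.get("/ip ipsec policy", [])):
        return []
    dyn = any(p.get("generate-policy") == "yes" for p in sections.get("/ip ipsec peer", []))
    return [f"no static IPsec policy with dst-address={remote_net}"
            + (" (peer relies on generate-policy=yes)" if dyn else "")]


def run_checks(export_text, remote_dh_group, local_net, remote_net):
    """Return the list of problems found; an empty list means all checks passed."""
    sections = parse_export(export_text)
    return (check_dh_group(sections, remote_dh_group)
            + check_nat_bypass(sections, local_net, remote_net)
            + check_policies(sections, remote_net))
```

Feed `run_checks` the text of `/export` from the Mikrotik, the DH group number configured on the D-Link (1 for "768 bit"), and the two subnets; `run_checks(BROKEN_EXPORT, 1, "192.168.31.0/24", "192.168.7.0/24")` reports all three problems while the FIXED sample returns an empty list. The parser is deliberately simple (it keeps the last value for a repeated key and ignores positional arguments such as the `0` in `set 0 ...`), which is enough for these checks but not a general RouterOS config parser.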