Site to site IPSEC VPN setup with Linux (libreswan 3.16)

Hi All,

I am a newbie to Mikrotik and my very first thing to do with it is a Site-to-site VPN with a Linux server.
Here is the topology:

10.177.177.0/24 - Mikrotik … Internet … LibreSwan - 192.168.100.0/24

The goal is to get the 2 LANs to reach each other.
Here is my config:
https://pastebin.com/raw/2tWiMqPk

The connection seems to be OK, Phase 2 is OK, so the policy became active:
https://pastebin.com/raw/X0P5SEr7

But I cannot send any traffic from either of the LANs :(

Here is the output of the Linux side:
https://pastebin.com/raw/y6dcvP3W

How can I debug this?

It seems I had to remove the default masquerade rule for VPN packets.
It seems to be working now
(at least in 10.177.177.0/24 → 192.168.100.0/24 direction)

You do not have to remove the masquerade rule, try this one:

ip firewall nat add chain=srcnat action=accept src-address=10.177.177.0/24 dst-address=192.168.100.0/24 comment="no NAT for site-to-site VPN traffic"
ip firewall nat add chain=srcnat action=masquerade out-interface=(put here your WAN interface) comment="general masquerade for Internet access"

The second one is the general NAT rule to access the Internet from your LAN.

The order is important, you need to create the rules in this order.
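A complete version of the ordering described above, as an added example that is not part of the thread (neither poster's configuration). It assumes the WAN interface is ether1 (a placeholder), the subnets are the ones from the topology at the top of the thread, and the router runs a RouterOS release that has the ipsec-policy firewall matcher and accepts place-before=[find ...] (an assumption; if yours does not, use the address-based rule only and move it with /ip firewall nat move):

```routeros
# Added example (not from the thread). Assumptions: WAN = ether1,
# local LAN 10.177.177.0/24, remote LAN 192.168.100.0/24 (single tunnel).
/ip firewall nat

# 1. Anything that will leave through an outbound IPsec policy must keep its
#    real source address. If masquerade rewrites it first, the packet no longer
#    matches the policy selector and leaves the router in the clear (or is
#    dropped by the far side), which is exactly the "policy active, no traffic"
#    symptom. This matcher-based form covers every tunnel on the router.
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="no NAT for traffic matching an outbound IPsec policy"

# 2. The general Internet masquerade. It must come AFTER the accept rule,
#    because srcnat is evaluated top to bottom and the first match wins.
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="general masquerade for Internet access"

# If a masquerade rule already exists (e.g. from the default configuration),
# do not delete it; insert the exception above it instead. This is the
# address-based variant from the reply above. Assumes exactly one masquerade
# rule, because place-before takes a single rule id.
/ip firewall nat add chain=srcnat action=accept \
    src-address=10.177.177.0/24 dst-address=192.168.100.0/24 \
    comment="no NAT for site-to-site VPN traffic" \
    place-before=[find action=masquerade]

# Verification: the accept rule must be listed first, and its packet counter
# must increase while you ping a host in 192.168.100.0/24 from the local LAN.
/ip firewall nat print stats

# If the counters do not move, check that the policy is really installed and
# that SAs exist for both directions before looking at NAT again.
/ip ipsec policy print
/ip ipsec installed-sa print
```

The same mistake exists on the Linux side: a MASQUERADE rule in the nat POSTROUTING chain also runs before IPsec encapsulation. The matching exception there is a rule placed ahead of it, for example `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`, which accepts (and therefore does not NAT) anything that will be protected by an outbound IPsec policy.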

Would you mind sharing your Linux config as well? I'm trying to set up the same.