Site to site IPSec

RouterOS General
1

I'm trying to configure a site to site IPSec. I've setup a test setup on local LAN before trying to go over WAN
Main Office Router:
RB2011UiAS (6.38.5 stable)
ether1 0.77.101.201/24
ether2-master 172.22.0.1/24

Firewall NAT
0 chain=srcnat action=accept src-address=172.22.0.0/24 dst-address=192.168.88.0/24
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=10.77.101.202/32 auth-method=pre-shared-key secret="test"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 10.77.101.1 1
1 S 0.0.0.0/0 10.77.101.201 1
2 ADC 10.77.101.0/24 10.77.101.201 ether1 0
3 ADC 172.22.0.0/24 172.22.0.1 bridge 0
4 S ;;; IPSec Traffic to Client
192.168.88.0/24 192.168.88.1 1

host 172.22.0.44

Branch Office Router:
RB2011UAS-2HnD (6.38.5 stable)
ether1 0.77.101.202/24
ether2-master 192.168.88.0.1/24
Firewall NAT
0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=172.22.0.0/24
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=10.77.101.201/32 auth-method=pre-shared-key secret="test"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P

  • prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 S 0.0.0.0/0 10.77.101.202 1
1 A S 0.0.0.0/0 10.77.101.1 1
2 ADC 10.77.101.0/24 10.77.101.202 ether1 0
3 S ;;; IPSec Traffic to Server
172.22.0.0/24 172.22.0.1 1
4 ADC 192.168.88.0/24 192.168.88.1 bridge 0
bridge

host 192.168.88.42

I have two hosts connected to each router. I get no traffic between the hosts. Routers can ping each other and hosts can ping routers. Rest of settings are left on default.

Should I create some route on hosts? What am I missing? Any help appreciated.

2

You should add filter rules on both your routers. See topic http://forum.mikrotik.com/t/vpn-ipsec-lan2lan-behind-nat/107378/1

3

I added the filters as you suggested

Main Office:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic

1 chain=forward action=accept src-address=172.22.0.0/24 dst-address=192.168.88.0/24

2 chain=forward action=accept src-address=192.168.88.0/24 dst-address=172.22.0.0/24
..

Branch Office

1 chain=forward action=accept src-address=192.168.88.0/24 dst-
address=172.22.0.0/24

2 chain=forward action=accept src-address=172.22.0.0/24 dst-
address=192.168.88.0/24


New proposals, I also changed policies.

[admin@MikroTik] > ip ipsec proposal print
name=“proposal1” auth-algorithms=null enc-algorithms=aes-256-gcm,3des lifetime=30m pfs-group=modp4096

In logs I’m getting following:

16:32:36 ipsec,error 10.77.101.202 failed to pre-process ph2 packet.
16:32:46 ipsec,error 10.77.101.202 peer sent packet for dead phase2
16:32:56 ipsec,error 10.77.101.202 peer sent packet for dead phase2


on both routers

4

Why did you change authorisation algorithms? Now routers cannot connect. Most probably, if you check installed-SA, you will see nothing there.

5

I changed algorithms because I thought it might help with phase two.

Today I reset both routers and redid everything. Still cannot ping hosts but IPSec gets established.
12:11:30 ipsec,info initiate new phase 1 (Identity Protection): 10.77.101.201[500]<=>10.77.101.202[500]
12:11:31 ipsec,info ISAKMP-SA established 10.77.101.201[500]-10.77.101.202[500] spi:84388d480a72effa:1888683290b0c5e4
12:11:36 ipsec,info respond new phase 1 (Identity Protection): 10.77.101.201[500]<=>10.77.101.202[500]
12:11:36 ipsec,info ISAKMP-SA established 10.77.101.201[500]-10.77.101.202[500] spi:fb0333b80b809352:be444d52417bb0a6

I cannot ping hosts between subnets 192.168.88.0/24 and 172.22.0.0/24

Main Office:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=172.22.0.0/24 dst-address=192.168.88.0/24
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept src-address=172.22.0.0/24 dst-address=192.168.88.0/24
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 chain=forward action=accept src-address=192.168.88.0/24 dst-address=172.22.0.0/24
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
5 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
8 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
9 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat
in-interface=ether1

Branch Office:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I -
invalid, D - dynamic
0 chain=srcnat action=accept src-
address=192.168.88.0/24 dst-address=172.22.0.0/24
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept src-address=192.168.88.0/24 dst-address=172.22.0.0/24
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 chain=forward action=accept src-address=172.22.0.0/24 dst-address=192.168.88.0/24
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
5 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
8 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
9 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1

6

I disabled all drop firewall rules first on Main Office router and then on the Branch Office router.

Now I can ping from Branch Office host 192.168.88.254 to 172.22.0.44 but not from Main Office host to Branch Office. But it’s intermittent!

Seems the chain=input action=drop in-interface=ether1 rule has something to do with no pings.

7

IF you are connected, see this - should help…
http://forum.mikrotik.com/t/vpn-ipsec-lan2lan-behind-nat/107378/1

8

I’m not sure if this is relevant to you, but I’m doing something similar like this:

  1. Transport mode IPSEC between the 2 sites.

  2. GRE tunnel with a /30 address on each side (ex: 10.0.0.1 and 10.0.0.2)

  3. Static routes pointing to the GRE tunnel address on the “other” side for whatever networks you want to route.

I’m still not 100% sure how I should set the MTU for the GRE interface for this…

9

GRE + IPSec (Transport mode) = Specific 1440 bytes, Recommended 1400 flat
GRE + IPSec (Tunnel mode) = Specific 1420 bytes, Recommended 1400 flat

+100000 to using routed VPNs over policy based VPNs. So many threads here about users having issues getting traffic to path correctly when using policy based VPNs. Use GRE with IPSec and route those packets. So much easier!

10

Thanks!

Maybe this is worth a new thread.

Question on this: I was just pinging with no fragment set until I found a size that would not ping. I was using 1420 for transport mode IPSEC + GRE. The routers stated that “actual MTU” was 1420 and this is for GRE over transport mode IPSEC.

Why use 1400 instead? I’m curious now.

After setting MTU to 1400, the maximum ping I can do from one endpoint to the other over the GRE tunnel (from my Mac to a Linux machine) is 1372 bytes, or ping -D -s 1372 x.x.x.x.

I suppose i should wireshark or sniff this to really see what’s happening.

11

IPv4 header (20 bytes) + ICMP header (8 bytes)

1400 - 20 - 8 = 1372

The 1400 value is just because it is easier to remember and allows for both IPSec modes. It also provides a little cushion for a less than 1500 link. An example that used to be fairly common here in the US were DSL circuits that had an MTU of 1492 to accommodate for PPPoE. By setting it to 1400 you’ve added enough cushion to absorb a slightly smaller DSL line without having to mentally adjust for it.

12

Ahh, I was missing the 8 bytes.

Thanks!

13

No problem! Good luck!