Site-to-site problem

Hi everyone,

I’m facing a site-to-site issue that I couldn’t resolve yet.

IPsec shows established, but I cannot ping / access devices through the VPN.

*** External IP and secret have been changed for security ***
Fasttrack is disabled on both routers.

Help would be greatly appreciated,
Thanks

Configs are below:

1st router
ipsec policy
1 A src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=111.111.111.111 sa-dst-address=222.222.222.222 proposal=default ph2-count=1
proposal
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
peer
0 address=222.222.222.222/32 auth-method=pre-shared-key secret="********" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

2nd router
ipsec policy
1 A src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=222.222.222.222 sa-dst-address=111.111.111.111 proposal=default ph2-count=1
proposal
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
peer
0 address=111.111.111.111/32 auth-method=pre-shared-key secret="********" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

Same issue here. I am rather new to MikroTik and IPsec but I tried almost every example found on the net…
Built a test environment with two hAP RB951Ui which were available.

Established IPsec but not able to PING or transfer.

Different sources and examples say:
a) use routing
b) do not use routing
c) use masquerade and srcnat chain
d) only use srcnat chain
e) …etc…

I am totally confused.

Is there a working example of how to connect two private networks using IPSec tunnels? Also an example for tunneling a network transparently to a second location.

Thanks
Holger

Config in first post looks ok. Just make sure that you exempt tunnel traffic from NAT. Typical router these days has LAN with private addresses and uses srcnat/masquerade for outside access, with rule like:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>

Such rule will also match traffic intended for tunnel and IPSec policy no longer matches. You need to add another rule before main NAT, e.g.:

/ip firewall nat
add chain=srcnat action=accept src-address=<your LAN>/<mask> dst-address=<remote LAN>/<mask> place-before=0 comment="bypass NAT for IPsec tunnel traffic"

Processing for those packets will stop there, main NAT won’t touch them, and IPSec policy will match.

Another common problem is with testing. If you try to access remote LAN from router itself (e.g. ping something), you need to make sure that you set proper source address (router’s LAN address), because otherwise router will choose (most likely) WAN address and policy won’t match.
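To make the two points above concrete, here is a small added model (not RouterOS code and not from the thread) of how the srcnat chain is walked top-down before the IPsec policy is consulted, using the thread's own LAN ranges and the placeholder public address 111.111.111.111. It assumes first-match semantics, that accept stops the chain, and that masquerade rewrites the source to the WAN address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Addresses from the thread (the public one is the poster's placeholder).
LAN_A = ip_network("192.168.1.0/24")
LAN_B = ip_network("192.168.2.0/24")
WAN_A = ip_address("111.111.111.111")

@dataclass
class NatRule:
    action: str                          # "accept" or "masquerade"
    src: Optional[IPv4Network] = None    # src-address matcher (None = any)
    dst: Optional[IPv4Network] = None    # dst-address matcher (None = any)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src is None or src in self.src) and \
               (self.dst is None or dst in self.dst)

def apply_srcnat(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Walk the srcnat chain top-down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src, dst):
            if rule.action == "accept":
                return src        # chain stops here, packet left untouched
            if rule.action == "masquerade":
                return WAN_A      # source rewritten to the WAN address
    return src

def policy_matches(src: IPv4Address, dst: IPv4Address) -> bool:
    """The first router's policy: 192.168.1.0/24 -> 192.168.2.0/24."""
    return src in LAN_A and dst in LAN_B

def natted_source(rules: List[NatRule], src: str, dst: str) -> str:
    return str(apply_srcnat(rules, ip_address(src), ip_address(dst)))

def tunnel_ok(rules: List[NatRule], src: str, dst: str) -> bool:
    """True if the packet still matches the IPsec policy after srcnat."""
    return policy_matches(ip_address(natted_source(rules, src, dst)), ip_address(dst))

MASQ_ONLY    = [NatRule("masquerade")]
BYPASS_FIRST = [NatRule("accept", LAN_A, LAN_B), NatRule("masquerade")]
BYPASS_LAST  = [NatRule("masquerade"), NatRule("accept", LAN_A, LAN_B)]

if __name__ == "__main__":
    for name, chain in [("masquerade only", MASQ_ONLY), ("bypass first", BYPASS_FIRST), ("bypass last", BYPASS_LAST)]:
        print(f"{name:16} LAN->LAN: {tunnel_ok(chain, '192.168.1.10', '192.168.2.10')}")
    # Ping from the router itself: WAN source never matches, LAN source does.
    print("router, WAN src:", tunnel_ok(BYPASS_FIRST, "111.111.111.111", "192.168.2.10"))
    print("router, LAN src:", tunnel_ok(BYPASS_FIRST, "192.168.1.1", "192.168.2.10"))
```

Only the chain with the accept rule placed before masquerade keeps the LAN source address, which is why rule order matters as much as the rule itself.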