Site2Site IPsec problems

Hello again,

First of all, I'm not a pro in network things, but I think my knowledge is quite "ok".

For some time now I've been using MikroTik, and I'm currently trying to connect two MikroTiks via a site-to-site IPsec VPN.
It's not my first time, so normally I should know how it works; however, with these two the connection is working,
everything seems to be fine, but not a single byte is passing through the tunnel.
There must be a mistake in the firewall rules.

So here is my config:

Both locations have an RB2011.


Location A:
version: 6.21.1
Local IP Range: 192.168.0.0/24
External IP: 80.123.98.xxx/30

Location B:
version: 6.27
Local IP Range: 192.168.1.0/24
External IP: 80.121.239.xxx/30

LocA IPsec output:

# nov/23/2015 15:25:52 by RouterOS 6.21.1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=80.121.239.xxx/32 enc-algorithm=aes-256 secret=\
    mysecretkey send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=80.121.239.78 sa-src-address=\
    80.123.98.xxx src-address=192.168.0.0/24 tunnel=yes

LocA firewall output:

/ip firewall filter
add chain=input disabled=yes src-address=80.121.239.xxx
add chain=forward disabled=yes dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="sstp - vpn " dst-port=1723 in-interface=ether1-gateway \
    protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add chain=input comment=Winbox dst-port=8291 log=yes protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add chain=srcnat comment="NAT BypassRule VPN" dst-address=192.168.0.0/24 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq vpn traffic" src-address=\
    192.168.3.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=8006 in-interface=ether1-gateway \
    protocol=tcp src-address-list=snwat to-addresses=192.168.0.10 to-ports=8006
add action=dst-nat chain=dstnat dst-port=8022 protocol=tcp src-address-list=\
    snwat to-addresses=192.168.0.10 to-ports=22

LocB IPsec:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=80.123.98.xxx/32 enc-algorithm=aes-128,aes-256 nat-traversal=no \
    secret=mysecretkey
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=80.123.98.xxx sa-src-address=\
    80.121.239.xxx src-address=192.168.1.0/24 tunnel=yes

LocB firewall:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
/ip firewall nat
add chain=srcnat comment="NAT BypassRule VPN" dst-address=192.168.1.0/24 log=\
    yes src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes src-address=192.168.0.0/24

So the remote peer is running and the SAs are installed, but no byte is crossing.

Any help?

In the input chain you must accept ESP and UDP/500. I doubt that with your current firewall configuration you have established phase 1, not to mention phase 2.

Nope, still every ping times out.

Swap src- and dst-address space in each location in the first NAT “VPN bypass rule”.
-Chris

I agree with cdiedrich
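
Putting the two replies above together, this is what the missing pieces look like on RouterOS 6.x. It is an added example, not configuration posted in the thread: the interface name ether1-gateway, the LAN ranges and the masked peer address 80.121.239.xxx are taken from the original post, and only the Location A side is shown (Location B mirrors src/dst and points at 80.123.98.xxx).

```routeros
# Added example for Location A; mirror src/dst and the peer address on Location B.
# Assumes the WAN interface is ether1-gateway and the remote peer is 80.121.239.xxx
# as in the original post. Replace xxx with the real last octet.

/ip firewall filter
# IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) have to be accepted in the
# input chain BEFORE the "drop everything else from ether1-gateway" rule, otherwise
# phase 1 never completes. Restricting src-address to the peer keeps the exposure small.
# place-before=0 puts each rule at the top of the chain, above the existing drop.
add chain=input comment="IKE from IPsec peer" protocol=udp dst-port=500 \
    src-address=80.121.239.xxx in-interface=ether1-gateway place-before=0
add chain=input comment="NAT-T from IPsec peer" protocol=udp dst-port=4500 \
    src-address=80.121.239.xxx in-interface=ether1-gateway place-before=0
add chain=input comment="ESP from IPsec peer" protocol=ipsec-esp \
    src-address=80.121.239.xxx in-interface=ether1-gateway place-before=0

/ip firewall nat
# The bypass rule matches OUTBOUND traffic, so src is the local LAN and dst is the
# remote LAN (the original post has them reversed on both routers). It must sit above
# the masquerade rule: once a packet has been masqueraded to the WAN address it no
# longer matches the policy selector 192.168.0.0/24 -> 192.168.1.0/24 and leaves in
# the clear instead of being encrypted.
add chain=srcnat comment="NAT bypass for IPsec to LAN-B" action=accept \
    src-address=192.168.0.0/24 dst-address=192.168.1.0/24 place-before=0
```

The forward chain in the original post ends without a final drop, so decrypted traffic is already allowed there; if you later add a forward drop rule, add an accept for 192.168.1.0/24 to 192.168.0.0/24 above it. On releases that support the `ipsec-policy=out,ipsec` matcher, the bypass rule can be written against the policy instead of hard-coded subnets; check that your 6.21/6.27 builds accept it before relying on it.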

Hi,

I was able to do IPsec with this:

Location A

/ip ipsec policy> add src-address=192.168.0.0/24 dst-address=192.168.1.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.123.98.xxx sa-dst-address=80.121.239.xxx proposal=default priority=0
/ip ipsec peer> add address=80.121.239.xxx port=500 auth-method=pre-shared-key secret="prueba" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5
/ip firewall nat> add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=accept disabled=no

Location B

/ip ipsec policy> add src-address=192.168.1.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.121.239.xxx sa-dst-address=80.123.98.xxx proposal=default priority=0
/ip ipsec peer> add address=80.123.98.xxx port=500 auth-method=pre-shared-key secret="prueba" exchange-mode=main send-initial-contact=yes  proposal-check=obey hash-algorithm=md5 enc-algorithm=3des  dh-group=modp1024 dpd-interval=120  dpd-maximum-failures=5
/ip firewall nat> add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=accept

Regards
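
The example above works, but its phase 1 parameters (hash-algorithm=md5, enc-algorithm=3des, dh-group=modp1024) are weak by today's standards, and the PSK "prueba" is a test value. Below is the same peer/proposal/policy triple with stronger algorithms; this is an added example, not a post from the thread, and it assumes the RouterOS 6.x builds on these RB2011s accept sha256 and modp2048 (check with `/ip ipsec peer add hash-algorithm=?`). Both routers must be configured identically, or phase 1 fails with a proposal mismatch in the log.

```routeros
# Added example, Location A side. On Location B swap src/dst of the policy and the
# sa-src/sa-dst addresses, and point the peer at 80.123.98.xxx.
# The PSK is a placeholder: use a long random string, the same on both sides.

/ip ipsec proposal
# Phase 2: AES-256-CBC with SHA-256 integrity and PFS on a 2048-bit group.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

/ip ipsec peer
# Phase 1: main mode, SHA-256, AES-256, DH group 14 (modp2048).
# proposal-check=strict also requires the lifetimes to agree; DPD tears the SA
# down when the other side disappears instead of leaving a dead tunnel installed.
add address=80.121.239.xxx/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    proposal-check=strict dpd-interval=30s dpd-maximum-failures=3 \
    send-initial-contact=yes

/ip ipsec policy
# Selectors must be the exact mirror of the remote side's policy.
add src-address=192.168.0.0/24 dst-address=192.168.1.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=80.123.98.xxx sa-dst-address=80.121.239.xxx proposal=default
```

If one router only offers the older algorithms, the log shows "no proposal chosen" during phase 1; downgrade only as far as needed, and prefer keeping AES and a 2048-bit group over falling back to 3DES/modp1024.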

I'm sorry, I don't understand it. It is not working.

First try: swapped the NAT rules, nothing changed.

Now I reset all the IPsec config and tried the example from downther0ad, still the same result.

What am I doing wrong?!

Really strange, as it should work perfectly with those settings.
Enable the IPsec debug log and post the results here; we can then try to figure out what's going wrong.
-Chris
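
Chris asks for IPsec debug output. As an added example (not a post from the thread), here is how to collect it on RouterOS 6.x and what to check at each stage for a tunnel that negotiates but carries no traffic. Peer and LAN addresses are those of the original post; the LAN gateway address 192.168.0.1 used for the ping is an assumption.

```routeros
# Added diagnostic checklist; run on Location A (Location B is symmetrical).

# 1. Turn on IPsec logging to memory. The "packet" subtopic is excluded because it
#    floods the log; "ipsec" alone shows the IKE exchange and any proposal mismatch.
/system logging
add topics=ipsec,!packet action=memory comment="ipsec debug"
/log print where topics~"ipsec"

# 2. Phase 1: the remote peer must appear with state=established.
/ip ipsec remote-peers print

# 3. Phase 2: one SA per direction, and the byte counters must move while you ping.
#    In the policy list, ph2-state "no-phase2" means the selectors do not mirror
#    each other on the two routers.
/ip ipsec installed-sa print
/ip ipsec policy print detail

# 4. Is the plaintext packet even reaching the policy? The NAT bypass rule must be
#    counting packets and the masquerade rule must NOT be counting them for this flow;
#    the input-chain accept rules for udp/500, udp/4500 and ipsec-esp must count too.
/ip firewall nat print stats
/ip firewall filter print stats where chain=input

# 5. Ping from the router itself, sourcing a LAN address so the packet matches the
#    policy selector. A ping sourced from the WAN address is outside 192.168.0.0/24
#    and will never be encrypted, which is a common reason for a "working" tunnel
#    that appears empty. 192.168.0.1 is assumed to be this router's LAN address.
/ping 192.168.1.1 src-address=192.168.0.1 count=5

# 6. Remove the debug logging when finished.
/system logging remove [ find comment="ipsec debug" ]
```

If step 2 never reaches established, the problem is in the input chain or the PSK; if step 3 shows SAs but the counters stay at zero, the problem is NAT ordering or a policy selector mismatch; if the counters move but the LAN hosts still time out, look at the hosts' own default gateway and firewall rather than the tunnel.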