Hi all,
I have an IPsec tunnel between 2 Mikrotik RB751G. The tunnel is UP, I can ping the devices from both sites, by the way I cannot access the shared folders or the websites hosted in the remote site.
I have tested with a Sonicwall, and I have full access.
Can you help me please?
Sorry for my bad English.
Best Regards,
Vincent.
evince
July 9, 2012, 10:08am
3
Dear,
Thank you for your reply.
Here is my NAT rule: 0 chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24.
Do I have to create: 2 chain=input action=accept protocol=tcp src-address=192.168.88.0/24 dst-port=445 ?
Thank you in advance.
Ok. It will be easier if you describe the entire scheme of your networks on both sites: LAN addresses, IPsec addresses, etc.
Here you are :
Site 1 :
LAN : 10.5.0.0/24
ETH2 : 10.5.0.254/24
VLAN15 : 10.15.0.0/24
# jul/09/2012 15:25:07 by RouterOS 5.18
# software id = 9V5C-CE34
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="to lu" pfs-group=modp1024
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=****** \
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
proposal="to lu" protocol=all sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=10.0.0.0/8 \
src-port=any tunnel=yes
add action=encrypt disabled=yes dst-address=10.10.10.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
proposal=default protocol=all sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=10.5.0.0/24 \
src-port=any tunnel=yes
Site 2 :
LAN : 192.168.88.0/24
ETH2 : 192.168.88.1/24
# jan/05/1970 04:41:13 by RouterOS 5.18
# software id = 3EFE-FKCD
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=\
"to vince" pfs-group=modp1024
/ip ipsec peer
add address=yyy.yyy.yyy.yyy/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 \
proposal-check=obey secret=****** send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=yes dst-address=10.0.0.0/8 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal="to vince" \
protocol=all sa-dst-address=yyy.yyy.yyy.yyy sa-src-address=21xxx.xxx.xxx.xxx \
src-address=192.168.88.0/24 src-port=any tunnel=yes
Thank you for your help
Well, all settings are correct. PCs are accessible by IP. How do you try to access shared folders?
I try with \\10.5.0.11 and via http://10.5.0.11/mywebsite.
Thank you
Do You have such rules?
Site 1: 0 chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.88.0/24.
Site 2: 0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.0.0/8.
Oh, this is a stupid question. Of course you do have these rules.
I don’t understand. You can ping 10.5.0.11?
The only suggestion is that firewall filter rules block port 445. Enable this port on both sites.
evince
July 9, 2012, 3:07pm
10
Yes, I can ping my entire network; the only problem is shared folders and HTTP access to my NAS (both of them).
It should be a problem in SITE 2, because when I plug in a Sonicwall I do not have any problem.
evince
July 9, 2012, 3:15pm
11
I just made a test. I tried to connect to my remote website; the page can display, by the way the pictures are not shown and I do not have any error message.
Strange…
Sounds like a possible PMTUD problem. Do you happen to block any of the ICMP messages?
evince
July 9, 2012, 3:25pm
13
I don’t know yet what PMTUD is, but I don’t block anything at the moment.
Maybe your ISP is blocking 445 or other file sharing ports.
Maybe the Sonicwall is using IPsec over L2TP, so it works because it doesn’t use those ports, while you are using straight IPsec (not over L2TP), which will require those 445/file sharing ports…
evince
July 10, 2012, 6:29am
15
Thank you for your reply. My ISP does not block port 445, as I work for my ISP.
What is strange is that I cannot display the pictures of my remote website.
Thank you all for your help, I’m lost.
evince
July 11, 2012, 2:31pm
16
Problem solved, I have reduced the MTU.
Thank you very much.
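The PMTUD diagnosis given earlier in the thread and the MTU reduction that finally solved it are two views of the same arithmetic. The following Python is an added example, written for this page and not posted by anyone in the thread, that makes it concrete: it budgets the ESP tunnel-mode overhead for the 3DES/MD5 proposal the posters configured, computes the largest inner packet that still fits a 1500-byte link, and simulates why small pings cross the tunnel while full-size SMB or HTTP segments vanish when the ICMP "fragmentation needed" message never reaches the sender. The 1500-byte link MTU, the 84-byte ping and the path model are constructed assumptions; only the algorithm sizes come from the thread's configuration.

```python
# Added example (not from the forum thread): ESP tunnel-mode overhead and a
# PMTUD black-hole model. Sizes for 3DES-CBC + HMAC-MD5-96 in ESP tunnel mode
# over IPv4 match the proposals posted in the thread; the link MTU, packet
# lengths and path model below are constructed for illustration.

IPV4_HEADER = 20
ESP_HEADER = 8          # SPI (4 bytes) + sequence number (4 bytes)
DES3_BLOCK = 8          # 3DES-CBC: IV length and cipher block size
ESP_TRAILER = 2         # pad-length byte + next-header byte
HMAC_MD5_96_ICV = 12    # truncated ICV for HMAC-MD5-96
TCP_HEADER = 20

# Bytes added to every packet regardless of its length.
FIXED_OVERHEAD = IPV4_HEADER + ESP_HEADER + DES3_BLOCK + HMAC_MD5_96_ICV  # 48


def esp_tunnel_packet_size(inner_len: int) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IPv4 packet of
    inner_len bytes. No NAT-T UDP header, matching nat-traversal=no in the
    thread's peer configuration."""
    # Inner packet + trailer is padded up to a multiple of the cipher block.
    to_pad = inner_len + ESP_TRAILER
    padding = (-to_pad) % DES3_BLOCK
    return FIXED_OVERHEAD + to_pad + padding


def largest_inner_packet(link_mtu: int) -> int:
    """Largest inner packet whose encapsulated form still fits link_mtu."""
    usable = link_mtu - FIXED_OVERHEAD
    usable -= usable % DES3_BLOCK      # encrypted payload is block-aligned
    return usable - ESP_TRAILER


def recommended_tcp_mss(link_mtu: int) -> int:
    """TCP MSS at which a full segment, once encapsulated, never exceeds
    link_mtu (the value an MSS clamp on the tunnel would enforce)."""
    return largest_inner_packet(link_mtu) - IPV4_HEADER - TCP_HEADER


def cross_tunnel(packet_len: int, link_mtu: int, df: bool, icmp_allowed: bool) -> str:
    """Simulate one inner packet arriving at the tunnel ingress router.

    Returns:
      'delivered'        - fits after encapsulation (or was fragmented).
      'icmp-frag-needed' - too big with DF set; sender is told and can adapt.
      'blackholed'       - too big with DF set and the ICMP reply is filtered,
                           so the sender retransmits forever and sees a hang.
    """
    if packet_len <= largest_inner_packet(link_mtu):
        return "delivered"
    if not df:
        return "delivered"   # router fragments the inner packet instead
    return "icmp-frag-needed" if icmp_allowed else "blackholed"


def diagnose(link_mtu: int, sender_mtu: int, icmp_allowed: bool) -> dict:
    """Outcome of the two traffic types from the thread: a small ping and a
    bulk TCP transfer (SMB, HTTP image) that sends full-MTU segments with DF."""
    ping_len = 84                      # constructed: 64-byte ICMP payload + IP header
    return {
        "ping": cross_tunnel(ping_len, link_mtu, df=False, icmp_allowed=icmp_allowed),
        "bulk": cross_tunnel(sender_mtu, link_mtu, df=True, icmp_allowed=icmp_allowed),
    }


if __name__ == "__main__":
    mtu = 1500
    print("largest inner packet:", largest_inner_packet(mtu))
    print("recommended TCP MSS: ", recommended_tcp_mss(mtu))
    print("default MTU, ICMP filtered:", diagnose(mtu, 1500, icmp_allowed=False))
    print("default MTU, ICMP allowed: ", diagnose(mtu, 1500, icmp_allowed=True))
    print("sender MTU lowered:        ", diagnose(mtu, largest_inner_packet(mtu), icmp_allowed=False))
```

Running it shows the thread's symptom set: with a 1500-byte link the tunnel can carry at most a 1446-byte inner packet, so pings and short HTML pages pass while full-size segments carrying images or SMB data are dropped whenever the ICMP fragmentation-needed reply is lost. Lowering the MTU, as the original poster did, or clamping TCP MSS on the tunnel (RouterOS has a mangle action for this) removes the dependency on that ICMP message altogether.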