Hello everyone. This is my first post on this forum and I'm sure that it's not the last one.
I have one small problem that I would need your assistance with.
I'm trying to set up an IPSec tunnel between three sites. The topology will look more or less like this: OFFICE (192.168.1.0/24) --> AZURE (10.0.0.0/24) --> AWS (172.31.0.0/16), with a MikroTik router in the office and Barracuda NG Firewalls in Azure and AWS.
An IPSec tunnel was created between the Office and Azure, and a Barracuda proprietary Tina tunnel was set up between Azure and AWS.
At the moment I can ping: Office -> Azure and Azure -> AWS. I can't ping from Office to AWS, which is the main goal of this project.
I suspected that the MikroTik router might have some problems with handling multiple remote subnets over one tunnel, so I've created another tunnel between Office and AWS, but I can't ping across it... All necessary Firewall/NAT rules have been specified and I can see that the tunnel itself is up and there are installed SAs, but there is no traffic passing through.
It's very strange for me that I can't add IPSec as an interface... I've noticed a lot of people complaining about it; it's very annoying. That would sort out the problem, because in my opinion there has to be a problem in the routing table.
IPSec Configuration
Policy
1 T ;;; Link To Azure Barracuda
group=Azure src-address=192.168.1.0/24 dst-address=10.0.0.0/24
protocol=all proposal=Barracuda (Azure) template=yes
2 T ;;; To AWS Main Route
group=AWS src-address=192.168.1.0/24 dst-address=172.31.0.0/16
protocol=all proposal=Barracuda (AWS) template=yes
Peers
1 ;;; Azure Barracuda
;;; Unsafe configuration, suggestion to use certificates
address=104.45.83.128/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxxxxxxxxxx"
generate-policy=port-strict policy-template-group=Azure
exchange-mode=aggressive send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=md5 enc-algorithm=des
dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=5
2 ;;; AWS Barracuda
;;; Unsafe configuration, suggestion to use certificates
address=54.173.188.169/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxxxxxxxxx"
generate-policy=port-strict policy-template-group=AWS
exchange-mode=aggressive send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=md5 enc-algorithm=des
dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=5
The rest of the config related to IPSec is quite standard, but I can provide it as well.
A small peek at the routing table
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 77.107.87.1 1
1 A S 10.0.0.0/24 WAN 1
2 ADC 77.107.87.0/26 77.107.87.15 WAN 0
3 A S 172.31.0.0/16 WAN 1
4 ADC 192.168.1.0/24 192.168.1.1 bridge-local 0
I would really appreciate your quick answer and suggestions.
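Two checks on the configuration pasted above, as an added example that is not part of the post or of RouterOS: an audit of the printed peer settings that RouterOS itself labels "Unsafe configuration" (DES, MD5, modp1024, aggressive mode, DPD off) and a lookup of which posted policy selector covers a given source/destination pair. The peer text is a constructed copy of the printout with secrets redacted; the key=value parsing and the list of flagged values are my assumptions about the print format.

```python
import ipaddress
import re
# Constructed sample in RouterOS print format: the post's two peers,
# secrets redacted and lines not needed for the audit dropped.
PEER_PRINT = """\
1 ;;; Azure Barracuda
address=104.45.83.128/32 auth-method=pre-shared-key secret="REDACTED"
exchange-mode=aggressive hash-algorithm=md5 enc-algorithm=des
dh-group=modp1024 dpd-interval=disable-dpd
2 ;;; AWS Barracuda
address=54.173.188.169/32 auth-method=pre-shared-key secret="REDACTED"
exchange-mode=aggressive hash-algorithm=md5 enc-algorithm=des
dh-group=modp1024 dpd-interval=disable-dpd
"""
# The post's two policy selectors (src, dst); first match wins.
POLICIES = [
    ("Link To Azure Barracuda", "192.168.1.0/24", "10.0.0.0/24"),
    ("To AWS Main Route", "192.168.1.0/24", "172.31.0.0/16"),
]
# Peer settings a reviewer would flag, with the reason and a safer value.
WEAK = {
    "enc-algorithm": {"des": "56-bit DES is brute-forceable; use aes-256"},
    "hash-algorithm": {"md5": "MD5 is broken; use sha256"},
    "dh-group": {"modp1024": "1024-bit DH is below the 2048-bit floor"},
    "exchange-mode": {"aggressive": "aggressive mode sends the PSK-derived hash in the clear"},
    "dpd-interval": {"disable-dpd": "without DPD stale SAs outlive a failed peer"},
}
def parse_peers(text):
    """Turn `/ip ipsec peer print` style text into a list of dicts."""
    peers = []
    for line in text.splitlines():
        head = re.match(r"^\d+\s+;;;\s*(.*)$", line)
        if head:
            peers.append({"name": head.group(1)})
        elif peers and not line.startswith(";;;"):  # skip RouterOS comment lines
            for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
                peers[-1][k] = v.strip('"')
    return peers

def audit(peer):
    # One "key=value: reason" finding per weak setting present on the peer.
    return [f"{k}={peer[k]}: {bad[peer[k]]}"
            for k, bad in WEAK.items() if peer.get(k) in bad]

def matching_policy(src, dst):
    # Name of the first policy whose selector covers src->dst, or None.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net in POLICIES:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return name
    return None
```

Running `audit()` over each peer from `parse_peers(PEER_PRINT)` lists the five weak settings per peer; `matching_policy()` shows which selector, if any, a flow such as 192.168.1.10 -> 172.31.5.5 falls under.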