iluvar
November 11, 2012, 11:20am
1
Hi!
I try create IPSec Tunnel between two Mikrotik 5.21 (MT1 and MT2) in test lab Oracle VirtualBox, but i cant see any udp500 or ipsec-esp traffic
0 10.0.0.1/24 10.0.0.0 ether2 wan
[MT2] > ip address print
0 10.0.0.2/24 10.0.0.0 ether2 wan
[MT1] > ip route print
0 ADC 10.0.0.0/24 10.0.0.1 ether2 wan 0
[MT2] > ip route print
0 ADC 10.0.0.0/24 10.0.0.2 ether2 wan 0
[MT1] > ip firewall nat print
[MT2] > ip firewall nat print
[MT2] > ip ipsec policy print
[MT1] > ip ipsec peer print
[MT2] > ip ipsec peer print
iluvar
November 11, 2012, 11:25am
2
P. S. All interfaces in virtual box are internal (private “wan”, “lan1”, “lan2”)
The tunnels wont establist unless there is traffic flowing which needs the tunnels.
For example, do a ping from MK2 like this:
Send initial contact means if the mikrotik is to establish a tunnel if its not established yet. Basicly it controls which side of the tunnel is allowed to establish it. Usefull when one side has a dynamic IP.
iluvar
November 11, 2012, 11:55am
4
tomaskir:
The tunnels wont establist unless there is traffic flowing which needs the tunnels.
For example, do a ping from MK2 like this:
Send initial contact means if the mikrotik is to establish a tunnel if its not established yet. Basicly it controls which side of the tunnel is allowed to establish it. Usefull when one side has a dynamic IP.
tomaskir, big tnx!
[MT2] > ping address=192.168.1.1 interface=“ether2 wan”
iluvar
November 11, 2012, 1:25pm
5
I was wrong, sorry
[admin@MT2] > ping address=192.168.1.1 interface=“ether1 lan2”
Now i see peers and installed SA`s, but cant ping other subnet
Delete the SAs on both sides, see if it re-negotiates properly again and works after that.
Also, turning on DPD with reasonable values will help this. Like 5 sec and 2 failures.
iluvar
November 11, 2012, 1:41pm
7
tomaskir:
Delete the SAs on both sides, see if it re-negotiates properly again and works after that.
Also, turning on DPD with reasonable values will help this. Like 5 sec and 2 failures.
I do it, but nothing.
May be need create routes to 192.168.1.0/24 and 192.168.2.0/24? Then through which gateway?
mixig
November 11, 2012, 2:37pm
8
create static route on each mkt for remote network, or put default route (your wan interface), right now your router doesn t know where to send packet for remote network (in routing table you have only directly connected networks)
mixig:
create static route on each mkt for remote network, or put default route (your wan interface), right now your router doesn t know where to send packet for remote network (in routing table you have only directly connected networks)
You do NOT need routes when using Policy based IPSec.
Look at the packet flow, the router internally resolves where to send packets for policy based IPSec.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Did new SAs get negotiated and ping doesnt work, or did it not negotiate new SAs?
iluvar
November 11, 2012, 3:01pm
10
New SAs get negotiated and ping doesnt work
But in firewall connection i see unreplied icmp-packets
[MT2] > ip firewall connection print
0 SA udp 10.0.0.1:500 10.0.0.2:500 2m58s
iluvar
November 11, 2012, 3:06pm
11
[MT1] > ip firewall connection print
0 icmp 192.168.2.2 192.168.1.1 7m47s
You said it worked in the first post. What have you done since then?
Have you tried disabling policy and peer on both routers and then enabling them again?
iluvar
November 11, 2012, 3:50pm
13
In first post i ping from wan interface (directly connected to second router) and ping working.
Yes, i do it
iluvar
November 11, 2012, 4:54pm
14
I have created two host machine in subnets
[PC1] 192.168.1.11
[PC2] 192.168.2.22
a ping from them
[PC2] > tool traceroute 192.168.1.1
1 192.168.2.2 1ms 1ms 1ms network unreach…
[PC2] > ping 192.168.1.1
[PC2] > ping 192.168.1.11
And SA`s didnt created on Mikrotiks, remote peers also were clear
Please post whole “/export compact” from both Mikrotiks.
iluvar
November 11, 2012, 7:16pm
16
[admin@MT1] > export compact
# nov/11/2012 19:14:40 by RouterOS 5.21
# software id = LNA6-2PWP
#
/interface ethernet
set 0 name="ether1 lan1"
set 1 arp=proxy-arp name="ether2 wan"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=\
owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.0.1/24 interface="ether2 wan"
add address=192.168.1.1/24 interface="ether1 lan1"
/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=input
add chain=forward
add chain=output
/ip firewall nat
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface="ether2 wan"
/ip ipsec peer
add address=10.0.0.2/32 dpd-interval=5s dpd-maximum-failures=2 nat-traversal=yes secret=Qwer1234
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=10.0.0.2 sa-src-address=10.0.0.1 src-address=192.168.1.0/24 tunnel=yes
/ip neighbor discovery
set "ether1 lan1" disabled=yes
set "ether2 wan" disabled=yes
#error
#error
#error
/system identity
set name=MT1
[admin@MT2] > export compact
# nov/11/2012 19:15:13 by RouterOS 5.21
# software id = KDKA-N3RK
#
/interface ethernet
set 0 name="ether1 lan2"
set 1 arp=proxy-arp name="ether2 wan"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=\
owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.0.2/24 interface="ether2 wan"
add address=192.168.2.2/24 interface="ether1 lan2"
/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=related
add chain=forward connection-state=established
add chain=input
add chain=output
add chain=forward
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface="ether2 wan"
/ip ipsec peer
add address=10.0.0.1/32 dpd-interval=5s dpd-maximum-failures=2 nat-traversal=yes secret=Qwer1234
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=192.168.2.0/24 tunnel=yes
/ip neighbor discovery
set "ether1 lan2" disabled=yes
set "ether2 wan" disabled=yes
#error
#error
#error
/system identity
set name=MT2
Turn OFF proxy-arp and NAT traversal.
I would reccomend restarting the routers after turning off those, to clear all caches (arp table, SAs, etc)
Other then that, the config is fine. I would guess proxy arp was causing the issues.
iluvar
November 11, 2012, 8:03pm
18
tomaskir:
Turn OFF proxy-arp and NAT traversal.
I would reccomend restarting the routers after turning off those, to clear all caches (arp table, SAs, etc)
Nothing has changed
[admin@MT1] > export compact
file hide-sensitive
[admin@MT1] > export compact
# nov/11/2012 20:01:52 by RouterOS 5.21
# software id = LNA6-2PWP
#
/interface ethernet
set 0 name="ether1 lan1"
set 1 name="ether2 wan"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=\
owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.0.1/24 interface="ether2 wan"
add address=192.168.1.1/24 interface="ether1 lan1"
/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=input
add chain=forward
add chain=output
/ip firewall nat
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface="ether2 wan"
/ip ipsec peer
add address=10.0.0.2/32 dpd-interval=5s dpd-maximum-failures=2 secret=Qwer1234
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=10.0.0.2 sa-src-address=10.0.0.1 src-address=192.168.1.0/24 tunnel=yes
/ip neighbor discovery
set "ether1 lan1" disabled=yes
set "ether2 wan" disabled=yes
#error
#error
#error
/system identity
set name=MT1
[admin@MT2] > export compact
# nov/11/2012 20:02:26 by RouterOS 5.21
# software id = KDKA-N3RK
#
/interface ethernet
set 0 name="ether1 lan2"
set 1 name="ether2 wan"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=\
owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.0.2/24 interface="ether2 wan"
add address=192.168.2.2/24 interface="ether1 lan2"
/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=related
add chain=forward connection-state=established
add chain=input
add chain=output
add chain=forward
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface="ether2 wan"
/ip ipsec peer
add address=10.0.0.1/32 dpd-interval=5s dpd-maximum-failures=2 secret=Qwer1234
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=192.168.2.0/24 tunnel=yes
/ip neighbor discovery
set "ether1 lan2" disabled=yes
set "ether2 wan" disabled=yes
#error
#error
#error
/system identity
set name=MT2
One more thing you need. You are getting network unreachable ICMP from the routers. How to solve this: as I mentioned before, you dont need routes to oposite side subnets, however, you do need a default route. According to the packet flow diagram, a routing decision is before the IPSec Policy lookup. That is why you are getting ICMP network unreachable, because at the time of a routing decision, packets destined for the other subnet are discarded. Add a default route, it doesnt really have to work, it just needs to be there. At the time of IPSec policy, the packets will be routed properly internally by the router. We need the default route just so the packets are not discarded during the routing decision.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
iluvar
November 12, 2012, 3:13am
20
tomaskir:
One more thing you need. You are getting network unreachable ICMP from the routers. How to solve this: as I mentioned before, you dont need routes to oposite side subnets, however, you do need a default route. According to the packet flow diagram, a routing decision is before the IPSec Policy lookup. That is why you are getting ICMP network unreachable, because at the time of a routing decision, packets destined for the other subnet are discarded. Add a default route, it doesnt really have to work, it just needs to be there. At the time of IPSec policy, the packets will be routed properly internally by the router. We need the default route just so the packets are not discarded during the routing decision.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
May be add provider router?
[admin@Provider] > export compact
# nov/12/2012 03:11:54 by RouterOS 5.21
# software id = 2984-3G6F
#
/interface ethernet
set 0 name="ether1 wan2"
set 1 name="ether2 wan1"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=\
owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.1.254/24 interface="ether2 wan1"
add address=10.0.2.254/24 interface="ether1 wan2"
/system identity
set name=Provider
[admin@MT1] > export compact
# nov/12/2012 03:12:18 by RouterOS 5.21
# software id = LNA6-2PWP
#
/interface ethernet
set 0 name="ether1 lan1"
set 1 name="ether2 wan1"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=\
owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.1.1/24 interface="ether2 wan1"
add address=192.168.1.1/24 interface="ether1 lan1"
/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=input
add chain=forward
add chain=output
/ip firewall nat
add chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface="ether2 wan1"
/ip ipsec peer
add address=10.0.2.2/32 dpd-interval=5s dpd-maximum-failures=2 secret=Qwer1234
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=10.0.2.2 sa-src-address=10.0.1.1 src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.1.254
#error
#error
#error
/system identity
set name=MT1
[admin@MT2] > export compact
# nov/12/2012 03:12:35 by RouterOS 5.21
# software id = KDKA-N3RK
#
/interface ethernet
set 0 name="ether1 lan2"
set 1 name="ether2 wan2"
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=10.0.2.2/24 interface="ether2 wan2"
add address=192.168.2.2/24 interface="ether1 lan2"
/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=related
add chain=forward connection-state=established
add chain=input
add chain=output
add chain=forward
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface="ether2 wan2"
/ip ipsec peer
add address=10.0.1.1/32 dpd-interval=5s dpd-maximum-failures=2 secret=\
Qwer1234
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=10.0.1.1 sa-src-address=\
10.0.2.2 src-address=192.168.2.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.0.2.254
#error
#error
#error
/system identity
set name=MT2