vpn ipsec lan2lan behind nat

balves · March 23, 2017, 2:35pm

Hi, I have this setup, 2 mikrotik routers and i can’t make the vpn between work at 100%

I can make the vpn start but only ping the router not the network.

From Casapai

[admin@MikroTik] > ping 172.10.9.200
SEQ HOST SIZE TTL TIME STATUS
0 172.10.9.200 56 64 1ms
1 172.10.9.200 56 64 1ms
2 172.10.9.200 56 64 3ms
sent=3 received=3 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=3ms
[admin@MikroTik] > ping 172.30.7.254
SEQ HOST SIZE TTL TIME STATUS
0 172.30.7.254 timeout
1 172.30.7.254 timeout
2 172.30.7.254 timeout
sent=3 received=0 packet-loss=100%

From balves

[admin@MikroTik] > ping 172.10.9.254
SEQ HOST SIZE TTL TIME STATUS
0 172.10.9.254 56 64 17ms
1 172.10.9.254 56 64 12ms
sent=2 received=2 packet-loss=0% min-rtt=12ms avg-rtt=14ms max-rtt=17ms

[admin@MikroTik] > ping 172.10.9.200
SEQ HOST SIZE TTL TIME STATUS
0 172.10.9.200 timeout
1 172.10.9.200 timeout
sent=2 received=0 packet-loss=100%

This is my setup!

Mikrotik balves

[admin@MikroTik] /ip ipsec> peer print 
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; Unsafe configuration, suggestion to use certificates 
       address=213.***.***.150/32 auth-method=pre-shared-key secret="***********" generate-policy=no policy-template-group=default exchange-mode=aggressive 
       send-initial-contact=yes nat-traversal=yes my-id=user-fqdn proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d 
       dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

 [admin@MikroTik] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  IA  src-address=172.30.7.0/24 src-port=any dst-address=172.10.9.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 
       sa-dst-address=213.***.***.150 proposal=default priority=0 ph2-count=1

[admin@MikroTik] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=172.30.7.0/24 dst-address=172.10.9.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=172.30.7.0/24 log=no log-prefix="" 

 2 XI  chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=172.30.7.0/24 dst-address=172.10.9.0/24 log=no log-prefix="" 

 3    chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.254 log=no log-prefix=""

Mikrotik casapai

[admin@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; Unsafe configuration, suggestion to use certificates
       address=89.***.***.146/32 auth-method=pre-shared-key secret="**********" generate-policy=no policy-template-group=default exchange-mode=aggressive 
       send-initial-contact=yes nat-traversal=yes my-id=user-fqdn proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d 
       dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

[admin@MikroTik] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=172.10.9.0/24 src-port=any dst-address=172.30.7.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
       sa-src-address=0.0.0.0 sa-dst-address=89.***.***.146 proposal=default priority=0 ph2-count=1

[admin@MikroTik] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=172.10.9.0/24 dst-address=172.30.7.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=172.10.9.0/24 log=no log-prefix="" 

 2 XI  chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=172.10.9.0/24 dst-address=172.30.7.0/24 log=no log-prefix="" 

 3    chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=192.168.1.250 dst-address=172.10.9.0/24 log=no log-prefix="" 

 4    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 5    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix="" 
[admin@MikroTik] /ip firewall>

What I’m doing wrong? Can any one help me?

Thanks in advance!

eine · March 24, 2017, 10:58am

Please say a little more about you network connections (what type, medium, is there NAT or firewall).

balves · March 24, 2017, 11:08am

About the network i have on both sides isp routers with full nat “dmz” to Mikrotik wan ip.

balves · March 28, 2017, 7:36am

Anyone know what the problem is?

matiaszon · March 28, 2017, 2:49pm

First of all - are they really connected?

/ip ipsec installed-sa print

Mask your public IPs if you don’t want to show them.

Then, I can’t see your firewall filters

/ip firewall filter export hide-sensitive

balves · March 29, 2017, 8:33am

As you requested, here is the print

BALVES

[admin@MikroTik] >> /ip ipsec  installed-sa print                 
Flags: A - AH, E - ESP 
 0 E spi=0xAF03FC src-address=89.***.***.146:4500 dst-address=192.168.1.250:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="20d26e204f4d9a5dab334a****e456936ceef5f" enc-key="2be94eee23e2726623d9*****ce3c3bd89976ef9f8f9cd35" add-lifetime=24m/30m replay=128 

 1 E spi=0xCCFDFAC src-address=192.168.1.250:4500 dst-address=89.***.***.146:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="4200e504fe8f0****d30553633aba50d55e2a414" enc-key="47cea4031e187****8630d96bd3f04d61f09886f70c98a08" add-lifetime=24m/30m replay=128

[admin@MikroTik] > /ip firewall filter export hide-sensitive
# mar/29/2017 09:31:39 by RouterOS 6.38.5
# software id = L4I8-PDXH
#
/ip firewall filter
add action=accept chain=input connection-state=new disabled=yes in-interface=ether1-gateway
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8728 protocol=tcp
add action=accept chain=input connection-state=new dst-port=500 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500 protocol=udp
add action=accept chain=input connection-state=new dst-port=1701 protocol=udp
add action=accept chain=input connection-state="" protocol=ipsec-esp
add action=accept chain=input connection-state="" src-address=172.10.9.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=drop chain=forward comment="default configuration" connection-state=invalid

CASAPAI

	 
[admin@MikroTik] > /ip ipsec  installed-sa print                                                                                                                            
Flags: A - AH, E - ESP 
 0 E spi=0x45E3027 src-address=213.***.***.150:4500 dst-address=192.168.7.222:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="cf02d1e5439a3*****1477d84f8c668a751e3b7f" enc-key="5179de1945f23****fa0778e079a2650c00dac493929f998" add-lifetime=24m/30m replay=128 

 1 E spi=0x7F5B1E3 src-address=192.168.7.222:4500 dst-address=213.***.***.150:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="086cb64e7f62a769081e****04126960b07763f9" enc-key="4e6c2d2e978b79171248****7ffe812f8d3d4387f6c3dad6" add-lifetime=24m/30m replay=128

[admin@MikroTik] >> /ip firewall filter export hide-sensitive        
# mar/29/2017 09:23:46 by RouterOS 6.38.5
# software id = 3JHK-4KKC
#
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8728 protocol=tcp
add action=accept chain=input dst-port=500 protocol=tcp
add action=accept chain=input dst-port=4500 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

matiaszon · March 29, 2017, 2:05pm

One more thing I forgot to ask:

/ip address export

balves · March 29, 2017, 3:22pm

BALVES

[admin@MikroTik] > /ip address export
# mar/29/2017 16:27:29 by RouterOS 6.38.5
# software id = L4I8-PDXH
#
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=bridge-local network=192.168.88.0
add address=192.168.7.222/24 comment="Rede NOS - Antiga rede casa" interface=ether1-gateway network=192.168.7.0
add address=172.30.7.254/24 comment="Rede Casa" interface=ether2-master-local network=172.30.7.0
add address=10.20.30.1/24 comment="hotspot network" interface=wlan3 network=10.20.30.0

CASAPAI

[admin@MikroTik] > /ip address export
# mar/29/2017 16:20:43 by RouterOS 6.38.5
# software id = 3JHK-4KKC
#
/ip address
add address=172.10.9.254/24 comment=defconf interface=ether2-master network=172.10.9.0
add address=192.168.1.250/24 interface=ether1 network=192.168.1.0

matiaszon · March 29, 2017, 9:38pm

There is something inconsistent between your pic and IP addresses (can’t find any 192.168.1.0/24 network on the pic in casapai), but OK, I know which routers are mikrotik, and assume, that you want to have an access from balves, which LAN range is 172.30.7.0/24 to casapai, which LAN range is 172.10.9.0/24 and of course in other direction.

First of all, I assume, that your both mikrotiks are routing the traffic, and and the other routers on the pic above them are forwarding all traffic to them. If so, I think that you need to add 2 rules in each of your filter firewall.

In balves:

/ip firewall filter add chain=forward src-address=172.30.7.0/24 dst-address=172.10.9.0/24 action=accept place-before=0
/ip firewall filter add chain=forward src-address=172.10.9.0/24 dst-address=172.30.7.0/24 action=accept place-before=1

In casapai

/ip firewall filter add chain=forward src-address=172.10.9.0/24 dst-address=172.30.7.0/24 action=accept place-before=0
/ip firewall filter add chain=forward src-address=172.30.7.0/24 dst-address=172.10.9.0/24 action=accept place-before=1

I know the 2nd line may look strange, but in my case, when they were not added, I could ping all devices on both sides, but for example couldn’t get to remote desktop on Windows SQL Server. It was opening very, very slowly, or not opening at all. After adding the 2nd line on both mikrotiks it works like a charm,

balves · March 31, 2017, 7:34am

That work,

Thanks for your help, but now one thing is happen, i can’t ping from router to other network, but from network to network i can.

I think is something related with the snat (i think the ip is going with the wan ip and not with the lan ip, or is not going truth vpn). how can i monitor all the traffic, like snort or ngrep on linux servers?

matiaszon · March 31, 2017, 12:02pm

Try to ping using proper interface. It probably tries to use “WAN” interface.

ping remote_ip_LAN interface=your_local_LAN_interface

You can also define in routes which gateway to use to communicate with the other network.

balves · March 31, 2017, 1:13pm

Thanks, but i solve the problem, just create a new rule on firewall

on BALVES

chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.254 log=no log-prefix=""

On Casapai

 0    chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=192.168.1.250 dst-address=172.30.7.0/24 log=no log-prefix=""

Thanks for your help!

idlemind · April 2, 2017, 6:21pm

balves:

Thanks, but i solve the problem, just create a new rule on firewall

on BALVES

chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.254 log=no log-prefix=""

On Casapai

 0    chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=192.168.1.250 dst-address=172.30.7.0/24 log=no log-prefix=""

Thanks for your help!

So you’re NAT’ing in RFC1918 space. Seems like an extremely unnecessary step. Use GRE wrapped in IPSec and route packets instead of NAT’ing them.

balves · April 4, 2017, 11:16am

Hi, Can you tell me how can i do that?

I try to do like this https://www.manitonetworks.com/mikrotik/2016/3/5/gre-over-ipsec-tunnels, but have always the same error

CasaPai GRE transmit loop detected, downing interface for 60 seconds