mrkylewood

Problem with site to site vpn on mikrotik.

Fri Feb 24, 2017 3:22 am

I have a client that needs an IPsec tunnel. My side is a MikroTik router and the other side is a pfSense device. The tunnel comes up, but he cannot ping my devices. I've created a NAT exemption rule for our subnets. I'm at a loss; this is my first IPsec config on a MikroTik.

Here is the sanitized config.


# feb/23/2017 20:15:56 by RouterOS 6.37rc34
# software id = PDLM-0JM1
#
/interface bridge
add admin-mac=E4:8D:8C:4F:8B:CB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=auto mode=\
ap-bridge ssid="MD Medical Back" wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=XXXXXX \
wpa2-pre-shared-key=XXXXX
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=8h
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf
add bridge=bridge interface=wlan1
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=\
192.168.1.0
add address=12.218.118.X/29 interface=ether1 network=12.218.118.X
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="winbox remote" dst-port=8291 protocol=\
tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.254.0/25 src-address=\
192.168.1.0/25
add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.2 to-ports=2222
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=68.187.14.X/32 enc-algorithm=3des hash-algorithm=md5 \
local-address=0.0.0.0 nat-traversal=no secret=mdmed2medtec!
/ip ipsec policy
add dst-address=172.16.254.0/25 sa-dst-address=68.187.14.X sa-src-address=\
12.218.118.X src-address=192.168.1.0/25 tunnel=yes
/ip route
add distance=1 gateway=12.218.118.9
/system clock
set time-zone-name=America/New_York
/system identity
set name=MDMedical
/system logging
add topics=ipsec
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
Sob

Re: Problem with site to site vpn on mikrotik.

Fri Feb 24, 2017 5:19 pm

You drop incoming connections from WAN (unless they are dstnatted) with this rule:
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
But traffic from the IPsec tunnel also appears as coming from WAN (ether1), and it's not dstnatted, so you need to allow it (put it before the drop rule):
/ip firewall filter
add action=accept chain=forward in-interface=ether1 ipsec-policy=in,ipsec
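The fix in the reply above, written out as a complete RouterOS 6.x fragment with the checks to run afterwards. This is an added example, not from either post; it assumes the default-config rule comments in the posted export are still present on the router (the `find` lookups resolve against them), and the comment on the new rule is my own. The point is the `ipsec-policy=in,ipsec` matcher: it is what tells the firewall "this packet came out of an IPsec SA" as opposed to plain traffic arriving on ether1, so the rule can stay narrow instead of opening the whole WAN interface.

```routeros
# Added example (not from the thread). Accept decrypted IPsec traffic in the
# forward chain ahead of the default "drop all from WAN not DSTNATed" rule.
# Assumes the defconf rule comments from the posted export are unchanged.
/ip firewall filter
add action=accept chain=forward comment="allow decrypted IPsec traffic" \
    in-interface=ether1 ipsec-policy=in,ipsec \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Rule order matters in both chains: the srcnat accept for 192.168.1.0/25 ->
# 172.16.254.0/25 must stay above masquerade, otherwise the source would be
# rewritten to the WAN address, no longer match the policy's src-address, and
# the packet would leave unencrypted. Confirm the order and that the new
# filter rule sits above the drop rule.
/ip firewall nat print where chain=srcnat
/ip firewall filter print where chain=forward

# After the pfSense side pings again: hit counters on the new rule should
# increase, the SAs should be installed, and the ipsec log topic (already
# enabled in the posted config) should show the phase 1/phase 2 exchange.
/ip firewall filter print stats where chain=forward
/ip ipsec installed-sa print
/ip ipsec policy print where dynamic=no
/log print where topics~"ipsec"
```

One caveat the thread does not cover: the posted config also has the default fasttrack rule, and MikroTik's IPsec documentation excludes policy-matched traffic from fasttrack (two fasttrack rules carrying `ipsec-policy=out,none` and `ipsec-policy=in,none`). If the first ping works but established sessions through the tunnel misbehave, check that separately.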
 
IPANetEngineer

Re: Problem with site to site vpn on mikrotik.

Fri Feb 24, 2017 6:08 pm

Also turn on logging for IPsec in case you have other issues or mismatches. That way you can post the log here and get some help with any settings that don't match up.
