F1le
just joined
Topic Author
Posts: 16
Joined: Tue Nov 21, 2017 1:35 am

IPSec GRE Tunnel and lack of response of some hosts  [SOLVED]

Tue Nov 21, 2017 1:52 am

I needed to link 2 networks, mostly because of a NAS which is located at one site (both routers are RB962). The tunnel seems to work fine; I bypassed NAT for the local networks, so it looks like this:

[Image: network diagram of the two sites and the GRE tunnel; not preserved]

And I've got a couple of noobie questions:

1/ Can I leave only IPsec and remove the tunnel altogether?
2/ How can I check if the current GRE tunnel is encrypted with IPsec?
3/ My nightmare:

I have no idea why, but on 10.0.1.250/24 I have 4 access points with static IPs. I am not able to reach those 4 access points from 192.168.0.1/24. I'm not able to assign them addresses via DHCP (they require a static IP in Access Point mode), but it's also curious, as I have my computer running on a static IP too, 10.0.1.252, which I can easily reach from 192.168.0.1/24. All hosts from 192.168.0.1/24 are visible from 10.0.1.250/24.

That's too much for me; I was removing tunnels, trying with the firewall, etc., but no chance to reach those 4 access points (10.0.1.251, 10.0.1.249, 10.0.1.248, 10.0.1.247) from 192.168.0.1/24.
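For reference, here is a minimal RouterOS configuration of the setup described in this post, together with the checks that answer question 2. This is an added illustration, not the poster's configuration (the thread's screenshots are not preserved). The GRE addresses 172.16.1.1/172.16.1.2 and the two LAN subnets are taken from the thread; the public endpoint addresses 203.0.113.1 and 198.51.100.1, the /30 on the tunnel, the interface names `ether1` and `bridge`, and the use of the `ipsec-secret` parameter on the GRE interface (RouterOS 6.x, which creates the IPsec peer and a policy for protocol 47 between the two endpoints for you) are assumptions.

```routeros
# Left router (site A, LAN 192.168.0.0/24, GRE 172.16.1.1).
# Assumed: WAN on ether1 with 203.0.113.1, LAN on "bridge".
/interface gre add name=gre-siteB local-address=203.0.113.1 remote-address=198.51.100.1 ipsec-secret=ChangeMeToALongRandomSecret
/ip address add address=172.16.1.1/30 interface=gre-siteB
# Route to the remote LAN through the tunnel (static here; OSPF over gre-siteB works as well)
/ip route add dst-address=10.0.1.0/24 gateway=172.16.1.2
# Keep site-to-site traffic out of the masquerade rule: this accept rule must sit above it
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=10.0.1.0/24 action=accept place-before=0 comment="site-to-site: no NAT"
# (existing rule, for reference) /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Right router (site B, LAN 10.0.1.0/24, GRE 172.16.1.2): the mirror image.
# Assumed: WAN on ether1 with 198.51.100.1.
/interface gre add name=gre-siteA local-address=198.51.100.1 remote-address=203.0.113.1 ipsec-secret=ChangeMeToALongRandomSecret
/ip address add address=172.16.1.2/30 interface=gre-siteA
/ip route add dst-address=192.168.0.0/24 gateway=172.16.1.1
/ip firewall nat add chain=srcnat src-address=10.0.1.0/24 dst-address=192.168.0.0/24 action=accept place-before=0 comment="site-to-site: no NAT"

# Checks (run on either router) for "is the GRE actually encrypted?"
# 1. A policy for protocol gre between the two public addresses must exist and be established.
/ip ipsec policy print
# 2. Security associations must be installed in both directions (ESP, between 203.0.113.1 and 198.51.100.1).
/ip ipsec installed-sa print
# 3. While a ping runs through the tunnel, the WAN must carry ESP (IP protocol 50), not bare GRE (47).
#    The first sniffer shows packets; the second must stay empty. Any GRE seen here is plaintext on the wire.
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
/tool sniffer quick interface=ether1 ip-protocol=gre
```

Note that a GRE interface with no IPsec policy covering it carries both LANs' traffic in cleartext across the internet, so the sniffer check is the one worth repeating after any IPsec change. On question 1: policy-based IPsec in tunnel mode between the two LAN subnets would carry the traffic without GRE, but it gives you no interface to attach routes or OSPF to, which the later posts in this thread show is in use.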
 
F1le

Re: IPSec GRE Tunnel and lack of response of some hosts

Tue Nov 21, 2017 11:38 am

I found the issue was caused by 3 APs with a /24 netmask and static IP addresses (they are routers, so they can't get an IP address via DHCP):
10.0.1.251
10.0.1.248
10.0.1.249

They can't be accessed from 192.168.0.1/24, as all addresses from the different sites bypass NAT.

I can change the current 192.168.0.1/24 addresses to 10.0.2.0/24 and force those 3 IP addresses to use a wider netmask, and probably it will start to work, but I'm very curious how to force those 3 IP addresses to work. Probably I need to NAT before I reach them; can anybody help me with what type of firewall rules I need to make them available from 192.168.0.1/24?
 
pe1chl
Forum Guru
Posts: 7048
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec GRE Tunnel and lack of response of some hosts

Tue Nov 21, 2017 11:46 am

Your approach with the GRE tunnel is good, but you forgot to set routes to the network on the other side.
So you need to add a route to 10.0.1.0/24 via 172.16.1.2 at the left router, and a route to 192.168.0.0/24 via 172.16.1.1 at the right router.
 
F1le

Re: IPSec GRE Tunnel and lack of response of some hosts

Tue Nov 21, 2017 4:01 pm

This is how it looks, my static route. That's from the 10.0.1.250/24 / 172.16.1.2 side. I think the last entry in the static route is what you're talking about:

pe1chl wrote:
> Your approach with the GRE tunnel is good, but you forgot to set routes to the network on the other side.
> So you need to add a route to 10.0.1.0/24 via 172.16.1.2 at the left router, and a route to 192.168.0.0/24 via 172.16.1.1 at the right router.

[Image: route table of the 172.16.1.2 side; not preserved]

Anything to add? I just can't access 3 IP addresses in the 10.0.1.250/24 network. I suppose they are static IPs fixed with a 255.255.255.0 subnet mask, and packets that flow towards this 10.0.1.250/24 network from 192.168.0.1/24 are not NATed, so I assume those 3 IP addresses see that packets from outside their subnet want to access them, and they do not respond.

This is how I think it looks and what I'm trying to fix. Probably I can set 10.0.2.0/24 IP addresses instead of 192.168.0.1/24 so I can have 2 networks with:

10.0.1.0/24
10.0.2.0/24

and if I could set a 255.255.0.0 mask all should work, but I'm just guessing, and I'm curious how to fix this current problem without changing the IP range at one site.
 
pe1chl

Re: IPSec GRE Tunnel and lack of response of some hosts

Tue Nov 21, 2017 4:37 pm

OK, you use OSPF to set the routes. Is it OK at the other side as well?
It may be frustrating but it is not possible to debug such things via a forum. You need to understand routing, sit at the controls, and see what is going wrong.
But normally it would work, I have many routers in operation like that.
 
F1le

Re: IPSec GRE Tunnel and lack of response of some hosts

Tue Nov 21, 2017 5:03 pm

Second site:

[Image: route table of the second site; not preserved]

Routes are OK. I think if I had the possibility to change those 3 access points' IP addresses to DHCP, or to set gateways on them, it would have solved the problem, but this is the problem I need to deal with. I think I need to cheat those 3 IPs and create NAT for all traffic from the second network to those 3 addresses, and that's the problem. I can't do it and am looking for help.
 
F1le

Re: IPSec GRE Tunnel and lack of response of some hosts

Tue Nov 21, 2017 7:02 pm

OK, solved. I love it when I solve a problem by myself, as it's my 3rd day with MikroTik :)

I added a NAT rule and it worked out, so traffic destined to the 3 IP addresses 10.0.1.251, 10.0.1.248, 10.0.1.249 is NATed:

Based on 1 IP, 10.0.1.251 (I'll create a list with the exceptions):

Bypass NAT:
[Image: srcnat accept rule for site-to-site traffic; not preserved]
with an exception:
[Image: the same rule with 10.0.1.251 excluded from the destination; not preserved]
and accept:
[Image: action tab, action=accept; not preserved]

Now NAT this nasty 10.0.1.251 address:
[Image: srcnat rule matching destination 10.0.1.251; not preserved]
[Image: action tab of that rule; not preserved]

DONE, all works fine!
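The fix described in this last post, written out as RouterOS commands. This is an added reconstruction and not the poster's own rules (the screenshots are not preserved). It assumes the translation is done on the router at the 10.0.1.0/24 site, which is the only place where the translated source can be an address the gateway-less APs are able to answer; that this router's LAN interface is called `bridge` and holds 10.0.1.250; that the tunnel interface is `gre-siteA`; and that the usual WAN masquerade rule already exists. The address list name `aps-no-gateway` is made up for the example. The reasoning: the three APs have a /24 mask and no default gateway, so a packet from 192.168.0.x reaches them over the tunnel but their reply has no route off the subnet. Source-NATing only that traffic to 10.0.1.250 makes the AP reply to the router, which reverses the translation and sends the reply back through the tunnel.

```routeros
# Right router (the site with the APs). Assumed: LAN "bridge" with 10.0.1.250/24, tunnel "gre-siteA".

# 1. The APs that cannot answer off-subnet sources (static /24, no gateway); the post lists three.
/ip firewall address-list add list=aps-no-gateway address=10.0.1.251
/ip firewall address-list add list=aps-no-gateway address=10.0.1.248
/ip firewall address-list add list=aps-no-gateway address=10.0.1.249

# 2. Site-to-site traffic bypasses NAT, except when it is heading to one of the listed APs.
#    (This is the "bypass with an exception" rule from the post, with the exception as a negated list.)
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=10.0.1.0/24 dst-address-list=!aps-no-gateway action=accept comment="site-to-site: no NAT"
#    Mirror rule for connections started from this side.
/ip firewall nat add chain=srcnat src-address=10.0.1.0/24 dst-address=192.168.0.0/24 action=accept comment="site-to-site: no NAT"

# 3. Traffic from the far LAN to the listed APs leaves the LAN interface as if it came from 10.0.1.250.
#    The AP replies to the router, and the connection tracking entry maps the reply back to 192.168.0.x.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address-list=aps-no-gateway out-interface=bridge action=src-nat to-addresses=10.0.1.250 comment="hide far LAN from gateway-less APs"

# 4. Ordering check: rules 2 and 3 must come before the WAN masquerade rule.
/ip firewall nat print
#    If the masquerade rule is still above them, move it down (indexes as shown by print):
#    /ip firewall nat move 0 3

# 5. Verify: ping 10.0.1.251 from a 192.168.0.x host, then watch the src-nat rule's counters grow.
/ip firewall nat print stats
```

Two caveats when keeping this in production: the APs will now log every far-site login as coming from 10.0.1.250, so their own access logs no longer tell you which remote host connected (restrict the far-site source with a tighter `src-address` or a `dst-port` match if the APs are only ever managed from a few hosts), and the list should contain only the devices that genuinely lack a gateway, because every address on it silently loses end-to-end source visibility.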
