pacen
just joined
Topic Author
Posts: 2
Joined: Thu Nov 23, 2017 10:40 am

Connect to LAN behind mikrotik router over ipsec

Thu Nov 23, 2017 11:25 am

Hello.

I am new to Mikrotik so please do not burn me too much. :)

I have a problem with connection to a LAN that is behind a Mikrotik router.
The connection works between our HQ and the dislocated Mikrotik network over IPsec.
Example 1:
HQ(192.168.10.0/24)<==ipsec==>Mikrotik LAN(192.168.80.0/24)

- This layout works.

It does not work between another dislocated unit and the Mikrotik network.
Example 2:
Dislocated unit(192.168.9.0/24) <==ipsec==> HQ(192.168.10.0/24) <==ipsec==> Mikrotik LAN(192.168.80.0/24)

- This does not work. I cannot get a connection from 192.168.9.0/24 to 192.168.80.0/24.
- We have other installations with the exact same layout that do not use Mikrotik, and they work.

Mikrotik firewall configuration:

[admin@MikroTik] >>ip firewall filter print   
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 
 1    chain=input action=accept protocol=udp port=500 log=no log-prefix="" 
 2    chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix="" 
 3    chain=input action=accept protocol=tcp log=no log-prefix="" 
 4    chain=output action=accept out-interface-list=all log=no log-prefix="" 
 5    chain=input action=accept log=no log-prefix="" 
 6    chain=forward action=accept log=no log-prefix="" 


[admin@MikroTik] >> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade log=no log-prefix=""
 1    chain=srcnat action=accept out-interface=lte1 log=no log-prefix=""
 2    chain=srcnat action=accept log=no log-prefix=""
 3    chain=srcnat action=accept src-address=192.168.80.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
 4 X  chain=srcnat action=accept src-address=10.212.134.0/24 dst-address=192.168.80.0/24 log=no log-prefix=""
 5    chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.80.0/24 log=no log-prefix=""

Mikrotik IPsec configuration:

[admin@MikroTik] >> ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=192.168.80.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=222.222.222.222 sa-dst-address=111.111.111.111 proposal=proposal1 priority=0 
       ph2-count=1 
       
[admin@MikroTik] >> ip ipsec peer print 
Flags: X - disabled, D - dynamic, R - responder 
 0     address=111.111.111.111/32 auth-method=pre-shared-key secret="SomeRandonPSK" generate-policy=no policy-template-group=default 
       exchange-mode=main send-initial-contact=no nat-traversal=yes proposal-check=claim hash-algorithm=sha1 enc-algorithm=3des 
       dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
       
[admin@MikroTik] >> ip ipsec proposal print
Flags: X - disabled, * - default 
 0 X* name="default" auth-algorithms=sha512 enc-algorithms=aes-192-cbc,des lifetime=1h pfs-group=modp1024 

 1    name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none

Any help would be appreciated.

Best regards
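As an added illustration (not from the poster or from MikroTik), a small Python check of which LAN-to-LAN flows the active policy on the posted router actually covers, using the policy and subnets from the post above. On a policy-based IPsec tunnel a packet that matches no encrypt policy is simply forwarded in the clear by the normal routing table, so selector coverage of 192.168.9.0/24 (here and on the peers) is one thing to verify alongside the routing tables the replies ask for.

```python
import ipaddress

# Active IPsec policy from the thread's "ip ipsec policy print" (policy 0 is the
# disabled template and is omitted); values copied from the post, not constructed.
ACTIVE_POLICIES = [
    {"src": "192.168.80.0/24", "dst": "192.168.10.0/24", "action": "encrypt",
     "sa-src": "222.222.222.222", "sa-dst": "111.111.111.111"},
]

# The three LANs named in the thread.
MIKROTIK_LAN = "192.168.80.0/24"
HQ_LAN = "192.168.10.0/24"
UNIT_LAN = "192.168.9.0/24"


def matching_policy(src_ip, dst_ip, policies=ACTIVE_POLICIES):
    """Return the first policy whose selectors cover this packet (outbound from the
    MikroTik LAN), or None if no policy matches and the packet is routed in clear."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for pol in policies:
        if src in ipaddress.ip_network(pol["src"]) and dst in ipaddress.ip_network(pol["dst"]):
            return pol
    return None


def uncovered_remotes(local_net, remote_nets, policies=ACTIVE_POLICIES):
    """List the remote networks for which the whole local_net -> remote_net flow is
    not covered by an encrypt policy; that traffic leaves via the default route."""
    local = ipaddress.ip_network(local_net)
    missing = []
    for remote in remote_nets:
        rnet = ipaddress.ip_network(remote)
        covered = any(
            p["action"] == "encrypt"
            and local.subnet_of(ipaddress.ip_network(p["src"]))
            and rnet.subnet_of(ipaddress.ip_network(p["dst"]))
            for p in policies
        )
        if not covered:
            missing.append(remote)
    return missing


if __name__ == "__main__":
    print(matching_policy("192.168.80.10", "192.168.10.10"))    # the working case
    print(matching_policy("192.168.80.10", "192.168.9.10"))     # None: no policy
    print(uncovered_remotes(MIKROTIK_LAN, [HQ_LAN, UNIT_LAN]))  # ['192.168.9.0/24']
```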
 
F1le
just joined
Posts: 16
Joined: Tue Nov 21, 2017 1:35 am

Re: Connect to LAN behind mikrotik router over ipsec

Sat Nov 25, 2017 7:03 pm

And from 80 to 9 you can get the response?
 
blajah
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Connect to LAN behind mikrotik router over ipsec

Sat Nov 25, 2017 9:33 pm

Show us routing tables on both sides. I assume your routers do not know where the remote networks are, so they are sending traffic via default routes.
I have bigger routing table.
 
pacen
just joined
Topic Author
Posts: 2
Joined: Thu Nov 23, 2017 10:40 am

Re: Connect to LAN behind mikrotik router over ipsec

Fri Jan 19, 2018 12:03 pm

Hello,

Sorry for the long time to reply. Things were crazy.

Here is my routing table on my Mikrotik:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC          GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                             222.222.222.223    1
 1 ADC  222.222.222.222/30  222.222.222.224   lte1               0
 2 ADC  192.168.80.0/24     192.168.80.1      bridge             0
Maybe the distance of route no. 1 should be 0, but the GUI does not let me enter a zero.

Best regards
 
acruhl
Member
Posts: 368
Joined: Fri Jul 03, 2015 7:22 pm

Re: Connect to LAN behind mikrotik router over ipsec

Fri Jan 19, 2018 3:40 pm

Show us routing tables on both sides. I assume your routers do not know where the remote networks are, so they are sending traffic via default routes.
+1

Start simple. You're assuming this might be IPsec, but there's no proof that routing is working. Has it ever worked?

What you showed us doesn't line up with your original example, so we don't know what router this is. Not only that, we need to see routes on all routers.

Start with that. Do traceroutes to see where packets are going, if anywhere.

This setup looks too complicated to me, but I might be missing something. I do transport mode IPsec between public IP addresses, then route over GRE tunnels. It's very simple and clean, with much less to go wrong. It's just simple IP routing.
Stuff.
