flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

IPSEC Issues

Wed Jun 27, 2018 1:53 pm

Hey guys,


I have been having trouble the past few days trying to set up an IPsec VPN to a remote location; somebody might be able to point me in the right direction.
I can get the IPsec connection to establish on phase 2 and can ping the remote server from the MikroTik device itself, but not from my PC's command prompt using ping.

Setup
IPSEC is setup on an CPE SXT Lite5 ac (mipsbe),
Static public IP address on the pppoe-out1 interface
Dhcp network is 192.168.0.0/24 running on ether1
My PC is on the ether1 and is direct into the CPE itself.
Internet works fine until I enable the IPSEC VPN and then I have no connection.

I can disable the default route 0.0.0.0/0 gateway pppoe-out1 and the IPsec connection will still establish, and I can still ping the remote server from the CPE but not from the PC, as I added a gateway route to the remote server.

Is there a rule missing to route the traffic from ether1 out through the tunnel?

Router firewall rules

Package version is V6.42.4

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add chain=input comment="IPSec ESP" protocol=ipsec-esp
add chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=pppoe-out1 log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=accept chain=input comment="Allow DNS for trusted network" dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=accept chain=input comment="Allow DNS for trusted network" dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="Allow local network" src-address=192.168.0.0/24
add action=drop chain=input connection-state=new dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=pppoe-out1 protocol=tcp

/ip firewall nat
add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0
add action=masquerade chain=srcnat out-interface=pppoe-out1



Thanks in advance
 
Anumrak
Forum Guru
Posts: 1051
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPSEC Issues

Wed Jun 27, 2018 3:16 pm

Can the remote server ping its IPsec gateway or the PC behind the Tik?
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Wed Jun 27, 2018 3:48 pm

Hi Anumrak,

The remote side admin told me that an extra firewall policy or route might be needed so traffic from PCs on the LAN can pass through the IPsec tunnel.


Thanks
 
tippenring
Member Candidate
Posts: 179
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: IPSEC Issues

Wed Jun 27, 2018 4:52 pm


> /ip firewall nat
> add action=accept chain=srcnat protocol=udp src-port=500,4500 place-before=0
> add action=masquerade chain=srcnat out-interface=pppoe-out1

It sure looks like you're NATing the traffic that would be destined for the remote network. You need an accept rule to prevent NAT from happening on that traffic.

add action=accept chain=srcnat dst-address-list=non-routable src-address=10.10.6.0/24
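As an added example (not from the thread, and not tippenring's own configuration), the following shows one way to apply that advice on flynno's router: an accept rule placed above the masquerade rule so LAN traffic for the remote network keeps its source address and can match the IPsec policy, plus the commands to confirm it is actually matching. It assumes the network behind the IPsec peer is 10.10.6.0/24, borrowed from tippenring's rule purely as a placeholder; the LAN prefix 192.168.0.0/24, pppoe-out1 and the "defconf: fasttrack" comment come from the config posted above.

```routeros
# Added example, not from the thread. 10.10.6.0/24 is a placeholder for the
# network behind the IPsec peer; replace it with the real remote prefix.
/ip firewall address-list
add list=ipsec-remote address=10.10.6.0/24 comment="network behind the IPsec peer (placeholder)"

# srcnat is first-match: the accept must sit above the masquerade rule,
# otherwise LAN packets for the remote network are rewritten to the public
# address before the IPsec policy selectors are checked.
/ip firewall nat
add chain=srcnat action=accept comment="no NAT for traffic into the IPsec tunnel" \
    src-address=192.168.0.0/24 dst-address-list=ipsec-remote place-before=0

# Fasttracked connections bypass IPsec policy processing, which is why the
# default configuration accepts policy traffic ahead of the fasttrack rule.
# The posted config has the "in" rule but not the matching "out" rule.
/ip firewall filter
add chain=forward action=accept comment="accept out ipsec policy" ipsec-policy=out,ipsec \
    place-before=[find comment="defconf: fasttrack"]

# Checks: while pinging the remote host from the PC, the accept rule's
# packet counter and the installed SA byte counters should both increase.
/ip firewall nat print stats
/ip ipsec installed-sa print
/ip ipsec policy print
```

If the accept counter stays at zero while the masquerade counter grows, the rule order or the address list is wrong; if the accept counter grows but the SA counters do not, the packets are leaving the NAT chain untranslated but still not matching the policy selectors.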
 
Anumrak
Forum Guru
Posts: 1051
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPSEC Issues

Wed Jun 27, 2018 5:05 pm

I managed an L2TP/IPsec server, so there is no need for an accept NAT rule. Just try to ping the Tik IPsec gateway from the remote server and then try to ping your PC behind the Tik in the LAN. Also you have to be sure that the remote server has a static route to your LAN via the IPsec gateway IP.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Thu Jun 28, 2018 3:32 am

The admin said everything is in order at their end and they can see my pings hitting the webserver from the MikroTik router, but I can't ping from my PC or reach the webserver via browser.

VPN requirements:
Route-based VPNs are the standard VPN build, i.e. not policy-based VPNs. VPN selectors should be 0.0.0.0/0.0.0.0.
It is recommended to use public IP addressing instead to ensure no IP addressing conflict occurs with:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Private Lan

Public IP to Public Internet >> VPN Gateway >> Webportal
 
Anumrak
Forum Guru
Posts: 1051
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPSEC Issues

Thu Jun 28, 2018 10:55 am

> The admin said everything is in order at their end and they can see my pings hitting the webserver from the MikroTik router, but I can't ping from my PC or reach the webserver via browser.
>
> VPN requirements:
> Route-based VPNs are the standard VPN build, i.e. not policy-based VPNs. VPN selectors should be 0.0.0.0/0.0.0.0.
> It is recommended to use public IP addressing instead to ensure no IP addressing conflict occurs with:
>
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
> Private Lan
>
> Public IP to Public Internet >> VPN Gateway >> Webportal

Perhaps the firewall on the PC blocks ICMP replies.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Thu Jun 28, 2018 6:56 pm

When the IPsec tunnel is established, I have no internet on the PC that I am trying to ping from, so I guess I can't actually ping anything or even browse to the remote webserver.

When I disable the IPsec tunnel, internet returns to normal.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Fri Jun 29, 2018 1:14 am

Note: It is recommended that the IPsec address is NATed to public IP addressing.

My nat rules
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 action=src-nat to-addresses=x.x.x.x out-interface=pppoe-out1
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 action=src-nat to-addresses=x.x.x.x
/ip firewall nat add chain=dstnat dst-address=x.x.x.x action=dst-nat to-addresses=192.168.0.0/24

x.x.x.x is my public IP address above

I tried my laptop and it is the same as the PC: can't ping or browse to the webserver.
Turned off the firewall on the PC and enabled ICMP ping.

Command prompt on Windows to enable ICMP:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Fri Jun 29, 2018 4:19 pm

> I managed an L2TP/IPsec server, so there is no need for an accept NAT rule. Just try to ping the Tik IPsec gateway from the remote server and then try to ping your PC behind the Tik in the LAN. Also you have to be sure that the remote server has a static route to your LAN via the IPsec gateway IP.

Hi Anumrak,

When IPsec is enabled, I can't ping my PC from the Tik device.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Sat Jun 30, 2018 12:38 am

Is it correct to have 0.0.0.0/0 in Src. Address and 0.0.0.0/0 in Dst. Address? Looking at the wiki guides, the local private network address and the remote private network address should be used.
I wasn't given a remote private network address to use, and the tunnel won't establish unless 0.0.0.0/0 in Src. Address and 0.0.0.0/0 in Dst. Address is used.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: IPSEC Issues

Sat Jun 30, 2018 7:29 pm

Does anyone have any experience with solving this problem? The remote end's equipment is a Fortigate.

Is Mikrotik compatible with Fortigate?
