Community discussions

 
kryssperer
just joined
Topic Author
Posts: 1
Joined: Thu Sep 05, 2019 9:07 pm

IPSec problems - traffic isn't flowing

Fri Sep 06, 2019 1:02 pm

Hi everyone! I'm trying to bridge two networks using IPSEC for my first time.
Setup is: CCR1 (192.168.4.1/24) is in the office, ruvds (192.168.8.1/24) is in datacenter.

IPSEC ph1 and ph2 seemingly go through, however no traffic is flowing.
Src-nat rules are present (as it's the most common rules from what i gather).
What am i doing wrong?

here's config from datacenter router

Code: Select all

/interface ethernet
set [ find default-name=ether1 ] comment=WAN disable-running-check=no
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address="wan ip of office router"/32 name=cu-office
/ip address
add address="wan ip of datacenter router"/24 interface=ether1 network="network ip of datacenter router"
add address=192.168.8.1/24 interface=ether2 network=192.168.8.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall address-list
add address=x.x.x.x list="trusted external IPs"

/ip firewall filter
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=drop chain=forward comment="Drop invalid connections through router" \
connection-state=invalid
add action=accept chain=input comment="winbox trusted ips" connection-state=\
established,related,new dst-port=8291 in-interface=ether1 protocol=tcp \
src-address-list="trusted external IPs"
add action=accept chain=forward comment=\
"Allow established connections through router" connection-state=established
add action=accept chain=forward comment=\
"Allow related connections through router" connection-state=related
add action=drop chain=forward comment=\
"Drop all other connections through the router" in-interface=ether1 \
src-address-list="!trusted external IPs"
add action=accept chain=input comment="Allow established connections to the rou\
ter, these are OK because we aren't allowing new connections" \
connection-state=established
add action=accept chain=input comment="Allow related connections to the router, \
these are OK because we aren't allowing new connections" connection-state=\
related
add action=accept chain=input comment="Allow Everything From LAN" in-interface=\
ether2
add action=drop chain=input comment="Drop everything else to the router"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=\
192.168.8.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=cu-office
/ip ipsec policy
add dst-address=192.168.4.0/24 sa-dst-address="wan ip of office router" sa-src-address=\
"wan ip of datacenter router" src-address=192.168.8.0/24 tunnel=yes
/ip route
add check-gateway=arp distance=1 gateway="gateway of dc router"


Here's config from the office router

Code: Select all

/interface bridge
add comment="LAN Bridge" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] comment="ISP 1" speed=100Mbps
set [ find default-name=ether2 ] comment="ISP 2" speed=100Mbps
set [ find default-name=ether3 ] comment="To Core 1" speed=100Mbps
set [ find default-name=ether4 ] comment="To Core2" speed=100Mbps
set [ find default-name=ether5 ] comment="To unifi" speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=10M-full,100M-full,1000M-full

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address="wan ip of datacenter router"/32 name=ruvds-mkr

/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether3
/ip address
add address="wan ip of office router"/30 interface=ether2 network="network of office router"
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.3.1/24 interface=ether6 network=192.168.3.0



/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.4.221,192.168.5.1 domain=\
centerurban.com gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,62.112.106.130

/ip firewall filter
add action=accept chain=input protocol=ipsec-ah src-address="wan ip of datacenter router"
add action=accept chain=input protocol=ipsec-esp src-address="wan ip of datacenter router"
add action=accept chain=input port=500 protocol=udp src-address="wan ip of datacenter router"
add action=accept chain=input port=4500 protocol=udp src-address="wan ip of datacenter router"
add action=accept chain=input comment="winbox trusted ips" connection-state=\
established,related,new dst-port=8291 in-interface=ether2 protocol=tcp \
src-address-list="trusted external IPs"
add action=drop chain=forward comment="Drop invalid connections through router" \
connection-state=invalid
add action=accept chain=input comment="winbox trusted ips" connection-state=\
established,related,new dst-port=8291 in-interface=ether1 protocol=tcp \
src-address-list="trusted external IPs"
add action=accept chain=forward comment=\
"Allow established connections through router" connection-state=established
add action=drop chain=forward comment=\
"Drop all other connections through the router" in-interface=ether2 \
src-address-list="!trusted external IPs"
add action=accept chain=forward comment=\
"Allow related connections through router" connection-state=related
add action=drop chain=forward comment=\
"Drop all other connections through the router" in-interface=ether1 \
src-address-list="!trusted external IPs"
add action=accept chain=input comment=\
"Allow everything from the LAN interface to the router" in-interface=\
bridge1
add action=accept chain=input comment="Allow established connections to the rou\
ter, these are OK because we aren't allowing new connections" \
connection-state=established
add action=accept chain=input comment="Allow related connections to the router, \
these are OK because we aren't allowing new connections" connection-state=\
related
add action=drop chain=input comment="Drop everything else to the router"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.8.0/24 src-address=\
192.168.4.0/24
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="forward ssh to nix1 from trusted" \
dst-address="wan ip of office router" dst-port=22 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.228 to-ports=22
add action=dst-nat chain=dstnat comment="forward zabbix to nix1 from trusted" \
dst-address="wan ip of office router" dst-port=10051 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.228 to-ports=10051
add action=dst-nat chain=dstnat comment="forward zabbix to nix1 from trusted" \
dst-address="wan ip of office router" dst-port=10050 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.228 to-ports=10050
add action=dst-nat chain=dstnat comment=\
"forward uni controller's WI to dc1 from trusted" dst-address=\
"wan ip of office router" dst-port=8443 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.221
add action=dst-nat chain=dstnat comment="forward esxi1 WI from trusted" \
dst-address="wan ip of office router" dst-port=443 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.3.251
add action=dst-nat chain=dstnat comment="forward RDP to dc1 from trusted" \
dst-address="wan ip of office router" dst-port=3389 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.221
/ip ipsec identity
add peer=ruvds-mkr
/ip ipsec policy
add dst-address=192.168.8.0/24 peer=ruvds-mkr sa-dst-address="wan ip of datacenter router" \
sa-src-address=0.0.0.0 src-address=192.168.4.0/24 tunnel=yes
/ip route
add distance=1 gateway="gateway of office router"
Any help and advice are greatly appriciated.
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: No registered users and 28 guests