Page 1 of 1

IPSec problems - traffic isn't flowing

Posted: Fri Sep 06, 2019 1:02 pm
by kryssperer
Hi everyone! I'm trying to bridge two networks using IPSEC for my first time.
Setup is: CCR1 (192.168.4.1/24) is in the office, ruvds (192.168.8.1/24) is in datacenter.

IPSEC ph1 and ph2 seemingly go through, however no traffic is flowing.
Src-nat rules are present (as it's the most common rules from what i gather).
What am i doing wrong?

here's config from datacenter router

Code: Select all

/interface ethernet
set [ find default-name=ether1 ] comment=WAN disable-running-check=no
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address="wan ip of office router"/32 name=cu-office
/ip address
add address="wan ip of datacenter router"/24 interface=ether1 network="network ip of datacenter router"
add address=192.168.8.1/24 interface=ether2 network=192.168.8.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall address-list
add address=x.x.x.x list="trusted external IPs"

/ip firewall filter
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=drop chain=forward comment="Drop invalid connections through router" \
connection-state=invalid
add action=accept chain=input comment="winbox trusted ips" connection-state=\
established,related,new dst-port=8291 in-interface=ether1 protocol=tcp \
src-address-list="trusted external IPs"
add action=accept chain=forward comment=\
"Allow established connections through router" connection-state=established
add action=accept chain=forward comment=\
"Allow related connections through router" connection-state=related
add action=drop chain=forward comment=\
"Drop all other connections through the router" in-interface=ether1 \
src-address-list="!trusted external IPs"
add action=accept chain=input comment="Allow established connections to the rou\
ter, these are OK because we aren't allowing new connections" \
connection-state=established
add action=accept chain=input comment="Allow related connections to the router, \
these are OK because we aren't allowing new connections" connection-state=\
related
add action=accept chain=input comment="Allow Everything From LAN" in-interface=\
ether2
add action=drop chain=input comment="Drop everything else to the router"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=\
192.168.8.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=cu-office
/ip ipsec policy
add dst-address=192.168.4.0/24 sa-dst-address="wan ip of office router" sa-src-address=\
"wan ip of datacenter router" src-address=192.168.8.0/24 tunnel=yes
/ip route
add check-gateway=arp distance=1 gateway="gateway of dc router"


Here's config from the office router

Code: Select all

/interface bridge
add comment="LAN Bridge" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] comment="ISP 1" speed=100Mbps
set [ find default-name=ether2 ] comment="ISP 2" speed=100Mbps
set [ find default-name=ether3 ] comment="To Core 1" speed=100Mbps
set [ find default-name=ether4 ] comment="To Core2" speed=100Mbps
set [ find default-name=ether5 ] comment="To unifi" speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=10M-full,100M-full,1000M-full

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address="wan ip of datacenter router"/32 name=ruvds-mkr

/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether3
/ip address
add address="wan ip of office router"/30 interface=ether2 network="network of office router"
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.3.1/24 interface=ether6 network=192.168.3.0



/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.4.221,192.168.5.1 domain=\
centerurban.com gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,62.112.106.130

/ip firewall filter
add action=accept chain=input protocol=ipsec-ah src-address="wan ip of datacenter router"
add action=accept chain=input protocol=ipsec-esp src-address="wan ip of datacenter router"
add action=accept chain=input port=500 protocol=udp src-address="wan ip of datacenter router"
add action=accept chain=input port=4500 protocol=udp src-address="wan ip of datacenter router"
add action=accept chain=input comment="winbox trusted ips" connection-state=\
established,related,new dst-port=8291 in-interface=ether2 protocol=tcp \
src-address-list="trusted external IPs"
add action=drop chain=forward comment="Drop invalid connections through router" \
connection-state=invalid
add action=accept chain=input comment="winbox trusted ips" connection-state=\
established,related,new dst-port=8291 in-interface=ether1 protocol=tcp \
src-address-list="trusted external IPs"
add action=accept chain=forward comment=\
"Allow established connections through router" connection-state=established
add action=drop chain=forward comment=\
"Drop all other connections through the router" in-interface=ether2 \
src-address-list="!trusted external IPs"
add action=accept chain=forward comment=\
"Allow related connections through router" connection-state=related
add action=drop chain=forward comment=\
"Drop all other connections through the router" in-interface=ether1 \
src-address-list="!trusted external IPs"
add action=accept chain=input comment=\
"Allow everything from the LAN interface to the router" in-interface=\
bridge1
add action=accept chain=input comment="Allow established connections to the rou\
ter, these are OK because we aren't allowing new connections" \
connection-state=established
add action=accept chain=input comment="Allow related connections to the router, \
these are OK because we aren't allowing new connections" connection-state=\
related
add action=drop chain=input comment="Drop everything else to the router"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.8.0/24 src-address=\
192.168.4.0/24
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="forward ssh to nix1 from trusted" \
dst-address="wan ip of office router" dst-port=22 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.228 to-ports=22
add action=dst-nat chain=dstnat comment="forward zabbix to nix1 from trusted" \
dst-address="wan ip of office router" dst-port=10051 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.228 to-ports=10051
add action=dst-nat chain=dstnat comment="forward zabbix to nix1 from trusted" \
dst-address="wan ip of office router" dst-port=10050 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.228 to-ports=10050
add action=dst-nat chain=dstnat comment=\
"forward uni controller's WI to dc1 from trusted" dst-address=\
"wan ip of office router" dst-port=8443 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.221
add action=dst-nat chain=dstnat comment="forward esxi1 WI from trusted" \
dst-address="wan ip of office router" dst-port=443 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.3.251
add action=dst-nat chain=dstnat comment="forward RDP to dc1 from trusted" \
dst-address="wan ip of office router" dst-port=3389 protocol=tcp src-address-list=\
"trusted external IPs" to-addresses=192.168.4.221
/ip ipsec identity
add peer=ruvds-mkr
/ip ipsec policy
add dst-address=192.168.8.0/24 peer=ruvds-mkr sa-dst-address="wan ip of datacenter router" \
sa-src-address=0.0.0.0 src-address=192.168.4.0/24 tunnel=yes
/ip route
add distance=1 gateway="gateway of office router"
Any help and advice are greatly appriciated.