
hEX VPN client to site (Shrew) established connection but no traffic

Posted: Thu Feb 04, 2021 7:25 pm
by Pantomas
Hi,
I set up a VPN site to client connection using Shrew VPN as the client:
    /ip ipsec profile
    add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=phase1 nat-traversal=no
    /ip ipsec peer
    add name=VPN passive=yes profile=phase1
    /ip ipsec proposal
    add enc-algorithms=3des name=phase2
    /ip ipsec identity
    add generate-policy=port-override peer=VPN secret=123
    /ip ipsec policy
    set 0 proposal=phase2
Shrew VPN config:
    n:version:4
    s:network-host:xxx.xxx.xxx.xxx ### VPN SERVER ADDRESS ###
    n:network-ike-port:500
    s:client-auto-mode:pull
    n:network-mtu-size:1380
    s:client-iface:direct
    n:client-addr-auto:1
    s:network-natt-mode:disable
    n:network-natt-port:4500
    n:network-natt-rate:15
    s:network-frag-mode:disable
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:1
    n:network-notify-enable:1
    n:client-dns-used:0
    n:client-dns-auto:1
    n:client-dns-suffix-auto:1
    n:client-splitdns-used:1
    n:client-splitdns-auto:1
    n:client-wins-used:0
    n:client-wins-auto:1
    s:auth-method:mutual-psk
    s:ident-client-type:address
    s:ident-server-type:any
    b:auth-mutual-psk:123
    s:phase1-exchange:main
    n:phase1-dhgroup:2
    s:phase1-cipher:3des
    s:phase1-hash:md5
    n:phase1-life-secs:86400
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    s:phase2-transform:esp-3des
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:2
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    s:policy-level:require
    n:policy-nailed:1
    n:policy-list-auto:0
    s:policy-list-include:192.168.100.0 / 255.255.255.0

VPN connection established, Shrew informs that "tunnel enabled", policy generator working ...
    [admin@MikroTik] /ip ipsec policy> print
    Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default

     #      PEER   TUNNEL   SRC-ADDRESS          DST-ADDRESS          PROTOCOL   ACTION  LEVEL    PH2-COUNT
     0 T  *                 ::/0                ::/0                  all       
     1   DA  VPN     yes    192.168.100.0/24    10.83.88.30/32        all        encrypt unique    1
srcnat with masquerade
    /ip firewall nat
    add action=masquerade chain=srcnat
... but no traffic. I can't ping any host from subnet 192.168.100.0/24
Help me!!! Please!!!

Re: hEX VPN client to site (Shrew) established connection but no traffic

Posted: Mon Feb 08, 2021 9:35 pm
by pukkita
    /ip firewall nat
    add action=masquerade chain=srcnat
There lies your problem.

You should apply such masquerade/srcnat only to your WAN interface(s). Your router is basically srcnatting everything, i.e. changing source address of any and all connections traversing the router forward chain.

This causes unpredictable behaviour and higher (and not needed at all) load.

Best practice:

1.- Go to Interfaces, Interface list, and create a WAN Interface list, then add your WAN interface(s) to it.
2.- Then modify NAT to specify only traffic exiting by these interfaces shall have NAT applied:
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN
    
almost there...

3.- IPSec "routes" by policies. If the router NATs IPSec connections, policies won't work... so any IPSec traffic shall be "opted out" of such srcnat.

To avoid NAT messing with IPSec traffic exiting via WAN interfaces, you can use the default config that comes with ROS:
    /ip firewall nat
    add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
    
where ipsec-policy=out,none means the rule won't apply to any connections for which an IPSec policy is in place.

After this, you must either reboot the router to clean the connection tracking table, or do so manually, i.e. go to Ip > Firewall Connections tab, select all, delete.

Tip: ROS Default config firewall contains sane defaults for any firewall; you can see Default config for your router, including firewall section, by executing
    /system default-configuration print
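
A small audit script that checks the points made in this reply against a RouterOS NAT export. This is an added example, not code from the thread or from MikroTik; the export text is constructed from the three rules shown above, and the checks (an srcnat rule must be limited to an out-interface or out-interface-list, and must carry ipsec-policy=out,none) are exactly the two fixes described here. It does not account for rule order or for other NAT chains.

```python
import shlex

# Constructed sample in the style of "/ip firewall nat export":
# the original poster's rule, the first fix, and the final fix.
SAMPLE_NAT_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
"""


def parse_nat_rules(export_text):
    """Return one dict per 'add ...' line, keyed by RouterOS option name."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the section header and blank lines
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit_srcnat_rule(rule):
    """List the problems this reply would flag for a single srcnat rule."""
    problems = []
    if rule.get("chain") != "srcnat" or rule.get("action") not in ("masquerade", "src-nat"):
        return problems  # only source-NAT rules are in scope
    if not (rule.get("out-interface") or rule.get("out-interface-list")):
        problems.append("no out-interface/out-interface-list: NATs every forwarded connection")
    if rule.get("ipsec-policy") != "out,none":
        problems.append("missing ipsec-policy=out,none: IPsec policy traffic gets srcnatted")
    return problems


def audit_nat_export(export_text):
    """Map each rule's 1-based index to its problem list (empty list = clean)."""
    return {i: audit_srcnat_rule(r) for i, r in enumerate(parse_nat_rules(export_text), 1)}


if __name__ == "__main__":
    for idx, problems in audit_nat_export(SAMPLE_NAT_EXPORT).items():
        print(f"rule {idx}: " + ("; ".join(problems) if problems else "OK"))
```

Run it against the output of `/ip firewall nat export` from your own router to see which srcnat rules still match IPsec traffic.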

Re: hEX VPN client to site (Shrew) established connection but no traffic

Posted: Tue Feb 09, 2021 12:47 pm
by Pantomas
Thanks for the suggestions but unfortunately after their introduction there is no improvement. In desperate action, I set up another VPN client, Thegreenbow, but that didn't change anything. Still no traffic between subnets :-(