ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 8:23 am

Hi all,

I have been struggling for days to get working what sounds like a very easy thing to do: set up a MikroTik-to-MikroTik IPsec connection ("relocation home" to "home" connection).
On one side I have a 450G and on the other I have a 1100AH.

I did look through the wiki and the online videos from Greg Sowell, but my setup seems to have something else in place that prevents the IPsec connection from working properly. The link establishes nicely (no error) but then I am not able to get any traffic moving through it.

Looking at the ipsec debug messages I just see nothing strange, no error reported anywhere but my pings all timeout ...
When pinging and looking at the ipsec->Installed SAs screen at the same time in winbox, I see traffic going out on one link but never coming back, and this is true when looking at both sites ... Proposals are the same on both sides and again the link itself establishes perfectly well ...

Does anybody have any clue which tool I could use to debug this setup? :-(

Thanks !!!
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 12:02 pm

 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 1:56 pm

yes :-( I followed all instructions from http://gregsowell.com/?p=1290

I am desperate ... :(
 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 2:02 pm

In fact I just noticed something strange that may help to guess the source of the issue:
I mentioned in my message that connections establish properly with no errors. Actually this is only "partially" true ... If I kill all connections and try to establish a connection from the 450G to the 1100AH (for example trying to ping the remote subnet), the connection fails to establish ... But if I do the exact opposite (trigger the connection by pinging the remote subnet from the 1100AH), the connection does establish successfully ...
In both cases I cannot get the ping to go through, but strange enough for my poor network understanding ...
 
dison4linux
just joined
Posts: 18
Joined: Fri Apr 13, 2012 4:26 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 5:45 pm

The biggest "gotcha" that I experienced when I first set up my MikroTik-to-MikroTik IPsec tunnel was generating the "interesting" traffic.
As you said, the configuration of the IPsec tunnel is pretty straightforward: 2 tabs in IP>IPsec and the masquerade bypass.
Then when I went into Tools>Ping, at first I didn't realize that the "from" interface had to be set to the LAN interface of that router.
Also, I didn't realize that you had to do that from both routers... It makes sense now since traffic has to flow in both directions.

The on-going problem that I have is that the tunnel will "drop" and the only way to bring it back up again is to do the pings again.
My dirty workaround is to schedule the pings to be sent from each side. For now, 5 pings every 30 minutes is doing the trick.
 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 6:02 pm

Unfortunately (for me) I did it already. Tried using the LAN interface, the local bridge, and even machines connected on the local network, but always the same behavior :-(
Not sure what you mean by "you had to do that from both routers"?
Thanks for trying to help! Tried again for 30 min tonight on any potential idea and still no luck :-(
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Thu Apr 26, 2012 6:05 pm

When pinging you have to specify not the interface but the source address of the local network.

And you don't have to ping from both sides, only from one side, if src and dst addresses are correct in the ICMP packet. One is the initiator and the other router is the responder. In cases when the initiator goes down (power outage), pinging from the responder side may not bring the tunnel back; you need to flush SAs and then re-establish the tunnel.
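The scheduled-ping workaround described a few posts up and the "flush SAs, then re-establish" recovery described here can be combined into one RouterOS scheduler job. This is an added example, not code from the thread or from MikroTik; it assumes a script run on the initiator, whose LAN address is 192.168.6.1 and whose remote LAN gateway is 192.168.7.1 (both are constructed sample values), and it uses `/ip ipsec installed-sa flush`, which exists in RouterOS v5 and v6. Paste the script body into a script named `ipsec-keepalive` and schedule it with the last line:

```routeros
# Script body for /system script "ipsec-keepalive" (added example, sample addresses).
# Ping from the LAN source address so the packet matches the IPsec policy selector
# (src 192.168.6.0/24 -> dst 192.168.7.0/24) and counts as "interesting" traffic.
:local remoteHost 192.168.7.1
:local localSrc 192.168.6.1

# /ping returns the number of replies received when used inside a script.
:local replies [/ping $remoteHost src-address=$localSrc count=3]

:if ($replies = 0) do={
    # Nothing came back: a stale SA from before a reboot/outage is the usual cause.
    # Flushing the installed SAs forces a fresh phase 1/phase 2 negotiation on the
    # next interesting packet, which the second ping below generates.
    :log warning ("ipsec-keepalive: no reply from " . $remoteHost . ", flushing SAs")
    /ip ipsec installed-sa flush
    /ping $remoteHost src-address=$localSrc count=3
} else={
    :log info ("ipsec-keepalive: tunnel to " . $remoteHost . " alive (" . $replies . "/3 replies)")
}

# Scheduler entry (run once at the CLI): re-check every 30 minutes, as in the
# workaround from the thread, but only flush when the tunnel is actually dead.
/system scheduler add name=ipsec-keepalive interval=30m on-event=ipsec-keepalive
```

Running it only on the initiator matches the point made above: the responder cannot reliably bring the tunnel back, so the side that initiates is the one that should detect the dead tunnel and flush.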
 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Fri Apr 27, 2012 12:56 pm

Thanks mrz, I tried this way also but still no luck. Actually, as mentioned, I even tried to generate the ping request from my local subnet, with the same results ..
Again today I noticed that after the tunnel died (lack of traffic), when trying to re-establish it from the 450G the negotiation failed: "phase 2 negotiation failed due to time up waiting for phase 1 ..."
If I do the opposite (from the 1100AH) the connection establishes successfully ...

Could sound like a firewall issue but why is the behavior different if connection is initiated from the other side?
Please ................ :)
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Fri Apr 27, 2012 1:00 pm

Which version do you have? Install v5.15; if you can repeat the problem on that version, generate supout files from both routers and send them to support.
 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Fri Apr 27, 2012 1:23 pm

Yes I run 5.15 on both routers ... I will create the supout files and send them as requested.

Thanks again
 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Sat Apr 28, 2012 8:27 am

After having extracted the supout files I checked my firewall rules again and finally found out that I need to add firewall rules on the input and forward chains to allow traffic on the WAN interface from the local to the remote LAN ...
Thanks to all for your help !
 
Drewturner
just joined
Posts: 8
Joined: Tue Aug 16, 2011 6:55 am

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Fri Sep 21, 2012 1:39 am

Ashmodai, could you post an example of the firewall changes you had to make? I've made the changes in the tutorial for the firewall NAT config

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.30.0/24 \
src-address=192.168.0.0/24 to-addresses=0.0.0.0

however I'm still having the same issues you were. Could you post an example of the changes you needed to make?
 
ashmodai
just joined
Topic Author
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Sat Sep 22, 2012 6:01 pm

I hope I remember :-)
My two subnets are 192.168.6.0/24 and 192.168.7.0/24.

on the 192.168.7 router I have the rules

/ip firewall filter add action=accept chain=forward dst-address=192.168.7.0/24 src-address=192.168.6.0/24
/ip firewall filter add action=accept chain=input dst-address=192.168.7.0/24 src-address=192.168.6.0/24

on the 192.168.6 router I have the mirror rules

/ip firewall filter add action=accept chain=forward dst-address=192.168.6.0/24 src-address=192.168.7.0/24
/ip firewall filter add action=accept chain=input dst-address=192.168.6.0/24 src-address=192.168.7.0/24

Also don't forget the NAT bypass as mentioned by ditonet.

Looking at the chain, it seems that the second firewall rule above does not match any packet, so it may be useless :-)
But now that it works, I am not really feeling like changing anything !

I hope it will help you ...
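The posts above give the pieces one at a time (peer, policy, NAT bypass, then the filter rules that turned out to be missing). Below is the whole set for one side, written as an added example rather than taken from the thread or from a MikroTik tutorial. It uses the thread's subnets 192.168.6.0/24 and 192.168.7.0/24, constructed placeholder WAN addresses 198.51.100.10 (this side) and 203.0.113.20 (the remote side), a placeholder WAN interface name `ether1-gateway`, and RouterOS v6-era option names for the proposal (v5 spells the algorithm names slightly differently). The other router gets the same configuration with the src/dst and sa-src/sa-dst values swapped.

```routeros
# Site A router: LAN 192.168.6.0/24, WAN 198.51.100.10 (placeholder).
# Remote site B: LAN 192.168.7.0/24, WAN 203.0.113.20 (placeholder).
# Added example; mirror src/dst and sa-src/sa-dst on site B.

# 1. Phase 2 proposal. It must be identical on both routers, otherwise
#    phase 1 may succeed while no SA is ever installed for the traffic.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# 2. Phase 1 peer. nat-traversal=yes is harmless when no NAT is in between
#    and required when one is (IKE then moves to UDP/4500).
/ip ipsec peer add address=203.0.113.20/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 nat-traversal=yes

# 3. Policy: defines the "interesting" traffic. Only packets whose source and
#    destination match this selector trigger negotiation and get encrypted,
#    which is why a ping must carry a LAN source address, not the WAN address.
/ip ipsec policy add src-address=192.168.6.0/24 dst-address=192.168.7.0/24 \
    sa-src-address=198.51.100.10 sa-dst-address=203.0.113.20 tunnel=yes action=encrypt proposal=default

# 4. NAT bypass, added BEFORE the masquerade rule. If masquerade runs first, the
#    source becomes 198.51.100.10, the packet no longer matches the policy, and it
#    leaves the WAN in clear text. Rule order in srcnat is what matters here.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.6.0/24 dst-address=192.168.7.0/24 comment="ipsec bypass"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway

# 5. Input chain: the router itself must accept IKE (UDP/500), NAT-T (UDP/4500)
#    and ESP from the peer. Restricting src-address to the peer keeps the
#    exposure on the WAN limited to that one address.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.20 action=accept comment="IKE/NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp src-address=203.0.113.20 action=accept comment="ESP"

# 6. Forward chain: the decrypted LAN-to-LAN packets are forwarded like any other
#    traffic, so they need an accept above whatever drop rule protects the LAN.
#    This is the rule the thread found missing; the input-chain copy of it only
#    matters if the router's own LAN address is the ping target.
/ip firewall filter add chain=forward src-address=192.168.6.0/24 dst-address=192.168.7.0/24 action=accept comment="LAN->remote LAN"
/ip firewall filter add chain=forward src-address=192.168.7.0/24 dst-address=192.168.6.0/24 action=accept comment="remote LAN->LAN"

# 7. Checks after pinging 192.168.7.1 with src-address=192.168.6.1:
#    - the bypass rule's packet counter must increase (if only masquerade counts, the order is wrong)
#    - one remote peer and two installed SAs (one per direction) should be listed
/ip firewall nat print stats
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

The counters in step 7 are the quickest way to tell the two failure modes in this thread apart: a bypass rule that never counts points at NAT ordering, while SAs that are installed with traffic counted in only one direction point at a missing forward rule (or a missing input/ESP accept) on the side that shows no incoming packets.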
 
Drewturner
just joined
Posts: 8
Joined: Tue Aug 16, 2011 6:55 am

Re: ipsec Mikrotik to Mikrotik - newbie help needed :-(

Sun Sep 23, 2012 6:44 pm

I put those sets in but it did not help my situation.

It's strange, but I actually ran into another user's issue here:
http://forum.mikrotik.com/viewtopic.php ... 16#p333032

In the next-to-last post this user had to disable his NAT rules in order for phase 1 and phase 2 to happen, which worked spot on for me as well. Re-enabling NAT allows the IPsec VPN to run as well, and it seems to be persistent after many reboots.

I'd like to know if this is a bug or if there is some other reasoning for this. I didn't run into this issue on 5.10-12 software.

Drew
