Infatuas
newbie
Topic Author
Posts: 40
Joined: Fri Jan 18, 2013 5:40 am

Bring Up IPSec [Resolved]

Mon Apr 08, 2013 4:27 am

Hi All, I have two RB751's and I have configured a site-to-site IPSec tunnel between the two units. Everything works fine once I bring up the VPN, and I can verify the installed SAs. However, it is quite difficult to bring up. I would expect that I could plug a laptop into router A at 10.10.1.1/24 and ping across the VPN to router B at 10.10.2.1/24, and it would detect interesting traffic and bam. The ONLY way to bring up the tunnel is for me to get onto router B remotely and ping from the Ping Tool within RouterOS on router B. I then set ping to 10.10.1.1, which is the router A LAN IP, select the ether2-master-local interface, and it comes right up. I cannot do the same from router A to router B or from a laptop on either end. Any ideas what's going on?
Last edited by Infatuas on Wed Apr 10, 2013 8:22 pm, edited 1 time in total.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: Bring Up IPSec

Mon Apr 08, 2013 7:24 pm

It's hard to tell without looking at your configs. Post the /export compact of each router.
 
petrisimo
just joined
Posts: 14
Joined: Sat Apr 06, 2013 8:15 pm

Re: Bring Up IPSec

Mon Apr 08, 2013 10:29 pm

hey Infatuas,

... to have IPsec working you need interesting traffic, and in this case it's your LAN traffic.

Why don't you build a GRE tunnel inside the IPsec? In that case you can set keepalives (let's say each minute), so the encrypted tunnel (crypto tunnel) always stays up.
In addition, you could also transfer multicast traffic across the tunnel.

I have it on my 2 home routers in different countries, works well. bridge interfaces are used as loopbacks for VPN termination

Tomas
 
Infatuas
newbie
Topic Author
Posts: 40
Joined: Fri Jan 18, 2013 5:40 am

Re: Bring Up IPSec

Tue Apr 09, 2013 6:59 am

I'd like to get this method functional. I'm actually working on documentation for each scenario. Here is the problem.

Router-A
ether1 = 65.55.45.34/29 default route = 65.55.45.33
ether2 = 10.10.1.1/24
Laptop = 10.10.1.254/24

Router-B
ether1 = 66.56.46.34/29 default route = 66.56.46.33
ether2 = 10.10.2.1/24
Laptop = 10.10.2.254/24

Peer on Router-A
Peer=66.56.46.34
defaults for rest

Peer on Router-B
Peer=65.55.45.34
defaults for rest

Policy on Router-A
src. address 10.10.1.0/24
dst. address 10.10.2.0/24
then publics for SAs as usual.

Policy on Router-B
src address 10.10.2.0/24
dst. address 10.10.1.0/24
then publics for SAs as usual.

NAT on Router-A
chain=srcnat, src. address=10.10.1.0/24, dst. address=10.10.2.0/24, action=accept

NAT on Router-B
chain=srcnat, src. address=10.10.2.0/24, dst. address=10.10.1.0/24, action=accept

As I stated, the IPSEC tunnel comes up fine in one scenario and then works 100%. Scenario 4 is the only way to bring up the tunnel to get everything to work. I thought at first it had something to do with the peer setting for "Send Initial Contact", but no matter how I configure that setting on either end nothing changes. The reboot stated below is simply to clear connections, flush SAs, and kill the peer connection. I am trying to recreate a clean boot, that's all.

Scenario 1: Reboot Both Units, On Router-A from Laptop ping 10.10.1.1, works, ping 10.10.2.1 ipsec doesn't come up and does not set SA Installed.
Scenario 2: Reboot Both Units, On Router-B from Laptop ping 10.10.2.1, works, ping 10.10.1.1 ipsec doesn't come up and does not set SA Installed.
Scenario 3: Reboot Both Units, On Router-A from Ping Tool ping 10.10.2.1 from ether2 interface, tunnel does not come up either.
Scenario 4: Reboot Both Units, On Router-B from Ping Tool ping 10.10.1.1 from ether2 interface, tunnel comes up.

In all of these scenarios I am sending interesting traffic. I have checked and checked my configurations with no luck thus far. All firmware is on the latest.
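An added diagnostic, not part of Infatuas's post or the MikroTik guide: the checks to run on the router that should respond to the tunnel (Router-A in scenario 4) when the peer's IKE or ESP never produces an installed SA. The peer address 66.56.46.34 and the LAN addresses are the ones from the post above; RouterOS 6.x command syntax is assumed.

```routeros
# Added example (not from the thread): locate where IKE/ESP is lost.
# Assumes RouterOS 6.x and the addresses from the post above.

# 1. Does a router-originated ping even match the policy?  A ping with no
#    src-address is sourced from the egress (WAN) address and will not
#    match src-address=10.10.1.0/24, so it never triggers IKE.  Force a
#    LAN-side source that falls inside the policy (this is what selecting
#    the ether2 interface in the Winbox Ping Tool does):
/ping 10.10.2.1 src-address=10.10.1.1 count=5

# 2. Watch what the input chain does with IKE (UDP/500) and ESP from the
#    peer.  Log rules placed at the very top of the chain show whether the
#    packets arrive at all and on which interface; the stats of the rules
#    below them show which rule accepts or drops.
/ip firewall filter add chain=input protocol=udp dst-port=500 \
    src-address=66.56.46.34 action=log log-prefix="IKE-IN" place-before=0
/ip firewall filter add chain=input protocol=ipsec-esp \
    src-address=66.56.46.34 action=log log-prefix="ESP-IN" place-before=0
/ip firewall filter print stats where chain=input
/log print where message~"IKE-IN|ESP-IN"

# 3. If packets arrive but no SA appears, look at the IKE negotiation
#    itself (mismatched proposal, wrong secret, peer address not matched).
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"

# 4. State that should appear once IKE succeeds.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print detail

# 5. Remove the temporary log rules and logging afterwards.
/ip firewall filter remove [find log-prefix="IKE-IN"]
/ip firewall filter remove [find log-prefix="ESP-IN"]
/system logging remove [find topics~"ipsec"]
```

If the `IKE-IN` counter stays at zero while the peer is trying to negotiate, the packets are not reaching the router at all (upstream filtering or a wrong peer address); if it increments but no SA is installed, the culprit is a rule further down the input chain or the IKE negotiation itself, which the `ipsec` log topic shows.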
 
Infatuas
newbie
Topic Author
Posts: 40
Joined: Fri Jan 18, 2013 5:40 am

Re: Bring Up IPSec

Wed Apr 10, 2013 8:22 pm

So I followed this guide http://wiki.mikrotik.com/wiki/Manual:IP ... Sec_Tunnel section 14.1 Site to Site VPN. The problem was this. Although I configured it properly to the guide's specs, the problem was with a firewall rule which the guide does not mention. Since I am on the latest firmware and I factory reset the unit several times while configuring various things for documentation, the Firewall Filter has a default deny-all rule, or the implicit deny rule, which was actually blocking IPsec traffic.

1. Complete this guide: http://wiki.mikrotik.com/wiki/Manual:IP ... Sec_Tunnel
2. Then create the below firewall rules. I added src-address and dst-address to filter a bit further.

/ip firewall filter
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP (encrypted payload)"
add chain=input protocol=udp port=500 action=accept comment="IKE (ISAKMP) negotiation"
add chain=input protocol=ipsec-ah action=accept comment="IPsec AH (only if an AH proposal is used)"

Hope this helps someone else. Good day!
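As an added example, not the wiki guide's text or Infatuas's own export: the complete Router-A side of the site-to-site tunnel described in this thread, including the NAT bypass and the firewall rules the guide omits, placed where they actually take effect. Router-B is the mirror image (swap 65.55.45.34 with 66.56.46.34 and 10.10.1.0/24 with 10.10.2.0/24). RouterOS 6.x syntax is assumed (7.x moves the phase 1 algorithms into /ip ipsec profile and identities), the pre-shared key is a placeholder, and the algorithm choices are this editor's, not the poster's defaults.

```routeros
# Added example (not from the guide or the thread): Router-A configuration.
# Assumes RouterOS 6.x; "CHANGE-ME" is a placeholder pre-shared key.

/ip address
add address=65.55.45.34/29 interface=ether1 comment="WAN"
add address=10.10.1.1/24 interface=ether2 comment="LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=65.55.45.33

# Phase 1: main mode, pre-shared key, peer identified by its public IP.
/ip ipsec peer
add address=66.56.46.34/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha1 \
    dh-group=modp2048 send-initial-contact=yes dpd-interval=30s
# Phase 2 proposal: ESP only (no AH), so only ipsec-esp must pass the firewall.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
# Policy: the "interesting traffic"; a packet must match this to trigger IKE.
/ip ipsec policy
add src-address=10.10.1.0/24 dst-address=10.10.2.0/24 tunnel=yes \
    sa-src-address=65.55.45.34 sa-dst-address=66.56.46.34 \
    action=encrypt level=require proposal=default

# NAT bypass must sit ABOVE masquerade: srcnat runs before the IPsec policy
# lookup, so masqueraded LAN traffic would never match src 10.10.1.0/24.
/ip firewall nat
add chain=srcnat src-address=10.10.1.0/24 dst-address=10.10.2.0/24 \
    action=accept place-before=0 comment="bypass NAT for IPsec"
add chain=srcnat out-interface=ether1 action=masquerade

# Firewall: the default configuration ends the input chain with a drop for
# everything arriving on the WAN port, which eats IKE and ESP.  The accept
# rules must be placed ABOVE that drop.  place-before=[find ...] assumes
# exactly one drop rule in the chain; otherwise use the rule number shown
# by /ip firewall filter print.
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=66.56.46.34 \
    action=accept comment="IKE from Router-B" \
    place-before=[find chain=input action=drop]
add chain=input protocol=ipsec-esp src-address=66.56.46.34 \
    action=accept comment="ESP from Router-B" \
    place-before=[find chain=input action=drop]
# Only needed when a peer sits behind NAT (NAT-T); harmless otherwise.
add chain=input protocol=udp dst-port=4500 src-address=66.56.46.34 \
    action=accept comment="IKE NAT-T from Router-B" \
    place-before=[find chain=input action=drop]
# Decrypted LAN-to-LAN traffic crosses the forward chain.  Add this only if
# your forward chain ends in a drop rule (check with /ip firewall filter
# print); the default 6.x configuration at the time did not.
add chain=forward src-address=10.10.2.0/24 dst-address=10.10.1.0/24 \
    action=accept comment="decrypted traffic from Router-B" \
    place-before=[find chain=forward action=drop]

# Verify: both SAs should appear after the first LAN-to-LAN packet.
/ping 10.10.2.1 src-address=10.10.1.1 count=3
/ip ipsec installed-sa print
```

The src-address matches on the input rules restrict IKE and ESP to the known peer, which is the "filter a bit further" refinement mentioned above; if the peer's public address can change, drop those matches rather than the rules.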
 
wokinit
newbie
Posts: 39
Joined: Mon Feb 25, 2013 6:49 am
Location: North America

Re: Bring Up IPSec [Resolved]

Thu Jan 30, 2014 9:50 am

Infatuas,
Thank you!
I have a new customer setup with handfuls of IPSEC tunnels... was having the same issue. Their network doesn't get a consistent amount of traffic across the tunnels like some of my other customers. By adding these firewall rules, the creation of the SAs is consistent every time.
