cornekus
just joined
Topic Author
Posts: 4
Joined: Tue May 31, 2016 2:15 pm

IPsec site-to-site communication doesn't work.

Wed Nov 06, 2019 4:51 pm

Hello,
I have these subnets connected with IPsec (MikroTik).

Base 192.168.1.0/24
Site A 192.168.8.0/24
Site B 192.168.7.0/24

Ping from Base to Site A works without problems. Vice versa works as well (Site A to Base).


Ping from Base to Site B works without problems. Vice versa works as well (Site B to Base).

I can't ping Site A to Site B or vice-versa.

Can you please help me to resolve this?




 
Sob
Forum Guru
Posts: 4784
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec site-to-site communication doesn't work.

Wed Nov 06, 2019 6:52 pm

It's better to provide more details (current config for example), but maybe it's something like this:

Need help to configure two IPSec Tunnels in chain

?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
tomaskir
Trainer
Posts: 1120
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPsec site-to-site communication doesn't work.

Thu Nov 07, 2019 3:49 am

Your issue will most likely be in wrongly configured policies on the site routers.

You will need to post at least the output of "/ip ipsec policy export" from all 3 sites in order for us to help, though :)
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
cornekus
just joined
Topic Author
Posts: 4
Joined: Tue May 31, 2016 2:15 pm

Re: IPsec site-to-site communication doesn't work.

Thu Nov 07, 2019 2:18 pm

Thanks for your replies.

From Base to Site A ping ok
From Site A to Base ping ok

From Base to Site B ping ok
From Site B to Base ping ok

From Site B to Site A ping doesn't work and the networks can't communicate.

I can make another IPsec tunnel directly from Site B to Site A to resolve the problem, but I have many sites (10 sites in total like A and B), so that is not a valid option.
Too many configurations to add (A-B, A-C, B-C if I use only three sites).

I need to route traffic from A to B directly through the Base, because all sites have a direct IPsec tunnel to the Base.


    #########################################Base Configuration below
    # nov/07/2019 08:20:40 by RouterOS 6.45.7
    # software id = C8FI-D21V
    #
    # model = RB4011iGS+
    # serial number = AAB10A53655E
    /interface bridge
    add name=bridge
    /interface ethernet
    set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full loop-protect=on mac-address=00:0C:42:56:98:66
    set [ find default-name=ether7 ] loop-protect=on
    set [ find default-name=ether10 ] loop-protect=on
    /interface ethernet switch port
    set 0 default-vlan-id=0
    set 1 default-vlan-id=0
    set 2 default-vlan-id=0
    set 3 default-vlan-id=0
    set 4 default-vlan-id=0
    set 5 default-vlan-id=0
    set 6 default-vlan-id=0
    set 7 default-vlan-id=0
    set 8 default-vlan-id=0
    set 9 default-vlan-id=0
    set 10 default-vlan-id=0
    set 11 default-vlan-id=0
    /interface list
    add comment=Maxi name=WAN
    add comment=Maxi name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip ipsec profile
    set [ find default=yes ] dh-group=modp1024 dpd-interval=2s enc-algorithm=aes-256,3des
    add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=2 enc-algorithm=aes-128 hash-algorithm=sha256 name=profile1
    add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=2 enc-algorithm=3des hash-algorithm=sha256 name=L2TP_profile
    /ip ipsec peer
    add address=(hide ip site B) name=20th profile=profile1 send-initial-contact=no
    add address=(hide ip site A) name=Ivasiuc profile=profile1 send-initial-contact=no
    /ip ipsec proposal
    set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1d
    add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=proposalBaza
    add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des name="L2TP Proposal"
    /ip pool
    add name=default-dhcp ranges=192.168.0.1-192.168.0.254
    add name=VPN-L2TP ranges=10.10.10.10-10.10.10.254
    /ip dhcp-server
    add add-arp=yes address-pool=default-dhcp always-broadcast=yes authoritative=after-2sec-delay bootp-lease-time=lease-time bootp-support=dynamic disabled=no interface=bridge lease-time=2d1s name=Maxi
    /ppp profile
    set *0 dns-server=8.8.8.8 use-encryption=required
    add bridge=bridge dns-server=8.8.8.8 local-address=10.10.10.1 name=VPN-L2TP remote-address=VPN-L2TP use-encryption=required
    set *FFFFFFFE local-address=10.10.10.2 remote-address=default-dhcp
    /system logging action
    add email-start-tls=yes email-to=contact@maxi-marketus.ro name=email target=email
    /interface bridge port
    add bridge=bridge comment=Maxi interface=ether2
    add bridge=bridge comment=Maxi interface=ether3
    add bridge=bridge comment=Maxi interface=ether4
    add bridge=bridge comment=Maxi interface=ether5
    add bridge=bridge comment=Maxi interface=ether6
    add bridge=bridge comment=Maxi interface=ether7
    add bridge=bridge comment=Maxi interface=ether8
    add bridge=bridge comment=Maxi interface=ether9
    add bridge=bridge comment=Maxi interface=ether10
    add bridge=bridge comment=Maxi interface=sfp-sfpplus1
    /interface detect-internet
    set detect-interface-list=all
    /interface l2tp-server server
    set allow-fast-path=yes default-profile=VPN-L2TP enabled=yes use-ipsec=required
    /interface list member
    add interface=ether1 list=WAN
    add interface=bridge list=LAN
    /interface ovpn-server server
    set auth=sha1 cipher=aes256 default-profile=VPN-L2TP require-client-certificate=yes
    /ip address
    add address=(hide ip) comment=WAN interface=ether1 network=(hide ip)
    add address=192.168.0.1/24 comment=Maxi interface=bridge network=192.168.0.0
    /ip dhcp-server config
    set store-leases-disk=immediately
    /ip dhcp-server network
    add address=192.168.0.0/24 comment=Maxi dns-server=8.8.8.8 gateway=192.168.0.1
    /ip dns
    set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
    /ip dns static
    add address=192.168.0.1 name=Router.one
    /ip firewall filter
    add action=accept chain=forward comment="Maxi: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=accept chain=forward comment="Maxi: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 in-interface=ether1 protocol=udp
    add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 in-interface=ether1 protocol=udp
    add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 in-interface=ether1 protocol=udp
    add action=accept chain=input comment="VPN L2TP ESP" disabled=yes in-interface=ether1 protocol=ipsec-esp
    add action=accept chain=input comment="VPN L2TP AH" disabled=yes in-interface=ether1 protocol=ipsec-ah
    add action=accept chain=forward disabled=yes dst-address=192.168.5.0/24 src-address=10.10.10.0/24
    add action=accept chain=forward disabled=yes dst-address=192.168.0.0/24 src-address=10.10.10.0/24
    add action=fasttrack-connection chain=forward comment="Maxi: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="Maxi: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="Maxi: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="Maxi:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="NAT L2TP/IPsec" dst-address=192.168.3.0/24 log=yes src-address=10.10.10.0/24
    add action=masquerade chain=srcnat comment="NAT L2TP/IPsec" dst-address=192.168.4.0/24 log=yes src-address=10.10.10.0/24
    add action=masquerade chain=srcnat comment="NAT L2TP/IPsec" dst-address=192.168.5.0/24 log=yes src-address=10.10.10.0/24
    add action=masquerade chain=srcnat comment="NAT L2TP/IPsec" dst-address=192.168.6.0/24 log=yes src-address=10.10.10.0/24
    add action=masquerade chain=srcnat comment="NAT L2TP/IPsec" dst-address=192.168.7.0/24 log=yes src-address=10.10.10.0/24
    add action=masquerade chain=srcnat comment="NAT L2TP/IPsec" dst-address=192.168.8.0/24 log=yes src-address=10.10.10.0/24
    add action=masquerade chain=srcnat comment="Maxi: masquerade" ipsec-policy=out,none out-interface-list=WAN
    /ip ipsec identity
    add peer=Ivasiuc
    add peer=20th
    /ip ipsec policy
    add dst-address=192.168.7.0/24 peer=Ivasiuc proposal=proposalBaza sa-dst-address=(hide ip site B) sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes
    add dst-address=192.168.8.0/24 peer=20th proposal=proposalBaza sa-dst-address=(hide ip site A) sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes
    /ip route
    add distance=1 gateway=(hide ip)
    add distance=1 dst-address=192.168.7.0/24 gateway=bridge
    add distance=1 dst-address=192.168.8.0/24 gateway=bridge
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www disabled=yes
    set ssh disabled=yes
    set api disabled=yes
    set api-ssl disabled=yes
    /ip ssh
    set allow-none-crypto=yes forwarding-enabled=remote
    /ppp secret
    add name=maxi profile=VPN-L2TP service=l2tp
    /system clock
    set time-zone-name=Europe
    /system identity
    set name=Router
    /system logging
    add disabled=yes prefix="L2TPDBG===>" topics=l2tp
    add disabled=yes prefix="IPSECDBG===>" topics=ipsec
    add action=email topics=critical
    add disabled=yes prefix="IPSECDBG===>" topics=ipsec
    add prefix="L2TPDBG===>" topics=l2tp
    



    ###################################################Site A config below
    # nov/06/2019 21:34:52 by RouterOS 6.45.6
    # software id = 5DU9-VKRF
    #
    # model = RBD52G-5HacD2HnD
    # serial number = A6470A556291
    /interface bridge
    add fast-forward=no name=Bridge
    /interface ethernet
    set [ find default-name=ether1 ] loop-protect=off
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no frequency=auto mode=ap-bridge ssid=UPC664767A wireless-protocol=802.11 wps-mode=disabled
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto installation=indoor mode=ap-bridge ssid=UPC664767A5GHZ wireless-protocol=802.11 wps-mode=disabled
    /interface list
    add comment=Maxi name=WAN
    add comment=Maxi name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
    /ip hotspot profile
    set [ find default=yes ] html-directory=flash/hotspot
    /ip ipsec profile
    add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=2 enc-algorithm=aes-128 hash-algorithm=sha256 name=profile1
    /ip ipsec peer
    add address=(base_ip)/32 name=peer1 profile=profile1
    /ip ipsec proposal
    set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
    /ip pool
    add name=dhcp_pool1 ranges=192.168.8.2-192.168.8.254
    add name=dhcp_pool2 ranges=192.168.8.2-192.168.8.254
    /ip dhcp-server
    add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=Bridge name=dhcp1
    /snmp community
    set [ find default=yes ] addresses=0.0.0.0/0
    /interface bridge port
    add bridge=Bridge hw=no interface=ether2
    add bridge=Bridge hw=no interface=ether3
    add bridge=Bridge hw=no interface=ether4
    add bridge=Bridge interface=wlan1
    add bridge=Bridge hw=no interface=ether5
    add bridge=Bridge interface=wlan2
    /interface detect-internet
    set detect-interface-list=all wan-interface-list=dynamic
    /interface list member
    add interface=ether1 list=WAN
    add interface=Bridge list=LAN
    /ip address
    add address=192.168.8.1/24 comment="ip lan" interface=Bridge network=192.168.8.0
    /ip dhcp-client
    add dhcp-options=hostname,clientid disabled=no interface=ether1
    /ip dhcp-server network
    add address=192.168.8.0/24 gateway=192.168.8.1
    /ip dns
    set servers=8.8.8.8
    /ip firewall filter
    add action=accept chain=input comment="Maxi: accept established,related,untracked" connection-state=established,related,untracked
    add action=accept chain=input comment="Maxi: accept ICMP" protocol=icmp
    add action=accept chain=input comment="WinBox Wan Administration" dst-port=8291 protocol=tcp
    add action=accept chain=forward comment="Maxi: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
    add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" connection-mark="" dst-port=500,1701,4500 in-interface=ether1 protocol=udp
    add action=accept chain=forward comment="Maxi: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=fasttrack-connection chain=forward comment="Maxi: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="Maxi: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="Maxi: drop all not coming from LAN" in-interface-list=!LAN log=yes
    add action=drop chain=input comment="Maxi: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="Maxi: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="Maxi:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=accept chain=srcnat dst-address=192.168.0.0/24 log=yes src-address=192.168.8.0/24
    add action=dst-nat chain=dstnat comment="My cloud WD -ftp in from WAN" dst-address=!192.168.8.0/24 dst-port=21 log=yes protocol=tcp src-port="" to-addresses=192.168.8.250 to-ports=21
    add action=masquerade chain=srcnat comment="Local wd" dst-port=21 log=yes protocol=tcp src-address=192.168.8.0/24 to-ports=21
    add action=masquerade chain=srcnat out-interface-list=WAN
    /ip ipsec identity
    add peer=peer1
    /ip ipsec policy
    add dst-address=192.168.0.0/24 peer=peer1 sa-dst-address=(base_ip) sa-src-address=0.0.0.0 src-address=192.168.8.0/24 tunnel=yes
    /ip route
    add check-gateway=ping distance=1 dst-address=192.168.0.0/24 gateway=Bridge
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www disabled=yes
    set ssh disabled=yes
    /ip ssh
    set allow-none-crypto=yes forwarding-enabled=remote
    /system clock
    set time-zone-name=Europe/Bucharest
    /system identity
    set name=20Th
    /system ntp client
    set enabled=yes
    





    ###################################################Site B config below
    # nov/06/2019 21:34:52 by RouterOS 6.45.6
    # software id = 5DU9-VKRF
    #
    # model = RBD52G-5HacD2HnD
    # serial number = A6470A556291
    /interface bridge
    add fast-forward=no name=Bridge
    /interface ethernet
    set [ find default-name=ether1 ] loop-protect=off
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no frequency=auto mode=ap-bridge ssid=UPC664767A wireless-protocol=802.11 wps-mode=disabled
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto installation=indoor mode=ap-bridge ssid=UPC664767A5GHZ wireless-protocol=802.11 wps-mode=disabled
    /interface list
    add comment=Maxi name=WAN
    add comment=Maxi name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
    /ip hotspot profile
    set [ find default=yes ] html-directory=flash/hotspot
    /ip ipsec profile
    add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=2 enc-algorithm=aes-128 hash-algorithm=sha256 name=profile1
    /ip ipsec peer
    add address=(base_ip)/32 name=peer1 profile=profile1
    /ip ipsec proposal
    set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
    /ip pool
    add name=dhcp_pool1 ranges=192.168.7.2-192.168.7.254
    add name=dhcp_pool2 ranges=192.168.7.2-192.168.7.254
    /ip dhcp-server
    add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=Bridge name=dhcp1
    /snmp community
    set [ find default=yes ] addresses=0.0.0.0/0
    /interface bridge port
    add bridge=Bridge hw=no interface=ether2
    add bridge=Bridge hw=no interface=ether3
    add bridge=Bridge hw=no interface=ether4
    add bridge=Bridge interface=wlan1
    add bridge=Bridge hw=no interface=ether5
    add bridge=Bridge interface=wlan2
    /interface detect-internet
    set detect-interface-list=all wan-interface-list=dynamic
    /interface list member
    add interface=ether1 list=WAN
    add interface=Bridge list=LAN
    /ip address
    add address=192.168.7.1/24 comment="ip lan" interface=Bridge network=192.168.7.0
    /ip dhcp-client
    add dhcp-options=hostname,clientid disabled=no interface=ether1
    /ip dhcp-server network
    add address=192.168.7.0/24 gateway=192.168.7.1
    /ip dns
    set servers=8.8.8.8
    /ip firewall filter
    add action=accept chain=input comment="Maxi: accept established,related,untracked" connection-state=established,related,untracked
    add action=accept chain=input comment="Maxi: accept ICMP" protocol=icmp
    add action=accept chain=input comment="WinBox Wan Administration" dst-port=8291 protocol=tcp
    add action=accept chain=forward comment="Maxi: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
    add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" connection-mark="" dst-port=500,1701,4500 in-interface=ether1 protocol=udp
    add action=accept chain=forward comment="Maxi: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=fasttrack-connection chain=forward comment="Maxi: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="Maxi: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="Maxi: drop all not coming from LAN" in-interface-list=!LAN log=yes
    add action=drop chain=input comment="Maxi: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="Maxi: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="Maxi:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=accept chain=srcnat dst-address=192.168.0.0/24 log=yes src-address=192.168.7.0/24
    add action=dst-nat chain=dstnat comment="My cloud WD -ftp in from WAN" dst-address=!192.168.7.0/24 dst-port=21 log=yes protocol=tcp src-port="" to-addresses=192.168.7.250 to-ports=21
    add action=masquerade chain=srcnat comment="Local wd" dst-port=21 log=yes protocol=tcp src-address=192.168.7.0/24 to-ports=21
    add action=masquerade chain=srcnat out-interface-list=WAN
    /ip ipsec identity
    add peer=peer1
    /ip ipsec policy
    add dst-address=192.168.0.0/24 peer=peer1 sa-dst-address=(base_ip) sa-src-address=0.0.0.0 src-address=192.168.7.0/24 tunnel=yes
    /ip route
    add check-gateway=ping distance=1 dst-address=192.168.0.0/24 gateway=Bridge
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www disabled=yes
    set ssh disabled=yes
    /ip ssh
    set allow-none-crypto=yes forwarding-enabled=remote
    /system clock
    set time-zone-name=Europe/Bucharest
    /system identity
    set name=20Th
    /system ntp client
    set enabled=yes
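An editor's note on the crypto parameters in the three exports above, with an added example that is not part of the original post. All three routers negotiate IKE with DH group modp1024, the Base's default profile still offers 3des, and every proposal offers md5 and sha1 with no explicit pfs-group. None of that is what breaks Site A to Site B reachability, but it is well below what RouterOS 6.45 supports. The exports also show the Base's input chain with no drop rule at all (so the UDP 500/4500 accept rules are doing nothing and anything enabled on the router is reachable from WAN) and both spokes accepting WinBox on tcp/8291 from any source ahead of their drop rule; those are worth fixing in the same pass. The snippet below uses the names from the exports (profile1, proposalBaza, peers 20th and Ivasiuc on the Base, peer1 on the spokes); everything else is the editor's choice. Apply it to every router in one window, because a mismatch on either end fails phase 1 and takes the tunnel down.

```routeros
# Editor's added example (not from the thread): hardened IKE/ESP parameters for
# the site-to-site tunnels in the posted exports, RouterOS 6.45 syntax.

# ---------------- Base ----------------
# Phase 1: replace modp1024 with DH group 14 and negotiate only AES-256 / SHA-256.
# The default profile is left alone on purpose: the L2TP/IPsec road-warrior
# clients on the Base use it, and they need separate testing before tightening.
/ip ipsec profile
set profile1 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dpd-interval=10s dpd-maximum-failures=2

# Phase 2: drop md5, sha1 and 3des; set an explicit PFS group so every child SA
# derives fresh keys instead of inheriting the implicit default.
/ip ipsec proposal
set proposalBaza auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# Move the two site peers from IKEv1 main mode to IKEv2.
/ip ipsec peer
set 20th exchange-mode=ike2
set Ivasiuc exchange-mode=ike2

# ---------------- Each spoke (Site A, Site B) ----------------
# The spokes reference profile1 and the *default* proposal, so harden those.
/ip ipsec profile
set profile1 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dpd-interval=10s dpd-maximum-failures=2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h
/ip ipsec peer
set peer1 exchange-mode=ike2

# ---------------- Verify on any router ----------------
# Expect one established phase 1 per peer, SAs showing aes-256-cbc/sha256,
# and no "phase1 negotiation failed" entries after the change.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

The phase 2 lifetime is shortened from the exported 1d to 1h; with PFS enabled that costs one DH exchange per hour per policy, which an RB4011 or hAP ac2 handles without noticing.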
     
tomaskir
Trainer
Posts: 1120
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPsec site-to-site communication doesn't work.

Thu Nov 07, 2019 2:43 pm

As I mentioned in my previous post, your issue is that you don't have site B in the IPsec policies of site A (and vice versa).
You will need to add all destinations for which traffic should be tunneled into the policies.

Of course, make sure you also adjust the NAT bypass rules and any firewall rules necessary (particularly on the base router) for the traffic to flow.
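What tomaskir's advice amounts to in configuration, as an added example from the editor (not from the thread). It uses the subnets as they appear in the exports (Base LAN 192.168.0.0/24, Site A 192.168.8.0/24, Site B 192.168.7.0/24). The Base export is not consistent about which peer name belongs to which site, so the Base peers are written as placeholders peerSiteA and peerSiteB; on the spokes the peer is peer1 as exported, and proposalBaza is the Base's existing proposal. The point the example makes that the reply does not spell out: a RouterOS policy src=X dst=Y on peer P is used for outbound X to Y on P and for inbound Y to X on P, so hub-and-spoke transit needs two policies on the Base per pair of spokes, one towards each spoke, plus one policy and a NAT exemption on each spoke.

```routeros
# Editor's added example (not from the thread): policies and NAT bypass so that
# 192.168.8.0/24 (Site A) and 192.168.7.0/24 (Site B) reach each other through
# the Base. peerSiteA / peerSiteB are placeholders for the Base's peer names.

# ---------------- Base (hub) ----------------
# "transit A->B" is matched outbound towards Site B and inbound from Site B.
# "transit B->A" is matched outbound towards Site A and inbound from Site A.
# Together they cover both directions of the A<->B flow on both tunnels.
/ip ipsec policy
add src-address=192.168.8.0/24 dst-address=192.168.7.0/24 tunnel=yes \
    peer=peerSiteB proposal=proposalBaza comment="transit A->B"
add src-address=192.168.7.0/24 dst-address=192.168.8.0/24 tunnel=yes \
    peer=peerSiteA proposal=proposalBaza comment="transit B->A"
# No NAT or filter change on the Base: its masquerade rule already carries
# ipsec-policy=out,none, and the forward chain accepts ipsec-policy=in,ipsec
# and out,ipsec ahead of the fasttrack rule.

# ---------------- Site A (spoke) ----------------
/ip ipsec policy
add src-address=192.168.8.0/24 dst-address=192.168.7.0/24 tunnel=yes \
    peer=peer1 comment="to Site B via Base"
# The spoke masquerades everything leaving WAN, and the existing exemption only
# covers dst 192.168.0.0/24. Exempt anything that matches an outbound IPsec
# policy instead of adding one accept rule per remote subnet.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="do not NAT traffic that will be encrypted"

# ---------------- Site B (spoke), mirror image ----------------
/ip ipsec policy
add src-address=192.168.7.0/24 dst-address=192.168.8.0/24 tunnel=yes \
    peer=peer1 comment="to Site A via Base"
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="do not NAT traffic that will be encrypted"

# ---------------- Verify (on Site A) ----------------
# The new policy must reach ph2-state=established, and a ping from a LAN host
# to a 192.168.7.x address should raise the byte counters of that SA pair.
/ip ipsec policy print detail where dst-address=192.168.7.0/24
/ip ipsec installed-sa print
```

No extra routes are needed: the spokes' default route already sends the packet towards ether1, and the policy is applied after routing regardless of the outgoing interface. Note the cost, though. Every pair of spokes needs two policies on the Base and one on each spoke, so with the ten sites mentioned above the Base ends up with 90 transit policies that all have to stay in sync, which is exactly the scaling problem pe1chl's reply addresses.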
     
pe1chl
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec site-to-site communication doesn't work.

Thu Nov 07, 2019 3:11 pm

It is possible to get this working, but when you want a scalable (i.e. also working when you add more and more sites) and maintainable solution, I suggest a different approach.
Basically that is:
- make GRE/IPsec tunnels between the central site and each other site (or even between sites when you have lots of traffic between those sites)
- put /30 addresses on those tunnels
- at each site, configure BGP peers to the other site(s) for which you have tunnels (you only need to add a peer, set the AS number 65530, and the peer address from those GRE tunnels)
- at each site, put the local network in BGP networks

Then it will all work OK without having to fiddle with IPsec policies, NAT exclusion rules, etc.
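The design above written out for the Base and one spoke, as an added example from the editor (not pe1chl's own configuration). RouterOS 6 syntax to match the thread; in RouterOS 7 the BGP section is /routing bgp connection instead. It assumes each router has a fixed public address (BASE_WAN, SITEA_WAN, SITEB_WAN are placeholders) and that SECRET_A and SECRET_B are long random pre-shared keys. Two details the four bullets leave implicit are included because they are what usually goes wrong: with one AS everywhere this is iBGP, and an iBGP speaker does not re-advertise routes learned from one iBGP peer to another, so the hub has to be a route reflector; and a reflected route keeps the originating spoke's next hop, which the other spoke cannot resolve unless the hub rewrites it to itself.

```routeros
# Editor's added example (not from the thread): GRE over IPsec plus iBGP,
# hub-and-spoke. RouterOS 6 syntax. BASE_WAN / SITEA_WAN / SITEB_WAN and
# SECRET_A / SECRET_B are placeholders.

# ---------------- Base (hub) ----------------
# ipsec-secret makes RouterOS create a dynamic IPsec peer and policy for the GRE
# traffic using the *default* profile and proposal, so harden those first.
# keepalive takes the interface down when the far end stops answering, which
# is what makes BGP withdraw that site's prefix.
/interface gre
add name=gre-siteA local-address=BASE_WAN remote-address=SITEA_WAN \
    ipsec-secret=SECRET_A keepalive=10s,3
add name=gre-siteB local-address=BASE_WAN remote-address=SITEB_WAN \
    ipsec-secret=SECRET_B keepalive=10s,3
/ip address
add address=10.255.0.1/30 interface=gre-siteA
add address=10.255.0.5/30 interface=gre-siteB
# Route reflection so Site A learns Site B's prefix and vice versa;
# force-self so the reflected next hop is 10.255.0.1, which every spoke can reach.
/routing bgp instance
set default as=65530 router-id=10.255.0.1 client-to-client-reflection=yes
/routing bgp peer
add name=siteA remote-address=10.255.0.2 remote-as=65530 route-reflect=yes \
    nexthop-choice=force-self
add name=siteB remote-address=10.255.0.6 remote-as=65530 route-reflect=yes \
    nexthop-choice=force-self
/routing bgp network
add network=192.168.0.0/24 synchronize=no
# Accept GRE only when it arrived inside an IPsec SA, so a spoofed GRE packet
# from the Internet cannot inject traffic; accept BGP only on the tunnels.
/ip firewall filter
add chain=input protocol=gre ipsec-policy=in,ipsec action=accept \
    comment="GRE from IPsec peers only"
add chain=input protocol=tcp dst-port=179 in-interface=gre-siteA action=accept
add chain=input protocol=tcp dst-port=179 in-interface=gre-siteB action=accept

# ---------------- Site A (spoke) ----------------
# Site B is identical with 10.255.0.6/30, SECRET_B and 192.168.7.0/24.
/interface gre
add name=gre-base remote-address=BASE_WAN ipsec-secret=SECRET_A keepalive=10s,3
/ip address
add address=10.255.0.2/30 interface=gre-base
/routing bgp instance
set default as=65530 router-id=10.255.0.2
/routing bgp peer
add name=base remote-address=10.255.0.1 remote-as=65530
/routing bgp network
add network=192.168.8.0/24 synchronize=no
# The spokes end their input chain with "drop all not coming from LAN", so the
# GRE and BGP accepts have to sit above it.
/ip firewall filter
add chain=input protocol=gre ipsec-policy=in,ipsec action=accept \
    place-before=[ find comment="Maxi: drop all not coming from LAN" ]
add chain=input protocol=tcp dst-port=179 in-interface=gre-base action=accept \
    place-before=[ find comment="Maxi: drop all not coming from LAN" ]

# ---------------- Verify on a spoke ----------------
# Peer state should be "established" and the table should hold 192.168.0.0/24
# and the other spoke's /24 as dynamic BGP ("Db") routes via 10.255.0.1.
/routing bgp peer print status
/ip route print where bgp
```

Adding an eleventh site is then one GRE interface, one address and one BGP peer on the Base, and a fixed three-section template on the new spoke; nothing on the existing spokes changes. Traffic between spokes is plain routing over the gre interfaces, so the per-subnet NAT exemptions disappear, and because the packets that get encrypted are router-originated GRE rather than forwarded LAN packets, the RouterOS 6 interaction between fasttrack and IPsec policies stops being a concern. Keep the GRE interface's default clamp-tcp-mss=yes, since GRE plus ESP headers take roughly 80 bytes off the path MTU.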
