linkomatas

VPN routes

Fri Oct 23, 2020 9:22 am

Hello,

I'm kind of struggling with IPsec site-to-site VPN traffic. A little bit of background: the VPN itself is established, but I can't ping between the routers or between the networks. But if I ping from a site A computer to a site B computer, then traffic flows fine. Reboot the routers and traffic dies, but if I ping again from computers at the different sites, traffic flows fine again. I don't think it should be this way, since I need to ping each time if I want traffic to flow through the tunnel :D

My other thought is that it is because of the network 192.168.0.0/24. I'm thinking of changing it to something else, e.g. 192.168.2.0/24. But I'm not sure whether that would help.

I tried to configure VPN routes, but all I get is timeouts. Looking forward to some tips. Thanks.

For better understanding, below is my config:

Site A:
# oct/23/2020 09:13:10 by RouterOS 6.47.4
# software id = RLRF-39GH
#
# model = 2011UiAS-2HnD
# serial number = 
#
# Site A export as posted. Several values were blanked before posting (WAN
# address, IPsec peer address/name, secrets, address-list names). Rule order
# inside the /ip firewall sections is significant and is kept exactly as
# posted; the comments only annotate.
/interface bridge
add admin-mac= auto-mac=no comment=defconf fast-forward=no \
    name=bridge
# Separate bridge carrying VLAN 5 between ether1 (outside) and ether10 (inside).
add fast-forward=no name=bridge-voip protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] loop-protect=on name=ether2-master speed=\
    100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=lithuania disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Teo-F53A3B-Greitasis station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan5-ext vlan-id=5
add interface=ether10 name=vlan5-int vlan-id=5
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
# NOTE(review): the WPA2 pre-shared key is reproduced verbatim in this export
# (and therefore in this public post); treat it as disclosed and rotate it.
# WPA2-PSK only (Site B's profile also accepts wpa-psk).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=BEA0B08F7A \
    wpa2-pre-shared-key=BEA0B08F7A
/ip ipsec peer
# IKEv2 peer for the site-to-site tunnel; remote address and name are blank
# in the paste.
add address= exchange-mode=ike2 name=
/ip ipsec profile
# Phase 1 (IKE SA): AES-256, SHA-256, DH group 14 (modp2048) on the default
# profile. Site B's export uses the same values.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
# Phase 2 (child SA): AES-256-CBC, SHA-256, PFS with modp2048 on the default
# proposal. Site B's export uses the same values.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.1.15-192.168.1.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=defconf
/ppp profile
# Point-to-point addressing for the OpenVPN server below.
add local-address=10.30.0.1 name=ovpn remote-address=10.30.0.2
/snmp community
# NOTE(review): the default community answers to any source address
# (0.0.0.0/0). If SNMP is enabled on this router, restrict `addresses=` to
# the monitoring hosts; whether it is enabled is not visible in this export.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-voip interface=vlan5-ext
add bridge=bridge-voip interface=vlan5-int
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=vlan5-ext list=discover
add interface=vlan5-int list=discover
add interface=bridge-voip list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
# WAN list holds ether1, but the firewall rules below match in-interface=ether1
# directly rather than the list.
add interface=ether1 list=WAN
/interface ovpn-server server
# OpenVPN server on TCP 52210, opened in the input chain below.
set auth=sha1 certificate=CA cipher=aes128 default-profile=ovpn enabled=yes \
    port=52210
/ip address
# LAN address lives on ether2-master (a bridge port), not on the bridge itself.
add address=192.168.1.254/24 interface=ether2-master network=192.168.1.0
# WAN address blanked in the paste.
add address= interface=ether1 network=
/ip dhcp-server lease
add address=192.168.1.117 always-broadcast=yes mac-address=
add address=192.168.1.189 mac-address=
/ip dhcp-server network
add address=192.168.1.0/24 comment=lan dns-server=\
    212.59.1.1,212.59.2.2,8.8.8.8 gateway=192.168.1.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.254 name=router
/ip firewall address-list
# List names and members were blanked, so membership of the lists referenced
# below (GBSistemos, adminai) cannot be checked from this export.
add address= disabled=yes list=
add address= list=
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# OpenVPN port accepted from any source on any interface (no in-interface or
# src-address match), so it is reachable from the WAN side as well.
add action=accept chain=input dst-port=52210 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input disabled=yes src-address=91.224.135.250
# WinBox (8291) limited to the GBSistemos address list.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    GBSistemos
# *F00002 is how RouterOS prints a reference to an interface that no longer
# exists; this disabled rule, the disabled forward rule below and
# /tool sniffer still point at it and can be cleaned up.
add action=accept chain=input disabled=yes in-interface=*F00002
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
# NOTE(review): unlike Site B, this forward chain has no accept rules for
# ipsec-policy=in,ipsec / out,ipsec ahead of fasttrack. Decrypted tunnel
# traffic from 192.168.0.0/24 is presumably seen with in-interface=ether1 and
# no dstnat state, which the final "drop all from WAN not DSTNATed" rule
# would drop for new connections from Site B — check its counter. The poster
# later reports the fix was a firewall change.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward disabled=yes in-interface=*F00002 \
    out-interface=bridge
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
# Keeps LAN-to-Site-B traffic un-NATed so the IPsec policy matches the
# original 192.168.1.x source; it must stay above the masquerade rule.
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat comment=8080 dst-port=8080 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=dst-nat chain=dstnat comment="NVR" dst-port=37777 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=37777
# NOTE(review): the next three rules redirect every inbound IKE (UDP 500),
# NAT-T (UDP 4500) and ESP packet arriving on ether1 to 192.168.1.240.
# dst-nat is evaluated on the first packet of a new connection, before local
# delivery, so an IKEv2 exchange started by Site B never reaches this
# router's own /ip ipsec peer; only replies to an exchange this router
# started get through. That is consistent with the reported symptom (the
# tunnel only comes up after Site A sends traffic). Either remove these or
# scope them to the specific remote address 192.168.1.240 needs.
add action=dst-nat chain=dstnat comment=snd-esp dst-port=4500 in-interface=\
    ether1 protocol=udp to-addresses=192.168.1.240
add action=dst-nat chain=dstnat comment=snd-ike dst-port=500 in-interface=\
    ether1 protocol=udp to-addresses=192.168.1.240
add action=dst-nat chain=dstnat comment=snd-esp2 in-interface=ether1 \
    protocol=ipsec-esp to-addresses=192.168.1.240
add action=dst-nat chain=dstnat disabled=yes dst-port=8292 in-interface=\
    ether1 protocol=tcp src-address-list=adminai to-addresses=192.168.1.240 \
    to-ports=8291
add action=dst-nat chain=dstnat dst-port=37781 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.33 to-ports=37781
# No in-interface here (the rule below has one): it keys only on the blanked
# dst-address, so LAN-side connections to that address on 443/5001 are
# rewritten too.
add action=dst-nat chain=dstnat dst-address= dst-port=443,5001 \
    protocol=tcp to-addresses=192.168.1.10 to-ports=5001
add action=dst-nat chain=dstnat dst-address= dst-port=6690 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=6690
# Presumably the hairpin-NAT companion to the dst-nat rules: LAN clients that
# reach a forwarded service via the public address have their source
# masqueraded so the reply returns through the router.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
/ip ipsec identity
# Peer name and pre-shared secret blanked; the paste shows "peer=secret=" with
# no space, which looks like a redaction artefact rather than the real line.
add peer=secret=
/ip ipsec policy
# Tunnel-mode policy 192.168.1.0/24 <-> 192.168.0.0/24; peer and SA endpoint
# addresses blanked.
add dst-address=192.168.0.0/24 peer= sa-dst-address= \
    sa-src-address= src-address=192.168.1.0/24 tunnel=yes
/ip route
# Default route (gateway blanked). With policy-based IPsec no separate route
# to the remote LAN is needed; the policy above matches that traffic.
add distance=1 gateway=
# Disabled, and should stay so: gateway=bridge would hand 192.168.0.0/24
# traffic to the local bridge rather than towards the tunnel.
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=bridge \
    pref-src=
/ip service
# telnet/ftp/www/ssh/api/api-ssl disabled; winbox and www-ssl are not touched
# here.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH session negotiate the
# "none" cipher, i.e. run unencrypted. The ssh service is disabled above,
# but this takes effect as soon as it is re-enabled; set it to no.
set allow-none-crypto=yes forwarding-enabled=remote
/lcd pin
# LCD PIN is included verbatim in the export.
set pin-number=4455
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
    ,ether7,ether8,ether9,ether10"
/ppp secret
add name=rem1 password= profile=ovpn
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
# Despite the name, the on-event script only logs a message, waits 2 s and
# reboots; no package-update command appears in it. No interval is given, so
# it presumably runs once at the start-date/time. The policy list is far
# broader than a reboot script needs.
add name="upgrade OS" on-event=":log info (\"Rebooted Mikrotik. Installing upd\
    ates...\")\r\
    \n:delay 2s;\r\
    \n/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/17/2020 start-time=02:06:08
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
# Still references the missing *F00002 interface (see the input chain).
set filter-interface=*F00002

Site B:
# oct/23/2020 09:13:40 by RouterOS 6.47.4
# software id = RHKS-AFAN
#
# model = RBwAPGR-5HacD2HnD
# serial number = 
#
# Site B export as posted (LTE-uplinked). Blanked values: APN, LTE PIN,
# wireless PSKs, IPsec peer address/name and secret, address-list members.
# Firewall rule order is kept exactly as posted; comments only annotate.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wireless
# The ssid= value looks stripped from the paste, leaving "ssid=station-roaming=enabled"
# glued together; the real export would carry a name there.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=lithuania disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=lithuania disabled=\
    no installation=indoor mode=ap-bridge ssid=station-roaming=\
    enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# The LTE APN profile supplies the default route (default-route-distance=1);
# no static default route appears in /ip route below. The APN credentials are
# in the export.
add apn= authentication=chap default-route-distance=1 \
    name=telia password=omni user=omni
/interface lte
set [ find ] apn-profiles=telia name=lte1 pin=
/interface wireless security-profiles
# NOTE(review): wpa-psk (WPA1) is accepted alongside wpa2-psk here, whereas
# Site A's profile is wpa2-psk only. Keys blanked in the paste.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# IKEv2 peer for the site-to-site tunnel; remote address and name blanked.
add address= exchange-mode=ike2 name=
/ip ipsec profile
# Phase 1: AES-256 / SHA-256 / modp2048, identical to Site A's profile.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-256 / PFS modp2048, identical to Site A's proposal.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
# LAN address is on ether1 (a bridge port), not on the bridge itself.
add address=192.168.0.1/24 comment=defconf interface=ether1 network=\
    192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
# Remote DNS requests are allowed; the input chain below only admits them
# from the LAN list.
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
# Members of the "allow" list (used for WinBox and the port-80 dst-nat) were
# blanked in the paste.
add address= list=allow
add address= list=allow
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WinBox (8291) limited to the "allow" address list.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    allow
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else to the router is dropped unless it arrived via the LAN list;
# IKE/ESP from Site A must therefore be handled by the established/related/
# untracked accept above or by IPsec processing ahead of the filter.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# These two IPsec accepts sit ahead of fasttrack on purpose: fasttracked
# connections bypass IPsec policy, so tunnel traffic has to be accepted first.
# Site A's forward chain has no equivalent rules.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Tunnel traffic stays un-NATed twice over: the explicit accept for
# 192.168.0.0/24 -> 192.168.1.0/24, and the ipsec-policy=out,none match on the
# masquerade rule itself.
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): neither of the next two rules has an in-interface-list=WAN or
# dst-address match, so any connection through this router to TCP 8000 or 554
# — including LAN clients talking to Internet hosts on those ports — is
# rewritten to 192.168.0.100. Scope them to WAN as the Site A rules do with
# in-interface=ether1. 192.168.0.100 is also the top of the DHCP pool and no
# static lease for it appears in this export.
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=\
    192.168.0.100 to-ports=8000
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=\
    192.168.0.100 to-ports=554
# Port 80 forward restricted to the "allow" list.
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp src-address-list=\
    allow to-addresses=192.168.0.100 to-ports=80
/ip ipsec identity
# Peer name and pre-shared secret blanked.
add peer= secret=
/ip ipsec policy
# Tunnel-mode policy 192.168.0.0/24 <-> 192.168.1.0/24, the mirror of Site A's.
add dst-address=192.168.1.0/24 peer= sa-dst-address= \
    sa-src-address= src-address=192.168.0.0/24 tunnel=yes
/ip route
# Disabled and should stay so: pref-src=192.168.1.254 is Site A's LAN address,
# not one configured on this router (only 192.168.0.1/24 is), and
# gateway=bridge points at the local LAN rather than towards the tunnel.
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=bridge \
    pref-src=192.168.1.254
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
# Same script as Site A's "upgrade OS": logs, waits 2 s, reboots; no update
# command. No interval is given, so presumably a one-shot at the start time.
# The policy list is broader than a reboot script needs.
add name=schedule1 on-event=":log info (\"Rebooted Mikrotik. Installing update\
    s...\")\r\
    \n:delay 2s;\r\
    \n/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/17/2020 start-time=01:06:52
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob

Re: VPN routes

Fri Oct 23, 2020 5:25 pm

So, on Site A, what's 192.168.1.240 and why do you dstnat IPSec traffic to it, when you need it for this router?
 
linkomatas

Re: VPN routes

Tue Nov 10, 2020 10:39 pm

Thanks @Sob for the reply. I found the problem, which was an incorrect firewall configuration. Now the tunnel seems to be working fine.
