linkomatas

VPN routes

Fri Oct 23, 2020 9:22 am

Hello,

I'm kind of struggling with IPsec site-to-site VPN traffic. A little bit of background: the VPN itself is established, but I can't ping between the routers or between the networks. But if I ping from a site A computer to a site B computer, then traffic flows fine. If I reboot the routers, traffic dies, but if I ping again from computers at the different sites, traffic flows fine again. I don't think it should be this way, since I need to ping each time if I want traffic to flow through the tunnel :D

My other thought is that it might be because of the network 192.168.0.0/24. I'm thinking of changing it to something else, e.g. 192.168.2.0/24. But I'm not sure if that would help.

I tried to configure VPN routes, but all I get is timeouts. Looking forward to some tips. Thanks.

For better understanding, below is my config:

Site A:
# oct/23/2020 09:13:10 by RouterOS 6.47.4
# software id = RLRF-39GH
#
# model = 2011UiAS-2HnD
# serial number = 
# NOTE(review): annotated copy of the Site A export as posted (addresses, secrets
# and some names were blanked by the poster). Only the lines marked NOTE(review)
# and the other "#" lines were added; every command is as exported.
/interface bridge
add admin-mac= auto-mac=no comment=defconf fast-forward=no \
    name=bridge
add fast-forward=no name=bridge-voip protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] loop-protect=on name=ether2-master speed=\
    100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-master
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=lithuania disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Teo-F53A3B-Greitasis station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan5-ext vlan-id=5
add interface=ether10 name=vlan5-int vlan-id=5
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
# NOTE(review): the WPA2 pre-shared key is reproduced verbatim in this public
# post; rotate it.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=BEA0B08F7A \
    wpa2-pre-shared-key=BEA0B08F7A
/ip ipsec peer
# Peer address and name were blanked for the post; the identity and policy
# further down refer to this peer. IKEv2, same as Site B.
add address= exchange-mode=ike2 name=
/ip ipsec profile
# Phase 1: AES-256 / SHA-256 / DH group 14 (modp2048) -- identical on Site B.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-256 / PFS group 14 -- identical on Site B.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.1.15-192.168.1.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=defconf
/ppp profile
add local-address=10.30.0.1 name=ovpn remote-address=10.30.0.2
/snmp community
# NOTE(review): the community is reachable from any source
# (addresses=0.0.0.0/0). The input chain's "drop all from WAN" covers ether1,
# but if SNMP is enabled (not visible in this export) restrict this to the
# management hosts, or disable SNMP if it is unused.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-voip interface=vlan5-ext
add bridge=bridge-voip interface=vlan5-int
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=vlan5-ext list=discover
add interface=vlan5-int list=discover
add interface=bridge-voip list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/interface ovpn-server server
# OVPN server on tcp/52210 (accepted on input below), used by the single
# secret "rem1". NOTE(review): the server certificate is the one named "CA" --
# verify this is a server certificate and not the CA certificate itself.
set auth=sha1 certificate=CA cipher=aes128 default-profile=ovpn enabled=yes \
    port=52210
/ip address
add address=192.168.1.254/24 interface=ether2-master network=192.168.1.0
add address= interface=ether1 network=
/ip dhcp-server lease
add address=192.168.1.117 always-broadcast=yes mac-address=
add address=192.168.1.189 mac-address=
/ip dhcp-server network
add address=192.168.1.0/24 comment=lan dns-server=\
    212.59.1.1,212.59.2.2,8.8.8.8 gateway=192.168.1.254 netmask=24
/ip dns
# The router answers DNS for any source the input chain accepts; the
# "drop all from WAN" rule on ether1 is what keeps this off the internet, so
# keep that in mind when adding input accepts for the VPN.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.254 name=router
/ip firewall address-list
add address= disabled=yes list=
add address= list=
/ip firewall filter
# NOTE(review): nothing in the input chain accepts IKE (udp 500/4500) or ESP
# from the remote peer. With "drop all from WAN" below, a negotiation that
# Site B starts is discarded on input; only Site A-initiated ones (whose
# replies match established,related) get through. An accept for protocol=udp
# dst-port=500,4500 and one for protocol=ipsec-esp, limited to
# src-address=<Site B public address>, belong before the drop -- once the
# dstnat rules in /ip firewall nat that currently redirect the same traffic
# are dealt with.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# OVPN server port.
add action=accept chain=input dst-port=52210 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input disabled=yes src-address=91.224.135.250
# Winbox only from the GBSistemos address-list (its entries are blanked above).
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    GBSistemos
# *F00002 is a dangling reference to an interface that no longer exists (also
# in the disabled forward rule and in /tool sniffer filter-interface); remove.
add action=accept chain=input disabled=yes in-interface=*F00002
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
# NOTE(review): fasttrack is the first forward rule and there are no
# "accept in/out ipsec policy" rules ahead of it, unlike Site B's export. In
# RouterOS 6 fasttracked connections are not run through IPsec policies, which
# is why the defconf places accepts for ipsec-policy=in,ipsec and
# ipsec-policy=out,ipsec before fasttrack -- add the same two rules above this
# one (TODO confirm against the RouterOS IPsec/fasttrack documentation).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward disabled=yes in-interface=*F00002 \
    out-interface=bridge
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): decrypted traffic from Site B enters the forward chain with
# in-interface=ether1, connection-state=new and no dstnat, so this rule drops
# every connection Site B's LAN initiates towards 192.168.1.0/24; Site
# A-initiated flows survive because their replies match established,related.
# That is consistent with the "works only after a ping from a Site A
# computer" symptom. An ipsec-policy=in,ipsec accept earlier in the chain
# fixes it.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
# Exempts site-to-site traffic from masquerade; must stay above the masquerade
# rule (it does).
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=dst-nat chain=dstnat comment=8080 dst-port=8080 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.243 to-ports=80
add action=dst-nat chain=dstnat comment="NVR" dst-port=37777 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=37777
# NOTE(review): the next three rules redirect every inbound IKE (udp 500,
# udp 4500) and ESP packet arriving on ether1 to 192.168.1.240 before this
# router's own IPsec stack sees it, so a negotiation started by Site B can
# never terminate on this router -- Sob's question in the reply. Unless
# 192.168.1.240 still terminates a VPN of its own, disable them; if it does,
# the two cannot share one public address on the same ports.
add action=dst-nat chain=dstnat comment=snd-esp dst-port=4500 in-interface=\
    ether1 protocol=udp to-addresses=192.168.1.240
add action=dst-nat chain=dstnat comment=snd-ike dst-port=500 in-interface=\
    ether1 protocol=udp to-addresses=192.168.1.240
add action=dst-nat chain=dstnat comment=snd-esp2 in-interface=ether1 \
    protocol=ipsec-esp to-addresses=192.168.1.240
# Disabled Winbox forward (tcp/8292 -> 8291) to 192.168.1.240, limited to the
# "adminai" list.
add action=dst-nat chain=dstnat disabled=yes dst-port=8292 in-interface=\
    ether1 protocol=tcp src-address-list=adminai to-addresses=192.168.1.240 \
    to-ports=8291
add action=dst-nat chain=dstnat dst-port=37781 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.33 to-ports=37781
# No in-interface= on this rule (dst-address was blanked in the post); a
# dst-address-only dstnat also rewrites matching LAN-originated traffic, so
# confirm dst-address is the WAN address.
add action=dst-nat chain=dstnat dst-address= dst-port=443,5001 \
    protocol=tcp to-addresses=192.168.1.10 to-ports=5001
add action=dst-nat chain=dstnat dst-address= dst-port=6690 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.10 to-ports=6690
# Presumably hairpin NAT so LAN clients can reach the forwarded services via
# the public address.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
/ip ipsec identity
# Pre-shared-key identity; peer and secret were blanked in the post (the two
# blank values ran together when pasted).
add peer=secret=
/ip ipsec policy
# Policy-based tunnel (tunnel=yes) for 192.168.1.0/24 <-> 192.168.0.0/24.
# Packets the router itself sources only match this selector when they carry
# a 192.168.1.x source; a plain ping from the router typically uses the ether1
# address and so times out, as reported. Test with
# "/ping 192.168.0.1 src-address=192.168.1.254" instead.
add dst-address=192.168.0.0/24 peer= sa-dst-address= \
    sa-src-address= src-address=192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=
# Disabled route for the remote subnet via gateway=bridge, i.e. the local LAN.
# With a tunnel=yes policy no extra route is needed (the policy intercepts
# traffic that would otherwise leave via the default route), so this should be
# deleted rather than ever enabled.
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=bridge \
    pref-src=
/ip service
# Management surface: telnet/ftp/www/ssh/api/api-ssl disabled; winbox is not
# listed, so presumably at its default (enabled), and is filtered on input.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes would permit the SSH "none" cipher if
# ssh were re-enabled; set it to no.
set allow-none-crypto=yes forwarding-enabled=remote
/lcd pin
# NOTE(review): the LCD PIN is disclosed by this post; change it.
set pin-number=4455
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
    ,ether7,ether8,ether9,ether10"
/ppp secret
add name=rem1 password= profile=ovpn
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
# One-shot entry (start-date/start-time only, no interval) that logs a message
# and reboots; its policy grants password,sensitive and more, far beyond what
# a reboot needs. Site B carries the identical script as "schedule1". Remove
# it once it is no longer needed.
add name="upgrade OS" on-event=":log info (\"Rebooted Mikrotik. Installing upd\
    ates...\")\r\
    \n:delay 2s;\r\
    \n/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/17/2020 start-time=02:06:08
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
# filter-interface still points at the removed interface *F00002.
set filter-interface=*F00002

Site B:
# oct/23/2020 09:13:40 by RouterOS 6.47.4
# software id = RHKS-AFAN
#
# model = RBwAPGR-5HacD2HnD
# serial number = 
# NOTE(review): annotated copy of the Site B export as posted (addresses and
# secrets were blanked by the poster). Only the lines marked NOTE(review) and
# the other "#" lines were added; every command is as exported.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wireless
# The ssid values were blanked in the post, which is why
# "ssid=station-roaming=enabled" appears fused on both wlan entries.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=lithuania disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=lithuania disabled=\
    no installation=indoor mode=ap-bridge ssid=station-roaming=\
    enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# Carrier APN profile; the APN credentials (user/password) are visible in the
# export.
add apn= authentication=chap default-route-distance=1 \
    name=telia password=omni user=omni
/interface lte
set [ find ] apn-profiles=telia name=lte1 pin=
/interface wireless security-profiles
# NOTE(review): authentication-types includes wpa-psk (WPA1) next to
# wpa2-psk; drop wpa-psk unless a legacy client still needs it. Keys blanked
# in the post.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# Peer address and name blanked; IKEv2 with the same profile and proposal as
# Site A.
add address= exchange-mode=ike2 name=
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
# The LAN address sits on ether1, which is a port of the bridge, rather than
# on the bridge itself; that is usually a leftover -- verify and consider
# moving it to interface=bridge.
add address=192.168.0.1/24 comment=defconf interface=ether1 network=\
    192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
# The router answers DNS for any source the input chain accepts; the
# "drop all not coming from LAN" rule below keeps it off the LTE side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
# Two entries in "allow" (addresses blanked) gate Winbox and the tcp/80
# forward below.
add address= list=allow
add address= list=allow
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Winbox only from the "allow" list.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    allow
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): nothing above accepts IKE (udp 500/4500) or ESP arriving on
# lte1, so from what is visible only Site B-initiated negotiations succeed
# here; together with Site A's dstnat of the same ports, neither router
# accepts a negotiation the other one starts. Whichever side initiates in
# practice, add explicit udp 500,4500 and ipsec-esp accepts from the peer's
# address ahead of this drop on both routers.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# These two defconf rules, placed ahead of fasttrack, are what let decrypted
# tunnel traffic through the forward chain; Site A's export is missing them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Exempts site-to-site traffic from masquerade (must stay above it).
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.0.0/24
# The defconf masquerade additionally excludes anything matching an IPsec out
# policy (ipsec-policy=out,none); Site A's masquerade rule relies on its
# accept rule alone.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): no in-interface-list=WAN or dst-address on the tcp/8000 and
# tcp/554 forwards, so any traffic entering the router for those ports --
# including a LAN client connecting to an internet host on port 8000 -- is
# rewritten to 192.168.0.100. Add in-interface-list=WAN to all three.
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=\
    192.168.0.100 to-ports=8000
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=\
    192.168.0.100 to-ports=554
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp src-address-list=\
    allow to-addresses=192.168.0.100 to-ports=80
/ip ipsec identity
# Pre-shared-key identity; peer and secret blanked in the post.
add peer= secret=
/ip ipsec policy
# Mirror of Site A's policy. Router-sourced traffic only matches with a
# 192.168.0.x source, e.g. "/ping 192.168.1.254 src-address=192.168.0.1".
add dst-address=192.168.1.0/24 peer= sa-dst-address= \
    sa-src-address= src-address=192.168.0.0/24 tunnel=yes
/ip route
# Disabled route to Site A's LAN via gateway=bridge with
# pref-src=192.168.1.254 -- that pref-src is Site A's address, not one of this
# router's. The policy-based tunnel needs no such route; delete it rather than
# enabling it.
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=bridge \
    pref-src=192.168.1.254
/system clock
set time-zone-name=
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
# Same one-shot reboot script as Site A's "upgrade OS", with a policy far
# broader than a reboot needs; remove it once it is no longer needed.
add name=schedule1 on-event=":log info (\"Rebooted Mikrotik. Installing update\
    s...\")\r\
    \n:delay 2s;\r\
    \n/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/17/2020 start-time=01:06:52
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob

Re: VPN routes

Fri Oct 23, 2020 5:25 pm

So, on Site A, what's 192.168.1.240 and why do you dstnat IPSec traffic to it, when you need it for this router?
 
linkomatas

Re: VPN routes

Tue Nov 10, 2020 10:39 pm

Thanks @Sob for the reply. I found the problem, which was an incorrect firewall configuration. Now the tunnel seems to be working fine.
