abubin
newbie
Topic Author
Posts: 47
Joined: Fri Aug 03, 2012 12:47 pm

Need help with VPN setup

Wed Sep 15, 2021 6:45 am

Please bear with me, I am very noob at this. I am trying to connect MikroTik to AWS over VPN. The guides I found are a bit old for firmware 6.36. Trying to connect from behind NAT.

There is one guide I found which is newer, but it is slightly different from what I am doing. So far, I am unable to connect to AWS with phase 1.
Here are the details:

192.168.10.0/24 --> Mikrotik VPN --> Mikrotik firewall (only have 1 public IP) --> AWS VPN gateway --> 10.0.0.0/16

So far getting Phase1 failed due to send error.

Is there something I need to configure in the Mikrotik firewall, like port forwarding? The Mikrotik VPN is NATted and able to go out to the internet. It can ping the AWS VPN IP.

Please let me know if more information is needed. Thank you for kindly looking into this.
aws-mikrotikvpn01.jpg
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related 

 3    ;;; allow winbox on wan
      chain=input action=accept protocol=tcp dst-port=8291 log=yes 
      log-prefix="" 

 4    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 

 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related 

 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 8    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1 
/ip firewall nat print   
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 

 1    chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.0.0/16 log=no 
      log-prefix="" 

 2    chain=srcnat action=accept src-address=169.254.30.78 dst-address=169.254.30.77 log=no 
      log-prefix="" 
/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                      
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2-master                  
 1   192.168.10.23/24   192.168.10.0    ether1                         
 2   169.254.30.78/30   169.254.30.76   ether1 
/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.10.226            1
 1 ADC  169.254.30.76/30   169.254.30.78   ether1                    0
 2 ADC  192.168.10.0/24    192.168.10.23   ether1                    0
 3  DC  192.168.88.0/24    192.168.88.1    ether2-master           255
/routing bgp peer print   
Flags: X - disabled, E - established 
 #   INSTANCE                         REMOTE-ADDRESS                                                  REMOTE-AS  
 0   default                          169.254.30.77                                                   64512  
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=192.168.88.0/24 src-port=any dst-address=10.0.0.0/16 dst-port=any protocol=all action=encrypt 
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=175.141.41.143 sa-dst-address=x.x.19.152 
       proposal=aws-proposal priority=0 

 2     src-address=169.254.30.78/32 src-port=any dst-address=169.254.30.77/32 dst-port=any protocol=all 
       action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=175.141.41.143 
       sa-dst-address=x.x.19.152 proposal=aws-proposal priority=0 
/ip ipsec peer print  
Flags: X - disabled, D - dynamic 
 0    address=x.x.19.152/32 local-address=175.141.41.143 passive=no port=500 auth-method=pre-shared-key 
      secret="secretsecretsecret" generate-policy=no policy-template-group=default 
      exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=10s dpd-maximum-failures=3
 
abubin
newbie
Topic Author
Posts: 47
Joined: Fri Aug 03, 2012 12:47 pm

Re: Need help with VPN setup

Wed Sep 15, 2021 9:41 am

Does this mean phase 1 is a success?

How do I check whether phase 2 is successful or not? I still can't ping any IPs on the AWS side. Can't even ping the localhost IP 169.254.30.77 of AWS.

BTW, I have downgraded the firmware to 6.36.3 using netinstall. I am thinking maybe I should upgrade to the latest firmware version.
 
sindy
Forum Guru
Forum Guru
Posts: 7705
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need help with VPN setup

Wed Sep 15, 2021 10:19 am

What you show does indeed indicate phase 1 success.

And yes, 6.36.whatever is very old and a device running that version must not be exposed to the internet - if it was connected to the internet without tight enough firewall rules, netinstall it again (not just upgrade) to a current long-term version (6.47.10 as of writing this), and never use the password you've used for the 6.36 anywhere again. See the recent outburst (the Mēris botnet) leveraging the old vulnerability that allows retrieval of plaintext passwords.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
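One way to do the find-and-replace step sindy describes mechanically, as an added example that is not part of the thread: a small Python script that takes the text of a `/export hide-sensitive` and swaps every public IPv4 address for a `my.public.ip.N` placeholder while leaving RFC1918 and the 169.254.x.x tunnel addresses intact. The sample export and the addresses 203.0.113.152 and 198.51.100.143 are constructed stand-ins, not values from the thread.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Added example, not from the thread: scrub the public IPs out of a RouterOS
# "/export hide-sensitive" before posting it, as sindy's reply recommends.
# hide-sensitive strips secrets but leaves the public addresses in place.

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that may stay visible: RFC1918, link-local (the 169.254.x.x VTI
# addresses), loopback, "this network", multicast and broadcast. Anything
# else is treated as identifying, so unknown ranges fail toward being masked.
KEEP_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

def needs_masking(text: str) -> bool:
    """True if text is a valid IPv4 address outside KEEP_NETWORKS."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # e.g. 300.1.1.1 is not an address; leave it alone
    return not any(addr in net for net in KEEP_NETWORKS)

def sanitize_export(export: str) -> Tuple[str, Dict[str, str]]:
    """Replace each distinct public IPv4 with my.public.ip.N, numbered in
    order of first appearance, and return the text plus the mapping so the
    poster can translate any answer back to real addresses."""
    mapping: Dict[str, str] = {}

    def repl(match: "re.Match[str]") -> str:
        ip = match.group(0)
        if not needs_masking(ip):
            return ip
        mapping.setdefault(ip, f"my.public.ip.{len(mapping) + 1}")
        return mapping[ip]

    return IPV4_RE.sub(repl, export), mapping

# Constructed sample modelled on the peer/policy print in the thread;
# 203.0.113.152 and 198.51.100.143 stand in for the real public addresses.
SAMPLE_EXPORT = """\
/ip address
add address=169.254.30.78/30 interface=ether1
/ip ipsec peer
add address=203.0.113.152/32 local-address=198.51.100.143 exchange-mode=main
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.0.0.0/16 sa-src-address=198.51.100.143 sa-dst-address=203.0.113.152
"""
```

Run `sanitize_export(open("x").read())` on the exported file and post the returned text; keep the returned mapping privately so replies that mention `my.public.ip.1` can be matched to the real address.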
 
abubin
newbie
Topic Author
Posts: 47
Joined: Fri Aug 03, 2012 12:47 pm

Re: Need help with VPN setup

Wed Sep 15, 2021 10:35 am

Managed to get something showing... but AWS there still shows the connection as down.

Any idea what to check?
aws-mikrotikvpn03.jpg
 
abubin
newbie
Topic Author
Posts: 47
Joined: Fri Aug 03, 2012 12:47 pm

Re: Need help with VPN setup

Wed Sep 15, 2021 11:08 am

So I upgraded to latest firmware 6.48.4. Did a change on the IPsec policy.

PH2 State: established.
aws-mikrotikvpn04.jpg
However, still unable to communicate between the 2 sides. Probably a routing and firewall issue... again, do I have to do anything on the Mikrotik firewall side? Maybe AWS is trying to knock on my public IP address but gets no reply since nothing is forwarded into the Mikrotik VPN.

Any suggestions highly appreciated.
 
abubin
newbie
Topic Author
Posts: 47
Joined: Fri Aug 03, 2012 12:47 pm

Re: Need help with VPN setup

Wed Sep 15, 2021 11:09 am

What you show does indeed indicate phase 1 success.

And yes, 6.36.whatever is very old and a device running that version must not be exposed to internet - if it was connected to internet without tight enough firewall rules, netinstall it again (not just upgrade) to a current long-term version (6.47.10 as of writing this), and never use the password you've used for the 6.36 anywhere again. See the recent outburst (the Mēris botnet) leveraging on the old vulnerability allowing to retrieve plaintext passwords.
Thanks for the advice. Already upgraded to 6.48.4 and will change the secret key and passwords once all this VPN stuff is done.
 
abubin
newbie
Topic Author
Posts: 47
Joined: Fri Aug 03, 2012 12:47 pm

Re: Need help with VPN setup

Wed Sep 15, 2021 11:31 am

aws-mikrotikvpn05.jpg
I am wondering if line number 4 is needed with firmware 6.48.4. Anyway, I tried with and without that line and it still doesn't work.

update:

Something to do with the BGP setting? And the internal IP used (169.254.30.76/30)? I am not sure what these IPs are called. They seem to be internal IPs used by IPsec to communicate.
aws-mikrotikvpn06.jpg