Community discussions

MikroTik App
  4. RouterOS
  5. General

ipsec road warrior android

Post Reply
 
volga629
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2013 6:21 am

ipsec road warrior android

Wed Sep 09, 2015 12:33 am

Hello Everyone,
Having issue where I created profile with IPsec Road Warrior connection for android clients, but can't access any resources on LAN or Server Subnet. Clients connects without any issues.
I created ipsec chain and ESP with NAT-T marking connection in mangle table to make sure allow only encrypted packet.
RouterOS ver 6.31

Input chain
Code: Select all
[volga629@canlrt01] > /ip firewall filter print where chain=input 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=icmp log=no log-prefix="" 
 1    chain=input action=accept connection-state=established,related log=no log-prefix="" 
 2    ;;; Jump to IPsec chain
      chain=input action=jump jump-target=ipsec in-interface=WAN-eth1 log=no log-prefix="" 
 3    chain=input action=accept protocol=tcp in-interface=!WAN-eth1 dst-port=80,22,443 log=no log-prefix="" 
 4    chain=input action=accept protocol=udp in-interface=!WAN-eth1 dst-port=53,123 log=no log-prefix="" 
 5    chain=input action=accept protocol=ospf src-address=10.3.3.0/29 log=no log-prefix="" 
 6    ;;; IPsec ESP encrypted.
      chain=input action=accept packet-mark=ipsec-encrypted log=no log-prefix="" 
 7    chain=input action=reject reject-with=icmp-network-unreachable dst-address=LAN_SUBNET log=no log-prefix="" 
 8    chain=input action=drop log=yes log-prefix=""
IPsec Chain
Code: Select all
[volga629@canlrt01] > /ip firewall filter print where chain=ipsec
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=ipsec action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=500 log=no log-prefix="" 

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix=""
Here Ipsec Policy Output.

Code: Select all

[volga629@canlrt01] > /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
  
 0 T   group=RemoteAccess src-address=10.30.254.0/24 dst-address=0.0.0.0/0 protocol=all proposal=netlab-remote-access template=yes 

 1  D  src-address=0.0.0.0/0 src-port=any dst-address=10.30.254.245/32 dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=my_pub_ip sa-dst-address=142.169.78.37 priority=2
Mangle table.
Code: Select all

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix="" 
[volga629@canlrt01] > /ip firewall mangle print                  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPsec encrypted ESP traffic mark
      chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=ipsec-esp in-interface=WAN-eth1 
      log=no log-prefix="" 

 1    chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=udp in-interface=WAN-eth1 
      dst-port=4500 log=no log-prefix=""
Top
 
TonyJr
Member Candidate
Member Candidate
Posts: 207
Joined: Sat Nov 12, 2011 1:30 am
Location: UK
Contact:
Contact TonyJr

Re: ipsec road warrior android

Wed Sep 09, 2015 4:25 am

Hello Everyone,
Having issue where I created profile with IPsec Road Warrior connection for android clients, but can't access any resources on LAN or Server Subnet. Clients connects without any issues.
I created ipsec chain and ESP with NAT-T marking connection in mangle table to make sure allow only encrypted packet.
RouterOS ver 6.31

Input chain
Code: Select all
[volga629@canlrt01] > /ip firewall filter print where chain=input 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=icmp log=no log-prefix="" 
 1    chain=input action=accept connection-state=established,related log=no log-prefix="" 
 2    ;;; Jump to IPsec chain
      chain=input action=jump jump-target=ipsec in-interface=WAN-eth1 log=no log-prefix="" 
 3    chain=input action=accept protocol=tcp in-interface=!WAN-eth1 dst-port=80,22,443 log=no log-prefix="" 
 4    chain=input action=accept protocol=udp in-interface=!WAN-eth1 dst-port=53,123 log=no log-prefix="" 
 5    chain=input action=accept protocol=ospf src-address=10.3.3.0/29 log=no log-prefix="" 
 6    ;;; IPsec ESP encrypted.
      chain=input action=accept packet-mark=ipsec-encrypted log=no log-prefix="" 
 7    chain=input action=reject reject-with=icmp-network-unreachable dst-address=LAN_SUBNET log=no log-prefix="" 
 8    chain=input action=drop log=yes log-prefix=""
IPsec Chain
Code: Select all
[volga629@canlrt01] > /ip firewall filter print where chain=ipsec
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=ipsec action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=500 log=no log-prefix="" 

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix=""
Here Ipsec Policy Output.

Code: Select all

[volga629@canlrt01] > /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
  
 0 T   group=RemoteAccess src-address=10.30.254.0/24 dst-address=0.0.0.0/0 protocol=all proposal=netlab-remote-access template=yes 

 1  D  src-address=0.0.0.0/0 src-port=any dst-address=10.30.254.245/32 dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=my_pub_ip sa-dst-address=142.169.78.37 priority=2
Mangle table.
Code: Select all

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix="" 
[volga629@canlrt01] > /ip firewall mangle print                  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPsec encrypted ESP traffic mark
      chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=ipsec-esp in-interface=WAN-eth1 
      log=no log-prefix="" 

 1    chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=udp in-interface=WAN-eth1 
      dst-port=4500 log=no log-prefix=""
Try opening udp port 1701 too.

tonyjr
Top
 
volga629
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2013 6:21 am

Re: ipsec road warrior android

Wed Sep 09, 2015 3:37 pm

Hello Everyone,
Having issue where I created profile with IPsec Road Warrior connection for android clients, but can't access any resources on LAN or Server Subnet. Clients connects without any issues.
I created ipsec chain and ESP with NAT-T marking connection in mangle table to make sure allow only encrypted packet.
RouterOS ver 6.31

Input chain
Code: Select all
[volga629@canlrt01] > /ip firewall filter print where chain=input 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept protocol=icmp log=no log-prefix="" 
 1    chain=input action=accept connection-state=established,related log=no log-prefix="" 
 2    ;;; Jump to IPsec chain
      chain=input action=jump jump-target=ipsec in-interface=WAN-eth1 log=no log-prefix="" 
 3    chain=input action=accept protocol=tcp in-interface=!WAN-eth1 dst-port=80,22,443 log=no log-prefix="" 
 4    chain=input action=accept protocol=udp in-interface=!WAN-eth1 dst-port=53,123 log=no log-prefix="" 
 5    chain=input action=accept protocol=ospf src-address=10.3.3.0/29 log=no log-prefix="" 
 6    ;;; IPsec ESP encrypted.
      chain=input action=accept packet-mark=ipsec-encrypted log=no log-prefix="" 
 7    chain=input action=reject reject-with=icmp-network-unreachable dst-address=LAN_SUBNET log=no log-prefix="" 
 8    chain=input action=drop log=yes log-prefix=""
IPsec Chain
Code: Select all
[volga629@canlrt01] > /ip firewall filter print where chain=ipsec
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=ipsec action=accept protocol=ipsec-esp log=no log-prefix="" 

 1    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=500 log=no log-prefix="" 

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix=""
Here Ipsec Policy Output.

Code: Select all

[volga629@canlrt01] > /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
  
 0 T   group=RemoteAccess src-address=10.30.254.0/24 dst-address=0.0.0.0/0 protocol=all proposal=netlab-remote-access template=yes 

 1  D  src-address=0.0.0.0/0 src-port=any dst-address=10.30.254.245/32 dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=my_pub_ip sa-dst-address=142.169.78.37 priority=2
Mangle table.
Code: Select all

 2    chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix="" 
[volga629@canlrt01] > /ip firewall mangle print                  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; IPsec encrypted ESP traffic mark
      chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=ipsec-esp in-interface=WAN-eth1 
      log=no log-prefix="" 

 1    chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=udp in-interface=WAN-eth1 
      dst-port=4500 log=no log-prefix=""
Try opening udp port 1701 too.

tonyjr

Hello Tony,
This is not l2tp ipsec remote access, this is ipsec road warrior with xauth, l2tp is 1701/udp
Top
 
Janhouse
just joined
Posts: 6
Joined: Mon Feb 15, 2016 4:56 pm

Re: ipsec road warrior android

Thu Feb 18, 2016 1:41 pm

What was the solution to this problem?
Top
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], Huy0880, mquan1984 and 137 guests
  4. RouterOS
  5. General