balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

vpn ipsec lan2lan behind nat

Thu Mar 23, 2017 4:35 pm

[attached image: ink.png (network diagram)]
Hi, I have this setup: 2 MikroTik routers, and I can't make the VPN between them work at 100%.

I can make the VPN start, but I can only ping the router, not the network.

From Casapai
[admin@MikroTik] > ping 172.10.9.200
SEQ HOST SIZE TTL TIME STATUS
0 172.10.9.200 56 64 1ms
1 172.10.9.200 56 64 1ms
2 172.10.9.200 56 64 3ms
sent=3 received=3 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=3ms
[admin@MikroTik] > ping 172.30.7.254
SEQ HOST SIZE TTL TIME STATUS
0 172.30.7.254 timeout
1 172.30.7.254 timeout
2 172.30.7.254 timeout
sent=3 received=0 packet-loss=100%
From balves
[admin@MikroTik] > ping 172.10.9.254
SEQ HOST SIZE TTL TIME STATUS
0 172.10.9.254 56 64 17ms
1 172.10.9.254 56 64 12ms
sent=2 received=2 packet-loss=0% min-rtt=12ms avg-rtt=14ms max-rtt=17ms

[admin@MikroTik] > ping 172.10.9.200
SEQ HOST SIZE TTL TIME STATUS
0 172.10.9.200 timeout
1 172.10.9.200 timeout
sent=2 received=0 packet-loss=100%
This is my setup!

Mikrotik balves
[admin@MikroTik] /ip ipsec> peer print 
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; Unsafe configuration, suggestion to use certificates 
       address=213.***.***.150/32 auth-method=pre-shared-key secret="***********" generate-policy=no policy-template-group=default exchange-mode=aggressive 
       send-initial-contact=yes nat-traversal=yes my-id=user-fqdn proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d 
       dpd-interval=2m dpd-maximum-failures=5 
[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024 
[admin@MikroTik] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  IA  src-address=172.30.7.0/24 src-port=any dst-address=172.10.9.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 
       sa-dst-address=213.***.***.150 proposal=default priority=0 ph2-count=1 
[admin@MikroTik] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=172.30.7.0/24 dst-address=172.10.9.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=172.30.7.0/24 log=no log-prefix="" 

 2 XI  chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=172.30.7.0/24 dst-address=172.10.9.0/24 log=no log-prefix="" 

 3    chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.254 log=no log-prefix="" 
Mikrotik casapai
[admin@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; Unsafe configuration, suggestion to use certificates
       address=89.***.***.146/32 auth-method=pre-shared-key secret="**********" generate-policy=no policy-template-group=default exchange-mode=aggressive 
       send-initial-contact=yes nat-traversal=yes my-id=user-fqdn proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d 
       dpd-interval=2m dpd-maximum-failures=5 
[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024 
[admin@MikroTik] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=172.10.9.0/24 src-port=any dst-address=172.30.7.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
       sa-src-address=0.0.0.0 sa-dst-address=89.***.***.146 proposal=default priority=0 ph2-count=1 
[admin@MikroTik] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=172.10.9.0/24 dst-address=172.30.7.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=172.10.9.0/24 log=no log-prefix="" 

 2 XI  chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=172.10.9.0/24 dst-address=172.30.7.0/24 log=no log-prefix="" 

 3    chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=192.168.1.250 dst-address=172.10.9.0/24 log=no log-prefix="" 

 4    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 5    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix="" 
[admin@MikroTik] /ip firewall> 

What am I doing wrong? Can anyone help me?

Thanks in advance!
 
eine
just joined
Posts: 16
Joined: Thu Sep 10, 2015 9:50 pm

Re: vpn ipsec lan2lan behind nat

Fri Mar 24, 2017 12:58 pm

Please say a little more about your network connections (what type, medium, is there NAT or a firewall).
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Fri Mar 24, 2017 1:08 pm

About the network: on both sides I have ISP routers with full NAT ("DMZ") to the MikroTik WAN IP.
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Tue Mar 28, 2017 10:36 am

Anyone know what the problem is?
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: vpn ipsec lan2lan behind nat

Tue Mar 28, 2017 5:49 pm

First of all - are they really connected?
/ip ipsec installed-sa print
Mask your public IPs if you don't want to show them.

Then, I can't see your firewall filters
/ip firewall filter export hide-sensitive
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Wed Mar 29, 2017 11:33 am

As you requested, here are the prints.


BALVES
[admin@MikroTik] >> /ip ipsec  installed-sa print                 
Flags: A - AH, E - ESP 
 0 E spi=0xAF03FC src-address=89.***.***.146:4500 dst-address=192.168.1.250:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="20d26e204f4d9a5dab334a****e456936ceef5f" enc-key="2be94eee23e2726623d9*****ce3c3bd89976ef9f8f9cd35" add-lifetime=24m/30m replay=128 

 1 E spi=0xCCFDFAC src-address=192.168.1.250:4500 dst-address=89.***.***.146:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="4200e504fe8f0****d30553633aba50d55e2a414" enc-key="47cea4031e187****8630d96bd3f04d61f09886f70c98a08" add-lifetime=24m/30m replay=128 
[admin@MikroTik] > /ip firewall filter export hide-sensitive
# mar/29/2017 09:31:39 by RouterOS 6.38.5
# software id = L4I8-PDXH
#
/ip firewall filter
add action=accept chain=input connection-state=new disabled=yes in-interface=ether1-gateway
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8728 protocol=tcp
add action=accept chain=input connection-state=new dst-port=500 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500 protocol=udp
add action=accept chain=input connection-state=new dst-port=1701 protocol=udp
add action=accept chain=input connection-state="" protocol=ipsec-esp
add action=accept chain=input connection-state="" src-address=172.10.9.0/24
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=drop chain=forward comment="default configuration" connection-state=invalid


CASAPAI
[admin@MikroTik] > /ip ipsec  installed-sa print                                                                                                                            
Flags: A - AH, E - ESP 
 0 E spi=0x45E3027 src-address=213.***.***.150:4500 dst-address=192.168.7.222:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="cf02d1e5439a3*****1477d84f8c668a751e3b7f" enc-key="5179de1945f23****fa0778e079a2650c00dac493929f998" add-lifetime=24m/30m replay=128 

 1 E spi=0x7F5B1E3 src-address=192.168.7.222:4500 dst-address=213.***.***.150:4500 state=mature auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192 
     auth-key="086cb64e7f62a769081e****04126960b07763f9" enc-key="4e6c2d2e978b79171248****7ffe812f8d3d4387f6c3dad6" add-lifetime=24m/30m replay=128 


[admin@MikroTik] >> /ip firewall filter export hide-sensitive        
# mar/29/2017 09:23:46 by RouterOS 6.38.5
# software id = 3JHK-4KKC
#
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8728 protocol=tcp
add action=accept chain=input dst-port=500 protocol=tcp
add action=accept chain=input dst-port=4500 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: vpn ipsec lan2lan behind nat

Wed Mar 29, 2017 5:05 pm

One more thing I forgot to ask:
/ip address export
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Wed Mar 29, 2017 6:22 pm

BALVES
[admin@MikroTik] > /ip address export
# mar/29/2017 16:27:29 by RouterOS 6.38.5
# software id = L4I8-PDXH
#
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=bridge-local network=192.168.88.0
add address=192.168.7.222/24 comment="Rede NOS - Antiga rede casa" interface=ether1-gateway network=192.168.7.0
add address=172.30.7.254/24 comment="Rede Casa" interface=ether2-master-local network=172.30.7.0
add address=10.20.30.1/24 comment="hotspot network" interface=wlan3 network=10.20.30.0
CASAPAI
[admin@MikroTik] > /ip address export
# mar/29/2017 16:20:43 by RouterOS 6.38.5
# software id = 3JHK-4KKC
#
/ip address
add address=172.10.9.254/24 comment=defconf interface=ether2-master network=172.10.9.0
add address=192.168.1.250/24 interface=ether1 network=192.168.1.0
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: vpn ipsec lan2lan behind nat

Thu Mar 30, 2017 12:38 am

There is something inconsistent between your pic and IP addresses (I can't find any 192.168.1.0/24 network on the pic in casapai), but OK, I know which routers are MikroTik, and I assume that you want to have access from balves, whose LAN range is 172.30.7.0/24, to casapai, whose LAN range is 172.10.9.0/24, and of course in the other direction.

First of all, I assume that both of your MikroTiks are routing the traffic, and the other routers on the pic above them are forwarding all traffic to them. If so, I think that you need to add 2 rules in each of your firewall filters.

In balves:
/ip firewall filter add chain=forward src-address=172.30.7.0/24 dst-address=172.10.9.0/24 action=accept place-before=0
/ip firewall filter add chain=forward src-address=172.10.9.0/24 dst-address=172.30.7.0/24 action=accept place-before=1
In casapai
/ip firewall filter add chain=forward src-address=172.10.9.0/24 dst-address=172.30.7.0/24 action=accept place-before=0
/ip firewall filter add chain=forward src-address=172.30.7.0/24 dst-address=172.10.9.0/24 action=accept place-before=1
I know the 2nd line may look strange, but in my case, when they were not added, I could ping all devices on both sides, but for example couldn't get to remote desktop on a Windows SQL Server. It was opening very, very slowly, or not opening at all. After adding the 2nd line on both MikroTiks it works like a charm.
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Fri Mar 31, 2017 10:34 am

That works,

Thanks for your help, but now one thing is happening: I can't ping from the router to the other network, but from network to network I can.

I think it is something related to the SNAT (I think the IP is going out with the WAN IP and not with the LAN IP, or it is not going through the VPN). How can I monitor all the traffic, like snort or ngrep on Linux servers?
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: vpn ipsec lan2lan behind nat

Fri Mar 31, 2017 3:02 pm

Try to ping using the proper interface. It probably tries to use the "WAN" interface.
ping remote_ip_LAN interface=your_local_LAN_interface
You can also define in routes which gateway to use to communicate with the other network.
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Fri Mar 31, 2017 4:13 pm

Thanks, but I solved the problem; I just created a new rule on the firewall.

on BALVES
chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.254 log=no log-prefix="" 
On Casapai
 0    chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=192.168.1.250 dst-address=172.30.7.0/24 log=no log-prefix="" 
Thanks for your help!
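The complete firewall and NAT layout that matiaszon's two forward rules and balves' src-nat rule fit into, written out for the BALVES side as an added example. This is not configuration from the thread; the comments explaining why each rule sits where it does are the editor's, and the IKE rules use UDP because IKE and NAT-T run over UDP 500/4500 (casapai's tcp/500 and tcp/4500 input rules above never match IKE traffic).

```routeros
# Added example (not the thread's own configuration): firewall and NAT layout
# on the BALVES router for the policy-based IPsec tunnel in this thread.
# Local LAN 172.30.7.0/24, remote LAN 172.10.9.0/24, WAN interface
# ether1-gateway with address 192.168.7.222. Rules are listed in the order
# they must appear in each chain.

/ip firewall filter
# 1. IKE and ESP must reach the router itself. IKE runs over UDP (500, and
#    4500 once NAT-T is negotiated), never TCP; ESP is its own IP protocol.
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
# 2. Forward rules for both directions at the very top of the forward chain.
#    Decrypted packets from the remote LAN still arrive on the WAN interface
#    as connection-state=new and not dst-natted, so the default "drop all from
#    WAN not DSTNATed" rule eats them unless these come first. Putting them
#    ahead of any fasttrack-connection rule matters too: fasttracked packets
#    bypass IPsec policies, so established sessions would leave unencrypted.
add chain=forward action=accept src-address=172.30.7.0/24 dst-address=172.10.9.0/24 place-before=0 comment="LAN -> remote LAN"
add chain=forward action=accept src-address=172.10.9.0/24 dst-address=172.30.7.0/24 place-before=1 comment="remote LAN -> LAN"

/ip firewall nat
# 3. Packets for the remote LAN must keep their LAN source address, otherwise
#    they no longer match the IPsec policy once masquerade has rewritten them.
#    The accept (bypass) rule therefore sits above masquerade, and masquerade
#    is tied to the WAN interface so it cannot catch anything else.
add chain=srcnat action=accept src-address=172.30.7.0/24 dst-address=172.10.9.0/24 comment="IPsec bypass"
# 4. Router-originated traffic (a ping from the console) leaves with the WAN
#    address 192.168.7.222, which the policy does not cover. The thread's fix
#    rewrites that source to the LAN address for the whole remote network;
#    it must also sit above masquerade.
add chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.0/24 comment="router -> remote LAN via tunnel"
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="Internet"

# 5. For console tests, no NAT rule is needed at all if the ping is given a
#    source address that the policy already covers.
/ping 172.10.9.254 src-address=172.30.7.254 count=3

# 6. Checks: the policy should carry the A flag, both ESP SAs should be
#    mature, and the bypass rule's counters should rise while the ping runs.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall nat print stats
```

The CASAPAI side is the mirror image: swap the two LAN ranges, use 192.168.1.250 as the router's WAN address, 172.10.9.254 as the src-nat target, and ether1 as the masquerade interface.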
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: vpn ipsec lan2lan behind nat

Sun Apr 02, 2017 9:21 pm

> Thanks, but I solved the problem; I just created a new rule on the firewall.
>
> on BALVES
> chain=srcnat action=src-nat to-addresses=172.30.7.254 src-address=192.168.7.222 dst-address=172.10.9.254 log=no log-prefix=""
> On Casapai
>  0    chain=srcnat action=src-nat to-addresses=172.10.9.254 src-address=192.168.1.250 dst-address=172.30.7.0/24 log=no log-prefix=""
> Thanks for your help!
So you're NAT'ing in RFC1918 space. Seems like an extremely unnecessary step. Use GRE wrapped in IPSec and route packets instead of NAT'ing them.
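What idlemind's suggestion looks like in RouterOS 6, as an added example that is not idlemind's or the thread's configuration: a GRE tunnel between the two routers' WAN addresses, an IPsec transport-mode policy that encrypts only the GRE packets, and static routes for the two LANs over the tunnel, so nothing in RFC 1918 space is NATed. The public addresses and the PSK are placeholders, the 10.255.0.0/30 tunnel subnet is made up for the example, and it assumes what balves described above: the ISP routers pass everything (at least UDP 500/4500) to the MikroTik WAN addresses and NAT-T is enabled on both peers.

```routeros
# ===== BALVES (WAN 192.168.7.222 on ether1-gateway, LAN 172.30.7.0/24) =====
/interface gre
add name=gre-casapai local-address=192.168.7.222 remote-address=<CASAPAI-PUBLIC-IP> \
    allow-fast-path=no comment="GRE to casapai; fast path off so every packet hits the IPsec policy"
/ip address
add address=10.255.0.1/30 interface=gre-casapai comment="made-up tunnel /30"
/ip route
add dst-address=172.10.9.0/24 gateway=10.255.0.2 comment="casapai LAN via GRE"
# Never point a route for <CASAPAI-PUBLIC-IP> (or for the GRE remote-address
# in general) into gre-casapai: the encapsulated packet would be sent back
# into the tunnel it is carrying, which RouterOS reports as
# "GRE transmit loop detected, downing interface for 60 seconds".

/ip ipsec peer
add address=<CASAPAI-PUBLIC-IP>/32 auth-method=pre-shared-key secret="<PSK>" \
    exchange-mode=main nat-traversal=yes generate-policy=no
/ip ipsec policy
add src-address=192.168.7.222/32 dst-address=<CASAPAI-PUBLIC-IP>/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=default \
    sa-src-address=192.168.7.222 sa-dst-address=<CASAPAI-PUBLIC-IP> \
    comment="transport mode: encrypt only GRE between the two endpoints"

/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1-gateway comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1-gateway comment="ESP"
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec comment="GRE only after IPsec decryption"
add chain=forward action=accept in-interface=gre-casapai dst-address=172.30.7.0/24 comment="remote LAN -> LAN"
add chain=forward action=accept src-address=172.30.7.0/24 out-interface=gre-casapai comment="LAN -> remote LAN"
# LAN-to-LAN traffic is routed, so it never touches a masquerade rule that is
# restricted to out-interface=ether1-gateway; no NAT bypass rule is required.

# ===== CASAPAI (WAN 192.168.1.250 on ether1, LAN 172.10.9.0/24): mirror image =====
/interface gre
add name=gre-balves local-address=192.168.1.250 remote-address=<BALVES-PUBLIC-IP> allow-fast-path=no
/ip address
add address=10.255.0.2/30 interface=gre-balves
/ip route
add dst-address=172.30.7.0/24 gateway=10.255.0.1 comment="balves LAN via GRE"
/ip ipsec peer
add address=<BALVES-PUBLIC-IP>/32 auth-method=pre-shared-key secret="<PSK>" \
    exchange-mode=main nat-traversal=yes generate-policy=no
/ip ipsec policy
add src-address=192.168.1.250/32 dst-address=<BALVES-PUBLIC-IP>/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=default \
    sa-src-address=192.168.1.250 sa-dst-address=<BALVES-PUBLIC-IP>
# Firewall rules as on BALVES, with ether1 and gre-balves substituted.

# Verify on either side: the policy shows the A flag, both ESP SAs are mature,
# the GRE interface shows the R (running) flag, and the far LAN answers when
# pinged from the tunnel address.
/ip ipsec policy print
/ip ipsec installed-sa print
/interface gre print
/ping 172.10.9.254 src-address=10.255.0.1 count=3
```

Because the policy only ever sees router-to-router GRE packets, the question of which source address a console ping uses disappears: the router's own traffic into the far LAN is routed over the tunnel like everything else, and the input chain accepts GRE only when it arrived through IPsec, so plaintext GRE from the internet is dropped.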
 
balves
just joined
Topic Author
Posts: 11
Joined: Fri Jan 13, 2017 8:00 pm

Re: vpn ipsec lan2lan behind nat

Tue Apr 04, 2017 2:16 pm

Hi, can you tell me how I can do that?

I tried to do it like this: https://www.manitonetworks.com/mikrotik ... ec-tunnels, but I always get the same error
CasaPai GRE transmit loop detected, downing interface for 60 seconds
