randallr
Member Candidate
Topic Author
Posts: 104
Joined: Fri Oct 13, 2006 1:01 am
Location: Texas

NAT Address to VPN Router, IPSec Problem

Fri Nov 10, 2006 12:26 am

I have a customer that I have connected via RB112 with src-NAT and dst-NAT and given his 'Hot Brick' VPN router a private address. On the other end, his 'Hot Brick' has a public IP. He has enabled IPsec and NetBIOS on his routers.

Much to his dismay, the VPN established just fine. However, it drops the connection whenever he tries to pull a file across the VPN. (It's not the wireless link, he's holding 4mb each way with 20ms ptp.)

The "Hot Brick" maker says you can't NAT an IPsec VPN, and that's the problem.

I believe that it's the cheap 'Hot Brick' router.

I'm new to Mikrotik, and it's my first attempt at providing NAT'd addresses to customers.

Any input is appreciated.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Fri Nov 10, 2006 1:33 pm

IPsec does not work for NATed hosts without special implementations.
The router should support NAT-T if you want to forward data between PC1 and PC2 in the following diagram (PC1--->Router_performing_NAT--->Internet--->PC2). MikroTik RouterOS has NAT-T support in RouterOS 3; RouterOS 3 is in beta stage now.

You can use alternative VPN protocols, L2TP or L2TP/IPsec. An L2TP tunnel works through NAT.
PPTP also requires special helpers to work through NAT.
 
randallr
Member Candidate
Topic Author
Posts: 104
Joined: Fri Oct 13, 2006 1:01 am
Location: Texas

Fri Nov 10, 2006 4:34 pm

The customers' 'Hot Bricks' are actually using L2TP/IPsec. So does that mean it should be working? Again, the VPN tunnel is up, but crashes when they try to open files.

I have an RB112 in place at one end, and was planning on replacing the Karlnet radio with an RB112 on the other end.
I have thought about setting up an EoIP tunnel and doing away with the customer's 'Hot Brick' routers.

Or I could change to RB532 and implement L2TP from MT to MT... Would that be the best solution?
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Mon Nov 13, 2006 8:35 am

What do you mean by tunnel crash?
Do you have an L2TP tunnel established between RouterOS and your router?
L2TP should work fine both between two MikroTik routers and between a MikroTik router and any other third-party router.
An EoIP tunnel works only between two MikroTik routers.
 
randallr
Member Candidate
Topic Author
Posts: 104
Joined: Fri Oct 13, 2006 1:01 am
Location: Texas

Mon Nov 13, 2006 4:37 pm

I may have found my problem... The customer said he could ping the other side, but when he tried to transfer files, it would hang.

I set up and tested an IPIP tunnel between two test radios. I noticed that when I transferred files, it was on port 445, which I had put a filter on our core router to block back when the Sasser worm was bad. (I'm bad!)

I also had put in a rule to allow me to get to port 8291 for Winbox, and apparently it was forwarding all traffic to the radio.

The filter was removed and the firewall rule was removed and they are working.

Randall
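As an added example that is not part of this thread, here is how the forwarding discussed above could be written in current RouterOS syntax: the IKE, NAT-T and L2TP ports and ESP that sergejs mentions are forwarded to the NATed VPN router, the Winbox forward randallr describes is matched on its port instead of catching all traffic, and the Sasser-era SMB drop is limited to the Internet-facing interface. Addresses, the interface name and the comment texts are assumptions, not values from the thread; check the port-list syntax against the RouterOS version actually in use.

```routeros
# Added example, not from the thread. Assumed addresses: 203.0.113.10 = public IP on the
# MikroTik, 192.168.10.2 = customer's VPN router behind it, 192.168.10.3 = the radio,
# ether1 = Internet-facing interface.
/ip firewall nat
# Overly broad rule of the kind described in the thread: no protocol/port match, so it
# forwards ALL traffic arriving at the public address to the radio, VPN packets included.
#   add chain=dstnat dst-address=203.0.113.10 action=dst-nat to-addresses=192.168.10.3
# Scoped version: only Winbox (TCP 8291) is forwarded to the radio.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=8291 \
    action=dst-nat to-addresses=192.168.10.3 comment="Winbox to radio"
# L2TP/IPsec toward the NATed VPN router: IKE (UDP 500), NAT-T (UDP 4500), L2TP (UDP 1701),
# plus plain ESP for a peer that does not use UDP encapsulation.
add chain=dstnat dst-address=203.0.113.10 protocol=udp dst-port=500,4500,1701 \
    action=dst-nat to-addresses=192.168.10.2 comment="IKE/NAT-T/L2TP to VPN router"
add chain=dstnat dst-address=203.0.113.10 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.10.2 comment="ESP to VPN router"
# Outbound source NAT for the customer's private side.
add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1 action=masquerade

/ip firewall filter
# Accept the forwarded VPN traffic explicitly, ahead of any broad drops.
add chain=forward dst-address=192.168.10.2 protocol=udp dst-port=500,4500,1701 action=accept
add chain=forward dst-address=192.168.10.2 protocol=ipsec-esp action=accept
# SMB block from the Internet side only, instead of a global drop on TCP 445 that also
# catches traffic the router is supposed to pass between customer sites.
add chain=forward in-interface=ether1 protocol=tcp dst-port=445 action=drop \
    comment="Sasser-era SMB block, Internet side only"
```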
