Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

RB750Gr3 IPsec VPN to Cisco ASA does not work

Mon Jun 19, 2017 11:26 pm

Hi, I have a problem connecting a site-to-site VPN between an RB750Gr3 (tried RouterOS versions 6.37.5, 6.38.1, 6.39.2 and 6.40rc21) and a Cisco ASA (version 9.x). The same tunnel with the same configuration works on a Mikrotik RB750 (RouterOS v6.38.1). On the RB750Gr3 I keep getting IPSEC messages in the log like this:

Code:

<ASA IP address> notify: INVALID-COOKIE
<ASA IP address> fatal INVALID-COOKIE notify message, delete phase 1 handle.

The configuration on RB750 is the same as on RB750Gr3; they have the same IP addresses and everything, I manually swap the cables.
The relevant IPSec config is as follows:

Code:

/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=AES256 pfs-group=none
/ip ipsec peer
add address=<ASA IP address>/32 compatibility-options=skip-peer-id-validation dh-group=modp1536 dpd-interval=disable-dpd enc-algorithm=aes-256 \
lifetime=1h local-address=<Mikrotik IP> nat-traversal=no secret="sKl#91qWlDf22\$rA"
/ip ipsec policy
add dst-address=<NET behind ASA>/32 proposal=AES256 sa-dst-address=<ASA IP address> sa-src-address=<Mikrotik IP address> src-address=<Mikrotik IP address>/32 tunnel=yes

Note that the traffic from the server behind Mikrotik is NAT-ed to the Mikrotik address and the networks behind ASA should see this server as coming from the Mikrotik IP.

As I said before, this configuration works on RB750 (v6.38.1) and it does not work on RB750Gr3 (multiple versions of RouterOS tried).
Is IPSec broken on RB750Gr3?

Best regards,
Budzi
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Tue Jun 20, 2017 3:18 am

Starting with the basics ... Are you clearing the SAs on the ASA side? Alternatively waiting for them to time out.

Side-note IPSec over IPv6 in transport mode between a hex on the latest 6.40rc21 to a hap ac lite works fine for me.
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Tue Jun 20, 2017 1:38 pm

Starting with the basics ... Are you clearing the SAs on the ASA side? Alternatively waiting for them to time out.

Side-note IPSec over IPv6 in transport mode between a hex on the latest 6.40rc21 to a hap ac lite works fine for me.

Hi idlemind,
Thank you for your reply.

Yes, the SAs on the ASA side (both ISAKMP and IPSEC) are cleared. Actually, they did not exist when I checked them (ASA is on a remote site so I had to contact their network engineer to give me access), maybe due to the fact that lifetime is set to 1 hour (3600 seconds) and I started troubleshooting the next day. Just to be on the safe side, we cleared any IPSEC SAs from Mikrotik peer (clear crypto ipsec sa peer <Mikrotik IP address>), although ASA didn't show any SAs. The strange thing is that when I try connecting from RB750Gr3, I get nothing in the debug logs on ASA related to this tunnel or related to Mikrotik IP address at all (debug logs from ASA are sent to syslog server). If I ping ASA from RB750Gr3 I can see the ICMP (request and reply) packets in the log of ASA, but nothing related to IPSEC tunnel. On the other hand, when I connect RB750, I get a ton of logs on ASA related to IPSEC tunnel.

This is not the first time I have trouble with IPSEC tunnels between Cisco and Mikrotik. I had troubles with IPSEC tunnels between RB953GS-5HnT and Cisco routers, the tunnels would randomly freeze on Cisco side, and I had to manually clear SAs on Cisco side for them to start working again. Although, to be honest, I used two GPRS modems in RB953GS to connect to Cisco and the conditions on the wireless channel could be the cause. But later I replaced Cisco routers with RB3011 and now it works flawlessly (I have 20+ routers connecting to central office via dual redundant GPRS links and GRE over IPSEC tunnels with OSPF routing). But I digress...

For now, I switched back to RB750; when I get some free time I will try to sniff the traffic between ASA and the two Mikrotiks and see if there is any notable difference.
I will post back any results/conclusions.

Thank you
Budzi
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Wed Sep 20, 2017 4:48 pm

I managed to solve this. I have not mentioned this before, but I have two WAN connections to Internet from this router - WAN1: PPPoE and WAN2: a cable modem with fixed public IP address. Most of the traffic goes to Internet via WAN1, except for few servers that go through WAN2 (this is set using mangle and NAT rules and this works fine). I have manually set the route to ASA peer in the routing table by setting the IP address of the next hop router on WAN2 network (the gateway IP address that my cable provider gave to me). When I ping the ASA peer, the traffic goes via WAN2 and I can see it on ASA. However, when IPSec daemon/service on Mikrotik tries to establish the connection with ASA peer, it goes through WAN1!

SOLUTION:
The problem was resolved when I changed the route to ASA peer to use "WAN2 interface" as gateway, instead of the "WAN2 gateway IP address" provided to me by the WAN2 provider.

Why this works is beyond me. I would really like it if someone could explain to me the difference between using an IP address and an interface as gateway to some destination network.

Anyway, hope this helps someone else with similar problem.
Thanks idlemind for trying to help.

Best regards,
Budzi
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Wed Sep 20, 2017 5:19 pm

Interesting, without seeing the output of /ip route I'm a bit mystified as well. The only thing that comes to mind is how was WAN2 addressed and what was the gateway address (the gateway was within the subnet of WAN2, right?)

Switching to the interface as the gateway I believe causes the router to ARP for the destination IP so it requires the upstream router to have proxy ARP to work or be on a point to point type of interface (PPP). Either way very interesting.
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Wed Sep 20, 2017 6:58 pm

As it appears, that was not the solution :(

After I got it to work, I set the route to ASA peer to use the IP address of the WAN2 gateway (it is in the same subnet as WAN2 address) and it continued to work?!? So then I rebooted the router and there it was, the same problem again! So I changed the route again to use the WAN2 interface, and nothing happened, still no tunnel! Rebooted, same problem. Disabled "Allow Fast Path", rebooted, same problem...

Long story short, when I disable and then enable the WAN1 interface - the IPSec tunnel starts working! And continues to work (using WAN2) even if I disable the ASA peer route and redirect the traffic via WAN1!

So here is what I think happens:
When the router boots, it takes a bit longer for WAN2 interface to come up than WAN1, so when the IPSec service/daemon tries to connect to ASA, it goes via WAN1 as that is its default gateway. I can confirm this from the logs, IPSec service tries to connect before WAN2 comes up, it takes 5-6 seconds for WAN2 to come up after rebooting the Mikrotik, maybe it is some feature of the cable modem, who knows (it is a Cisco cable modem/router, maybe it has portfast turned off on that interface so it listens for loops before enabling the interface, just guessing).
When WAN2 interface comes up, it changes the routing table so that traffic to ASA peer goes via WAN2. But the IPSec service does not detect this and it continues to go through WAN1 interface!
No matter what I change in the routing table, IPSec service continues to go through WAN1. The only way to make it switch to WAN2 is to shortly disable/enable the WAN1 interface. The service then re-reads the routing table, switches the traffic to ASA peer via WAN2 and the IPSec tunnel establishes successfully.

I could be wrong about this, but that is what my tests show. I have no idea if this is a bug or if it is intentional, but I think that the IPSec service should monitor the routing table and if it affects any of its peers, restart the negotiation phase with that peer (or simply restart the IPSec service).

Thanks again for all the help.
Best regards,
Budzi
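A workaround along the lines Budzi proposes (have something re-read the route to the peer and restart the negotiation when it changes) can be done from a RouterOS scheduler script. The following is an added example, not code from the thread or from MikroTik. It assumes a RouterOS 6.x router with a static /32 route to the peer, an IPsec peer entry carrying the comment "asa-peer", and the read-only route property gateway-status (which prints as e.g. "198.51.100.1 reachable via WAN2"); the addresses are constructed placeholders from the RFC 5737 documentation ranges.

```routeros
# Added example, not from the thread: poll the route to the IPsec peer and
# restart the peer when the path to it changes, so that ISAKMP is re-sourced
# from the address that now actually faces the peer.
# Assumptions: a static /32 route to the peer exists, the peer carries the
# comment "asa-peer", and gateway-status reads like
# "198.51.100.1 reachable via WAN2".
:local peerAddr "203.0.113.10"
:local peerComment "asa-peer"

# A global survives between scheduler runs; it remembers the last observed path
:global asaPeerPath

:local routeIds [/ip route find where dst-address="$peerAddr/32"]
:if ([:len $routeIds] = 0) do={
    :log warning "ipsec-watch: no /32 route to $peerAddr found"
} else={
    # Next hop plus interface as the router currently resolves them
    :local pathNow [/ip route get ($routeIds->0) gateway-status]
    :if ([:typeof $asaPeerPath] = "nothing") do={
        # First run after boot: only record the path, do not touch the peer
        :set asaPeerPath $pathNow
        :log info "ipsec-watch: path to $peerAddr is '$pathNow'"
    } else={
        :if ($pathNow != $asaPeerPath) do={
            :log warning "ipsec-watch: path to $peerAddr changed from '$asaPeerPath' to '$pathNow', restarting peer"
            # Disabling the peer tears down its phase 1/2 state; re-enabling it
            # starts a fresh negotiation, now sourced via the current route
            /ip ipsec peer disable [find comment=$peerComment]
            :delay 2s
            /ip ipsec peer enable [find comment=$peerComment]
            :set asaPeerPath $pathNow
        }
    }
}

# Install (typed once at the CLI, after saving the body above as the
# script "ipsec-watch" under /system script):
# /system scheduler add name=ipsec-watch interval=10s on-event=ipsec-watch
```

With a 10 s interval, the boot-time case in this thread (WAN2 coming up 5-6 s after WAN1) is caught on the first poll after WAN2's route becomes active, and the peer is bounced once. Because the comparison is on the whole gateway-status string, a change of next-hop address alone also triggers a restart, which is the safe direction: an unnecessary renegotiation costs a few seconds, while a missed one leaves ISAKMP stuck on the wrong source address as described above.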
 
idlemind
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work  [SOLVED]

Wed Sep 20, 2017 7:33 pm

Very surprising, I'd expect the WAN2 ISP to be dropping packets sourced from the WAN1 IP range on the basis of BCP38 so as the routing table updates the tunnel would actually die and be rebuilt.

Can you verify if the traffic actually moves to WAN2 but the source IP stays WAN1? (interface graphs maybe, I'm not sure if you could pick it up with firewall logging)
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Wed Sep 20, 2017 8:00 pm

Actually, the source IP for the IPSec packets, when they go through WAN1, is WAN1 IP address (despite the fact that I have set the "Local address" in the Mikrotik IPSec peer configuration to be the WAN2 IP address) as they are able to reach the ASA on the other side. They travel to ASA and then ASA drops them as it has no knowledge of a peer with that IP address. If I am not mistaken, ASA returns "INVALID_COOKIE" packet back to Mikrotik via WAN1.

I finally figured out that it has something to do with routing when I asked my colleague on the Cisco side to catch in the log anything that has the IP address of the WAN1. Then he told me he is getting the IPSec drops from my WAN1 IP address, and nothing from my WAN2 IP address. That is when I disabled/enabled WAN1 and it all started to work properly.

I am not sure I could see the packets source IP on WAN2, other than setting some kind of sniffer on WAN2 and using Wireshark to collect the packets.

Now that I think about it, you make a good point, maybe the traffic is going out via WAN2 but the IPSec service is stuck with source IP from WAN1. In case the provider does not do any reverse route checking, that would make it all the way to ASA (as the destination IP is good) and then the response would come back through WAN1 (ASA would still deny the connection as the packet is from the wrong source IP, the WAN1 IP address). When I get some time I will try to get one PC with two NICs in bridge mode between the Mikrotik and WAN2 cable modem and then trigger the problem to see what I get. Or maybe there is a way to set the mirroring port on Mikrotik...I will check it out when I get the time and let you know what I found out.

Thank you
Budzi
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Thu Sep 21, 2017 3:19 pm

So I managed to sniff the traffic on WAN2 link. It turns out you (idlemind) are absolutely right.
As can be seen on the attached picture, the tunnel is working properly and using the right IP addresses (WAN2 IP is 62.4.X.X and Cisco ASA is 195.66.X.X).
Then I disable the WAN2 interface and the IPSec tunnel, enable the tunnel (enable the peer on Mikrotik), and then after a few seconds enable the WAN2 interface. And I get the WAN1 IP address (37.122.X.X) as the source IP of the IPSec tunnel packets on the WAN2 link!
And it continues like that until I briefly disable and then enable the WAN1 (PPPoE link). At that point, IPSec starts using the WAN2 IP address as the source and the tunnel establishes again.

So it is the problem inside the IPSec service and not the routing problem. For some reason, IPSec service does not detect the change in routing and keeps using the same IP address on different network. I did not encounter this problem on MIPSBE router (RB750) only on MMIPS (RB750Gr3).

Interestingly, the packet with the wrong source IP address still makes it to Cisco ASA on the other side. This tells a lot about my WAN2 provider security measures...

Hope this helps someone else with this problem. And I hope someone from Mikrotik will see this and fix it.

Thank you idlemind for all your help. You are a genius!

Best regards,
Budzi
 
dadaniel
Member Candidate
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Thu Sep 21, 2017 6:20 pm

Can you please report this to support@mikrotik.com ? They often don't notice bug reports in the forums.
 
emils
MikroTik Support
Posts: 480
Joined: Thu Dec 11, 2014 8:53 am

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Thu Sep 21, 2017 6:43 pm

First of all, to clarify, gateway can be specified as interface only for PPP interfaces.

Secondly, IPsec does not keep track of routing table changes no matter what architecture you are using. Most likely this would require quite some resources on larger configurations.

You said you have set local-address to WAN2 address in IPsec Peer configuration. This does not quite go together with your statement that IPsec uses WAN1 address as source address on WAN2 interface. Local-address parameter just sets the source address for ISAKMP protocol to use, it does not check whether you can actually use the address.
 
pe1chl
Forum Guru
Posts: 5708
Joined: Mon Jun 08, 2015 12:09 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Thu Sep 21, 2017 9:25 pm

When I get some time I will try to get one PC with two NICs in bridge mode between the Mikrotik and WAN2 cable modem and then trigger the problem to see what I get. Or maybe there is a way to set the mirroring port on Mikrotik...I will check it out when I get the time and let you know what I found out.

As usual I recommend to avoid IPsec tunnels and instead use a GRE tunnel over IPsec transport, then route appropriate traffic over the GRE tunnel interface.
I have a scenario like that operating and I even use two GRE tunnels and a routing protocol (BGP), so it even does failover in case one of the internet connections fails.
Plus it is so much easier to debug, to write firewall rules, etc etc etc.
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Thu Sep 21, 2017 10:01 pm

Hi emils,

Thanks for your reply.
First of all, to clarify, gateway can be specified as interface only for PPP interfaces.

That is what I think also, it could be that I was mistaken on this, but at the time it seemed that it was working using interface instead of gateway IP address. But I tried so many things trying to fix the problem that there might be some other route in the routing table directing the traffic to the proper gateway address.
Secondly, IPsec does not keep track of routing table changes no matter what architecture you are using. Most likely this would require quite some resources on larger configurations.

Well it might not be resource intensive if it is designed properly. For example, when creating an IPSec tunnel, you could remember the interface the traffic for that IPSEC tunnel goes out of. In my case, the IPSec tunnel first tried to connect to peer using WAN1, but it could not establish the tunnel. Then when the WAN2 came up, the packets to peer were redirected via WAN2 but the IPSec service did not detect this, and it kept creating ISAKMP packets using WAN1 address. If it had remembered the interface that it used before, and then checked if it is the same interface before sending the packets, it would detect the change and then try to re-negotiate the IPSec tunnel using new source IP address - WAN2 IP.

This is just an example, there is probably a lot more to this than I described here. But I know that for Cisco devices, you have to specify the interface for every IPSec tunnel (uses crypto maps bound to a specific interface). That way, using routing, you direct the traffic that should be encrypted to the specific interface, and then the router checks if it should be encrypted and sends it out via IPSec tunnel that originates from that interface. There is no way for that specific IPSec tunnel to originate from any other interface.
You said you have set local-address to WAN2 address in IPsec Peer configuration. This does not quite go together with your statement that IPsec uses WAN1 address as source address on WAN2 interface. Local-address parameter just sets the source address for ISAKMP protocol to use, it does not check whether you can actually use the address.

That is why I think it is strange. I have set the local address of the IPSec peer to WAN2 IP address. Yet on the WAN 2 interface I could clearly see ISAKMP traffic with source IP address of WAN1 (you can see it on the picture from my previous post). That should not happen.

As to why this does not happen on my RB750 router, that could be linked to its speed. It takes much more time for RB750 to boot to operating state than RB750Gr3. Maybe RB750 does not have this problem because in the time it takes for it to start the IPSec tunnel negotiation, the Cisco cable modem (my WAN2 provider) brings the interface WAN2 up and IPSec service starts using the right interface from the start. This is just a hypothesis, I did not verify this.

Thank you for your help.

Best regards,
Budzi
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Thu Sep 21, 2017 10:06 pm

When I get some time I will try to get one PC with two NICs in bridge mode between the Mikrotik and WAN2 cable modem and then trigger the problem to see what I get. Or maybe there is a way to set the mirroring port on Mikrotik...I will check it out when I get the time and let you know what I found out.
As usual I recommend to avoid IPsec tunnels and instead use a GRE tunnel over IPsec transport, then route appropriate traffic over the GRE tunnel interface.
I have a scenario like that operating and I even use two GRE tunnels and a routing protocol (BGP), so it even does failover in case one of the internet connections fails.
Plus it is so much easier to debug, to write firewall rules, etc etc etc.

Yes, I use GRE over IPSec also, with OSPF routing that gives me load balancing and failover over two or more links. Unfortunately, sometimes I cannot choose the tunnel type due to other side devices' capabilities, security policies and what not.

Best regards,
Budzi
 
mrz
MikroTik Support
Posts: 5921
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Fri Sep 22, 2017 7:52 am

Looks like a problem when you have dual wan and "masquerade" configured. I would suggest with routing marks always force ipsec over the WAN2.
 
Budzi
just joined
Topic Author
Posts: 10
Joined: Wed Apr 08, 2015 10:32 pm

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Sat Sep 23, 2017 11:18 pm

Looks like a problem when you have dual wan and "masquerade" configured. I would suggest with routing marks always force ipsec over the WAN2.

I don't understand how masquerading is causing the wrong IP address on the interface.

I think that the suggestion to use routing marks might work. But this would only mask the original design problem. Looking at the packet flow diagram (https://wiki.mikrotik.com/wiki/Manual:P ... ow#Diagram), we can see that after hitting the IPSec policy decision, and deciding it should be encrypted, we get to "local process out", then a routing decision again (?!?) and then again all the way to the output interface. What this allows is that I can direct traffic that should be encrypted through say WAN1, it gets picked up by an IPSec policy (that is not bound to any interface), gets encrypted and then I can direct the encrypted traffic to go through WAN2. So the encrypted traffic goes out of WAN2 instead of WAN1. This is contrary to most (if not all) other routers on the market. In my opinion, the IPSec tunnels should be defined "per interface" so that they can not go out any interface of their choosing.

On the packet flow diagram, there should be no "routing decision" in the packet path after you build the IPSec tunnel, as there could be a change in routing (interface up/down, dynamic routing decision etc) that the IPSec tunnel service/daemon does not pick up after it has been built the first time. And since the tunnel is already built, any subsequent traffic that matches the IPSec policy and matches the already built IPSec tunnel will go out with wrong source IP address, like in my case. So, in my opinion, on the packet flow diagram, the box "IPSec Encryption" should be connected to "OUTPUT INTERFACE" box and not "Local process out". And the IPSec policy and/or peer configuration should have a mandatory field "output interface".

But then again, I could be wrong. Anyway, I will look into the routing marks solution in order to "lock" the IPSec tunnel to the right interface.
Thank you all for helping me getting to the root of this problem.

Best regards,
Budzi
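mrz's routing-mark suggestion, written out as an added example that is not part of the thread and not MikroTik's own configuration: the router's own IKE (UDP/500, UDP/4500) and ESP packets to the ASA are marked in the mangle output chain and routed through a table that only knows WAN2, with a blackhole behind it so a WAN2 outage drops the tunnel instead of letting it leak out of WAN1; an output filter rule logs and drops anything leaving WAN2 with a source address other than WAN2's, which is also the check idlemind asked for in this thread. It assumes RouterOS 6.x with interfaces named WAN1 and WAN2; every address is a constructed placeholder from the RFC 5737 documentation ranges.

```routeros
# Added example, not from the thread: pin the router's own IPsec traffic to
# WAN2 with a routing mark, and refuse to emit WAN1-sourced packets on WAN2.
# Constructed placeholders: ASA 203.0.113.10, WAN2 address 198.51.100.2/27,
# WAN2 next hop 198.51.100.1, interface names WAN1 and WAN2.

/ip firewall mangle
# ISAKMP and NAT-T generated by the router itself pass the output chain;
# marking them here makes the following routing decision use table via-wan2
add chain=output dst-address=203.0.113.10 protocol=udp dst-port=500,4500 \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no \
    comment="IKE to ASA via WAN2"
# ESP carrying the encrypted payload gets the same mark
add chain=output dst-address=203.0.113.10 protocol=ipsec-esp \
    action=mark-routing new-routing-mark=via-wan2 passthrough=no \
    comment="ESP to ASA via WAN2"

/ip route
# The marked table has exactly one usable path: the WAN2 next hop
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-wan2 \
    distance=1 comment="marked IPsec traffic via WAN2"
# If WAN2 is down, drop the marked traffic instead of falling back to the
# main table (and thus to WAN1), which is the leak seen in this thread
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-wan2 \
    distance=2 comment="never fall back to WAN1 for marked traffic"

/ip ipsec peer
# Keep ISAKMP sourced from the WAN2 address, as in the original config
set [find address=203.0.113.10/32] local-address=198.51.100.2

/ip firewall filter
# Egress sanity check: nothing the router sends out of WAN2 may carry a
# source address other than WAN2's. A hit in the log is the symptom described
# in this thread (WAN1 address on the WAN2 link) caught locally, without a
# bridged sniffer PC
add chain=output out-interface=WAN2 src-address=!198.51.100.2 \
    action=drop log=yes log-prefix="wan2-bad-src" \
    comment="drop and log packets leaving WAN2 with a foreign source"
```

The filter rule is the part worth keeping even if the routing-mark pin is later removed: it turns the silent failure (tunnel packets reaching the ASA with the wrong source, then being rejected with INVALID-COOKIE) into a visible log entry on the router, and it is what the WAN2 provider should have been doing anyway in the BCP38 sense idlemind raised. Note that marking in the output chain only covers packets the router originates, which is exactly the IKE and ESP traffic of a policy-based tunnel; transit traffic that merely matches the IPsec policy does not need a mark.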
 
svallverdu
just joined
Posts: 1
Joined: Tue Nov 21, 2017 7:09 am

Re: RB750Gr3 IPsec VPN to Cisco ASA does not work

Tue Nov 21, 2017 7:40 am

Hello everybody, I am having trouble trying to establish an IPSEC tunnel between one of my latest MikroTik routers and a Cisco ASA in our main headquarters. One of the MikroTik routers works quite well, but the other (with exactly the same config) does not.

I don't know what can be wrong, so I have included a zip file with the following:

I would really appreciate your support.

Thank you very much.

Best regards,

Not working IPSEC router (Julieta)
Model: RouterBOARD 750G r3
Serial number: 6F39073EAC6D
Factory Firmware: 3.35
Package List routeros-mmips 6.36.1

Config:
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add lifetime=8h name=Extranet pfs-group=modp768
add lifetime=1h name=BREEZE
/ip address
add address=192.168.2.1/24 interface=LAN1 network=192.168.2.0
add address=192.168.25.1/24 interface=SCADA network=192.168.25.0
add address=192.168.25.100/24 interface=SCADA network=192.168.25.0
add address=120.23.67.38/27 interface=WAN network=120.23.67.32
/ip firewall address-list
add address=192.168.25.0/24 list=redes_locales
add address=120.23.67.32/27 list=redes_locales
add address=192.168.2.0/24 list=redes_locales
add address=124.224.177.182 list=ssh_blacklist
add address=192.168.120.0/24 list=redes_locales
add address=172.16.6.0/24 list=redes_locales
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
established,related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=ether17
add action=jump chain=forward comment="Acceso VPN" jump-target=VPN \
src-address=10.99.99.0/24
add action=jump chain=input comment=SSH dst-port=22 jump-target=SSH protocol=\
tcp
add chain=forward dst-port=25 out-interface=WAN protocol=tcp \
src-address-list=redes_locales
add action=drop chain=forward dst-port=25 protocol=tcp
add chain=input dst-port=8291 in-interface=WAN protocol=tcp
add chain=input dst-port=61893 in-interface=WAN protocol=tcp
add chain=forward connection-state=related in-interface=WAN
add chain=forward connection-state=established in-interface=WAN
add chain=input in-interface=WAN protocol=icmp
add chain=input comment="abro puerto tcp 1723 para la vpn pptp" dst-port=1723 \
in-interface=WAN protocol=tcp
add chain=input comment="habilito protocolo GRE para la vpn pptp" \
in-interface=WAN protocol=gre
add chain=input dst-port=1723 in-interface=WAN protocol=udp
add chain=input connection-state=established in-interface=WAN
add chain=input connection-state=related in-interface=WAN
add action=drop chain=input comment=test in-interface=all-wireless
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 \
in-interface=WAN protocol=udp
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 \
in-interface=WAN protocol=tcp
add action=drop chain=input comment="Bloqueo webproxy externo" dst-port=8080 \
in-interface=WAN protocol=tcp
add action=drop chain=input comment="Bloqueo webproxy externo" dst-port=8080 \
in-interface=WAN protocol=udp
add chain=VPN comment="Excepcion Usuario X" disabled=yes log=yes src-address=\
10.99.99.6
add chain=VPN comment="Permito acceso a las redes locales desde VPN" \
dst-address-list=redes_locales
add action=drop chain=VPN
add action=drop chain=SSH comment="drop ssh peligroso" src-address-list=\
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=SSH connection-state=new \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=SSH connection-state=new src-address-list=\
ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=SSH connection-state=new src-address-list=\
ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=30s chain=SSH connection-state=new
/ip firewall nat
add action=netmap chain=srcnat comment=Extranet-VOB dst-address=\
192.168.120.0/24 src-address=192.168.25.0/24 to-addresses=10.16.6.0/24
add action=netmap chain=dstnat comment=Extranet-VOB dst-address=10.16.6.0/24 \
src-address=192.168.120.0/24 to-addresses=192.168.25.0/24
add action=netmap chain=srcnat comment=Extranet dst-address=192.168.120.0/24 \
src-address=192.168.2.0/24 to-addresses=172.16.6.0/24
add action=netmap chain=dstnat comment=Extranet dst-address=172.16.6.0/24 \
src-address=192.168.120.0/24 to-addresses=192.168.2.0/24
add action=netmap chain=srcnat comment=Breeze dst-address=172.30.10.0/23 \
to-addresses=10.43.104.0/24
add action=netmap chain=dstnat comment=Breeze dst-address=10.43.104.0/24 \
to-addresses=192.168.25.0/24
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether17
add action=masquerade chain=srcnat dst-address=192.168.2.20 out-interface=\
LAN1
add action=dst-nat chain=dstnat comment="RTU - Modbus TCP" dst-port=60502 \
in-interface=WAN protocol=tcp to-addresses=192.168.2.20 to-ports=502
add action=dst-nat chain=dstnat comment="RTU - Modbus TCP" dst-port=502 \
in-interface=WAN protocol=tcp to-addresses=192.168.2.20 to-ports=502
add action=dst-nat chain=dstnat comment="RTU - Programacion" dst-port=2001 \
in-interface=WAN protocol=tcp to-addresses=192.168.2.20 to-ports=2001
add action=dst-nat chain=dstnat comment="RTU - Programacion" dst-port=2001 \
in-interface=WAN protocol=udp to-addresses=192.168.2.20 to-ports=2001
add action=dst-nat chain=dstnat dst-port=6502 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.10 to-ports=502
add action=masquerade chain=srcnat out-interface=WAN
add action=netmap chain=dstnat dst-address=192.168.25.100 in-interface=SCADA \
to-addresses=192.168.2.20
add action=dst-nat chain=dstnat dst-port=2404 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.20 to-ports=2404
add action=netmap chain=dstnat dst-address=192.168.19.0/24 to-addresses=\
192.168.2.0/24
add action=masquerade chain=srcnat out-interface=SCADA
/ip ipsec peer
add address=180.117.134.64/32 dh-group=modp768 enc-algorithm=aes-256,aes-128 \
local-address=120.23.67.38 secret=Extranet.test.microtik \
send-initial-contact=no
add address=46.51.197.243/32 enc-algorithm=aes-256 lifetime=8h local-address=\
120.23.67.38 secret=Breeze.test.microtik send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add comment=Extranet dst-address=192.168.120.0/24 level=unique priority=3 \
proposal=Extranet sa-dst-address=180.117.134.64 sa-src-address=\
120.23.67.38 src-address=172.16.6.0/24 tunnel=yes
add comment=Extranet-VOB dst-address=192.168.120.0/24 level=unique priority=3 \
proposal=Extranet sa-dst-address=180.117.134.64 sa-src-address=\
120.23.67.38 src-address=10.16.6.0/24 tunnel=yes
add dst-address=172.30.10.0/23 level=unique proposal=BREEZE sa-dst-address=\
46.51.197.243 sa-src-address=120.23.67.38 src-address=10.43.104.0/24 \
tunnel=yes
/ip route
add comment=" Gateway de ANTEL" distance=1 gateway=120.23.67.33


Working IPSEC router (Villa Rodríguez)
Model: RouterBOARD 750G r2
Serial number: 5C5005532CB8
Factory Firmware: 3.34
Package List routeros-mipsbe 6.28

Config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add enc-algorithms=aes-128-cbc lifetime=1h name=BREEZE
add enc-algorithms=aes-128-cbc lifetime=8h name=Extranet pfs-group=modp768
/ip address
add address=192.168.2.1/24 interface=LAN1 network=192.168.2.0
add address=192.168.25.1/24 interface=SCADA network=192.168.25.0
add address=192.168.25.100/24 interface=SCADA network=192.168.25.0
add address=179.127.177.70/27 interface=WAN network=179.127.177.64
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether17
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=200.40.220.245,200.40.30.245 gateway=\
192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.25.0/24 list=redes_locales
add address=179.127.177.70/27 list=redes_locales
add address=192.168.2.0/24 list=redes_locales
add address=124.224.177.182 list=ssh_blacklist
add address=172.16.7.0/24 list=redes_locales
add address=192.168.120.0/24 list=redes_locales
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=ether17
add action=jump chain=forward comment="Acceso VPN" jump-target=VPN \
src-address=10.99.99.0/24
add action=jump chain=input comment=SSH dst-port=22 jump-target=SSH protocol=\
tcp
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
redes_locales
add action=drop chain=forward dst-port=25 protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=WAN protocol=tcp
add action=accept chain=input dst-port=61893 in-interface=WAN protocol=tcp
add action=accept chain=forward connection-state=related in-interface=WAN
add action=accept chain=forward connection-state=established in-interface=WAN
add action=accept chain=input in-interface=WAN protocol=icmp
add action=accept chain=input comment="abro puerto tcp 1723 para la vpn pptp" \
dst-port=1723 in-interface=WAN protocol=tcp
add action=accept chain=input comment=\
"habilito protocolo GRE para la vpn pptp" in-interface=WAN protocol=gre
add action=accept chain=input dst-port=1723 in-interface=WAN protocol=udp
add action=accept chain=input connection-state=established in-interface=WAN
add action=accept chain=input connection-state=related in-interface=WAN
add action=drop chain=input comment=test in-interface=all-wireless
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 \
in-interface=WAN protocol=udp
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 \
in-interface=WAN protocol=tcp
add action=drop chain=input comment="Bloqueo webproxy externo" dst-port=8080 \
in-interface=WAN protocol=tcp
add action=drop chain=input comment="Bloqueo webproxy externo" dst-port=8080 \
in-interface=WAN protocol=udp
add action=accept chain=VPN comment="Excepcion jrabunal" disabled=yes log=yes \
src-address=10.99.99.6
add action=accept chain=VPN comment=\
"Permito acceso a las redes locales desde VPN" dst-address-list=\
redes_locales
add action=drop chain=VPN
add action=drop chain=SSH comment="drop ssh peligroso" src-address-list=\
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=SSH connection-state=new \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=SSH connection-state=new src-address-list=\
ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=SSH connection-state=new src-address-list=\
ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=30s chain=SSH connection-state=new
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether17
add action=masquerade chain=srcnat dst-address=192.168.2.20 out-interface=\
LAN1
add action=masquerade chain=srcnat dst-address=192.168.2.20
add action=netmap chain=srcnat comment=Extranet-VOB dst-address=\
192.168.120.0/24 src-address=192.168.25.0/24 to-addresses=10.16.7.0/24
add action=netmap chain=dstnat comment=Extranet-VOB dst-address=10.16.7.0/24 \
src-address=192.168.120.0/24 to-addresses=192.168.25.0/24
add action=netmap chain=srcnat comment=Extranet dst-address=192.168.120.0/24 \
src-address=192.168.2.0/24 to-addresses=172.16.7.0/24
add action=netmap chain=dstnat comment=Extranet dst-address=172.16.7.0/24 \
src-address=192.168.120.0/24 to-addresses=192.168.2.0/24
add action=netmap chain=srcnat comment=Breeze dst-address=172.30.10.0/23 \
to-addresses=10.43.105.0/24
add action=netmap chain=dstnat comment=Breeze dst-address=10.43.105.0/24 \
to-addresses=192.168.25.0/24
add action=dst-nat chain=dstnat comment="RTU - Modbus TCP" dst-port=60502 \
in-interface=WAN protocol=tcp to-addresses=192.168.2.20 to-ports=502
add action=dst-nat chain=dstnat comment="RTU - Modbus TCP" dst-port=502 \
in-interface=WAN protocol=tcp to-addresses=192.168.2.20 to-ports=502
add action=dst-nat chain=dstnat comment="RTU - Programacion" dst-port=2001 \
in-interface=WAN protocol=tcp to-addresses=192.168.2.20 to-ports=2001
add action=dst-nat chain=dstnat comment="RTU - Programacion" dst-port=2001 \
in-interface=WAN protocol=udp to-addresses=192.168.2.20 to-ports=2001
add action=dst-nat chain=dstnat dst-port=6502 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.10 to-ports=502
add action=masquerade chain=srcnat out-interface=WAN
add action=netmap chain=dstnat dst-address=192.168.25.100 in-interface=SCADA \
to-addresses=192.168.2.20
add action=dst-nat chain=dstnat dst-port=2404 in-interface=WAN protocol=tcp \
to-addresses=192.168.2.20 to-ports=2404
add action=netmap chain=dstnat dst-address=192.168.19.0/24 to-addresses=\
192.168.2.0/24
add action=masquerade chain=srcnat out-interface=SCADA
/ip ipsec peer
add address=46.51.197.243/32 enc-algorithm=aes-256 lifetime=8h local-address=\
179.127.177.70 secret=Breeze.test.microtik send-initial-contact=no
add address=180.117.134.64/32 dh-group=modp768 enc-algorithm=aes-256,aes-128 \
local-address=179.127.177.70 secret=Extranet.test.microtik \
send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add comment=Breeze dst-address=172.30.10.0/23 level=unique proposal=BREEZE \
sa-dst-address=46.51.197.243 sa-src-address=179.127.177.70 src-address=\
10.43.105.0/24 tunnel=yes
add comment=Extranet dst-address=192.168.120.0/24 level=unique priority=3 \
proposal=Extranet sa-dst-address=180.117.134.64 sa-src-address=\
179.127.177.70 src-address=172.16.7.0/24 tunnel=yes
add comment=Extranet-VOB dst-address=192.168.120.0/24 level=unique priority=3 \
proposal=Extranet sa-dst-address=180.117.134.64 sa-src-address=\
179.127.177.70 src-address=10.16.7.0/24 tunnel=yes
/ip route
add comment="Gateway de antel" distance=1 gateway=179.127.177.65
