icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

IPSec behind DMZ Double NAT Problem

Fri Dec 15, 2017 7:25 pm

Hi,

I'm new to MikroTik, forgive my ignorance, but I'm having some difficulty setting up IPSec tunnel tests before my CCR1009 goes live at the DC. Testing with a CCR1009-7G-1C-1S+ Office2 <==> Office3 hEX RB750Gr3. My goal would then be to set up Admin accounts to the DC, each using a hEX RB750Gr3. All MikroTiks are using v6.40.5.

From Local (Office2)
IPSec debug states sendfromto failed
(phase 1 negotiation failed due to send error)
17:31:24 ipsec,info initiate new phase 1 (Identity Protection): 10.1.2.0[500]<=>174.112.164.1[500] 
17:31:24 ipsec,debug new cookie: 
17:31:24 ipsec,debug 2f03b2dd9a7a0d7e  
17:31:24 ipsec,debug add payload of len 56, next type 13 
17:31:24 ipsec,debug add payload of len 16, next type 13 
17:31:24 ipsec,debug add payload of len 16, next type 0 
17:31:24 ipsec,debug 128 bytes from 10.1.2.0[500] to 174.112.164.1[500] 
17:31:24 ipsec,debug 1 times of -1 bytes message will be sent to 174.112.164.1[500] 
17:31:24 ipsec,debug,packet 2f03b2dd 9a7a0d7e 00000000 00000000 01100200 00000000 00000080 0d00003c 
17:31:24 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 
17:31:24 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c 
17:31:24 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100 
17:31:24 ipsec sendfromto failed 
17:31:24 ipsec,error phase1 negotiation failed due to send error. 10.1.2.0[500]<=>174.112.164.1[500] 2f03b2dd9a7a0d7e:0000000000000000 
17:31:24 ipsec failed to begin ISAKMP SA negotiation

Proposal
name="office" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024

Peer
address=174.1.1.1/32 local-address=10.1.2.0 auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default 
       exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d 
       dpd-interval=disable-dpd

Policy
src-address=10.1.0.0/24 src-port=any dst-address=10.1.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
       sa-src-address=174.3.7.1 sa-dst-address=174.2.4.1 proposal=default ph2-count=0

Action: netmap Chain: dstnat works fine while testing port forwards from external. I have tested several local IP nets on different Ether interfaces and several port forwards to each using a destination address of 192.168.0.2, which is the DMZ, and this all works as expected. Is there a way to get around the double NAT at Office2 in order to get IPSec up? I have disabled fasttrack connection forward as there is very little CPU usage at the moment.
Last edited by icttech on Sun Oct 28, 2018 4:20 pm, edited 3 times in total.
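The debug output above is the kind of thing that is easier to read once it is parsed. The following is an added example (not code from the post or from MikroTik): a small Python parser for RouterOS `ipsec` log lines that groups each "initiate new phase 1" attempt with the send/error lines that follow it and classifies the outcome. The sample log is constructed from the lines quoted in the post; the `sendfromto failed` and `-1 bytes` lines are treated as a local send failure (the IKE packet never left the router), which is distinct from a peer rejecting or not answering. The function names and the classification text are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the RouterOS ipsec log lines quoted in the post, one per line.
SAMPLE_LOG = """\
17:31:24 ipsec,info initiate new phase 1 (Identity Protection): 10.1.2.0[500]<=>174.112.164.1[500]
17:31:24 ipsec,debug new cookie:
17:31:24 ipsec,debug 2f03b2dd9a7a0d7e
17:31:24 ipsec,debug 128 bytes from 10.1.2.0[500] to 174.112.164.1[500]
17:31:24 ipsec,debug 1 times of -1 bytes message will be sent to 174.112.164.1[500]
17:31:24 ipsec sendfromto failed
17:31:24 ipsec,error phase1 negotiation failed due to send error. 10.1.2.0[500]<=>174.112.164.1[500] 2f03b2dd9a7a0d7e:0000000000000000
17:31:24 ipsec failed to begin ISAKMP SA negotiation
"""

# "HH:MM:SS <topics> <message>", where topics is "ipsec" plus optional ",debug", ",error", ...
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<topics>ipsec(?:,[a-z]+)*) (?P<msg>.*)$")
# "10.1.2.0[500]<=>174.112.164.1[500]"
PEERS_RE = re.compile(r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<remote>[\d.]+)\[(?P<rport>\d+)\]")
# "1 times of -1 bytes message will be sent to ..." (a negative size means the socket send failed)
SEND_RE = re.compile(r"(?P<count>\d+) times of (?P<size>-?\d+) bytes message will be sent to")


@dataclass
class Phase1Attempt:
    local: str
    remote: str
    local_port: int
    remote_port: int
    initiated_at: str
    send_failed: bool = False          # saw "sendfromto failed"
    negative_send_size: bool = False   # saw "-1 bytes message will be sent"
    error: Optional[str] = None        # the ipsec,error message, if any


def parse_line(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Split one log line into (time, topic list, message); None if it is not an ipsec line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("time"), m.group("topics").split(","), m.group("msg")


def analyze(log_text: str) -> List[Phase1Attempt]:
    """Group log lines into phase 1 attempts, each starting at an 'initiate new phase 1' line."""
    attempts: List[Phase1Attempt] = []
    current: Optional[Phase1Attempt] = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        time, topics, msg = parsed
        if msg.startswith("initiate new phase 1"):
            p = PEERS_RE.search(msg)
            if p:
                current = Phase1Attempt(p["local"], p["remote"], int(p["lport"]),
                                        int(p["rport"]), time)
                attempts.append(current)
            continue
        if current is None:
            continue  # lines before any initiate belong to no attempt
        s = SEND_RE.search(msg)
        if s and int(s["size"]) < 0:
            current.negative_send_size = True
        if msg.startswith("sendfromto failed"):
            current.send_failed = True
        if "error" in topics and msg.startswith("phase1 negotiation failed"):
            # keep only "phase1 negotiation failed due to ..." without the peer/cookie suffix
            current.error = msg.split(". ", 1)[0]
    return attempts


def diagnose(a: Phase1Attempt) -> str:
    """Classify an attempt; a send error is a local condition, not a remote reject."""
    if a.send_failed or a.negative_send_size:
        return (f"send error: IKE packet from {a.local}[{a.local_port}] to "
                f"{a.remote}[{a.remote_port}] was never transmitted (socket send failed); "
                "check that local-address is an address actually bound on this router and "
                "that no firewall rule drops the outgoing UDP/500 (or UDP/4500) packet")
    if a.error:
        return f"phase 1 failed: {a.error}"
    return "phase 1 initiated; no failure recorded in the captured lines"


if __name__ == "__main__":
    for attempt in analyze(SAMPLE_LOG):
        print(attempt.initiated_at, diagnose(attempt))
```

Run against a `/log print` export with `ipsec,debug` enabled, the script reports one line per phase 1 attempt, so a send failure on the initiator side is not mistaken for a mismatch of proposals or a peer that is silently dropping the packets.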
 
omalave
just joined
Posts: 7
Joined: Sun Dec 15, 2013 8:51 pm

Re: IPSec behind DMZ Double NAT Problem

Fri Nov 09, 2018 8:06 pm

Hi!

This is marked as solved, but I can't see any details on how it was solved.
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: IPSec behind DMZ Double NAT Problem

Fri Dec 28, 2018 5:36 pm

Hi, this was resolved by using a site-to-site GRE tunnel with IPsec.
