mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

EOIP with IPSEC over Double Nat

Fri Sep 14, 2018 3:02 pm

Hi All

Can someone help me out on this, even if just to say that it can absolutely not be done?

I have an office HQ where I have Mikrotik running with a static IP
plus
I have a remote office where I have a hEX running which I want to link to the HQ for email and the like.

The problem which I have is that the remote office is using an LTE modem for internet connectivity. The WAN ip address of the LTE modem is reported as 10.x.x.x but if I do a checkip.dyndns.com report, I find that the public WAN ip address is 213.x.x.x so I am being double natted by the service provider.

The result of this is that I am failing to get any connection to establish using EOIP/IPSEC, it fails at phase 1 and I am guessing that it is because I have set up using the 213.x.x.x address as remote from HQ and local on the hEX.

Does anyone know how I can overcome this or has anyone done this before with any level of success?

I have tried reading through a whole bunch of articles but I am not a networking guru and a lot of it leaves me for dead, so any help would be appreciated.

Thanks
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Fri Sep 14, 2018 5:59 pm

The only actual difference is between no NAT at all on one hand and one or more NATs on the other. So as soon as there is at least one NAT somewhere between the peers, you cannot use the automatic creation of IPsec settings which normally works if you specify the local-address, remote-address and ipsec-secret under /interface eoip, and you have to configure manually the /ip ipsec peer and /ip ipsec policy necessary to transport the EoIP packets, and then configure the /interface eoip without the ipsec-secret.

To support NAT anywhere in the path between the peers, you have to set nat-traversal to yes at both peers if using IKEv1 (exchange-mode=aggressive, base or main) or you must use exchange-mode=ike2 as IKEv2 contains NAT traversal support intrinsically.

At least one of the peers (usually the HQ one) must have a static public address (or be NATed to a static public address with port-forwarding of UDP ports 500 and 4500 from that address to its internal one); the other peer (usually the BO one) may be NATed behind a dynamically changing address. If even the HQ's public address is dynamic, you can use some dynamic DNS system (such as Mikrotik's /ip cloud service) to register an fqdn of the HQ which the BO will use as peer's address parameter instead of an IP number.

In either case, you have to configure the HQ side peer with address=0.0.0.0/0 (or a subnet from which the BO's outermost addresses are chosen if you know it) and configure it with send-initial-contact=no. The BO's peer is then configured with send-initial-contact=yes and with the outermost address of the HQ's peer or its fqdn as address. If the HQ's address is static, it is enough that the HQ generates the ipsec policy dynamically; if the HQ's address is changing too, you have to use xauth mode so that both peers would generate the policies.

If you want to avoid scripting, you have to set up the /ip ipsec policy between some private addresses on the two Mikrotiks and set up the remote-address of the /interface eoip to the private address of the remote peer.
 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Fri Sep 14, 2018 6:13 pm

OK, thanks for all of that!

I am going to have to sit myself down with the equipment and work through what you have given me to see if I can understand it!

I can find my way around most things but I am not such a strong router/network user.

If you know of a step by step guide which would help......?

Sent from my SM-J530F using Tapatalk

 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Fri Sep 14, 2018 6:26 pm

You can choose between Mikrotik's IPsec manual and @Srđan's nice article which deals mostly with the NAT part.
 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Fri Sep 14, 2018 6:58 pm

I shall study both links and see how I get on.

Thanks again

Sent from my SM-J530F using Tapatalk

 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Mon Sep 17, 2018 9:06 pm

OK, I am still stuck! I need to share some more information for anyone to help me.

I have the HQ router on which I have set up the IPSec Peer with 'Send Initial Contact' turned off.
I have set up the EOIP tunnel(s) between the HQ router which has a static IP and the Public WAN IP of the BO router which I have ascertained thanks to dynDNS.

I have the BO router on which I have set up the IPSec Peer with 'Send Initial Contact' turned ON.
I have set up the EOIP tunnels between the BO router and the HQ router.

The result is that I get a pairing of the 2 sites when the BO router contacts the HQ router to set up the Peer to Peer IPSec connection.
The HQ router brings up its EOIP tunnels
The BO router doesn't do anything with the EOIP tunnels.

And this is where I need to explain better what I want to do....

What I am trying to achieve is that my HQ runs a number of servers: infrastructure, phones and business
Each of these servers has DHCP and sits in a separate VLAN with its own IP range

I do not have any DHCP functionality running in the BO

What I want is to link the two sites using an IPSec tunnel and run an EOIP tunnel (or several EOIP tunnels) through the IPSec tunnel so that each server can be accessed at the BO as if the machines there are plugged directly into the HQ.

What I am struggling with is how to get the IPSec policy(ies) to create the tunnel when I have no network to bridge to in the BO. I have created the corresponding bridge(s), EOIP tunnel(s) and VLAN(s) but without DHCP, addresses etc, how do I define the source-destination of the IPSec tunnel.

I can create an address pool for each VLAN and assign it to the corresponding bridge but then I am introducing a different IP range from than in use by the DHCP server at HQ.

This has to be easier than I am making it but I can not find a straightforward explanation and I am not enough of a network/router bod to get my head around it without a little help.

If someone has done this before and I am sure that someone has, please give me a shove in the right direction as I am losing the will to live right now!
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Tue Sep 18, 2018 12:51 pm

The result is that I get a pairing of the 2 sites when the BO router contacts the HQ router to set up the Peer to Peer IPSec connection.
The HQ router brings up its EOIP tunnels
The BO router doesn't do anything with the EOIP tunnels.
This part (non-symmetric behaviour) makes me really surprised. Can you post /interface eoip export and /interface eoip print from both devices in this state?
 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Tue Sep 18, 2018 6:39 pm

Thanks again Sindy for your reply.
I haven't got access to the BO right now as I cannot log into it remotely.
I have tried to run a tracert from my laptop earlier which does not complete, although I can ping the HQ tik.
What I do know is that I can only tell the HQ to connect to 213.xxx.xxx.xxx as after that the ISP has my modem WAN hidden behind NAT so the EOIP link is up as far as the HQ is concerned but only as far as the ISP publicly visible router.
Maybe the ISP is blocking EOIP?

I will be back on site tomorrow and will post the exports when I get there

Thanks again
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Tue Sep 18, 2018 7:04 pm

Assuming you tunnel EoIP inside an IPsec tunnel and not vice versa, the ISP knows nothing about EoIP as the only thing they can see are ESP packets (if both devices are on public IPs, so clearly not your case) or UDP packets with some encrypted payload. So they may be blocking IPsec intentionally or unintentionally, but they have no means to find out that the payload of the IPsec is EoIP in particular.
 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Tue Sep 18, 2018 9:39 pm

Ahh, but that's the point, isn't it!

How do I tunnel eoip inside the ipsec tunnel when I have no ip address at the bo to enter in my policy?

Sent from my SM-J530F using Tapatalk

 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Tue Sep 18, 2018 9:40 pm

Ahh, but that's the point, isn't it!

How do I tunnel eoip inside the ipsec tunnel when I have no ip address at the bo to enter in my policy?

Sent from my SM-J530F using Tapatalk
I can't create an ipsec tunnel!


Sent from my SM-J530F using Tapatalk

 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Wed Sep 19, 2018 3:01 pm

So, this is from the HQ...

[admin@HQ] > interface eoip export
# sep/19/2018 13:53:47 by RouterOS 6.42.3
# software id = ZZZZ-ZZZZ
#
#
#
/interface eoip
add allow-fast-path=no !keepalive local-address=11.22.33.44 mac-address=02:AE:09:C5:EE:87 name=ToBO \
remote-address=222.333.444.555 tunnel-id=12345
[admin@HQ] > interface eoip print
Flags: X - disabled, R - running
0 R name="ToBO" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=02:AE:09:C5:EE:87 arp=enabled
arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=11.22.33.44 remote-address=222.333.444.555 tunnel-id=12345
dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=no


... and this is the BO

[admin@BO] > /interface eoip export
# sep/19/2018 13:46:24 by RouterOS 6.42.7
# software id = XXXX-XXXX
#
# model = RouterBOARD 750G r3
# serial number = XXXXXXXXXXX
/interface eoip
add allow-fast-path=no local-address=192.168.0.10 mac-address=02:ED:D1:CB:FA:71 name=ToHQ \
remote-address=11.22.33.44 tunnel-id=12345
[admin@BO] > /interface eoip print
Flags: X - disabled, R - running
0 name="ToHQ" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=02:ED:D1:CB:FA:71 arp=enabled
arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=192.168.0.10 remote-address=11.22.33.44 tunnel-id=12345
keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=no
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Wed Sep 19, 2018 3:58 pm

The trick is the following: instead of creating the IPsec "session" in transport mode, where you encrypt and authenticate only the packets' payload so the dst-address and sa-dst-address are the same, you create the IPsec "session" in tunnel mode, where the original packets' IP header is included into the payload to be encrypted and so it may differ from the one of the transport packet. The mode to be used is configured in /ip ipsec policy - tunnel=yes for tunnel mode and tunnel=no for transport mode.

So on each peer (or on at least the one which doesn't have a static public IP address), you create a static private address and use it as /ip ipsec policy's src-address locally (which makes it a complementary policy's dst-address on the remote peer). The peer with static public IP address must then be configured with generate-policy=port-strict or generate-policy=port-override and a policy template must be available there from which the complementary policy can be created.

That private address may be a /32 one and the best object to attach it to is an /interface bridge created for the purpose, without any member interfaces. It is up all the time regardless what happens on the physical interfaces as it is not bound to any of them.

The /interface eoip's remote address on the peer with static public IP address will then be set to that private address which doesn't change.

On peers running on public addresses you can use an fqdn as /interface eoip's remote parameter, so if the peers update some DynDNS system with their public IP address as it changes, each time the address changes, the tunnel re-establishes once the (short) validity of the previous DNS response expires and the new response shows a different IP address, but that's clearly not your case.
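What the two replies by sindy above (the NAT/peer settings in the first one and the tunnel-mode policy with a private /32 on a port-less bridge in this one) add up to, written out as an added configuration example. This is not configuration posted by anyone in the thread; it reuses the addresses visible in the exports (HQ public 11.22.33.44, BO local WAN 192.168.0.10, tunnel-id 12345) and assumes the constructed private endpoint addresses 10.255.255.1/32 (HQ) and 10.255.255.2/32 (BO), a pre-shared key placeholder, and RouterOS 6.42 syntax as in the exports (from 6.45 the peer's authentication and proposal settings moved to /ip ipsec identity and /ip ipsec profile, the idea is unchanged). IKEv2 is chosen so NAT traversal needs no extra switch; with IKEv1 you would add nat-traversal=yes on both peers instead.

```routeros
# ===== HQ side (responder, static public IP 11.22.33.44) =====
# Port-less bridge carrying the private IPsec/EoIP endpoint; it never goes down
/interface bridge
add name=lo-ipsec
/ip address
add address=10.255.255.1/32 interface=lo-ipsec comment="private IPsec endpoint (constructed value)"

# Template from which the responder generates the mirror of the BO's policy;
# dst covers a /24 so further BOs can each take their own /32 from it
/ip ipsec policy group
add name=bo-group
/ip ipsec policy
add group=bo-group template=yes src-address=10.255.255.1/32 dst-address=10.255.255.0/24 proposal=default

# Any source address, because the BO's outermost (ISP) NAT address may change
/ip ipsec peer
add address=0.0.0.0/0 passive=yes exchange-mode=ike2 auth-method=pre-shared-key \
    secret=CHANGE-ME-PSK generate-policy=port-strict policy-template-group=bo-group \
    send-initial-contact=no

# Let IKE and NAT-T in; ESP is only seen directly when no NAT is on the path
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept
# Keep masquerade from rewriting the 10.255.255.1 source before IPsec matches it;
# this rule must sit above the masquerade rule in the srcnat chain
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept comment="no NAT for IPsec-policed traffic"

# EoIP now runs between the two fixed private addresses, no ipsec-secret here
/interface eoip
add name=ToBO local-address=10.255.255.1 remote-address=10.255.255.2 tunnel-id=12345

# ===== BO side (initiator, hEX behind LTE double NAT, local WAN 192.168.0.10) =====
/interface bridge
add name=lo-ipsec
/ip address
add address=10.255.255.2/32 interface=lo-ipsec comment="private IPsec endpoint (constructed value)"

/ip ipsec peer
add address=11.22.33.44/32 exchange-mode=ike2 auth-method=pre-shared-key \
    secret=CHANGE-ME-PSK send-initial-contact=yes

# Tunnel mode: the inner selector is the two private /32s, the outer (sa-*) pair is
# the real transport pair; NAT-T wraps ESP in UDP 4500 once NAT is detected
/ip ipsec policy
add src-address=10.255.255.2/32 dst-address=10.255.255.1/32 protocol=all \
    sa-src-address=192.168.0.10 sa-dst-address=11.22.33.44 tunnel=yes \
    action=encrypt level=require proposal=default

/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept comment="must sit above masquerade"

/interface eoip
add name=ToHQ local-address=10.255.255.2 remote-address=10.255.255.1 tunnel-id=12345
```

After the IKE exchange completes, /ip ipsec installed-sa print on both routers should show a pair of SAs and /ip ipsec policy print on the HQ should show a dynamically generated policy mirroring the BO's static one; /interface eoip print should then show the R flag on both sides, which is the symmetric state the thread was missing. The EoIP interface is added as a port of the per-VLAN bridge on each side (e.g. /interface bridge port add bridge=br-phones interface=ToBO), so no IP addressing is needed at the BO beyond the single /32 on lo-ipsec; DHCP from HQ then reaches the BO clients over the bridged link.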
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: EOIP with IPSEC over Double Nat

Tue Nov 13, 2018 7:16 am

Did you ever get this working?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Tue Nov 13, 2018 8:57 am

I'm not sure whom you ask, but I did use the setup above for a while before switching over to GRE from EoIP.
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: EOIP with IPSEC over Double Nat

Tue Nov 13, 2018 3:35 pm

I'm not sure whom you ask, but I did use the setup above for a while before switching over to GRE from EoIP.
I guess I meant mbrtonpye. I am embarking on the same journey and am looking for some thoughts and ideas. Ideally, I would have both EOIP endpoints behind another router with port forwarding. Both with static IPs.
 
mbrtonpye
newbie
Topic Author
Posts: 43
Joined: Tue Dec 03, 2013 4:43 pm

Re: EOIP with IPSEC over Double Nat

Tue Nov 13, 2018 3:43 pm

Unfortunately, I did not get it working and ran out of time.
I will be looking to revisit the project as soon as possible though.

@Sindy. Thanks for the help so far and sorry for not keeping you in the loop but I hope to get back to this soon
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP with IPSEC over Double Nat

Tue Nov 13, 2018 5:16 pm

Ideally, I would have both EOIP endpoints behind another router with port forwarding. Both with static IPs.
Port forwarding adds another degree of complexity for two reasons:
  • EoIP uses GRE and GRE doesn't work with the idea of a port, so you need to encapsulate GRE into UDP or TCP (which happens automatically if you use IPsec for encryption and NAT is involved in the scenario)
  • For IPsec, you can configure the remote port number only for the initial ISAKMP negotiation, but you cannot configure the initiator to send to a port other than 4500 for the NAT-T mode to which it quickly switches over.
So you're fine if you can port-forward, at the responder side, from the external router's public IP:4500 to the inner Mikrotik's private IP:4500, but if some other application already listens at external router's public IP:4500, you have to translate the dst-port already at the initiator end of the connection, which requires either to do that on the external router in the "unusual" direction (LAN->WAN) or to loop the outgoing packets through Mikrotik's network stack twice so that you could do it on the initiator Mikrotik. And you have to use IKEv2 where the Mikrotik acting as initiator doesn't bother to start from dst-port 500 and sends the very first packet to 4500.
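The straightforward case from sindy's reply (responder side, external router forwards UDP 500 and 4500 unchanged to the inner MikroTik) as an added example; it is not configuration from the thread and it assumes the external router is itself a MikroTik with WAN interface ether1 and the inner MikroTik at the constructed address 192.168.88.2. Only the two UDP ports are forwarded: with NAT on the path the ESP traffic is carried inside UDP 4500 by NAT-T, so no protocol-50 forward is needed.

```routeros
# External (edge) router in front of the responder-side MikroTik
# Inner IPsec responder: 192.168.88.2 (constructed), WAN interface: ether1 (assumption)
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=500 comment="IKE"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=4500 comment="NAT-T: IKE + UDP-encapsulated ESP"
# Allow the forwarded flows; this must precede any drop rule in the forward chain
/ip firewall filter
add chain=forward in-interface=ether1 protocol=udp dst-port=500,4500 \
    dst-address=192.168.88.2 connection-nat-state=dstnat action=accept comment="IPsec to inner router"
```

Before relying on this, check that nothing on the edge router itself binds UDP 4500 (an IPsec peer configured on the edge router, for instance), because that is exactly the port-conflict case described above where the initiator, not the responder, would have to rewrite the destination port. The inner router's peer configuration is unchanged from the non-forwarded case; its dynamically generated policy picks up the initiator's outermost address from the IKE exchange.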
