nichky
Forum Guru
Topic Author
Posts: 1280
Joined: Tue Jun 23, 2015 2:35 pm

[ASK] default configuration

Wed Oct 17, 2018 6:14 am

I just reset my router to default, and I have seen this one. I need an explanation of the part highlighted in yellow:
[Attachment not available]
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: [ASK] default configuration

Wed Oct 17, 2018 9:17 am

That yellow-marked text will limit your SRC-NAT to match (and translate) only non-IPsec outgoing traffic. There is no reason to do SRC-NAT on IPsec-processed packets, as they will likely have the IP of the router itself.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: [ASK] default configuration

Wed Oct 17, 2018 10:02 am

The actual reason for this rule is that packets that should match an IPsec policy must not be masqueraded. Masquerade will change the source address, and the packets will fail to match against the IPsec policy.
 
nichky
Forum Guru
Topic Author
Posts: 1280
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration

Wed Oct 17, 2018 1:25 pm

> The actual reason for this rule is that packets that should match an IPsec policy must not be masqueraded. Masquerade will change the source address, and the packets will fail to match against the IPsec policy.

That's a much better explanation. Thanks, mrz.
I have L2TP/IPsec between two locations and I'm having L2TP/IPsec disconnections (once per week) for an unknown reason; maybe it will help to solve this issue?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: [ASK] default configuration

Wed Oct 17, 2018 3:41 pm

L2TP/IPsec shouldn't be affected, because in this case IPsec uses transport mode and the source address is the router's WAN address, so masquerade is actually not doing anything.
The problem must be somewhere else.
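
A simplified model of the behaviour mrz describes in the two replies above, added here as an example that is not part of the original thread. It assumes the highlighted matcher is RouterOS's `ipsec-policy=out,none` on the masquerade rule (the attachment is not visible), and all addresses, policies and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread)
WAN_IP = ip_address("203.0.113.10")
# Tunnel-mode policy: LAN-to-LAN selector
TUNNEL = (ip_network("192.168.88.0/24"), ip_network("10.20.0.0/24"))
# Transport-mode policy as used by L2TP/IPsec: router WAN address to peer
TRANSPORT = (ip_network("203.0.113.10/32"), ip_network("198.51.100.7/32"))


def matches_policy(src, dst, policies):
    """True if (src, dst) falls inside any policy's src/dst selector."""
    return any(src in s and dst in d for s, d in policies)


def egress(src, dst, policies, exclude_ipsec):
    """Model srcnat masquerade followed by the IPsec policy lookup.

    exclude_ipsec=True models ipsec-policy=out,none on the masquerade
    rule: packets that will match a policy are left untranslated.
    Returns (source address on the wire, whether IPsec encrypts it).
    """
    src, dst = ip_address(src), ip_address(dst)
    if not (exclude_ipsec and matches_policy(src, dst, policies)):
        src = WAN_IP  # masquerade rewrites the source to the WAN address
    # The policy lookup runs after srcnat, on the possibly rewritten source
    return str(src), matches_policy(src, dst, policies)


if __name__ == "__main__":
    cases = [
        ("tunnel, plain masquerade", "192.168.88.5", "10.20.0.9", [TUNNEL], False),
        ("tunnel, out,none matcher", "192.168.88.5", "10.20.0.9", [TUNNEL], True),
        ("internet, out,none matcher", "192.168.88.5", "192.0.2.50", [TUNNEL], True),
        ("L2TP transport, plain masquerade", "203.0.113.10", "198.51.100.7", [TRANSPORT], False),
    ]
    for label, src, dst, policies, exclude in cases:
        wire_src, encrypted = egress(src, dst, policies, exclude)
        print(f"{label}: src={wire_src} encrypted={encrypted}")
```

The first case is the failure mode: the LAN packet is rewritten to the WAN address, no longer matches the tunnel selector, and leaves unencrypted. The last case shows why transport-mode L2TP/IPsec is unaffected, since the source is already the WAN address.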
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: [ASK] default configuration

Wed Oct 17, 2018 11:34 pm

@nichky The best thing would be to check your detailed logs from both server and client. Your "unknown" reason will be written there. It is highly possible that you don't have such logging enabled, so you will need to add logging actions for the topics "ipsec" and "l2tp" (one action for each topic), and once your disconnection happens, check what it says.
 
nichky
Forum Guru
Topic Author
Posts: 1280
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration

Thu Oct 18, 2018 4:17 am

> @nichky The best thing would be to check your detailed logs from both server and client. Your "unknown" reason will be written there. It is highly possible that you don't have such logging enabled, so you will need to add logging actions for the topics "ipsec" and "l2tp" (one action for each topic), and once your disconnection happens, check what it says.

Have a look:

viewtopic.php?f=2&t=139945
 
nichky
Forum Guru
Topic Author
Posts: 1280
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration

Thu Oct 18, 2018 1:53 pm

@vecernik87 That is the new update:
[Attachment not available]
