IKEv2 site to site between 2 Mikrotik

kenyloveg · Fri Jan 18, 2019 3:46 pm

Hi, Guys
I've managed to create a site to site IPsec/IKEv2 connection between 2 Mikrotik device (HAP AC2 and RB4011).

Here is Router 1 (HAP AC2) config:

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] loop-protect=off name=ether2-wan1
set [ find default-name=ether3 ] loop-protect=off name=ether3-wan2
set [ find default-name=ether4 ] loop-protect=off name=ether4-wan3
set [ find default-name=ether5 ] loop-protect=off name=ether5-lan
/interface l2tp-client
add connect-to=l2tpsrv2.com disabled=no name=l2tp-out1 password=l2tppswd user=l2tpusr
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=2d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether5-lan
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=112.65.129.178/30 interface=ether2-wan1 network=112.65.129.176
add address=140.206.103.134/30 interface=ether3-wan2 network=140.206.103.132
add address=220.248.18.254/30 interface=ether4-wan3 network=220.248.18.252
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set cache-max-ttl=1m cache-size=1024KiB servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=1.0.1.0/24 list=cnlist
###...5000 more ip address list...###
add address=l2tpsrv2.com list=cnlist
add address=208.67.220.220 list=cnlist
add address=208.67.222.222 list=cnlist
add address=192.168.88.0/24 list=lan
add address=192.168.88.2-192.168.88.253 list=local
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=ether2-wan1 new-connection-mark=wan1
add action=mark-connection chain=prerouting in-interface=ether3-wan2 new-connection-mark=wan2
add action=mark-connection chain=prerouting in-interface=ether4-wan3 new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=wan1 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=wan2 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=wan3 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface=bridge1 new-routing-mark=wan1-mark
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface=bridge1 new-routing-mark=wan2-mark
add action=mark-routing chain=prerouting connection-mark=wan3 in-interface=bridge1 new-routing-mark=wan3-mark passthrough=yes
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=wan1-mark
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=wan2-mark
add action=mark-routing chain=output connection-mark=wan3 new-routing-mark=wan3-mark passthrough=yes
add chain=prerouting dst-address=112.65.129.0/24 in-interface=bridge1
add chain=prerouting dst-address=140.206.103.0/24 in-interface=bridge1
add action=accept chain=prerouting dst-address=220.248.18.0/24 in-interface=bridge1
add action=mark-routing chain=prerouting dst-address-list=!cnlist dst-address-type=!local new-routing-mark=l2tp passthrough=yes src-address-list=local
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.88.0/24
add action=src-nat chain=srcnat out-interface=ether2-wan1 to-addresses=112.65.129.178
add action=src-nat chain=srcnat out-interface=ether3-wan2 to-addresses=140.206.103.134
add action=src-nat chain=srcnat out-interface=ether4-wan3 to-addresses=220.248.18.254
add action=masquerade chain=srcnat comment=src-nat out-interface=l2tp-out1
add action=dst-nat chain=dstnat dst-address=112.65.129.178 dst-port=3999 protocol=tcp src-address-list=ssh to-addresses=192.168.88.12 to-ports=8069
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.100.0/24 src-address=192.168.88.0/24
add dst-address=192.168.100.0/24 sa-dst-address=58.32.34.46 sa-src-address=220.248.18.254 src-address=192.168.88.0/24 tunnel=yes
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=shiyutech nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm lifetime=1h pfs-group=none
/ip ipsec peer
add address=58.32.34.46/32 exchange-mode=ike2 generate-policy=port-strict local-address=220.248.18.254 mode-config=shiyutech passive=yes secret=ShiyuTech send-initial-contact=no
/ip ipsec mode-config
add address-pool=dhcp_pool1 name=shiyutech system-dns=no
/ip route
add distance=1 gateway=112.65.129.177 routing-mark=wan1-mark
add distance=1 gateway=140.206.103.133 routing-mark=wan2-mark
add distance=1 gateway=220.248.18.253 routing-mark=wan3-mark
add distance=1 gateway=l2tp-out1 routing-mark=l2tp
add distance=1 gateway=112.65.129.177,140.206.103.133,220.248.18.253
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2-wan1 type=external
add interface=ether3-wan2 type=external
add interface=ether4-wan3 type=external
add interface=bridge1 type=internal

And Router 2 (RB4011)

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] loop-protect=off name=ether2-wan
set [ find default-name=ether6 ] loop-protect=off name=ether6-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2-wan name=pppoe-out1 password=pppoepswd user=pppoeusr
/interface l2tp-client
add connect-to=l2tpsrv1.com disabled=no name=l2tp-out1 password=l2tppswd user=l2tpusr
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=4w2d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether6-lan
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set cache-max-ttl=1h cache-size=1024KiB servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=1.0.1.0/24 list=cnlist
###...5000 more ip address list...###
add address=208.67.220.220 comment=opendns list=cnlist
add address=208.67.222.222 comment=opendns list=cnlist
add address=l2tpsrv1.com list=cnlist
add address=192.168.100.2-192.168.100.253 list=local
add address=192.168.100.0/24 list=lan
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!cnlist dst-address-type=!local new-routing-mark=l2tp passthrough=yes src-address-list=local
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.100.0/24
add action=src-nat chain=srcnat comment=src-nat out-interface=pppoe-out1 to-addresses=58.32.34.46
add action=masquerade chain=srcnat out-interface=l2tp-out1
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=tcp to-addresses=208.67.220.220 to-ports=443
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=tcp to-addresses=208.67.222.222 to-ports=443
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.88.0/24 src-address=192.168.100.0/24
add dst-address=192.168.88.0/24 sa-dst-address=220.248.18.254 sa-src-address=58.32.34.46 src-address=192.168.100.0/24 tunnel=yes
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm lifetime=1h pfs-group=none
/ip ipsec peer
add address=220.248.18.254/32 exchange-mode=ike2 generate-policy=port-strict mode-config=request-only secret=ShiyuTech
/ip route
add check-gateway=ping distance=2 gateway=l2tp-out1 routing-mark=l2tp
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external

I can ping 192.168.88.254 (Synology NAS on Router 1 HAP AC2) from 192.168.100.2 (Windows 7 PC on Router 2 RB4011) with around 10ms no drops.The problem is windows smb share is not work, I can type "\\192.168.88.254" to browse share but not able to open any folder. And I can't open "http://192.168.88.254" (Synology NAS's webpage, title displayed but no page shows).
I've searching in the forum and found same experience posted by other users.
How can it be solved?
Thanks.

kenyloveg · Mon Jan 21, 2019 4:45 pm

really hoping someone can point out what I'm doing wrong

JohnTRIVOLTA · Mon Jan 21, 2019 6:30 pm

really hoping someone can point out what I'm doing wrong

I cant see any IpSec IKE2 Site to Site configuration ! You may have set up some L2TP with IpSec ppp connection and routing the networks on it - do you have any routes for them in both places ?

kenyloveg · Tue Jan 22, 2019 5:19 am

Hi, @JohnTRIVOLTA
Did you ever looked in my config?

Router 1 (HAP AC2 as responder)

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.88.0/24
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.100.0/24 src-address=192.168.88.0/24
add dst-address=192.168.100.0/24 sa-dst-address=58.32.34.46 sa-src-address=220.248.18.254 src-address=192.168.88.0/24 tunnel=yes
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=shiyutech nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm lifetime=1h pfs-group=none
/ip ipsec peer
add address=58.32.34.46/32 exchange-mode=ike2 generate-policy=port-strict local-address=220.248.18.254 mode-config=shiyutech passive=yes secret=ShiyuTech send-initial-contact=no
/ip ipsec mode-config
add address-pool=dhcp_pool1 name=shiyutech system-dns=no

And Router 2 (RB4011 as responder)

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.100.0/24
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.88.0/24 src-address=192.168.100.0/24
add dst-address=192.168.88.0/24 sa-dst-address=220.248.18.254 sa-src-address=58.32.34.46 src-address=192.168.100.0/24 tunnel=yes
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm lifetime=1h pfs-group=none
/ip ipsec peer
add address=220.248.18.254/32 exchange-mode=ike2 generate-policy=port-strict mode-config=request-only secret=ShiyuTech

Thanks.

JohnTRIVOLTA · Tue Jan 22, 2019 6:57 am

I'm really sorry. I have only seen the beginning of both configurations without scrolling them!
Now, when I look at the config, I think that the traffic that is between the two networks should be marked to be exactly where / which WAN port / will come out for balancing!

kenyloveg · Tue Jan 22, 2019 4:56 pm

Hi, @JohnTRIVOLTA
Please read my first post. My problem is access smb share from initiator side (Router 2 RB4011) is very slow, I can barely browse folder but can't open any folder or file, ping is fine no lost.
I did same test today, this time from responder side (Router 2 HAP AC2), smb share is fine, copy files from router 2 speed is around 20-30 Mbps (consider it's acceptable).
Now I'm considering it should be related to MTU/MSS, cuz Router 2's wan is PPPoE client (MTU 1442, MRU 1480) and Router 1 is static IP (MTU 1500). Ping from initiator side indicates actual MTU is 1364(ping -f -l 1346 192.168.88.254).
The conclusion is IPsec tunneling need adjust MTU or change MSS manually.
Correct me if I'm wrong.
Thanks.

JohnTRIVOLTA · Tue Jan 22, 2019 7:20 pm

I think your problem is in the balancing mode used /PCC/. In the second router, you do not use balancing, and there is no problem for initiate the connection. For the test, you can stop the wan ports and leave only the wan for ipsec and try it again.

kenyloveg · Wed Jan 23, 2019 2:28 am

Hi, @JohnTRIVOLTA
Thanks for your replay. But I still think you are missing the point, I can ping lan devices under responder from lan device under initiator without any lose, which means PCC setting should be fine (it is, for the last 5 year.) Well, I changed "both address and ports" to "both address" to verify if it is the problem, will update tomorrow.

Edit: Change PCC rules to "both address and ports" to "both address" doesn't make any different, I still can't open smb folder on lan device (responder) from lan device (initiator).

sindy · Wed Jan 23, 2019 4:01 pm

What makes me uncertain whether it is the same problem as in this other topic is that you say that it works but very slowly. Slow operation is usually a consequence of use of an action=fasttrack-connection rule in /ip firewall filter which is incompatible with use of IPsec policies. There are somehow too few rules in your filter table - have you posted only those you've considered relevant?

Leaving that doubt aside for a moment, there were reports here which suggested that some combinations of encapsulation and authentication of IPsec transport packets yielded wrong MTU sizes (different authentication algorithms add different number of bytes to the packet so the resulting MTU differs depending on this), so as a consequence the ICMP "sorry, didn't fit" feedback was not provided and the packets exceeding the real threshold got silently dropped. I'm not aware whether anyone has ever made a support ticket of that. I'm also not sure whether sha-256 is one of those and whether the mapping table doesn't take into account also the encryption algorithm although it should not be related, but I'd suggest you to change the proposal to auth-algorithms=sha512 enc-algorithms=aes-256-cbc which I use routinely without any issues and see whether it helps or not. If it does, your current proposal is affected by that incorrect MTU adjustment; if it doesn't, something else is rotten. In the latter case, you'd have to run a sniffer into file simultaneously at both devices on their LAN ports looking towards the SMB hosts and see whether all incoming packets at one end can be seen as outgoing ones on the other end, and then eventually narrow the search further.

kenyloveg · Wed Jan 23, 2019 5:06 pm

Hi, @sindy
Thanks for you reply.
1. I've searched out the forum, I've noticed the fasttrack problem related to IPsec. You need place accept IPsec protocal rule before fasttrack. But, I'm not using fasttrack and I don't need to use it (HAP A2 or RB4011 can handle far more than 500Mbps NAT).
2. The exported config are all of my current settings (except none related settings like wireless or disabled services in firewall...etc)
3. I've noticed the encryption hash algorithms may reduce or increase MTU size. So I did minimized it to SHA-1, 128bit AES. I'll change it to sha512 AES-256-cbc as you mentioned it works for you, and report it back tomorrow.

kenyloveg · Mon Jan 28, 2019 3:27 pm

After rebuild my PCC rules, I've managed to fix the problem.
viewtopic.php?f=2&t=144626

Thanks.

IKEv2 site to site between 2 Mikrotik

IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Re: IKEv2 site to site between 2 Mikrotik

Who is online