juanjosv
just joined
Topic Author
Posts: 2
Joined: Tue Jul 24, 2018 1:01 pm

vpn site to site, one behind NAT and dynamic ip

Tue Jun 25, 2019 2:59 pm

I'm trying to create a VPN between GCP and an RB750 v6.42.6; the latter is behind NAT (I created a DMZ) and the external router has a dynamic IP.
This is my config at the moment:


/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip ipsec peer
add address=35.205.XXX.XXX/32 dh-group=modp1024 enc-algorithm=aes-128 exchange-mode=ike2 \
generate-policy=port-override lifetime=1w local-address=83.46.0.0
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.132.0.0/24 level=unique proposal=ipsec sa-dst-address=35.205.XXX.XXX \
sa-src-address=83.46.XXX.XXX src-address=192.168.99.0/24 tunnel=yes
The PH2 State in policies shows "no phase2"; in the logs:
13:45:43 ipsec ike2 request, exchange: SA_INIT:0 35.205.XXX.XXX[500]
13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX
13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500]

I have other VPNs working with static IPs between MikroTiks and GCP, but I cannot understand what is happening here.
 
McSee
Frequent Visitor
Posts: 67
Joined: Tue Feb 26, 2019 12:49 pm

Re: vpn site to site, one behind NAT and dynamic ip

Tue Jun 25, 2019 5:15 pm

13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX
13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500]


You do not have a suitable peer with local address 192.168.1.33 (or a peer with no local address specified).

This sa-src-address=83.46.XXX.XXX would be a second point of failure if you do not have exactly this address locally on your MikroTik.
Also I am not sure if NAT Traversal is the default setting for peers (or peer profiles; not sure where it is in 6.42.6 RoS).
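As an added illustration (not from the thread, not MikroTik code), a small Python checker that applies the two peer-selection checks described in the reply above to the peer export and the debug log line from the first post. The GCP address 35.205.0.1 is a constructed placeholder for the masked one, and the "fixed" variant assumes local-address should be the ether1 address the NAT router handed out, as seen in the log line.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the peer from the first post, with the masked octets
# of the GCP address replaced by the placeholder 35.205.0.1.
BROKEN_EXPORT = """\
/ip ipsec peer
add address=35.205.0.1/32 dh-group=modp1024 enc-algorithm=aes-128 exchange-mode=ike2 \\
generate-policy=port-override lifetime=1w local-address=83.46.0.0
"""
# Same peer with local-address pinned to the ether1 address assigned by the NAT
# router (assumption: 192.168.1.33, taken from the debug log line).
FIXED_EXPORT = BROKEN_EXPORT.replace("local-address=83.46.0.0", "local-address=192.168.1.33")
LOG_LINE = "13:45:44 ipsec,debug ===== received 892 bytes from 35.205.0.1[500] to 192.168.1.33[500]"

def parse_peers(export):
    """Parse '/ip ipsec peer' export lines into dicts, joining backslash-continued lines."""
    peers = []
    for line in export.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            peers.append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return peers

def parse_received(log_line):
    """Extract (remote, local) addresses from an 'ipsec,debug ... received' line."""
    m = re.search(r"received \d+ bytes from (\S+?)\[\d+\] to (\S+?)\[\d+\]", log_line)
    return ip_address(m.group(1)), ip_address(m.group(2))

def peer_matches(peer, remote, local):
    """Apply the two selection checks from the reply: remote address, then local-address."""
    addr = peer.get("address")
    if addr and remote not in ip_network(addr, strict=False):
        return False, f"remote {remote} is outside address={addr}"
    la = peer.get("local-address")
    if la and ip_address(la) != local:
        return False, f"packet arrived on {local} but peer has local-address={la}"
    return True, "peer selected"

def check(export, log_line):
    """Return one (ok, reason) tuple per configured peer for the packet in the log line."""
    remote, local = parse_received(log_line)
    return [peer_matches(p, remote, local) for p in parse_peers(export)]

if __name__ == "__main__":
    for name, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        for ok, reason in check(export, LOG_LINE):
            print(f"{name}: {'OK' if ok else 'no IKEv2 peer config'} - {reason}")
```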
 
AlexKV
just joined
Posts: 18
Joined: Tue Jul 06, 2010 9:57 am

Re: vpn site to site, one behind NAT and dynamic ip

Tue Jun 25, 2019 5:52 pm

Are the rules added?
/ip firewall filter add chain=forward action=accept place-before=0 src-address=10.132.0.0/24 dst-address=192.168.99.0/24
/ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.99.0/24 dst-address=10.132.0.0/24

/ip firewall nat add chain=srcnat action=accept  place-before=0 src-address=10.132.0.0/24 dst-address=192.168.99.0/24
/ip firewall nat add chain=srcnat action=accept  place-before=1 src-address=192.168.99.0/24 dst-address=10.132.0.0/24
 
juanjosv
just joined
Topic Author
Posts: 2
Joined: Tue Jul 24, 2018 1:01 pm

Re: vpn site to site, one behind NAT and dynamic ip

Tue Jun 25, 2019 6:29 pm

13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX
13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500]


You do not have a suitable peer with local address 192.168.1.33 (or a peer with no local address specified).

This sa-src-address=83.46.XXX.XXX would be a second point of failure if you do not have exactly this address locally on your MikroTik.
Also I am not sure if NAT Traversal is the default setting for peers (or peer profiles; not sure where it is in 6.42.6 RoS).
The 1.33 IP is on ether1; it was assigned by the NAT router. But the tutorial I followed did not show anything about the local IP from the NAT router.

Are the rules added?
/ip firewall filter add chain=forward action=accept place-before=0 src-address=10.132.0.0/24 dst-address=192.168.99.0/24
/ip firewall filter add chain=forward action=accept place-before=1 src-address=192.168.99.0/24 dst-address=10.132.0.0/24

/ip firewall nat add chain=srcnat action=accept  place-before=0 src-address=10.132.0.0/24 dst-address=192.168.99.0/24
/ip firewall nat add chain=srcnat action=accept  place-before=1 src-address=192.168.99.0/24 dst-address=10.132.0.0/24
Yes, I have those four rules created. And the 500, 1701 and 4500 UDP ports are open.
