htikeaungkyaw

IPSec VPN (SonicWall to MTK)

Thu Jul 11, 2019 11:54 am

Hi all,
I'd like to discuss a site-to-site IKE VPN (SonicWall to MTK). I used aggressive mode because one of the sites is behind double NAT. I successfully established the VPN. Now my problem is that I can reach the MTK LAN from the SonicWall LAN, but I can't reach the SonicWall LAN from the MTK LAN. I think there's no route to the SonicWall LAN. In /ip route, I can see it as reachable. Has anybody had experience like this? I'm also attaching my whole config below. I'm wondering if you can share...
Thank you


[admin@MikroTik] /ip> ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0xD03602A src-address=158.140.147.9:4500 dst-address=192.168.8.100:4500 state=dying
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key="4622762400aede9bb7af27413172537a2cde6072"
enc-key="c1b061ba2c499a2a60672d53a2db8eb5f01a8173eb14e32b" addtime=jul/11/2019 18:28:09
expires-in=4m46s add-lifetime=24m/30m current-bytes=9660 current-packets=115 replay=128

1 E spi=0xDCAB5202 src-address=192.168.8.100:4500 dst-address=158.140.147.9:4500 state=dying
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key="28c4519ae1066429b177179af9cc82f4c65e6746"
enc-key="06450d5cf8a4630fa997c6e2fdfd30be53a341cb870c4202" addtime=jul/11/2019 18:28:09
expires-in=4m46s add-lifetime=24m/30m current-bytes=9660 current-packets=115 replay=128

2 E spi=0xDFDE972 src-address=158.140.147.9:4500 dst-address=192.168.8.100:4500 state=mature
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key="16db606d0f0fa9af171aa0d1ecf332794ed97295"
enc-key="c90e53ed761ccf98fe0c27b5bf2ab73b0b34ba8a48977c80" add-lifetime=24m/30m replay=128

3 E spi=0x8FDBD202 src-address=192.168.8.100:4500 dst-address=158.140.147.9:4500 state=mature
auth-algorithm=sha1 enc-algorithm=3des enc-key-size=192
auth-key="2e7643348d0563f06dfc401652aaa103278dba82"
enc-key="ccb3f80a0307e4e8b0129a0676372b603f75ebb4a5407f94" add-lifetime=24m/30m replay=128
 
cdiedrich

Re: IPSec VPN (SonicWall to MTK)

Thu Jul 11, 2019 2:01 pm

On first sight I see two issues:

Your default masquerade rule is way too loose - it will masquerade everything from anywhere to anywhere. Add your local subnet as src-address and add your WAN interface as out-interface.
Move your NAT accept rules before your masquerade rule.

and as a side note:
Your firewall looks wide open to WAN. Maybe that is the first point to start securing your router before you do anything else.

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
htikeaungkyaw

Re: IPSec VPN (SonicWall to MTK)

Thu Jul 11, 2019 6:23 pm

Thank you, Chris. I'll make sure to close the loophole later. Actually, it's still being tested in my lab. Again, thank you for replying to my post. Do you have any idea about the route, as I can't reach the SonicWall's LAN subnet?
 
cdiedrich

Re: IPSec VPN (SonicWall to MTK)

Fri Jul 12, 2019 10:21 am

I'm pretty sure it's related to your loose masquerade rule.
Traffic from the SonicWall to your subnet works because the traffic is NATed to your router's internal IP address, which is known to your site.
And I guess that traffic towards the SonicWall is most likely NATed to your WAN IP address, so that traffic will be blocked by the SonicWall.
-Chris
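The NAT problem Chris describes in his two replies (a catch-all masquerade rule rewriting tunnel-bound traffic to the WAN address, and NAT accept rules sitting below it) is shown below as an added RouterOS configuration example. It is not the poster's attached config and not taken from either reply. The LAN subnets 192.168.100.0/24 (MikroTik side) and 10.10.10.0/24 (SonicWall side), the WAN interface name ether1 and the peer name sonicwall are assumptions; the peer address 158.140.147.9 and the router's own address 192.168.8.100 come from the installed-sa output in the first post. Policy syntax is the RouterOS 6.43+ form, where a policy references an already-configured peer.

```routeros
# Added example, not the original poster's configuration. Assumed values:
#   MikroTik LAN  = 192.168.100.0/24  (behind this router)
#   SonicWall LAN = 10.10.10.0/24     (behind the remote peer)
#   WAN interface = ether1, carrying 192.168.8.100 (itself behind NAT, hence udp/4500)
#   Remote peer   = 158.140.147.9, already configured as /ip ipsec peer "sonicwall"

# --- Before: the single rule that breaks the return path ----------------------
# Matches every packet leaving the router, including packets that are about to
# be matched by the IPsec policy. A 192.168.100.x -> 10.10.10.x packet gets its
# source rewritten to 192.168.8.100 before encryption; the SonicWall's policy
# only covers 192.168.100.0/24 <-> 10.10.10.0/24, so it drops the packet.
/ip firewall nat
add chain=srcnat action=masquerade comment="TOO LOOSE: any src, any dst, any interface"

# --- After: exempt tunnel traffic first, then masquerade only LAN -> WAN ------
# srcnat is evaluated top to bottom and the first matching rule wins, so the
# accept rule must sit ABOVE the masquerade rule (or be moved there with
# "/ip firewall nat move").
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.100.0/24 dst-address=10.10.10.0/24 \
    ipsec-policy=out,ipsec comment="no NAT for traffic that will be encrypted"
add chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface=ether1 \
    comment="masquerade only the LAN, only when it leaves via the WAN"

# The policy the accept rule protects. Its networks must mirror the SonicWall's
# local/remote networks exactly, otherwise the SonicWall rejects the traffic
# just as it does with masqueraded packets.
/ip ipsec policy
add peer=sonicwall src-address=192.168.100.0/24 dst-address=10.10.10.0/24 \
    tunnel=yes action=encrypt proposal=default

# --- Side note from the replies: do not leave the router wide open to the WAN -
# Minimal input chain that still lets IKE, NAT-T and ESP through from the peer.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500,4500 \
    src-address=158.140.147.9 comment="IKE and NAT-T from the SonicWall only"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    src-address=158.140.147.9 comment="ESP from the SonicWall only"
add chain=input action=accept in-interface=!ether1 comment="management from LAN only"
add chain=input action=drop in-interface=ether1 comment="everything else from WAN"

# Checks after applying:
#   /ip firewall nat print stats      -> the accept rule's counters must rise when
#                                        a LAN host pings 10.10.10.x; the masquerade
#                                        rule's counters must not
#   /ip ipsec policy print            -> the policy should carry the A (active) flag
#   /ip ipsec installed-sa print      -> current-packets should grow in both directions
```

The order of the two srcnat rules is the whole fix: with the accept rule on top, tunnel-bound packets keep their LAN source address and match the SonicWall's policy; everything else from the LAN is still masqueraded out of ether1, and nothing from other interfaces or other sources is masqueraded at all.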
