Community discussions

 
andrewbenedyk
just joined
Topic Author
Posts: 1
Joined: Wed Jul 10, 2019 8:10 am

Routing issue in IPSec tunnel configuration

Wed Jul 17, 2019 5:14 pm

Hi All,

Actual Configuration.
There is IPSEC Tunnel configured between Site A (AWS) and Site B (on-premises) accordingly to official AWS guides and recommendations (https://docs.aws.amazon.com/vpn/latest/ ... tions.html). As Site B VPN endpoint we have Mikrotik hEX S (RB760iGS). Tunnel DOES WORK without issues.
- Site A (AWS) 1.1.1.0/24
- Site B (on-premises) 2.2.2.0/24
When traffic comes from Site A, it is NATed to IP address 2.2.2.123. We have full connectivity between Site A and Site B.

Site B (on-premises) also connected locally to Site C (internal) via on-premises router with IP address 2.2.2.2. Hereby router directly connected to Site C network.
- Site C (internal) - 3.3.3.0/24
Mikrotik router within Site B has configured static route to 3.3.3.0/24 via 2.2.2.2. Site B and Site C are pingable.
Untitled Diagram (1) (2) (1).jpg
Task:
Site A should access to Site C via Site B and vice versa.

AWS configuration:
- VPC routing table routes all traffic to used VPN gateway (0.0.0.0/0 route to IPSec tunnel)
- Used Site-to-Site VPN connection comprises required static routes configuration - 2.2.2.0/24 and 3.3.3.0/24 (accordingly to AWS official guide)

Nevertheless, we even don't see traffic are recieved by Site B Mikrotik when pinging Site C from Site A. Although, we can ping any host within Site C (internal) from Mikrotik router.
Just to mention, when we temporary tried to hook network 3.3.3.0/24 into Mikrotik interface we started see connectivity between Site A (1.1.1.0/24) and 3.3.3.0/24.

So searching help here to find issue with our setup. See following Mikrotik configuration.


Mikrotik:
Firewall NAT:
======================================================================================
> ip firewall nat print     
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; src-nat for traffic from swconn. Source addr ->2.2.2.123
      chain=srcnat action=src-nat to-addresses=2.2.2.123 src-address=1.1.1.0/24 log=yes log-prefix="nat"
======================================================================================

Firewall filter:
======================================================================================
> ip firewall filter print      
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 7    ;;; allow winbox connections
      chain=input action=accept protocol=tcp src-address-list=Mgmt in-interface=ether1 dst-port=8291 log=no log-prefix="" 

 8    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 9    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

10    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

11    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

12    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

13    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

14    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

15    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

16    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

17    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
======================================================================================

Route:
======================================================================================
> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          $MikrotikPublicGateway             1
 1 ADC  $MikrotikPublicNet/26   $MikrotikPublicIP   ether1                    0
 2 A S  3.3.3.0/24                     2.2.2.2               1
 3 ADC  169.254.23.32/30   169.254.23.34   ether1                    0
 4 A S  ;;; Route to VPC (swconn subnet) using tunnel1
        1.1.1.0/24      2.2.2.123   169.254.23.33             1
 5 X S  ;;; Route to VPC (swconn subnet) using tunnel2
        1.1.1.0/24                      169.254.21.125            1
 6 ADC  2.2.2.0/24     2.2.2.123   Local                     0
======================================================================================

IPSec policy:
======================================================================================
> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1  A  ;;; AWS Tunnel1: local-swconn
       src-address=2.2.2.0/24 src-port=any dst-address=1.1.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$MikrotikPublicIP 
       sa-dst-address=$AWSPublicIP proposal=ipsec-vpn-05b1182fb83354cc8-0 ph2-count=1 
 2  A  ;;; AWS Tunnel1: Mikrotik-VPG
       src-address=169.254.23.34/32 src-port=any dst-address=169.254.23.33/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$MikrotikPublicIP 
       sa-dst-address=$AWSPublicIP proposal=ipsec-vpn-05b1182fb83354cc8-0 ph2-count=1
======================================================================================
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: No registered users and 47 guests