kingportipher
just joined
Topic Author
Posts: 5
Joined: Fri Sep 06, 2019 1:22 pm

IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Wed Mar 25, 2020 11:20 am

Hello,
I have an IPsec VPN established between a Cisco router and a MikroTik router,
but I am unable to ping the host PCs connected to it.
Attached is the snapshot of the routes in the mikrotik.

Kindly assist
 
Hartung
just joined
Posts: 5
Joined: Thu May 14, 2020 1:11 am

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Thu May 14, 2020 1:14 am

I have the same issue, but with a Fortigate.
Tunnel is established, but no ping.

The following has been tried:
routes, NAT, firewall + RAW.
 
tippenring
Member
Posts: 308
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Thu May 14, 2020 7:37 pm

Off the top of my head in order of commonality:

1. Exclude VPN traffic from NAT translation.
2. Ensure each VPN peer is the default gateway for its local network. If it isn't, then the default gateway needs a route added that sets the next hop to the remote network as the VPN peer.
3. Ensure each VPN peer's firewall rules/ACLs allow the desired traffic.
4. Ensure the VPN peer doesn't have a route for the remote network pointing at an unintended next hop.
 
Hartung
just joined
Posts: 5
Joined: Thu May 14, 2020 1:11 am

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sat May 16, 2020 11:23 pm

I have had my hEX S for 14 days, so I am relatively new to MikroTik. But I like it.
I have spent several hours on the VPN topic, without any luck.
The tunnel is established, but I can't ping.
# may/16/2020 22:09:48 by RouterOS 6.46.6
# software id = RXZI-3K8X
#
# model = RB760iGS
# serial number = A36A0B953574
/interface bridge
add admin-mac=C4:AD:34:D8:DB:2D auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=Comits
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=Comits
/ip ipsec peer
add address=REMOTEWAN exchange-mode=ike2 local-address=MYWAN name=\
    Comits port=500 profile=Comits
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1d name=Comits \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.15.10-192.168.15.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.15.1/24 comment=defconf interface=ether2 network=\
    192.168.15.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.15.0/24 comment=defconf gateway=192.168.15.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.15.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=\
    192.168.15.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.15.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=\
    192.168.15.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.15.0/24
/ip ipsec identity
add peer=Comits policy-template-group=Comits
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=Comits proposal=Comits sa-dst-address=\
    94.137.134.194 sa-src-address=MYWAN src-address=192.168.15.0/24 \
    tunnel=yes
add dst-address=192.168.5.0/24 peer=Comits proposal=Comits sa-dst-address=\
    94.137.134.194 sa-src-address=MYWAN src-address=192.168.15.0/24 \
    tunnel=yes
/ip route
add distance=1 dst-address=192.168.1.0/32 gateway=ether1
add distance=1 dst-address=192.168.5.0/32 gateway=ether1
/system clock
set time-zone-name=Europe/Copenhagen
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
johnson73
just joined
Posts: 21
Joined: Wed Feb 05, 2020 10:07 am

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 10:41 am

If you use ipsec and need to access local resources, then set the Proxy-arp option for the Bridge interface.
/interface bridge
add arp=proxy-arp name=bridge1
 
sindy
Forum Guru
Posts: 6826
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 11:25 am

> The Tunnel is established, but can't ping.
Unlike routes, the rules in firewall (and multiple other configuration branches) are matched in sequential order, not by best match. Hence you have to move the two action=accept rules in chain=srcnat of /ip firewall nat before (above) the action=masquerade one.

Also the first two rules in chain=forward of /ip firewall filter should be redundant (not harmful), as the next two ones from the default configuration, action=accept ipsec-policy=(in|out),ipsec, should do their job of preventing packets handled by IPsec policies from reaching the action=fasttrack-connection rule.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
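The reordering sindy asks for above, and point 1 of tippenring's checklist earlier in the thread (exclude VPN traffic from NAT), as an added RouterOS 6.x example; this is not configuration from the thread or from MikroTik. The subnets, the WAN interface list and the masquerade rule are taken from Hartung's export; the "VPN bypass" comments are assumptions used only to locate the two existing accept rules.

```routeros
# Added example: put the srcnat bypass rules above masquerade.
# Subnets and interface list come from Hartung's export; the comments
# are assumed labels so the rules can be found by name.

# 1. Label the two existing accept rules (they currently sit below masquerade).
/ip firewall nat set [find chain=srcnat action=accept dst-address=192.168.1.0/24] \
    comment="VPN bypass 192.168.1.0/24"
/ip firewall nat set [find chain=srcnat action=accept dst-address=192.168.5.0/24] \
    comment="VPN bypass 192.168.5.0/24"

# 2. Move them to the top. A chain is evaluated top-down and the first
#    terminating match wins, so a masquerade rule above them rewrites the
#    source of VPN-bound packets before the IPsec policy selector
#    (src-address=192.168.15.0/24) is consulted, and the packet leaves in
#    clear text via the default route instead of through the tunnel.
/ip firewall nat move [find comment="VPN bypass 192.168.1.0/24"] destination=0
/ip firewall nat move [find comment="VPN bypass 192.168.5.0/24"] destination=1

# 3. Verify: ping a host in a remote subnet from the LAN and watch the
#    counters. The bypass rule for that subnet should count; masquerade
#    should not.
/ip firewall nat print stats where chain=srcnat
```

The default masquerade rule in the export already carries the ipsec-policy=out,none matcher, which on its own should skip packets that match an outgoing IPsec policy; keeping the explicit bypass rules first makes the exclusion visible in the counters and independent of that matcher.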
 
sindy
Forum Guru
Posts: 6826
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 11:38 am

> If you use ipsec and need to access local resources, then set the Proxy-arp option for the Bridge interface.
This is only relevant when you assign to your VPN clients addresses which fit into your LAN subnets. That's not the case here.
 
Hartung
just joined
Posts: 5
Joined: Thu May 14, 2020 1:11 am

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 12:56 pm

> The Tunnel is established, but can't ping.
> Unlike routes, the rules in firewall (and multiple other configuration branches) are matched in sequential order, not by best match. Hence you have to move the two action=accept rules in chain=srcnat of /ip firewall nat before (above) the action=masquerade one.
Done

> Also the first two rules in chain=forward of /ip firewall filter should be redundant (not harmful), as the next two ones from the default configuration, action=accept ipsec-policy=(in|out),ipsec, should do their job of preventing packets handled by IPsec policies from reaching the action=fasttrack-connection rule.
Done

Traffic is being registered, but still no positive ping result.
I know for 200% that the remote firewall is working correctly.
I know for 200% that the remote firewall is working correctly.
 
sindy
Forum Guru
Posts: 6826
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 1:17 pm

What do the installed SA show under IP->IPsec?

There should be two for each remote subnet. If both count packets and bytes while you ping, the issue is at the Mikrotik end; if only the one from Mikrotik to Fortigate counts, it is an issue with IPsec itself or the firewall at the Fortigate end.
 
Hartung
just joined
Posts: 5
Joined: Thu May 14, 2020 1:11 am

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 1:32 pm

> What do the installed SA show under IP->IPsec?
>
> There should be two per each remote subnet. If both count packets and bytes while you ping, the issue is at the Mikrotik end; if only the one from Mikrotik to Fortigate counts, it is an issue with IPsec itself or the firewall at the Fortigate end.
My local WAN is: xx.xx.1.136
Remote WAN is: xx.xx.134.194
 
sindy
Forum Guru
Posts: 6826
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 1:57 pm

Try to add a chain=input action=accept protocol=ipsec-esp rule to /ip firewall filter, as the very first one in chain=input - it is not the right final place for it but it is to check what the issue may be.

Since both devices have public IP addresses, they use ESP as transport protocol. The transport packets only come if they have any payload to carry, so there are three possible reasons why no ESP packets arrive as the installed SA table shows:
  • the remote device doesn't respond to your pings or it doesn't have a route to your subnet via the Fortigate box, hence the Fortigate gets nothing to send in the ESP
  • something on the path between the Fortigate and the Mikrotik drops ESP
  • something has changed in the firewall implementation on Mikrotik and the "accept established" rule doesn't accept incoming ESP packets although the Mikrotik did send ones in the opposite direction
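The two checks sindy describes in this post and the one before it (reading the installed-SA counters per direction, and a temporary first-position accept for ESP on the input chain), as an added RouterOS 6.x example that is not part of the thread or of MikroTik's documentation. The peer name, subnets and MYWAN placeholder come from Hartung's export; the rule comment is an assumption so the test rule can be removed by name.

```routeros
# Added example: two diagnostics for a tunnel that is up but carries no replies.
# Names and subnets come from Hartung's export; the comment is an assumed label.

# A. Per-direction SA counters. Each remote subnet has one outbound SA
#    (src-address = MYWAN) and one inbound SA (dst-address = MYWAN).
#    Ping a host in 192.168.1.0/24 or 192.168.5.0/24 from the LAN, then:
#    - both SAs count bytes/packets -> encrypted traffic flows both ways,
#      so look at the MikroTik side (forward/NAT rules, LAN host routing);
#    - only the outbound SA counts -> nothing comes back: IPsec itself,
#      the path, or the Fortigate side is the problem.
/ip ipsec installed-sa print detail

# B. Temporary test rule: accept raw ESP (IP protocol 50) as the very first
#    input rule, so a too-strict "accept established,related" rule can be
#    ruled out as the reason incoming ESP is dropped. This is a test
#    position, not the final place for such a rule.
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    place-before=0 comment="TEST: accept ESP first"

# Ping again and see whether the test rule counts anything.
/ip firewall filter print stats where chain=input

# Cleanup once the cause is known:
/ip firewall filter remove [find comment="TEST: accept ESP first"]
```

If the test rule never counts a packet while the outbound SA keeps counting, no ESP is reaching the WAN interface at all, which is the case sindy narrows down in the following posts.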
 
Hartung
just joined
Posts: 5
Joined: Thu May 14, 2020 1:11 am

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 2:23 pm

> Try to add a chain=input action=accept protocol=ipsec-esp rule to /ip firewall filter, as the very first one in chain=input - it is not the right final place for it but it is to check what the issue may be.
No different.

> Since both devices have public IP addresses, they use ESP as transport protocol. The transport packets only come if they have any payload to carry, so there are three possible reasons why no ESP packets arrive as the installed SA table shows:
>   • the remote device doesn't respond to your pings or it doesn't have a route to your subnet via the Fortigate box, hence the Fortigate gets nothing to send in the ESP
The Fortigate's response is working and there is a route to my local network. The Mikrotik has replaced a Ubiquiti ER-X, where the VPN worked. Nothing has been changed in the Fortigate's firewall or other settings. I'm sure about that, as I am also the admin of that one.
>   • something on the path between the Fortigate and the Mikrotik drops ESP
>   • something has changed in the firewall implementation on Mikrotik and the "accept established" rule doesn't accept incoming ESP packets although the Mikrotik did send ones in the opposite direction
 
sindy
Forum Guru
Posts: 6826
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Sun May 17, 2020 3:27 pm

You have no rules in /interface bridge filter or /ip firewall raw, so the ESP packets really do not arrive at your WAN (I suppose you tried to ping before posting the screenshot).

To check that the Fortigate eventually does send the ESP packets but they do not arrive at the Mikrotik, you may set the local-address of the peer representing the Fortigate to 192.168.15.1, and set up a dst-nat rule on the WAN, chain=dstnat action=dst-nat protocol=udp dst-port=500,4500 dst-address-type=local in-interface=ether1 to-addresses=192.168.15.1. Then, you'd have to disable the identity or peer for a while, remove the IPsec connection from the firewall using /ip firewall connection remove [find dst-address~"ip.of.the.fortigate" or src-address~"ip.of.the.fortigate"], and re-enable the identity or peer. If NAT-T support is enabled at the Fortigate side, the tunnel will come up and the ESP will be sent encapsulated in UDP - the installed SA should show the addresses with the port number (:4500).

If even this way the pings won't start getting through, the issue is at the Fortigate end.
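The NAT-T detour sindy describes above, written out as an added RouterOS 6.x script; it is not configuration from the thread or from MikroTik. The peer name Comits, ether1, 192.168.15.1 and the UDP ports come from Hartung's export and sindy's post; ip.of.the.fortigate is a placeholder to be filled in, and the rule comment is an assumed label for cleanup.

```routeros
# Added example: force NAT-T (ESP in UDP/4500) to test whether the Fortigate
# sends anything at all. Names come from Hartung's export; ip.of.the.fortigate
# is a placeholder; the comment is an assumed label.

# 1. Make the MikroTik believe it sits behind NAT by binding IKE to the LAN
#    address instead of the public WAN address.
/ip ipsec peer set [find name=Comits] local-address=192.168.15.1

# 2. Redirect IKE/NAT-T packets arriving on the WAN for the router's own
#    address to that LAN address, so the initiator sees a NAT in the path.
/ip firewall nat add chain=dstnat action=dst-nat protocol=udp dst-port=500,4500 \
    dst-address-type=local in-interface=ether1 to-addresses=192.168.15.1 \
    comment="TEST: NAT-T detour"

# 3. Restart the tunnel cleanly: disable the identity, flush the tracked
#    connection(s) to the Fortigate so the dst-nat applies to fresh packets,
#    then enable the identity again.
/ip ipsec identity disable [find peer=Comits]
/ip firewall connection remove [find dst-address~"ip.of.the.fortigate" or \
    src-address~"ip.of.the.fortigate"]
/ip ipsec identity enable [find peer=Comits]

# 4. With NAT-T accepted by the Fortigate, the SAs show :4500 on the
#    addresses and ESP travels inside UDP. If pings still fail now, the
#    fault is on the Fortigate side (or on its route back to 192.168.15.0/24).
/ip ipsec installed-sa print detail

# Cleanup to return to plain ESP afterwards:
/ip firewall nat remove [find comment="TEST: NAT-T detour"]
/ip ipsec peer set [find name=Comits] local-address=MYWAN
```

The point of the detour is that UDP/4500 is tracked like any other UDP connection and is far less likely to be dropped on the path than raw ESP, so it separates "the Fortigate never sends" from "something between the two routers eats protocol 50".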
 
aanddre75
just joined
Posts: 1
Joined: Tue May 26, 2020 5:03 pm

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Tue May 26, 2020 6:34 pm

I have a similar problem.
My VPN configuration is between a Mikrotik and a Fortigate. I have the servers and the internet on the Fortigate side; the VPN is established and I can ping both networks, but I have no internet access on the Mikrotik side. What could be missing?
