Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

No Ping Across IKEv2 VPN

Tue May 19, 2020 12:37 am

I have an established site to site VPN over which I cannot ping a remote host, and the remote network cannot ping a host on mine. The log show packets leaving my outer interface but the request times out. The admin of the other network describes the same result. I have a CCR1009 v6.46.6. He has a Paloalto PA3020 running version 9.07. Our host firewalls are not blocking ICMP.
Why can we not ping remote hosts? Thanks.

I believe the only relevant info you need (knowing the vpn is established) is:

the policy
add comment="new county policy" dst-address=172.xx.xx.0/24 peer="County Peer" \
proposal="County Proposal" sa-dst-address=161.xx.xx.126 sa-src-address=\
216.xx.xx.94 src-address=192.xx.xx.0/24 tunnel=yes

The first NAT rule in the NAT list
add action=accept chain=srcnat comment="County VPN" dst-address=\
172.xx.xx.0/24 src-address=192.xx.xx.0/24

and the route
add distance=1 dst-address=172.xx.xx.0/24 gateway=E2StaffWAN
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: No Ping Across IKEv2 VPN

Tue May 19, 2020 3:58 pm

I believe the only relevant info you need (knowing the vpn is established) is:
The issues tend to be in those parts of the configuration you don't suspect to be relevant; that's why it is necessary to post the complete configuration except sensitive information (passwords, usernames, public IP addresses), otherwise it is always guesswork.

As you write that you can see the packets leaving via WAN but none arriving, I assume you sniff directly at the WAN interface and watch the ESP packets (carrying the ICMP ones as their encrypted payload) leaving towards the destination address of the remote peer. If you can see only departing ESP packets while you ping the remote private subnet yourself, but no arriving ones while the remote peer is pinging towards you, one of the ISPs along the path may be dropping ESP. Can you double-check this? If you can see the ESP packets coming in, check /ip ipsec statistics print.

If the ESP indeed doesn't get through, you can set a private local-address at the /ip ipsec peer row representing the remote peer at your side, and either use a dst-nat rule to forward incoming requests to UDP ports 500 and 4500 with your public address as destination to the private address you've set as local-address of the peer, or let the Palo Alto become a responder only (no initiation of IPsec connection towards you from their side). This will make the IPsec stack at both ends encapsulate the ESP into UDP in order to traverse the NAT.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

Re: No Ping Across IKEv2 VPN

Wed May 20, 2020 6:02 pm

Thanks for the attention Sindy.

Attached is the config for my router. I do not control the PaloAlto router. Also attached is an image of my active peers. The problem is on the right. I note that the "ID" field is not the same as the "Remote Address" field, as it is in the working peer on the left. Is that an issue? I cannot find a reference to the "ID" field in the ipsec manual at the Mikrotik wiki.

I do see packets exiting the WAN interface going to xx.xx.2.126 (the address listed in the Remote Address field.)
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: No Ping Across IKEv2 VPN

Wed May 20, 2020 7:25 pm

I cannot find a reference to the "ID" field in the ipsec manual at the Mikrotik wiki.
Because there is a reference to "my-id" and "remote-id". But since the connection is established, it's not the reason why it does not transport data.

I do see packets exiting the WAN interface going to xx.xx.2.126 (the address listed in the Remote Address field.)
Yes, but in the wrong window, because in this window you can only see packets which the IPsec stack likes. So if they actually come in but the stack doesn't like them, it shows 0 Rx packets.

So please do exactly as I've suggested, run /tool sniffer quick ip-address=ip.of.palo.alto ip-protocol=ipsec-esp and let the remote guy ping towards your LAN address from his LAN address. If nothing arrives, either his side has wrong routes/policies or ESP is blocked on the way.
 
Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

Re: No Ping Across IKEv2 VPN

Thu May 21, 2020 6:27 pm

Sindy
Excuse my slow response. I have many irons in the fire.

E7PubWAN 145.382 30 -> 6C:3B:6B:EA:03:8F CC:2D:E0:01:79:63
E7PubWAN 150.382 31 -> 6C:3B:6B:EA:03:8F CC:2D:E0:01:79:63
E7PubWAN 155.393 32 -> 6C:3B:6B:EA:03:8F CC:2D:E0:01:79:63
E7PubWAN 160.388 33 -> 6C:3B:6B:EA:03:8F CC:2D:E0:01:79:63
E7PubWAN 165.389 34 -> 6C:3B:6B:EA:03:8F CC:2D:E0:01:79:63


The sniffer output revealed something odd. These packets are not supposed to be exiting E7PubWAN, but a different interface. I have two default WAN interfaces, one for one subnet and another for a different subnet. These packets, bound for the 172.16.51.0/24 subnet, should be exiting the E2StaffWAN interface but are instead going out E7PubWAN, which is the second default route shown here but is the first default route shown in the Winbox GUI. I am looking into why now, but I hesitate to make changes until tonight because staff are working now.

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 xx.xx.254.81 1
1 A S 0.0.0.0/0 xx.xx.253.142 xx.xx.253.137 1
2 A S 172.16.0.0/16 E2StaffWAN 1
3 A S 172.16.33.0/24 E2StaffWAN 1
4 A S 172.16.51.0/24 E2StaffWAN 1
5 A S 192.168.1.0/24 E2StaffWAN 1
6 X S 192.168.10.0/24 192.168.80.28 1
7 A S 192.168.13.0/24 192.168.83.211 1
8 X S 192.168.21.0/24 192.168.80.48 1
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: No Ping Across IKEv2 VPN

Thu May 21, 2020 6:46 pm

Since you have both WAN routes active simultaneously, you are likely using policy routing (nothing to do with IPsec policies, it's just a common name of the setup in the Mikrotik world), i.e. you assign the routing-mark values using /ip route rule rows or /ip firewall mangle rules. When doing this, it is important to bear in mind that ESP and IKE traffic is independent, so if you use mangle rules, they may not match on the right packets. And if you translate connection-mark to routing-mark, you have to know that ESP connections do not inherit the connection-mark from the IKE connections which have created them (unlike FTP, SIP, GRE etc. where the data connection inherits the connection-mark from its controlling connection).
 
Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

Re: No Ping Across IKEv2 VPN

Thu May 21, 2020 9:13 pm

I have two VPNs up. Both establish, but only one can I ping through. The other one is what I have been discussing with you.

Below is the output from your sniffer string for each VPN. It looks like I receive his ping and I reply to it. I also send a ping, but get no reply. Is that a correct interpretation?
Toward not working VPN: Pings do not reply. "Request timed out"

Me xx.xx.254.94
remote xx.xx.2.126
[admin@Main] >> /tool sniffer quick ip-address=xx.xx.2.126 ip-protocol=ipsec-esp
INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS
E2StaffWAN 3.502 1 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.2.126
E2StaffWAN 3.503 2 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 5.067 3 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 8.503 4 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.2.126
E2StaffWAN 8.504 5 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 10.067 6 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 13.502 7 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.2.126
E2StaffWAN 13.503 8 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 15.067 9 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 18.502 10 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.2.126
E2StaffWAN 18.502 11 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 20.067 12 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
Toward working VPN: Pings reply both direction

Me xx.xx.254.94
remote xx.xx.126.203

[admin@Main] >> /tool sniffer quick ip-address=xx.xx.126.203 ip-protocol=ipsec-esp
INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS
E2StaffWAN 7.6 31 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 7.642 32 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.126.203
E2StaffWAN 8.38 33 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.126.203
E2StaffWAN 8.38 34 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 8.616 35 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 8.658 36 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.126.203
E2StaffWAN 9.382 37 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.126.203
E2StaffWAN 9.383 38 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 9.631 39 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 9.673 40 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.126.203
E2StaffWAN 10.385 41 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.126.203
E2StaffWAN 10.385 42 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
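A small analyzer for the /tool sniffer quick output sindy asked for, added here as an example (it is not from the thread, from RouterOS, or from either poster): it tallies ESP rows by direction and flags egress on an interface other than the expected WAN, mirroring the two findings above (ESP seen both ways toward the non-working peer; packets leaving E7PubWAN instead of E2StaffWAN). The column layout and the constructed sample rows are assumed from the captures posted in this thread.

```python
"""Tally ESP direction and egress interface in /tool sniffer quick output."""
import re

# One sniffer row: INTERFACE TIME NUM DI ... (DI is the <- or -> arrow).
ROW = re.compile(r"^(\S+)\s+\d+(?:\.\d+)?\s+\d+\s+(<-|->)\s")

def tally_esp(capture, expected_iface):
    """Return (rx, tx, wrong_egress_ifaces) for the captured ESP rows."""
    rx = tx = 0
    wrong = set()
    for line in capture.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column header, CLI prompt or blank line
        iface, arrow = m.groups()
        if arrow == "<-":
            rx += 1
        else:
            tx += 1
            if iface != expected_iface:
                wrong.add(iface)  # ESP left via a WAN the route did not intend
    return rx, tx, wrong

def diagnose(capture, expected_iface):
    """Map the tally onto the checks sindy walks through in the thread."""
    rx, tx, wrong = tally_esp(capture, expected_iface)
    if wrong:
        return "esp egresses via " + ",".join(sorted(wrong)) + ": check policy routing"
    if tx and not rx:
        return "esp leaves only: remote policies/routes or esp dropped on path"
    if rx and not tx:
        return "esp arrives only: check local policies and route to peer"
    if rx and tx:
        return "esp flows both ways: look at /ip ipsec statistics and the remote side"
    return "no esp seen"

# Constructed sample shaped like the thread's capture (masked MACs and IPs).
SAMPLE = """\
INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS
E2StaffWAN 3.502 1 <- XX:2D:E0:01:79:62 XX:3B:6B:EA:03:8A xx.xx.2.126
E2StaffWAN 3.503 2 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
E2StaffWAN 5.067 3 -> XX:3B:6B:EA:03:8A XX:2D:E0:01:79:62 xx.xx.254.94
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "E2StaffWAN"))
```

Paste the whole terminal capture (prompt and header included) as the first argument; the regex skips anything that is not a packet row.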
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: No Ping Across IKEv2 VPN

Thu May 21, 2020 10:07 pm

It looks like I receive his ping and I reply to it. I also send a ping, but get no reply. Is that a correct interpretation?
If you were both pinging simultaneously, then yes, it is a correct interpretation.

The fact that you receive the ESP says that everything is OK with routes towards you and policies at PA side and also with ESP forwarding on the internet path from the PA to you. So to me, the issue is most likely at the PA side, because dropping ESP only in one direction makes little sense to me. It is also possible that the PA doesn't understand our ESP packets, so if there are any diagnostic counters, they're worth checking.

One thing is that the "intuitive" behaviour of the firewall, where you let in responses to what you've let out, is not automatic, the firewall must be configured that way.

Another thing is that lacking any knowledge about the network at the PA end, there may be simply a missing route from the PA to the LAN subnet to/from which you test the ping.

NB, if you make the CLI window where you run /tool sniffer as wide as your screen allows before you start sniffing, you'll get more information about the packets. But doing so won't help with this particular issue.
 
Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

Re: No Ping Across IKEv2 VPN

Thu May 28, 2020 1:51 am

I'm still attentive to this thread Sindy. I'm just waiting while the other guy is investigating his side. Thanks.
 
Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

Re: No Ping Across IKEv2 VPN

Mon Jun 01, 2020 4:29 pm

Sindy, attached is output from my edge router when the other guy is pinging my privately-addressed device from his privately-addressed device. Lines 1-4 show the ping coming in from a Cisco router at my ISP, traversing my edge router, then the reply going back through my edge router to the same Cisco edge router at the ISP. But the ping reply never arrives at his device, and neither do my pings to his device.

This output means there cannot be an issue on my side.

The other guy has 14 working VPNs to various places. And he and his Palo Alto support tech have gone over his system and found nothing on his end.

So we are turning our attention to the vendors between us. I have sent a request to my ISP to log this traffic and we'll see what they can provide.

Can you think of anything else we should be doing?

Thanks for the assistance and the additional tips. You have been very helpful. It was good when we used to be able to give Karma. Marking an answer correct is not as satisfying.

Jim
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: No Ping Across IKEv2 VPN

Mon Jun 01, 2020 5:00 pm

Do I read you correctly that between your Mikrotik, which acts as an IPsec peer on a public address, and the Ethernet socket provided by the ISP, there is another Mikrotik acting as edge router?

Regardless of that, I have suggested a possible workaround in the last paragraph of post #2 above.
 
Bibliotech
newbie
Topic Author
Posts: 32
Joined: Mon Apr 13, 2009 8:48 pm

Re: No Ping Across IKEv2 VPN

Tue Jun 02, 2020 4:17 pm

The workaround regarding setting a private local-address doesn't seem relevant anymore, as I do receive his pings and I send replies. Correct? I have asked him to set respond-only.

Yes, I do have two routers. My VPN peer is the interface between my private and public addressing. I have attached output from both routers when the other side is pinging my private address.

I have asked my ISP to inspect this traffic.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: No Ping Across IKEv2 VPN

Tue Jun 02, 2020 7:49 pm

The workaround regarding setting a private local-address doesn't seem relevant anymore, as I do receive his pings and I send replies. Correct?
Wrong. The purpose of the workaround is to avoid sending bare ESP, which some of the ISPs on the path may block intentionally or by mistake. UDP is proven to pass in both directions as the IKE exchange is successful; the UDP exchange used to transport the ESP uses the same ports as IKE.

It may not be your ISP who drops the ESP, it may be any ISP between you and the Palo Alto site.

Setting the Palo Alto as responder only makes sense together with this workaround; instead of that, you can add a dst-nat rule to redirect the initial IKE packet coming from the Palo Alto to the public IP of the Mikrotik to its private IP.
