Community discussions

MikroTik App
 
Averof
just joined
Topic Author
Posts: 2
Joined: Wed Apr 21, 2021 9:19 pm

IPsec established, pings but no RouterOS access

Wed Apr 21, 2021 9:24 pm

Hi,

I have managed to establish IPSec connection between two points. HQ can ping remote router, nodes and vice versa. Remote can access HQ RouterOS through winbox but HQ cannot access remote RouterOS.Also I can see with turch the traffic coming in, so prob im missing a part on the firewall rules side. I cant see where I did wrong. Do you see the odd on my configs bellow?

HQ:
/ip ipsec peer
add address=PubIP/32 exchange-mode=ike2 local-address=192.168.10.250 \
    name=remote

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip pool
add name="OS Pool" ranges=172.16.0.2-172.16.0.14
/ip dhcp-server
add address-pool="OS Pool" disabled=no interface=OS_Bridge name=OS_DHCP
/port
set 0 baud-rate=9600
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.10.250/24 comment=WAN interface=ether1 network=192.168.10.0
add address=172.16.0.1/28 comment="OS Network" interface=OS_Bridge network=\
    172.16.0.0
/ip dhcp-server network
add address=172.16.0.0/28 gateway=172.16.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "Allow incoming traffic from remote on 4500/UDP" dst-port=4500 \
    in-interface=ether1 port="" protocol=udp src-address=*PubIP* \
    src-port=""
add action=accept chain=forward comment=\
    "Allow traffic from remote to HQ OS" dst-address=172.16.0.0/28 \
    src-address=172.16.2.0/28
add action=accept chain=input comment=\
    "Allow Established/Related/Untracked connections" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=accept chain=srcnat comment="remote NAT Rule" dst-address=\
    172.16.2.0/28 src-address=172.16.0.0/28
add action=masquerade chain=srcnat comment="Generic NAT Rule" out-interface=\
    ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=172.16.2.0/28 src-address=\
    172.16.0.0/28
add action=notrack chain=prerouting dst-address=172.16.0.0/28 src-address=\
    172.16.2.0/28
/ip ipsec identity
add peer=remote secret="******************************"
/ip ipsec policy
add dst-address=172.16.2.0/28 peer=remote sa-dst-address=*PubIP \
    sa-src-address=192.168.10.250 src-address=172.16.0.0/28 tunnel=yes
/ip route
add distance=1 gateway=192.168.10.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8089
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system logging
add topics=firewall
add disabled=yes topics=ipsec
/tool user-manager database
set db-path=user-manager
Remote:
interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface bridge
add comment="Generic LAN Bridge" name="LAN Bridge"
/interface list
add name=WAN
add name=LAN
/ip ipsec peer
add address=PubIP/32 exchange-mode=ike2 local-address=PubIP name="remote <=> HQ"
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip pool
add name="LAN Pool" ranges=192.168.0.100-192.168.0.200
add name="OS Pool" ranges=172.16.2.2-172.16.2.14
/ip dhcp-server
add address-pool="LAN Pool" disabled=no interface="LAN Bridge" name="LAN DHCP"
add address-pool="OS Pool" disabled=no interface=ether2 name="OS DHCP"
/interface bridge port
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
add bridge="LAN Bridge" interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="LAN Bridge" list=LAN
add interface=ether1 list=WAN
/ip address
add address=PubIP/30 comment="WAN Address" interface=ether1 network=PunNetw
add address=192.168.0.1/24 comment="LAN Network" interface="LAN Bridge" network=192.168.0.0
add address=172.16.2.1/28 comment="OS Network" interface=ether2 network=172.16.2.0
/ip dhcp-server network
add address=172.16.2.0/28 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.2.1
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow WinBox" dst-address=172.16.2.0/28 log=yes src-address=172.16.0.0/28
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=\
    established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=172.16.2.0/28 src-address=172.16.0.0/28
add action=notrack chain=prerouting dst-address=172.16.0.0/28 log=yes src-address=172.16.2.0/28
/ip ipsec identity
add peer="remote <=> HQ" secret="************************"
/ip ipsec policy
add dst-address=172.16.0.0/28 peer="remote <=> HQ" sa-dst-address=PubIP sa-src-address=PubIP \
    src-address=172.16.2.0/28 tunnel=yes
/ip route
add distance=1 gateway=PubIP
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
 
Averof
just joined
Topic Author
Posts: 2
Joined: Wed Apr 21, 2021 9:19 pm

Re: IPsec established, pings but no RouterOS access  [SOLVED]

Thu Apr 22, 2021 11:59 pm

My issue was a simple NAT rule on the client side:
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.0.0/28 src-address=\
    172.16.2.0/28
Long hours on a project never help :(

Who is online

Users browsing this forum: AshuGite, Google [Bot], wsantos and 48 guests