Community discussions

MikroTik App
 
Christo
just joined
Topic Author
Posts: 1
Joined: Fri May 14, 2021 10:23 am

IPsec between Kerio Control and MikroTik - website not accessible

Fri May 14, 2021 10:45 am

Hello!
I have set up an IPsec tunnel between mikrotik and Kerio Control. Connection is established and marked as up.
From devices behind mikrotik, trace-route to destinations behind Kerio works. The way back works only if a trace route was started from a device behind mikrotik. In other cases traffic is droped.
Websites on servers behind Kerio are not displayed. I see the connection starts but three way handshake seems not to be finished correctly.
Which rules do I have to set?
Thanks for your advice and support.

/export hide-sensitive
# may/14/2021 09:00:27 by RouterOS 6.48.2
#
# model = RB760iGS
# local segment behind Kerio: 192.168.178.0/24
# local segment behind mikrotik: 172.24.1.0/24
#
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128 name=ike2-Kerio
/ip ipsec peer
add address=public-IP-Kerio/32 exchange-mode=ike2 name=ike2-Kerio profile=ike2-Kerio
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc name=ike2-Kerio
/ip pool
add name=dhcp ranges=172.24.1.10-172.24.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=172.24.1.1/24 comment=defconf interface=bridge network=172.24.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=172.24.1.0/24 comment=defconf gateway=172.24.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.24.1.1 comment=defconf
/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=172.24.1.0/24 src-address=192.168.178.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.178.0/24 src-address=172.24.1.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="IPsec allow" dst-port=500,4500 log-prefix=pass-ipsec protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.178.0/24 src-address=172.24.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=address:public-IP-mikrotik peer=ike2-Kerio remote-id=ignore
/ip ipsec policy
add dst-address=192.168.178.0/24 peer=ike2-Kerio proposal=ike2-Kerio sa-dst-address=public-IP-Kerio sa-src-address=\
public-IP-mikrotik src-address=172.24.1.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.178.0/24 gateway=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=172.24.1.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=NameRouter
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Who is online

Users browsing this forum: Ahrefs [Bot], Bing [Bot], Google [Bot], GoogleOther [Bot] and 62 guests