eertg841er8
just joined
Topic Author
Posts: 2
Joined: Sun Sep 12, 2021 11:22 pm

IPSec issues.

Mon Sep 13, 2021 12:06 am

Hello, first-time poster here. After weeks of trying new configs and troubleshooting, you're my last hope...

I made a VPN connection to my other branch office following this tutorial: https://wiki.mikrotik.com/wiki/Manual:I ... sec_tunnel

But it doesn't work quite right. I've tried about 3 tutorials by now; they're all basically the same.
  • Both routers connect to the internet just fine.
  • Both routers can ping each other fine. (across the internet)
  • IPSec connects them both together just fine, both peers are active.
  • Both routers are using the same stable RouterOS and firmware.

Issue:
1. Can't ping from Router 1 subnet (243.0) to Router 2 subnet (233.0).
2. Can't ping from Router 2 subnet (233.0) to Router 1 subnet (243.0).

The only thing that works fine is all traffic from Router 2's subnet (233.0) to Router 1's server, which has an IP of 192.168.243.10.
But funnily enough, trying the same with another IP (Router 2's subnet (233.0) to Router 1's server with IP 192.168.243.2) fails.


Router 1 config (public IP's are removed):
# sep/12/2021 23:27:33 by RouterOS 6.48.4
# model = RB960PGS
/interface ethernet
set [ find default-name=ether2 ] name=Administracija poe-out=off
set [ find default-name=ether5 ] name=FREE-5 poe-out=off
set [ find default-name=ether1 ] name=Isoriniai
set [ find default-name=ether3 ] name=Vlanai45 poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=Vlanai45 name=Freeinet vlan-id=5
add interface=Vlanai45 name=Studentai vlan-id=4
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=<removed>/32 name=ike1-site2
/ip pool
add name=Studentai ranges=192.168.244.2-192.168.244.253
add name=Administracija ranges=192.168.243.1-192.168.243.253
/ip dhcp-server
add address-pool=Studentai authoritative=after-2sec-delay disabled=no \
    interface=Studentai name=StudentaiDHCP
/queue interface
set Administracija queue=ethernet-default
set Isoriniai queue=ethernet-default
set Vlanai45 queue=ethernet-default
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=Administracija list=discover
add interface=Isoriniai list=discover
add interface=Vlanai45 list=discover
add interface=Freeinet list=discover
add interface=Studentai list=discover
/ip address
add address=<removed>/28 interface=Isoriniai network=<removed>
add address=192.168.243.254/24 interface=Administracija network=192.168.243.0
add address=192.168.244.254/24 interface=Studentai network=192.168.244.0
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.243.0/24 dns-server=192.168.243.10,8.8.8.8 gateway=\
    192.168.243.254
add address=192.168.244.0/24 dns-server=192.168.243.10,8.8.8.8 gateway=\
    192.168.244.254
/ip dns
set servers=192.168.243.10,8.8.8.8
/ip dns static
add address=192.168.243.254 comment=defconf name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment=established+related \
    connection-state=established,related
add action=accept chain=forward comment=established+related connection-state=\
    established,related
add action=drop chain=forward comment=Invalid connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.233.0/24 src-address=\
    192.168.243.0/24
add action=masquerade chain=srcnat out-interface-list=all
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.233.0/24 src-address=\
    192.168.243.0/24
add action=notrack chain=prerouting dst-address=192.168.243.0/24 src-address=\
    192.168.233.0/24
/ip ipsec identity
add peer=ike1-site2 secret=<removed>
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.233.0/24 peer=ike1-site2 src-address=192.168.243.0/24 \
    tunnel=yes
/ip route
add distance=1 gateway=<removed>

Router 2 config:
# sep/12/2021 23:26:49 by RouterOS 6.48.4
# model = RB4011iGS+
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
/interface vlan
add interface=ether3 name=Adm vlan-id=3
add interface=ether5 name=Freenet vlan-id=5
add interface=ether4 name=Studentai vlan-id=4
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 10 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=<removed>/32 name=ike1-site1
/ip pool
add name=StudentaiPool ranges=192.168.234.2-192.168.234.253
add name=FreenetPool ranges=192.168.235.2-192.168.235.253
add name=AdmPool ranges=192.168.233.2-192.168.233.253
/ip dhcp-server
add address-pool=StudentaiPool authoritative=after-2sec-delay disabled=no \
    interface=Studentai name=StudentaiDHCP
add address-pool=FreenetPool authoritative=after-2sec-delay disabled=no \
    interface=Freenet name=FreenetDHCP
add address-pool=AdmPool authoritative=after-2sec-delay disabled=no \
    interface=Adm name=AdmDHCP
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set ether6 queue=ethernet-default
set sfp-sfpplus1 queue=ethernet-default
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=Mgmt
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add list=LAN
add interface=ether2 list=Mgmt
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.234.254/24 interface=Studentai network=192.168.234.0
add address=192.168.233.254/24 interface=Adm network=192.168.233.0
add address=<removed>/28 interface=sfp-sfpplus1 network=<removed>
add address=192.168.235.254/24 interface=Freenet network=192.168.235.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.233.0/24 dns-server=<removed>,<removed> gateway=\
    192.168.233.254
add address=192.168.234.0/24 dns-server=<removed>,<removed> gateway=\
    192.168.234.254
add address=192.168.235.0/24 dns-server=<removed>,<removed> gateway=\
    192.168.235.254
/ip dns
set servers=<removed>,<removed>
/ip firewall filter
add action=fasttrack-connection chain=forward comment=established,related \
    connection-state=established,related
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment="Drop connection is Studentai i Adm" \
    in-interface=Studentai out-interface=Adm
add action=drop chain=forward comment="Drop connection is FreeNet i Adm" \
    in-interface=Freenet out-interface=Adm
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.243.0/24 src-address=\
    192.168.233.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.243.0/24 src-address=\
    192.168.233.0/24
add action=notrack chain=prerouting dst-address=192.168.233.0/24 src-address=\
    192.168.243.0/24
/ip ipsec identity
add peer=ike1-site1 secret=<removed>
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.243.0/24 peer=ike1-site1 src-address=192.168.233.0/24 \
    tunnel=yes
/ip route
add distance=1 gateway=<removed>
 
fsebera
Frequent Visitor
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Re: IPSec issues.

Wed Sep 15, 2021 10:53 pm

I'm no expert here but I do not see your IPSec Policy configuration in your CLI data.
The IPSec Policy lists the source and destination networks to encrypt (Cisco's term of interesting traffic by way of ACL).
Once you have IPSec Policy and your peers are established, a static route at a minimum is needed.

Hope this helps
Frank
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec issues.

Thu Sep 16, 2021 9:46 am

Before addressing the topic issue: your firewall rules do not protect your routers from anything. If the routers are directly connected to the internet, they may well be part of a botnet now. The reason is that the default handling in Mikrotik's firewall is "accept", so packets that do not match any rule in their respective chain of /ip firewall filter are accepted. You have no rules at all in chain input of /ip firewall filter, and even no restriction of plaintext management protocols like telnet or http in /ip services (firewall rules are in general safer than these application-level restrictions).

There is also no "drop the rest" rule in chain forward, which is not wrong as such if all the clients have their own firewalls. But if that is the case, you need no rules in this chain at all.

So unless there is an external firewall between each router and the internet, you should netinstall both and restore their configuration from the export, not from a backup, leaving the default firewall rules in place and only setting up intended exceptions from them.

To the topic issue:
The only thing that works fine is all traffic from Router 2's subnet (233.0) to Router 1's server, which has an IP of 192.168.243.10.
But funnily enough, trying the same with another IP (Router 2's subnet (233.0) to Router 1's server with IP 192.168.243.2) fails.
This indicates that the issue is not the IPsec setup as such but something in the settings of the hosts in the two subnets. Two points to look at first:
  • Windows firewalls by default do not accept ping requests coming from subnets other than the own subnet of the interface on which the ping request is received.
  • If the route to 192.168.233.0/24 at each host in 192.168.243.0/24 is not via 192.168.243.254 (e.g. because the clients do not accept the default gateway setting from DHCP), the packets from .243. to .233. never arrive at the router, so it cannot deliver them.
Your best friend here is /tool sniffer quick: make a command line window as wide as your screen allows and run this command on both routers with ip-address=192.168.243.2 and either protocol=icmp or ip-protocol=tcp port=the-one-the-server-uses, and try to ping/connect from 192.168.233.x to 192.168.243.2. The tool will show you the traffic packet by packet and interface by interface, so you'll see how far the request got, whether it got a response, and how far the response got. Just don't panic if you see the packets arrive via the WAN interface: the sniffer shows the payload extracted from IPsec transport packets.
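Putting the two recommendations in the post above into RouterOS commands, as an added example that is not from the thread or from MikroTik's own documentation: input and forward chains patterned on the RouterOS 6.x default firewall with the exceptions this site-to-site IPsec setup needs, followed by the sniffer invocation. It assumes interface lists WAN and LAN exist on the router and uses <peer-public-ip> as a placeholder for the address configured in /ip ipsec peer.

```routeros
# Added example (not from the thread): input and forward chains patterned on the
# RouterOS 6.x default firewall plus the exceptions this site-to-site IPsec
# setup needs. Assumes interface lists WAN and LAN exist on the router (Router 2
# has them; Router 1 would have to create them) and that <peer-public-ip> is the
# other site's address from /ip ipsec peer.
/ip firewall filter
# --- chain input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# IKE (UDP 500), NAT-T (UDP 4500) and ESP, but only from the known peer
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=<peer-public-ip> comment="IKE/NAT-T from site peer"
add chain=input action=accept protocol=ipsec-esp src-address=<peer-public-ip> \
    comment="ESP from site peer"
# the "drop the rest" that was missing: anything not from LAN is dropped
add chain=input action=drop in-interface-list=!LAN comment="drop all not from LAN"
# --- chain forward: traffic routed through the router ---
# decrypted tunnel traffic enters on WAN, so match it by IPsec policy, not by
# interface; these go before fasttrack so fasttracked flows cannot bypass IPsec
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack"
# "untracked" matters: the raw notrack rules in the exports above make the
# 243.0<->233.0 traffic untracked, so an accept that lists only
# established,related would not match it
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop all from WAN not DSTNATed"

# plaintext management services off; winbox (what the OP uses) stays enabled
/ip service disable telnet,ftp,www,api

# the troubleshooting step: watch 192.168.243.2 packet by packet on both
# routers while pinging it from a 192.168.233.x host (use ip-protocol=tcp
# port=<server-port> instead of ICMP for a TCP service)
/tool sniffer quick ip-address=192.168.243.2 ip-protocol=icmp
```

Apply the filter rules on each router before the masquerade rule is relied on for anything, and check from a LAN host that winbox still connects before closing the session.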
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec issues.

Thu Sep 16, 2021 9:49 am

I'm no expert here but I do not see your IPSec Policy configuration in your CLI data.
@fsebera, for some reason, the export doesn't show all IPsec-related configuration in a single contiguous block. So there is /ip ipsec peer, then unrelated stuff, and then comes /ip ipsec identity and /ip ipsec policy.
 
eertg841er8
just joined
Topic Author
Posts: 2
Joined: Sun Sep 12, 2021 11:22 pm

Re: IPSec issues.

Fri Sep 17, 2021 11:56 am

Before addressing the topic issue: your firewall rules do not protect your routers from anything. If the routers are directly connected to the internet, they may well be part of a botnet now. The reason is that the default handling in Mikrotik's firewall is "accept", so packets that do not match any rule in their respective chain of /ip firewall filter are accepted. You have no rules at all in chain input of /ip firewall filter, and even no restriction of plaintext management protocols like telnet or http in /ip services (firewall rules are in general safer than these application-level restrictions).

There is also no "drop the rest" rule in chain forward, which is not wrong as such if all the clients have their own firewalls. But if that is the case, you need no rules in this chain at all.

So unless there is an external firewall between each router and the internet, you should netinstall both and restore their configuration from the export, not from a backup, leaving the default firewall rules in place and only setting up intended exceptions from them.

To the topic issue:
The only thing that works fine is all traffic from Router 2's subnet (233.0) to Router 1's server, which has an IP of 192.168.243.10.
But funnily enough, trying the same with another IP (Router 2's subnet (233.0) to Router 1's server with IP 192.168.243.2) fails.
This indicates that the issue is not the IPsec setup as such but something in the settings of the hosts in the two subnets. Two points to look at first:
  • Windows firewalls by default do not accept ping requests coming from subnets other than the own subnet of the interface on which the ping request is received.
  • If the route to 192.168.233.0/24 at each host in 192.168.243.0/24 is not via 192.168.243.254 (e.g. because the clients do not accept the default gateway setting from DHCP), the packets from .243. to .233. never arrive at the router, so it cannot deliver them.
Your best friend here is /tool sniffer quick: make a command line window as wide as your screen allows and run this command on both routers with ip-address=192.168.243.2 and either protocol=icmp or ip-protocol=tcp port=the-one-the-server-uses, and try to ping/connect from 192.168.233.x to 192.168.243.2. The tool will show you the traffic packet by packet and interface by interface, so you'll see how far the request got, whether it got a response, and how far the response got. Just don't panic if you see the packets arrive via the WAN interface: the sniffer shows the payload extracted from IPsec transport packets.

Good morning, I followed the guide here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Added a few lines to both routers' firewalls that were missing (at the bottom, ofc).

add action=accept chain=input src-address-list=<custom_list>
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid (updated this one)
add action=drop chain=input
and even no restriction of plaintext management protocols like telnet or http in /ip services (firewall rules are in general safer than these application-level restrictions).
I stripped a few config lines from my original post.
But every management protocol is disabled except winbox, which is secured and uses a different, secure user account.

I'll try to track down the packet issue you mentioned.
And to clarify:
  • 243.10 is a Windows server.
  • 243.2 is a Linux server.
