jd6strings
Frequent Visitor
Topic Author
Posts: 73
Joined: Tue Dec 20, 2005 8:24 pm

Mikrotik IPSEC to Sonicwall

Fri Oct 16, 2009 1:45 am

Hello All:

I have an interesting problem that has recently come to light.

I have a Mikrotik v3.30 (recently upgraded) PC utilizing an IPSEC tunnel to a remote SonicWall. I have NO control over the SonicWall. The tunnel is establishing fine. However, from what I understand, SonicWall utilizes an "address object group" to specify which IPs on the remote network are accessible through the tunnel. The interesting thing is, I can ONLY ping the last IP that is added to the SonicWall "address object group". In other words, if the IPs 192.168.187.20, 192.168.187.21, and 192.168.187.47 are in an "address object group" on the SonicWall, I can ONLY ping 192.168.187.47. If 192.168.187.47 is removed from the group then I can ONLY ping 192.168.187.21. WTF!!!

Has anyone seen this? This was working FINE for months and NOTHING changed on my side. I upgraded to v3.30 hoping that it would resolve the problem after it had appeared.

I'm thinking this has something to do with the SonicWall BUT the admin on the remote side insists otherwise.

Not that it matters (because the tunnel is establishing) but here's my config:

/ip ipsec peer> print
Flags: X - disabled 
 0   address=xxx.xxx.xxx.xxx/32:500 auth-method=pre-shared-key 
     secret="D1AB6AD4D313456" generate-policy=no exchange-mode=main 
     send-initial-contact=no nat-traversal=no proposal-check=obey 
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=
     lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 \
/ip ipsec proposal> print
Flags: X - disabled 
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h 
     pfs-group=modp102
/ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive 
 0 I src-address=192.168.1.11/32:any dst-address=192.168.187.20/32:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=xxx.xxx.xxx.xxx 
     sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0 

 1   src-address=192.168.1.11/32:any dst-address=192.168.187.21/32:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=xxx.xxx.xxx.xxx 
     sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0 

 2   src-address=192.168.1.11/32:any dst-address=192.168.187.47/32:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=xxx.xxx.xxx.xxx 
     sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0 

 
 0   chain=srcnat action=accept src-address=192.168.1.11 
     dst-address=192.168.187.21 

 1   chain=srcnat action=accept src-address=192.168.1.11 
     dst-address=192.168.187.20 

 2   chain=srcnat action=accept src-address=192.168.1.11 
     dst-address=192.168.187.47 

PLEASE HELP!!

THANKS AS ALWAYS!
 
jd6strings
Frequent Visitor
Topic Author
Posts: 73
Joined: Tue Dec 20, 2005 8:24 pm

Re: Mikrotik IPSEC to Sonicwall

Sat Oct 17, 2009 6:48 am

BUMP....anyone?
 
hilton
Long time Member
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Mikrotik IPSEC to Sonicwall

Sat Oct 17, 2009 9:50 am

Regards
Hilton
 
saintofinternet
Forum Veteran
Posts: 760
Joined: Thu Oct 15, 2009 3:52 am

Re: Mikrotik IPSEC to Sonicwall

Tue Feb 25, 2014 4:46 am

Hi,

Any update on your issue??

I am facing the same problem....

by professionals, for professionals....
Don't forget to give KARMA!!!
 
saintofinternet
Forum Veteran
Posts: 760
Joined: Thu Oct 15, 2009 3:52 am

Re: Mikrotik IPSEC to Sonicwall

Tue Feb 25, 2014 6:22 pm

Knock knock.... Someone please help