
Mikrotik IPSEC to Sonicwall

Posted: Fri Oct 16, 2009 1:45 am
by jd6strings
Hello All:

I have an interesting problem that has recently come to light.

I have a Mikrotik v3.30 (recently upgraded) PC utilizing an IPSEC tunnel to a remote SonicWall. I have NO control over the SonicWall. The tunnel is establishing fine. However, from what I understand, SonicWall utilizes an "address object group" to specify which IPs on the remote network are accessible through the tunnel. The interesting thing is, I can ONLY ping the last IP that is added to the SonicWall "address object group". In other words, if the IPs 192.168.187.20, 192.168.187.21, and 192.168.187.47 are in an "address object group" on the SonicWall, I can ONLY ping 192.168.187.47. If 192.168.187.47 is removed from the group, then I can ONLY ping 192.168.187.21. WTF!!!

Has anyone seen this? This was working FINE for months and NOTHING changed on my side. I upgraded to v3.30 hoping that it would resolve the problem after it had appeared.

I'm thinking this has something to do with the SonicWall BUT the admin on the remote side insists otherwise.

Not that it matters (because the tunnel is establishing) but here's my config:
 /ip ipsec peer> print
Flags: X - disabled 
 0   address=xxx.xxx.xxx.xxx/32:500 auth-method=pre-shared-key 
     secret="D1AB6AD4D313456" generate-policy=no exchange-mode=main 
     send-initial-contact=no nat-traversal=no proposal-check=obey 
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=
     lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 \
/ip ipsec proposal> print
Flags: X - disabled 
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h 
     pfs-group=modp102
/ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive 
 0 I src-address=192.168.1.11/32:any dst-address=192.168.187.20/32:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=xxx.xxx.xxx.xxx 
     sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0 

 1   src-address=192.168.1.11/32:any dst-address=192.168.187.21/32:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=xxx.xxx.xxx.xxx 
     sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0 

 2   src-address=192.168.1.11/32:any dst-address=192.168.187.47/32:any 
     protocol=all action=encrypt level=require ipsec-protocols=esp 
     tunnel=yes sa-src-address=xxx.xxx.xxx.xxx 
     sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0 

 
 0   chain=srcnat action=accept src-address=192.168.1.11 
     dst-address=192.168.187.21 

 1   chain=srcnat action=accept src-address=192.168.1.11 
     dst-address=192.168.187.20 

 2   chain=srcnat action=accept src-address=192.168.1.11 
     dst-address=192.168.187.47 
PLEASE HELP!!

THANKS AS ALWAYS!

Re: Mikrotik IPSEC to Sonicwall

Posted: Sat Oct 17, 2009 6:48 am
by jd6strings
BUMP....anyone?

Re: Mikrotik IPSEC to Sonicwall

Posted: Sat Oct 17, 2009 9:50 am
by hilton

Re: Mikrotik IPSEC to Sonicwall

Posted: Tue Feb 25, 2014 4:46 am
by saintofinternet
Hi,

Any update on your issue??

I am facing the same problem....

Re: Mikrotik IPSEC to Sonicwall

Posted: Tue Feb 25, 2014 6:22 pm
by saintofinternet
knock knock.... someone please help