iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Help with IPSec NAT-Traversal

Sat Aug 04, 2012 10:32 am

Hi!

Please help me set up IPsec through a third-party ("alien") NAT router.

Scheme:

MY OFFICE:

My RB1 ether1 LAN 192.168.0.1/24
My RB1 ether2 WAN 8.8.0.1/32


REMOTE OFFICE:

My RB2 ether1 LAN 192.168.1.1/24

Alien RB3 ether1 LAN 192.168.1.2/24
Alien RB3 ether2 WAN 8.8.1.1/32

Alien RB3 provides the NAT in the remote office.

How can I create a VPN tunnel through the NAT?

My RB1:

/ip address
add address=192.168.0.1/24 interface=ether1
add address=8.8.0.1/30 interface=ether2

/ip route
add gateway=8.8.0.2

/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade


My RB2:

/ip address
add address=192.168.1.1/24 interface=ether1

/ip route
add gateway=192.168.1.2


Alien RB3:

/ip address
add address=192.168.1.2/24 interface=ether1
add address=8.8.1.1/30 interface=ether2

/ip route
add gateway=8.8.1.2

/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade


IPsec peer config

My RB1:

/ip ipsec peer
add address=8.8.1.1(???)/32 port=500 auth-method=pre-shared-key secret="test"

My RB2:

/ip ipsec peer
add address=8.8.0.1/32 port=500 auth-method=pre-shared-key secret="test"


Policy and proposal

My RB1:

/ip ipsec policy
add src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any \
sa-src-address=8.8.0.1 sa-dst-address=8.8.1.1(???) \
tunnel=yes action=encrypt proposal=default

My RB2:

/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any \
sa-src-address=8.8.1.1(???) sa-dst-address=8.8.0.1 \
tunnel=yes action=encrypt proposal=default


NAT bypass

My RB1:

/ip firewall nat
# accept (no masquerade) for LAN-to-remote-LAN traffic so the IPsec policy sees the original source
add chain=srcnat action=accept place-before=0 \
src-address=192.168.0.0/24 dst-address=192.168.1.0/24

Alien RB3(???):

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.1.0/24 dst-address=192.168.0.0/24


Please correct me, I don't understand the whole NAT-T scheme.
 
badea
just joined
Posts: 11
Joined: Mon Oct 26, 2009 12:44 pm

Re: Help with IPSec NAT-Traversal

Sun Mar 03, 2013 7:09 pm

Hi, can anyone post a solution for this case, please? I have a similar situation and I cannot figure out how to solve it. Obviously the address of RB2 in the above example should be in the 192.168.2.0/24 network.

The interesting part is that when I try to connect to the remote office (to 192.168.1.1/24), both routers show an active connection in the Remote Peers window for a short period of time, but there is no actual connection.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Help with IPSec NAT-Traversal

Mon Mar 04, 2013 6:03 am

Post your actual configs (output from /export compact) and a description of the situation. There are too many permutations to guess with IPsec.

 
badea
just joined
Posts: 11
Joined: Mon Oct 26, 2009 12:44 pm

Re: Help with IPSec NAT-Traversal

Mon Mar 04, 2013 9:29 am

OK, here is my situation:


Office Router MT1 <----------------------------> D-link Router --- Home Router MT2 (behind NAT)


Output of Router MT1

RouterOS 5.24

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5

/ip address
add address=Public_MT1/25 interface=ether1
add address=192.168.1.1/24 interface=ether2

/ip firewall filter
add chain=input comment="Ip-Sec-UDP 500" dst-port=500 protocol=udp
add chain=input comment=Ip-Sec-ESP protocol=ipsec-esp
add chain=input comment=IP-Sec-AH protocol=ipsec-ah
add chain=input comment=VPN-pptp dst-port=1723 protocol=tcp
add chain=input comment="Added by webbox" protocol=icmp
add chain=input comment="Added by webbox" connection-state=established \
in-interface=ether1
add chain=input comment="Added by webbox" connection-state=related \
in-interface=ether1
add action=drop chain=input comment="Added by webbox" disabled=yes \
in-interface=ether1
add action=jump chain=forward comment="Added by webbox" in-interface=ether1 \
jump-target=customer
add chain=customer comment="Added by webbox" connection-state=established
add chain=customer comment="Added by webbox" connection-state=related
add action=drop chain=customer comment="Added by webbox" disabled=yes

/ip firewall nat
# no action = accept: tunnel traffic bypasses masquerade, so the IPsec policy sees 192.168.1.0/24 as source
add chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1

/ip ipsec peer
add address=Public_Address_of_DLink/32 dpd-interval=10s dpd-maximum-failures=15 \
exchange-mode=aggressive nat-traversal=yes secret=***

/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=Public_Address_of_DLink sa-src-address=\
Public_addr_MT1 src-address=192.168.1.0/24 tunnel=yes

---------------------------------------------------

Output of Router MT2

RouterOS 5.24
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5

/interface pptp-server server
set enabled=yes

/ip address
add address=192.168.8.50/24 interface=ether1
add address=192.168.0.1/24 interface=ether2

/ip firewall filter
add chain=input comment=rdp dst-address=192.168.0.9 dst-port=3389 protocol=tcp
add chain=input comment=VPN-PPTP dst-port=1723 protocol=tcp
add chain=input comment="Ip-Sec- UDP 500" dst-port=500 protocol=udp
add chain=input comment=Ip-Sec-Esp protocol=ipsec-esp
add chain=input comment=Ip-Sec-AH protocol=ipsec-ah
add chain=forward comment="port mapping na 0.9" dst-address=192.168.0.9 \
dst-port=3389 protocol=tcp
add chain=input comment="Added by webbox" protocol=icmp
add chain=input comment="Added by webbox" connection-state=established \
in-interface=ether1
add chain=input comment="Added by webbox" connection-state=related \
in-interface=ether1
add action=drop chain=input comment="Added by webbox" disabled=yes \
in-interface=ether1
add action=jump chain=forward comment="Added by webbox" in-interface=ether1 \
jump-target=customer
add chain=customer comment="Added by webbox" connection-state=established
add chain=customer comment="Added by webbox" connection-state=related
add action=drop chain=customer comment="Added by webbox" disabled=yes
add action=drop chain=input protocol=tcp src-address=125.210.0.0
add chain=input dst-address=0.0.0.0 dst-port="" port="" protocol=tcp \
src-address=0.0.0.0 src-port=""

/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.0.0/24
add chain=srcnat disabled=yes dst-address=192.168.8.0/24 src-address=\
192.168.0.0/24
add chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment=RDP dst-port=42107 in-interface=ether1 \
protocol=tcp to-addresses=192.168.0.9 to-ports=3389
add action=dst-nat chain=dstnat comment=RDP dst-port=42154 in-interface=ether1 \
protocol=tcp to-addresses=192.168.0.2 to-ports=3389

/ip ipsec peer
add address=Public_addr_MT1/32 dpd-interval=10s dpd-maximum-failures=15 \
exchange-mode=aggressive nat-traversal=yes secret=**** \
send-initial-contact=no

/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=Public_addr_MT1 sa-src-address=\
Public_Address_of_DLink src-address=192.168.0.0/24 tunnel=yes

/ppp secret
add local-address=192.168.100.1 name=*** password=*** profile=\
default-encryption remote-address=192.168.100.2 service=pptp
add local-address=192.168.100.1 name=*** password=*** profile=\
default-encryption remote-address=192.168.100.3 service=pptp

------------------------------------------

D-Link Config

LAN IP 192.168.8.1/24

Port Forwarding
(TCP/UDP) 1723 - 1723 192.168.8.50
(TCP/UDP) 500 - 500 192.168.8.50
(TCP/UDP) 50 - 50 192.168.8.50
(TCP/UDP) 445 - 445 192.168.8.50
(TCP/UDP) 1701 - 1701 192.168.8.50
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: Help with IPSec NAT-Traversal

Mon Mar 04, 2013 8:01 pm

Hi!

I'll try to help.

Add to MT1:
/ip firewall filter
add chain=input comment="Ip-Sec-NatT-UDP 4500" dst-port=4500 protocol=udp


Add to MT2:
/ip firewall filter
add chain=input comment="Ip-Sec-NatT-UDP 4500" dst-port=4500 protocol=udp

/ip ipsec peer
set [ find address=Public_addr_MT1/32 ] send-initial-contact=yes

/ip ipsec policy
# the SA source is MT2's own (private) address, not the D-Link's public one
set [ find dst-address=192.168.1.0/24 ] sa-src-address=192.168.8.50

/tool netwatch
add host=192.168.1.1 interval=5s


Delete from the D-Link:
(TCP/UDP) 1723 - 1723 192.168.8.50
(TCP/UDP) 500 - 500 192.168.8.50
(TCP/UDP) 50 - 50 192.168.8.50
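The fix above adds the one input-chain rule MT1 and MT2 were missing. As an added example (not code from the thread or from MikroTik), here is a small Python audit that parses a RouterOS `/ip firewall filter` export and reports whether the input chain would accept what a remote IKE/NAT-T peer needs: UDP/500, UDP/4500 and ESP. The sample export is constructed from MT1's rules as badea posted them; the function names are my own, and the check assumes the packet arrives on the WAN interface and is a new connection.

```python
# Audit of a RouterOS "/ip firewall filter" export for the input-chain rules an
# IPsec peer needs. Added example for this thread, not code from the page; the
# sample export below is constructed from MT1's rules as posted.

import re
import shlex

MT1_FILTER_EXPORT = r'''
/ip firewall filter
add chain=input comment="Ip-Sec-UDP 500" dst-port=500 protocol=udp
add chain=input comment=Ip-Sec-ESP protocol=ipsec-esp
add chain=input comment=IP-Sec-AH protocol=ipsec-ah
add chain=input comment=VPN-pptp dst-port=1723 protocol=tcp
add chain=input comment="Added by webbox" protocol=icmp
add chain=input comment="Added by webbox" connection-state=established \
in-interface=ether1
add chain=input comment="Added by webbox" connection-state=related \
in-interface=ether1
add action=drop chain=input comment="Added by webbox" disabled=yes \
in-interface=ether1
'''

# What a remote IKE/NAT-T peer must be able to reach on the input chain.
REQUIRED = {
    "IKE (UDP/500)": ("udp", 500),
    "NAT-T (UDP/4500)": ("udp", 4500),
    "ESP (IP protocol 50)": ("ipsec-esp", None),
}


def parse_rules(export_text):
    """Turn export text into a list of {attribute: value} dicts.

    Joins backslash-continued lines and honours quoted values; only 'add'
    lines are collected, the section header and blank lines are skipped.
    """
    joined = re.sub(r"\\\n", " ", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def port_matches(spec, port):
    """RouterOS dst-port syntax: '500', '500,4500', '500-600', or absent (= any)."""
    if port is None or not spec:
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if hi and int(lo) <= port <= int(hi):
            return True
        if not hi and int(lo) == port:
            return True
    return False


def first_action(rules, proto, port, chain="input"):
    """Action the first matching enabled rule applies to a *new* packet, or None.

    Rules are walked top to bottom as the firewall does. A rule with no
    explicit action accepts (RouterOS default). Rules that match only
    established/related state cannot match the first IKE packet, so they are
    skipped; in-interface is assumed to be the WAN.
    """
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if "protocol" in rule and rule["protocol"] != proto:
            continue
        states = rule.get("connection-state")
        if states is not None and "new" not in states.split(","):
            continue
        if not port_matches(rule.get("dst-port"), port):
            continue
        return rule.get("action", "accept")
    return None


def audit_ipsec_input(export_text):
    """Map each required flow to the action it hits: 'accept', 'drop', or None (no rule)."""
    rules = parse_rules(export_text)
    return {name: first_action(rules, proto, port) for name, (proto, port) in REQUIRED.items()}


if __name__ == "__main__":
    for name, action in audit_ipsec_input(MT1_FILTER_EXPORT).items():
        verdict = "ok" if action == "accept" else ("NO RULE" if action is None else action)
        print(f"{name:22s} {verdict}")
```

Run against MT1's export the audit reports UDP/500 and ESP as accepted and UDP/4500 with no rule; in badea's case the final drop rule is disabled, so the missing rule only bites once that drop is enabled, which is exactly when a tunnel that "used to work" stops coming up.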
 
badea
just joined
Posts: 11
Joined: Mon Oct 26, 2009 12:44 pm

Re: Help with IPSec NAT-Traversal

Mon Mar 04, 2013 9:22 pm

Thanks! Do all other settings remain the same? And should I forward port 4500 on the D-Link?
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: Help with IPSec NAT-Traversal

Mon Mar 04, 2013 9:26 pm

All other settings remain the same?
Yes.

And should I forward port 4500 on the D-Link?
No.
 
badea
just joined
Posts: 11
Joined: Mon Oct 26, 2009 12:44 pm

Re: Help with IPSec NAT-Traversal

Tue Mar 05, 2013 9:25 am

iluvar, thank you a lot! Everything seems to be OK. I left port 1723 forwarded on the D-Link, because I have several clients connecting through PPTP VPN.
Anyway, as I understand it, it is the commands:

/ip firewall filter
add chain=input comment="Ip-Sec-NatT-UDP 4500" dst-port=4500 protocol=udp

and

/tool netwatch
add host=192.168.1.1 interval=5s

that made it work, because I had tried the other commands previously but they did not help.
Can you please explain briefly why I need port 4500 and what the netwatch command does?
Thank you!
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: Help with IPSec NAT-Traversal

Tue Mar 05, 2013 9:10 pm

Can you please explain briefly why I need port 4500?
IPsec works over UDP 500, but IPsec NAT-T works over UDP 4500.

And what does the netwatch command do?
It pings the remote subnet, which triggers key generation and brings the tunnel up.


Sorry for my English, I'm from Russia :)
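The one-line answer above ("IPsec over UDP 500, NAT-T over UDP 4500") hides how a peer tells IKE and ESP apart once both share port 4500. As an added example, not code from the thread or from RouterOS, the Python below implements the RFC 3948 demultiplexing: on port 4500 a lone 0xff byte is a NAT keepalive, four zero bytes (the non-ESP marker) announce an IKE message, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI. The sample datagrams are constructed in the block; the SPI values and the builder function names are mine.

```python
# Demultiplexing IKE and ESP on UDP/4500 per RFC 3948 (UDP encapsulation of ESP).
# Added example for this thread, not code from the page; sample packets are constructed.

import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: prefixes IKE sent on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-byte keepalive, holds the NAT binding
IKE_HDR = struct.Struct("!QQBBBBII")  # ISAKMP/IKEv2 fixed header: 28 bytes

EXCHANGE_NAMES = {
    (1, 2): "IKEv1 main mode",
    (1, 4): "IKEv1 aggressive mode",
    (1, 5): "IKEv1 informational",
    (1, 32): "IKEv1 quick mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA",
    (2, 37): "IKEv2 INFORMATIONAL",
}


def parse_ike_header(data):
    """Decode the fixed IKE header (same layout for IKEv1 and IKEv2)."""
    if len(data) < IKE_HDR.size:
        raise ValueError("IKE header truncated")
    ispi, rspi, _next, version, exch, _flags, msg_id, length = IKE_HDR.unpack_from(data)
    major = version >> 4
    return {
        "kind": "ike",
        "version": major,
        "exchange": EXCHANGE_NAMES.get((major, exch), f"exchange type {exch}"),
        "initiator_spi": ispi,
        "responder_spi": rspi,
        "message_id": msg_id,
        "length": length,
    }


def parse_esp_header(data):
    """Decode the ESP SPI and sequence number that follow the UDP header."""
    if len(data) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack_from("!II", data)
    if spi == 0:
        # SPI 0 is reserved (RFC 4303); that is what makes the zero marker unambiguous.
        raise ValueError("SPI 0 is never valid on the wire")
    return {"kind": "esp", "spi": spi, "seq": seq}


def classify(udp_dst_port, payload):
    """Classify a UDP payload the way an IKE daemon or a packet dissector does.

    Port 500 carries only IKE. Port 4500 carries three things, told apart by the
    first bytes: a lone 0xff (keepalive), four zero bytes (IKE behind a non-ESP
    marker), or anything else (UDP-encapsulated ESP, starting with its SPI).
    """
    if udp_dst_port == 500:
        return parse_ike_header(payload)
    if udp_dst_port != 4500:
        raise ValueError(f"not an IKE/NAT-T port: {udp_dst_port}")
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike_header(payload[len(NON_ESP_MARKER):])
    return parse_esp_header(payload)


# Sender-side builders, used here to construct the sample datagrams.
def build_ike(initiator_spi, responder_spi, exchange_type, message_id, major=1, body=b""):
    version = major << 4
    hdr = IKE_HDR.pack(initiator_spi, responder_spi, 0, version, exchange_type, 0,
                       message_id, IKE_HDR.size + len(body))
    return hdr + body


def encap_ike_4500(ike_bytes):
    return NON_ESP_MARKER + ike_bytes


def encap_esp_4500(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext


if __name__ == "__main__":
    aggressive = build_ike(0x1111222233334444, 0, 4, 0)          # first aggressive-mode message
    samples = [
        (500, aggressive),                                       # before NAT detection
        (4500, encap_ike_4500(aggressive)),                      # after floating to 4500
        (4500, encap_esp_4500(0x0A0B0C0D, 7, b"\x00" * 32)),    # data; the SPI keeps it distinct
        (4500, NAT_KEEPALIVE),
    ]
    for port, payload in samples:
        print(port, classify(port, payload))
```

The third sample is deliberately an ESP packet whose ciphertext is all zeros: it still classifies as ESP because the SPI is non-zero, which is the whole reason the marker is four zero bytes. A firewall that only opens UDP/500 never sees this port float and the ESP inside UDP/4500, which is why the tunnel in this thread only came up after the 4500 rule was added.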
 
badea
just joined
Posts: 11
Joined: Mon Oct 26, 2009 12:44 pm

Re: Help with IPSec NAT-Traversal

Wed Mar 06, 2013 5:58 pm

So what's the problem then? :D

But still, why isn't it necessary to open port 4500 on the D-Link?
And regarding netwatch: isn't the tunnel created automatically when the MT sees "interesting" traffic? Or is that only for IPsec without NAT-T?

Thanks!
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: Help with IPSec NAT-Traversal

Thu Mar 07, 2013 6:29 am

But still, why isn't it necessary to open port 4500 on the D-Link?
It is enough that UDP 4500 is open from the outside (not blocked by the firewall on the WAN interface), and since the initiator is the device behind the NAT (MT2), the reply packets from MT1 will likewise be forwarded back to MT2.

And regarding netwatch: isn't the tunnel created automatically when the MT sees "interesting" traffic? Or is that only for IPsec without NAT-T?
Well, the ping is exactly the interesting traffic :) Instead of a ping you could send any packet into the remote subnet to bring the tunnel up. It's just that while there are no packets, the tunnel won't come up.
 
badea
just joined
Posts: 11
Joined: Mon Oct 26, 2009 12:44 pm

Re: Help with IPSec NAT-Traversal

Fri Mar 08, 2013 5:40 pm

Actually (in theory) the initiator is MT1, i.e. users from the 192.168.1.0 network (MT1's internal network) connect to a server that is in the 192.168.0.0 network (MT2's internal network), so I'm a bit puzzled :) (or am I misunderstanding the concept of "initiation"?? :D)
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: Help with IPSec NAT-Traversal

Sat Mar 09, 2013 11:11 pm

Actually (in theory) the initiator is MT1, i.e. users from the 192.168.1.0 network (MT1's internal network) connect to a server that is in the 192.168.0.0 network (MT2's internal network), so I'm a bit puzzled :) (or am I misunderstanding the concept of "initiation"?? :D)
MT1 cannot be the initiator, because MT2 is not visible to it behind the NAT. We don't have port forwarding set up on the D-Link, so only MT2 can initiate the initial connection.
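iluvar's two replies above (that UDP/4500 needs no forward on the D-Link because MT2 initiates, and that MT1 therefore cannot initiate) are both statements about NAT state. As an added example, not code from the thread, the Python below models an address-restricted NAPT like a consumer router and runs the three cases: MT1 initiating with no forward, MT1 initiating with a UDP/4500 forward, and MT2 initiating. The placeholder names Public_addr_MT1 and Public_Address_of_DLink follow badea's export; the second inside host 192.168.8.77, the port numbers the NAT allocates and the "attacker.example" source are constructed for the demonstration.

```python
# Model of the NAT hop between MT2 and MT1 (the D-Link in the thread), used to show
# why the inside router must be the IKE initiator when no port is forwarded.
# Added example with constructed addresses; not code from the thread.

from collections import defaultdict


class AddressRestrictedNat:
    """Minimal NAPT: outbound traffic creates a binding keyed by the inside
    (ip, port); inbound is accepted only if it arrives on that binding's
    public port from an address the inside host already sent to, or hits an
    explicit port forward. This mirrors typical consumer routers."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})      # (proto, pub_port) -> (in_ip, in_port)
        self.bindings = {}                        # (proto, in_ip, in_port) -> pub_port
        self.by_public = {}                       # (proto, pub_port) -> (in_ip, in_port)
        self.peers = defaultdict(set)             # (proto, pub_port) -> {remote ip}
        self.next_port = 30000

    def _allocate(self, proto, wanted):
        # Keep the inside port when it is free (most NATs try), else pick a high port.
        if (proto, wanted) not in self.by_public and (proto, wanted) not in self.forwards:
            return wanted
        self.next_port += 1
        return self.next_port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; returns the public (ip, port) used."""
        key = (proto, src_ip, src_port)
        if key not in self.bindings:
            pub_port = self._allocate(proto, src_port)
            self.bindings[key] = pub_port
            self.by_public[(proto, pub_port)] = (src_ip, src_port)
        pub_port = self.bindings[key]
        self.peers[(proto, pub_port)].add(dst_ip)
        return self.public_ip, pub_port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Deliver an outside->inside packet; returns inside (ip, port) or None if dropped."""
        if (proto, dst_port) in self.forwards:
            return self.forwards[(proto, dst_port)]
        target = self.by_public.get((proto, dst_port))
        if target is None or src_ip not in self.peers[(proto, dst_port)]:
            return None
        return target


MT1_PUBLIC = "Public_addr_MT1"              # placeholder names as in badea's export
DLINK_PUBLIC = "Public_Address_of_DLink"
MT2_INSIDE = "192.168.8.50"


def mt1_initiates(forward_4500=False):
    """Can MT1 start IKE towards the D-Link's public address?"""
    forwards = {("udp", 4500): (MT2_INSIDE, 4500)} if forward_4500 else None
    nat = AddressRestrictedNat(DLINK_PUBLIC, forwards)
    return nat.inbound("udp", MT1_PUBLIC, 4500, 4500) is not None


def mt2_initiates():
    """MT2 behind the NAT sends first; MT1's reply rides the binding back in."""
    nat = AddressRestrictedNat(DLINK_PUBLIC)
    # Constructed: another inside host already holds public port 4500, so MT2 gets a new one.
    nat.outbound("udp", "192.168.8.77", 4500, "some.other.peer", 4500)
    pub_ip, pub_port = nat.outbound("udp", MT2_INSIDE, 4500, MT1_PUBLIC, 4500)
    # MT1 must answer to the port it saw (pub_port), not to 4500: NAT-T peers learn
    # the remote port from the received packet instead of assuming 4500.
    reply = nat.inbound("udp", MT1_PUBLIC, 4500, pub_port)
    stray = nat.inbound("udp", "attacker.example", 4500, pub_port)   # wrong source: dropped
    return {
        "public_port": pub_port,
        "reply_delivered": reply == (MT2_INSIDE, 4500),
        "stray_dropped": stray is None,
    }


if __name__ == "__main__":
    print("MT1 initiates, no forward:     ", mt1_initiates())
    print("MT1 initiates, 4500 forwarded: ", mt1_initiates(forward_4500=True))
    print("MT2 initiates:                 ", mt2_initiates())
```

The model also shows the caveat behind "only MT2 can initiate": the binding exists only while MT2 keeps sending, which is why the thread needed netwatch to generate traffic and why real NAT-T peers send keepalives. Forwarding UDP/4500 (the second case) is the only way to let MT1 initiate, and it pins that port to one inside host.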
 
seaman29
just joined
Posts: 6
Joined: Sat Dec 21, 2013 4:56 pm

Re: Help with IPSec NAT-Traversal

Sat May 03, 2014 12:06 am

Hey guys!

I have a similar situation:

Office (hardware unknown):
  External IP: 195.95.95.95
  Internal subnet 1: 10.10.5.0/24
  Internal subnet 2: 10.10.0.0/24

Home (MikroTik):
  External public IP: 128.28.28.28 (obtained via Beeline L2TP)
  Internal subnet: 192.168.88.0/24
  The Shrew client from home connects with sha1, 3des

I need to bring up a tunnel from the home MikroTik to the office and get access to the two office subnets.
The Windows Shrew client comes up and works. From its logs I saw that it uses sha1 and 3des.
I tried to adapt your scheme to my setup, but the tunnel doesn't come up. Help me, comrades.
Thanks in advance!
Here is my MikroTik script relating to the task:

/ip firewall filter
add chain=input comment="ipsec mycompany" dst-port=500,1701,1723,4500 protocol=udp src-address=195.95.95.95
add chain=input protocol=ipsec-ah src-address=195.95.95.95
add chain=input protocol=ipsec-esp src-address=195.95.95.95
add chain=input dst-port=500,1701,1723,4500 protocol=tcp src-address=195.95.95.95

/ip firewall nat
add chain=srcnat dst-address=10.10.5.0/24 src-address=192.168.88.0/24
add chain=srcnat dst-address=10.10.0.0/24 src-address=192.168.88.0/24

/ip ipsec proposal add enc-algorithms=3des lifetime=1d name=mycompany-proposal

/ip ipsec peer
add address=195.95.95.95/32 auth-method=pre-shared-key-xauth dpd-interval=\
10s dpd-maximum-failures=15 enc-algorithm=3des exchange-mode=aggressive \
my-id-user-fqdn=VPNGROUP nat-traversal=yes secret=* xauth-login=* xauth-password=*

/ip ipsec policy
add dst-address=10.10.5.0/24 proposal=mycompany-proposal sa-dst-address=\
195.95.95.95 sa-src-address=128.28.28.28 src-address=192.168.88.0/24 \
tunnel=yes
add dst-address=10.10.0.0/24 proposal=mycompany-proposal sa-dst-address=\
195.95.95.95 sa-src-address=128.28.28.28 src-address=192.168.88.0/24 \
tunnel=yes
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: Help with IPSec NAT-Traversal

Mon Jul 14, 2014 9:45 am

Hey guys!

I have a similar situation:
Hi. I realize more than half a year has passed, but do you still need an answer? Or did you figure it out?
