 
manuelritter
newbie
Topic Author
Posts: 38
Joined: Wed Sep 16, 2009 4:10 pm

IPSEC / Nat issue

Wed Apr 03, 2013 4:44 am

Hello Community,

I figured out a problem on RouterOS 6 (tile rc11 and rc12 tested).
[EXTERNAL IPSec Server] yyy.yyy.yyy.10 --- xxx.xxx.xxx.242 [R1] 192.168.1.1 --- 192.168.1.2 [R2] xxx.xxx.xxx.166 (some PPPoE device with an IPsec client behind it, not MikroTik)
If there is an IPSec connection from xxx.xxx.xxx.166 (customer) to yyy.yyy.yyy.10, the connection will not establish.
Torch on PPPoE Interface of R2 to xxx.xxx.xxx.166 shows:
SRC xxx.xxx.xxx.166, DST xxx.xxx.xxx.242, Rx Rate 0 bps, Tx Rate some bps
SRC xxx.xxx.xxx.166, DST yyy.yyy.yyy.10, Rx Rate some bps, Tx Rate 0 bps

If I disable all NAT rules on R1, IPSec immediately starts working and the first line of torch disappears. Therefore, line 2 shows some Tx rate too.

It does not matter which NAT rule is active on R1; every NAT rule triggers the error.

The nat rules are:

/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether6 \
src-address-list=!nomasq
add action=masquerade chain=srcnat disabled=yes out-interface=ether11
add action=masquerade chain=srcnat src-address=192.168.2.0/24

If I also disable the third rule, IPSec works fine. If any of these rules is active, it will not.
The Internet port is ether6, and xxx.xxx.xxx.166 is a member of the list "nomasq".

Is there any solution, or could it be my fault?

Best regards
Manuel Ritter
 
mixig
Member Candidate
Posts: 265
Joined: Thu Oct 27, 2011 2:19 pm

Re: IPSEC / Nat issue

Wed Apr 03, 2013 11:28 am

IPSec traffic must be excluded from NAT (masquerade). Can you please also post the IPsec configuration here?
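As an added illustration of the exclusion mixig describes (this is not configuration from the thread or from MikroTik), here is how the srcnat chain on R1 could be arranged so that IPsec traffic is accepted before any masquerade rule can rewrite it. It assumes, as in the original post, that ether6 is R1's Internet interface and that the address list "nomasq" contains the hosts (such as xxx.xxx.xxx.166) whose traffic must leave R1 untouched; the accept rules must sit above the masquerade rules because firewall chains are evaluated top-down.

```routeros
# Added example, not from the original post. Assumes ether6 is R1's Internet
# interface and that address list "nomasq" holds the hosts whose IPsec
# traffic must not be NATed (e.g. xxx.xxx.xxx.166 behind R2).
/ip firewall nat

# Exemptions first: "accept" in srcnat means "stop processing, do not NAT".
# ESP and AH are IP protocols of their own and carry no port, so masquerading
# them breaks the tunnel; IKE (UDP/500) and NAT-T (UDP/4500) carry the
# peer identity that the other side checks.
add chain=srcnat action=accept protocol=ipsec-esp \
    src-address-list=nomasq comment="IPsec ESP: no NAT"
add chain=srcnat action=accept protocol=ipsec-ah \
    src-address-list=nomasq comment="IPsec AH: no NAT"
add chain=srcnat action=accept protocol=udp dst-port=500,4500 \
    src-address-list=nomasq comment="IKE and NAT-T: no NAT"

# The original masquerade rules stay below the exemptions.
add chain=srcnat action=masquerade out-interface=ether6 \
    src-address-list=!nomasq
add chain=srcnat action=masquerade src-address=192.168.2.0/24

# Check: while the tunnel is being brought up, the packet counters of the
# three accept rules should increase and the masquerade counters should not.
/ip firewall nat print stats
```

If the counters on the accept rules stay at zero while torch still shows traffic from xxx.xxx.xxx.166 to xxx.xxx.xxx.242, the packets are being matched by an earlier rule, so the rule order should be checked again.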
 
manuelritter
newbie
Topic Author
Posts: 38
Joined: Wed Sep 16, 2009 4:10 pm

Re: IPSEC / Nat issue

Wed Apr 03, 2013 1:37 pm

The IPSec is not mine; I have no access to the configuration.
 
ghi000
newbie
Posts: 30
Joined: Thu Jun 06, 2013 6:05 pm
Location: București, România

Re: IPSEC / Nat issue

Thu Jun 06, 2013 6:41 pm

In my configuration, with RouterOS v6 IPsec will not work if the first request is made from the RB1100AHx2 to any MIPS router with v6. But if the request is coming from a MIPS device, the RB1100AHx2 will accept it and IPsec will work. The upgrade files used for both MIPS and PPC devices were taken from the all_packages-ppc-6.0 and all_packages-mipsbe-6.0 zip files. I tried to solve it with the support guys, but they were asking for a supout, and I can't take the network offline again. It's a prod environment, and I went back to v5.25. Everything works as it should with RouterOS v5.
