
 
angriukas
just joined
Topic Author
Posts: 10
Joined: Fri Nov 22, 2013 9:20 am
Location: Lithuania

IPSec Road Warrior

Fri Nov 22, 2013 9:41 am

Hello,

I have configured IPsec on an RB751G-2HnD (ROS 6.6) according to the following document from the MikroTik wiki:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
but the Shrew client cannot bring up the IPsec tunnel; a time-out occurs.
There is nothing mentioned in the wiki about firewall rules for road warriors, so it is not clear where the problem occurs: in the firewall rules or in the IPsec policy?

I think the firewall INPUT chain should contain at least one rule to allow new connections on WAN, port 500 UDP, to initiate the IPsec tunnel. What about other rules to allow traffic from the road warrior via IPsec to the LAN?
I would be grateful if someone would help me complete the configuration for a road warrior with an IPsec policy for the Shrew client.
 
andriys
Forum Guru
Posts: 1135
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec Road Warrior

Fri Nov 22, 2013 10:14 am

Hello!
> I think the firewall INPUT chain should contain at least one rule to allow new connections on WAN, port 500 UDP, to initiate the IPsec tunnel. What about other rules to allow traffic from the road warrior via IPsec to the LAN?

You need these to allow outer-tunnel IPsec traffic (you can further restrict them to your WAN interface only):

ros code

/ip firewall filter
add chain=input comment=IPsec dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp

As to the inner-tunnel traffic, it's a bit more complicated. First, use mangle rules like these to mark (not yet decapsulated) IPsec packets with the 'vpn' packet mark:

ros code

/ip firewall mangle
add action=mark-packet chain=input dst-port=4500 new-packet-mark=vpn protocol=udp
add action=mark-packet chain=input new-packet-mark=vpn protocol=ipsec-esp

The 'vpn' packet mark will be copied to your inner-tunnel packets during decapsulation, so you can use it in filter rules later.

Also please note that there's a bug in the policy templates configuration: 'dst-address' and 'src-address' are mixed up in 6.6 and earlier versions. I was going to write to support about the issue, but have not done that yet.
 
andriys
Forum Guru
Posts: 1135
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec Road Warrior

Fri Nov 22, 2013 10:16 am

And you can skip the 4500/udp rules if you are not going to support/allow NAT-T.
 
mrz
MikroTik Support
Posts: 5921
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec Road Warrior

Fri Nov 22, 2013 10:23 am

 
angriukas
just joined
Topic Author
Posts: 10
Joined: Fri Nov 22, 2013 9:20 am
Location: Lithuania

Re: IPSec Road Warrior

Sun Nov 24, 2013 3:37 pm

Hello,

thank you for quick responses.

Now the tunnel is enabled, but I can't ping the remote LAN.

When I remove the following lines from the Shrew profile:
s:ident-client-data:
s:ident-server-data:

and add

s:client-iface:virtual
s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool
s:client-ip-mask:255.255.255.0

only then can I ping several IPs on the remote LAN.
Quite an interesting situation: I can ping only some IPs, other IPs are unreachable, while the unreachable IPs can be pinged via the Winbox ping tool without problems.
The remote LAN contains several static IPs + dynamic IPs (from the DHCP pool); the local PC firewall is turned off.
Why are only some IPs accessible on the remote LAN?
Any ideas are welcome, thank you.

/ip ipsec peer print
  0 address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key secret="123" generate-policy=port-override exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

/ip ipsec policy print
  0 D src-address=192.168.7.50/32 src-port=any dst-address=192.168.7.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=A.B.C.D sa-dst-address=E.F.G.H priority=2
 
jaytcsd
Member Candidate
Posts: 286
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSec Road Warrior

Fri Nov 29, 2013 7:30 am

What advantages does Shrew offer over the windows client?
 
andriys
Forum Guru
Posts: 1135
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec Road Warrior

Fri Nov 29, 2013 9:21 am

> What advantages does Shrew offer over the windows client?

What Windows client? To my knowledge, there's no easy-to-use pure (policy-based) IPsec client in Windows itself at all. Shrew supports virtually anything you can do with IPsec; no other client that I know of is as flexible as Shrew.
 
andriys
Forum Guru
Posts: 1135
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec Road Warrior

Fri Nov 29, 2013 9:33 am

> When I remove the following lines from the Shrew profile:
> s:ident-client-data:
> s:ident-server-data:

Shrew profile files (even though being plain-text) are not designed to be human-readable/editable, IMO. Can you please specify what these options refer to in the UI?

> s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool

I do NOT recommend using IPs from the remote LAN's subnet for your road warriors (VPN users). Even though it might (or might not) work with proxy ARP enabled, classic policy-based IPsec is not meant to be used that way. Allocate another (separate) subnet for your road warriors.
 
angriukas
just joined
Topic Author
Posts: 10
Joined: Fri Nov 22, 2013 9:20 am
Location: Lithuania

Re: IPSec Road Warrior

Fri Nov 29, 2013 3:34 pm

Hello,

From the wiki:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

> IpSec Server Config
> At first we need a pool from which the RoadWarrior will get an address. Typically, in an office, you set up a DHCP server for local workstations; the same DHCP pool can be used.

That phrase pointed me in the wrong direction. Looks like there is an error...

The problem was in the RoadWarrior subnet: it was from the LAN address range, and it really won't work.
Thank you for support.
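As an added example (not code from the thread, from MikroTik or from the wiki), the following RouterOS 6.x commands put andriys' two answers and the separate-subnet fix together: IKE/ESP accepted on the WAN interface only, decapsulated packets recognised by the 'vpn' packet mark, and road warriors addressed from 192.168.8.0/24 instead of the 192.168.7.0/24 LAN. Assumed: the WAN interface is named ether1-gateway, the pool and mode-config names rw-pool and rw-cfg, and the PSK placeholder; a masquerade rule already exists in srcnat.

```routeros
# Added example, not the thread's configuration. Assumed names: ether1-gateway
# (WAN), rw-pool, rw-cfg; LAN 192.168.7.0/24 is from the thread, 192.168.8.0/24 is
# the separate road-warrior subnet recommended by andriys.

# 1. Outer tunnel: accept IKE (500/udp), NAT-T (4500/udp) and ESP on WAN only.
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=udp dst-port=500 action=accept comment="IKE"
add chain=input in-interface=ether1-gateway protocol=udp dst-port=4500 action=accept comment="IPsec NAT-T"
add chain=input in-interface=ether1-gateway protocol=ipsec-esp action=accept comment="ESP"

# 2. Mark still-encapsulated packets; the mark is kept on the decrypted inner packet.
/ip firewall mangle
add chain=input in-interface=ether1-gateway protocol=udp dst-port=4500 action=mark-packet new-packet-mark=vpn passthrough=yes
add chain=input in-interface=ether1-gateway protocol=ipsec-esp action=mark-packet new-packet-mark=vpn passthrough=yes

# 3. Inner tunnel: only decrypted packets from the road-warrior pool may reach the LAN;
#    anything else that came out of the tunnel is dropped (least privilege).
/ip firewall filter
add chain=forward packet-mark=vpn src-address=192.168.8.0/24 dst-address=192.168.7.0/24 action=accept comment="road warrior -> LAN"
add chain=forward packet-mark=vpn action=drop comment="other tunnel traffic"

# 4. Road-warrior addresses come from their own pool via mode-config, not from the LAN DHCP pool.
/ip pool add name=rw-pool ranges=192.168.8.10-192.168.8.100
/ip ipsec mode-config add name=rw-cfg address-pool=rw-pool address-prefix-length=32
/ip ipsec policy add template=yes src-address=192.168.7.0/24 dst-address=192.168.8.0/24 proposal=default
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main auth-method=pre-shared-key secret="CHANGE-ME-PSK" \
    generate-policy=port-override mode-config=rw-cfg nat-traversal=yes

# 5. LAN -> road-warrior replies must not be masqueraded, or they never match the policy.
#    This rule has to sit above the existing masquerade rule in srcnat.
/ip firewall nat add chain=srcnat src-address=192.168.7.0/24 dst-address=192.168.8.0/24 action=accept comment="no NAT into the tunnel"
```

Check the template's src/dst orientation on 6.6 before applying step 4, since andriys notes the two fields were swapped there; the peer line also keeps the router's default proposal rather than the md5/3des/modp1024 combination shown in the peer print earlier in the thread.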
 
nichky
Long time Member
Posts: 522
Joined: Tue Jun 23, 2015 2:35 pm

Re: IPSec Road Warrior

Thu Nov 17, 2016 12:08 am

Did anyone fix it, or does it still have the error?
I've been doing this and I've got the same problems as you.
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
