Hello,
I have configured IPSec on RB751G-2hnd (ROS 6.6) according following document from Mikrotik wiki:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
but Shrew client can not bring-up ipsec tunnel, time-out occur.
There is nothing mentioned in the wiki about firewall rules for road warrior, it is not clear where problems occur - in the firewall rules or in the IPSec policy?
I think firewall INPUT chain should contain at at least one rule to allow new connection on WAN, port 500 udp to start initiate IPSec tunnel. What about other rules to allow traffic from road warrior via IPSec to LAN?
I would be grateful if someone would help for me to complete configuration for road warrior with IPSec policy for Shrew client?
Re: IPSec Road Warrior
Hello!
Also please note that there's a bug in the policy templates configuration, 'dst-address' and 'src-address' are mixed up in 6.6 and earlier version. I was going to write to support about the issue, but have not done that yet.
You need these to allow outer-tunnel IPsec traffic (you can further restrict them to your WAN interface only):I think firewall INPUT chain should contain at at least one rule to allow new connection on WAN, port 500 udp to start initiate IPSec tunnel. What about other rules to allow traffic from road warrior via IPSec to LAN?
ros code
/ip firewall filter add chain=input comment=IPsec dst-port=500 protocol=udp add chain=input protocol=ipsec-esp add chain=input dst-port=4500 protocol=udpAs to the inner-tunnel traffic, it's a bit more complicated. First, use mangle rules like these to mark (not yet decapsulated) IPsec packets with 'vpn' packet mark:
ros code
/ip firewall mangle add action=mark-packet chain=input dst-port=4500 new-packet-mark=vpn protocol=udp add action=mark-packet chain=input new-packet-mark=vpn protocol=ipsec-espThe 'vpn' packet mark will be copied to your inner-tunnel packets during decapsulation, so you can use it in filter rules later.
Also please note that there's a bug in the policy templates configuration, 'dst-address' and 'src-address' are mixed up in 6.6 and earlier version. I was going to write to support about the issue, but have not done that yet.
Re: IPSec Road Warrior
And you can skip 4500/udp rules if you are not going to support/allow NAT-T.
Re: IPSec Road Warrior
Hello,
thank you for quick responses.
Now tunnel is enabled but I can't ping remote LAN.
When I remove following lines from shrew:
s:ident-client-data:
s:ident-server-data:
and add
s:client-iface:virtual
s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool
s:client-ip-mask:255.255.255.0
only then I can ping several IP's on remote LAN.
Quite interesting situation - I can ping only some IP's, others IP's are unreachable, where unreachable IP's can be pinged via Winbox ping tool without problems.
Remote LAN contains several static IP's + dynamic IP's (from DHCP pool), local PC firewall is turned to off.
Why only some IP's are accessible on remote LAN?
Any ideas are welcome, thank you.
thank you for quick responses.
Now tunnel is enabled but I can't ping remote LAN.
When I remove following lines from shrew:
s:ident-client-data:
s:ident-server-data:
and add
s:client-iface:virtual
s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool
s:client-ip-mask:255.255.255.0
only then I can ping several IP's on remote LAN.
Quite interesting situation - I can ping only some IP's, others IP's are unreachable, where unreachable IP's can be pinged via Winbox ping tool without problems.
Remote LAN contains several static IP's + dynamic IP's (from DHCP pool), local PC firewall is turned to off.
Why only some IP's are accessible on remote LAN?
Any ideas are welcome, thank you.
- /ip ipsec peer print
0 address=0.0.0.0/0 passive=no port=500 auth-method=pre-shared-key secret="123" generate-policy=port-override exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
- /ip ipsec policy print
0 D src-address=192.168.7.50/32 src-port=any dst-address=192.168.7.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=A.B.C.D sa-dst-address=E.F.G.H priority=2
Re: IPSec Road Warrior
What advantages does Shrew offer over the windows client?
Re: IPSec Road Warrior
What Windows client? To my knowledge, there's no easy to use pure (policy based) IPsec client in Windows itself at all. Shrew supports virtually anything you can do with IPsec- no other client that I know of is as flexible as Shrew.What advantages does Shrew offer over the windows client?
Re: IPSec Road Warrior
Shrew profile files (even though being plain-text) are not designed to be human-readable/editable, IMO. Can you please specify what these options refer to in the UI?When I remove following lines from shrew:
s:ident-client-data:
s:ident-server-data:
I do NOT recommend using IPs from remote LAN's subnet for your road-warriors (VPN users). Even though it might (or might not) work with proxy ARP enabled, classic policy-based IPsec is not meant to be used that way. Allocate another (separate) subnet for your road-warriors.s:client-ip-addr:192.168.7.50 -> free IP from remote LAN, not from DHCP pool
Re: IPSec Road Warrior
Hello,
From Wiki:
The problem was in RoadWarrior subnet, it was from LAN address range, it really won't work.
Thank you for support.
From Wiki:
That phrase point me to wrong direction. Looks like there is an error...http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
IpSec Server Config
At first we need a pool from which RoadWarrior will will get an address. Typically in office you set up DHCP server for local workstations, the same DHCP pool can be used.
The problem was in RoadWarrior subnet, it was from LAN address range, it really won't work.
Thank you for support.
Re: IPSec Road Warrior
Does anyone fix it up, or still has error?
i've been doing, i've got same problems like you.
i've been doing, i've got same problems like you.