Borkoje
just joined
Topic Author
Posts: 5
Joined: Sun May 23, 2021 6:22 pm

Routing traffic from wireless clients over IPSec

Sat Jun 19, 2021 3:37 pm

I have the following setup:
- IPSec connection from MikroTik to Linux server
- EAP/PEAP wireless network (RADIUS requests over IPSec to Linux server)
- DHCP Server (RADIUS requests over IPSec to Linux server, returning Framed-IP-Address)
My wireless clients are able to connect, obtain an IP address, and access the Internet. I am not able to configure wireless clients to access the Linux server (10.0.0.3) on a private address over IPSec. I can ping the Linux server from MikroTik, but not from wireless clients.
Linux server address is 10.0.0.3
MikroTik IPSec network is 10.0.0.0/27 (10.0.0.3-10.0.0.30 is used for wireless clients)

Here is my MikroTik configuration. If you can give me any hint, I would appreciate it.
/interface bridge
add name="PROJECT Bridge"
add admin-mac=48:8F:5A:AC:C1:53 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge \
    ssid=MikroTik-ACC154 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=mobile4g authentication=pap default-route-distance=1 user=XXXXX
/interface lte
set [ find ] apn-profiles=mobile4g mac-address=AC:FF:FF:00:00:00 name=mobile4g
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap mode=dynamic-keys name=PROJECT radius-eap-accounting=yes supplicant-identity=PROJECT tls-mode=dont-verify-certificate
/interface wireless
add disabled=no mac-address=4A:8F:5A:AC:C1:54 master-interface=wlan1 name=PROJECT security-profile=PROJECT ssid=PROJECT wds-default-bridge=bridge wps-mode=\
    disabled
/ip dhcp-server
add disabled=no interface="PROJECT Bridge" name="PROJECT DHCP" use-radius=yes
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=PROJECT responder=no
/ip ipsec policy group
add name=PROJECT
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=PROJECT
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 name=PROJECT profile=PROJECT
/ip ipsec proposal
add name=PROJECT pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=wlan1
add bridge="PROJECT Bridge" interface=PROJECT
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=mobile4g list=WAN
add interface="PROJECT Bridge" list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.1.1/27 comment="network /27 assigned to partner/location" interface="PROJECT Bridge" network=10.0.1.0
/ip dhcp-server network
add address=10.0.1.0/27 gateway=10.0.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-peap generate-policy=port-strict mode-config=PROJECT peer=PROJECT policy-template-group=PROJECT \
    username=partner00001
/ip ipsec policy
add dst-address=0.0.0.0/0 group=PROJECT proposal=PROJECT src-address=0.0.0.0/0 template=yes
/radius
add address=10.0.0.3 service=wireless,dhcp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Borkoje
just joined
Topic Author
Posts: 5
Joined: Sun May 23, 2021 6:22 pm

Re: Routing traffic from wireless clients over IPSec

Wed Jun 30, 2021 9:07 pm

Any idea? If there is anyone able to help with this, I am also willing to pay. Please let me know.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Routing traffic from wireless clients over IPSec

Sat Jul 03, 2021 7:06 pm

I did not check your config properly, but I see that in /ip firewall nat you have only a MASQ rule... you should create a proper NAT rule for IPSec customers, if I understand your traffic correctly.
Please create some network graph at draw.io or glify.com or mspaint etc.
 
Borkoje
just joined
Topic Author
Posts: 5
Joined: Sun May 23, 2021 6:22 pm

Re: Routing traffic from wireless clients over IPSec

Sat Jul 03, 2021 10:57 pm

> I did not check your config properly, but I see that in /ip firewall nat you have only a MASQ rule... you should create a proper NAT rule for IPSec customers, if I understand your traffic correctly.
> Please create some network graph at draw.io or glify.com or mspaint etc.
Thank you, SiB!
Probably. I assume that some IPSec policy or NAT rule is missing, but I am not familiar with MikroTik.
Here is a simplified layout (with just the private networks, without the WAN address of the central server).
[image: simplified network layout]
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Routing traffic from wireless clients over IPSec

Sun Jul 04, 2021 5:33 pm

What is strange for me is this:
/ip ipsec policy add dst-address=0.0.0.0/0 group=PROJECT proposal=PROJECT src-address=0.0.0.0/0 template=yes
which says any VPN client from any network has access to any network - I never use such a general matching rule.
Hmm, you use dynamic users and they connect from ANY peer IP, but you should regulate your Encryption Domain.

All my IPSec setups are Site2Site without any RoadWarrior users.
If your IPSec policy is more like:
Partner A) 10.0.1.1/27 <=> 10.0.0.3
then all those users should receive IPs 10.0.1.2-30 and start communicating, if your firewall does not block that traffic. All NAT is then done by RouterOS, if the policy on each site is proper.

With IPSec it is important to check:
*) Conntrack connections in the firewall
*) try to ping your 10.0.0.3 from the client
*) try to ping from the Mtk at Partner A: /ping src-address=10.0.1.1 10.0.0.3
*) sniff traffic: /tools sniffer quick ip-address=10.0.0.3

I wrote that by hand and there may be some syntax mistakes, but this is the way to diagnose that problem.
 
Borkoje
just joined
Topic Author
Posts: 5
Joined: Sun May 23, 2021 6:22 pm

Re: Routing traffic from wireless clients over IPSec

Mon Jul 05, 2021 3:18 pm

Hi SiB,

The policy is set correctly, as far as I can understand, since 10.0.0.0/16 is a private address on both sides. Do you think I need to set the specific Partner network on both SRC and DST?
 > /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER     TUNNEL SRC-ADDRESS                                     DST-ADDRESS                                     PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T *                 ::/0                                            ::/0                                            all       
 1 T                   0.0.0.0/0                                       0.0.0.0/0                                       all       
 2  DA  PROJECT  yes    10.0.0.0/16                                     10.0.0.0/16                                     all        encrypt unique           1

Pinging 10.0.0.3 from the client device isn't working.

Ping from MikroTik is working:
 > /ping src-address=10.0.1.1 10.0.0.3
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                        
    0 10.0.0.3                                   56  64 30ms 
    1 10.0.0.3                                   56  64 14ms 
    2 10.0.0.3                                   56  64 27ms 
    sent=3 received=3 packet-loss=0% min-rtt=14ms avg-rtt=23ms max-rtt=30ms 

The tool sniffer output is interesting; here is the complete log from the client's EAP connection up to the PING to 10.0.0.3 from the client:
 > /tool sniffer quick ip-address=10.0.0.3
IN     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU
tm   31.722      8 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1812 (radius)              10.0.1.1:52179                      ip:udp      191   0
tm   31.756      9 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1812 (radius)              10.0.1.1:48780                      ip:udp      143   0
tm   31.791     10 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1812 (radius)              10.0.1.1:51324                      ip:udp      242   0
tm   31.865     11 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1813 (radius-acct)         10.0.1.1:46237                      ip:udp       62   0
tm   35.426     12 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1812 (radius)              10.0.1.1:40309                      ip:udp       90   0
tm   36.986     13 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1813 (radius-acct)         10.0.1.1:42579                      ip:udp       62   0
LO   54.375     14 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   54.375     15 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   55.377     16 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   55.377     17 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   56.389     18 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   56.389     19 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   57.376     20 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   57.376     21 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   58.377     22 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   58.377     23 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   59.371     24 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   59.371     25 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   60.376     26 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   60.376     27 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Routing traffic from wireless clients over IPSec  [SOLVED]

Mon Jul 05, 2021 4:36 pm

A general rule in any VPN is SITES, different sites... in your policies those networks are the same, which breaks my head :). I never do it that way.
How will your main router know that it must go to a specific /27 when all 3 branches use the same 0.0.0.0/16...?

When I have Branches A, B, C and they use the same addressing, then the first one will establish the VPN and the others will be red entries that work as FailOver... your idea to configure all traffic with the same subnets on both sites is, in my opinion, the first thing to fix.

About your IP sniffer... you see that the traffic goes in one direction... nothing comes back! This is your way to track it in more detail, thanks to /ip firewall connections - open it in WinBox and set a proper filter via the Filters icon. Double-click the rule and check the first 4 IP addresses.

Remember that you can run the sniffer on both devices to see whether one sends... and the second sees the incoming traffic.
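To make the "goes in one direction, nothing comes back" check repeatable, here is an added example (not from this thread or from MikroTik) that parses /tool sniffer quick rows like the ones posted above and lists every flow with no reverse direction. The header and three rows are copied from the posted capture; the "->" RADIUS request row is constructed so that a healthy two-way flow is present for comparison.

```python
import re
from collections import defaultdict

# Sample capture: header and three rows copied from the sniffer output posted in
# this thread, plus one CONSTRUCTED "->" RADIUS request row (NUM 7) so that a
# healthy two-way flow exists for comparison.
SAMPLE = """\
IN     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU
tm   31.700      7 -> AC:FF:FF:00:00:00 00:D1:E6:E6:E6:E6        10.0.1.1:52179                      10.0.0.3:1812 (radius)              ip:udp      200   0
tm   31.722      8 <- 00:D1:E6:E6:E6:E6 AC:FF:FF:00:00:00        10.0.0.3:1812 (radius)              10.0.1.1:52179                      ip:udp      191   0
LO   54.375     14 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
LO   55.377     16 <- E6:92:B3:D2:52:26 4A:8F:5A:AC:C1:54        10.0.1.3                            10.0.0.3                            ip:icmp      98   0
"""

# IPv4 address with an optional :port. MAC addresses and timestamps never match
# because they lack three dotted octets.
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")
PROTO_RE = re.compile(r"\b(ip:\w+)\b")


def parse_row(line):
    """Return (protocol, src_ip, dst_ip) for one data row, or None for the header."""
    ips = IP_RE.findall(line)
    proto = PROTO_RE.search(line)
    if len(ips) < 2 or proto is None:
        return None
    return proto.group(1), ips[0], ips[1]


def one_way_flows(capture):
    """Count packets per (protocol, src, dst) and return the flows whose
    reverse direction never appears in the capture: the symptom SiB points out."""
    counts = defaultdict(int)
    for line in capture.splitlines():
        row = parse_row(line)
        if row is not None:
            counts[row] += 1
    return sorted(
        (proto, src, dst, n)
        for (proto, src, dst), n in counts.items()
        if (proto, dst, src) not in counts
    )


if __name__ == "__main__":
    for proto, src, dst, n in one_way_flows(SAMPLE):
        print(f"no reply seen: {proto} {src} -> {dst} ({n} packets)")
```

On the posted capture only the client's ICMP echo to 10.0.0.3 is reported, which is the one-directional flow SiB describes.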
 
Borkoje
just joined
Topic Author
Posts: 5
Joined: Sun May 23, 2021 6:22 pm

Re: Routing traffic from wireless clients over IPSec

Tue Jul 06, 2021 10:04 am

> A general rule in any VPN is SITES, different sites... in your policies those networks are the same, which breaks my head :). I never do it that way.
> How will your main router know that it must go to a specific /27 when all 3 branches use the same 0.0.0.0/16...?
>
> When I have Branches A, B, C and they use the same addressing, then the first one will establish the VPN and the others will be red entries that work as FailOver... your idea to configure all traffic with the same subnets on both sites is, in my opinion, the first thing to fix.
>
> About your IP sniffer... you see that the traffic goes in one direction... nothing comes back! This is your way to track it in more detail, thanks to /ip firewall connections - open it in WinBox and set a proper filter via the Filters icon. Double-click the rule and check the first 4 IP addresses.
>
> Remember that you can run the sniffer on both devices to see whether one sends... and the second sees the incoming traffic.
Yes, you are right!
Setting the right networks in the IPSec policy solved this issue.
 > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER      TUNNEL SRC-ADDRESS                                    DST-ADDRESS                                    PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 TX*                  ::/0                                           ::/0                                           all       
 1 TX                   0.0.0.0/0                                      0.0.0.0/0                                      all       
 2  A  PROJECT   yes    10.0.1.0/27                                    10.0.0.0/16                                    all        encrypt require          1
Now I can ping from the client, and I can see incoming traffic on the central server from a private network.
Thank you!
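SiB's objection to identical /16 selectors on every branch can be checked with plain prefix arithmetic. This is an added example, not from the thread or from MikroTik: Branch A's prefixes come from the two policy prints above, while the Branch B and C prefixes are constructed to mirror SiB's A/B/C scenario.

```python
import ipaddress
from itertools import combinations

# Remote traffic selectors as the central server (10.0.0.3) would see them,
# one per branch. Branch A's prefixes come from the two policy prints in this
# thread; Branches B and C are CONSTRUCTED to mirror SiB's A/B/C scenario.
BEFORE_FIX = {"A": "10.0.0.0/16", "B": "10.0.0.0/16", "C": "10.0.0.0/16"}
AFTER_FIX = {"A": "10.0.1.0/27", "B": "10.0.2.0/27", "C": "10.0.3.0/27"}


def overlapping_selectors(selectors):
    """Return pairs of branches whose remote selectors overlap. Any overlap means
    a packet to a host in the shared range can be claimed by more than one SA."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in selectors.items()}
    return [
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    ]


def branches_for(selectors, dst):
    """Return the branches whose selector contains dst, i.e. the candidate
    tunnels for a reply to that address. Exactly one is the healthy outcome."""
    ip = ipaddress.ip_address(dst)
    return [name for name, cidr in selectors.items()
            if ip in ipaddress.ip_network(cidr)]


if __name__ == "__main__":
    client = "10.0.1.3"  # the wireless client seen in the sniffer output above
    for label, sel in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(f"{label}: overlaps={overlapping_selectors(sel)} "
              f"tunnels for {client}={branches_for(sel, client)}")
```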
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Routing traffic from wireless clients over IPSec

Tue Jul 06, 2021 6:15 pm

Mark the proper answer as Solved to close this ticket.
You're welcome.