Community discussions

MikroTik App
 
atoth
just joined
Topic Author
Posts: 2
Joined: Thu Jun 01, 2023 4:10 pm

ipsec vpn issue between mikrotik and juniper

Thu Jun 01, 2023 5:00 pm

hello,


i have a new mikrotik D53G-5HacD2HnD.
the main purpuse for this device would be to have an ipsec connection with a juniper device and serve 2 clients on mikrotik lan side.
ipsec connection itself seens up (confirmed on juniper side too), but there is no traffic on it. i tried pinging from both side, with connected devices, no luck.
since this is my first mikrotik device, i guess i'm missing something, but searching since a week with no luck.
the device itself has lte network, with a public ip, confirmed by the provider no filtering on there side.
on juniper side no problem, with other devices ipsec working without a problem.
can you check the config to see what is the issue ?

Thanks

#jun/01/2023 15:35:08 by RouterOS 7.8
# software id = 88C6-S5EV
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add arp=proxy-arp name=lan-br
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface lte apn
add apn=******* ip-type=ipv4
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=****** band=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=******
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=***********
/ip ipsec peer
add address=*********.226/32 exchange-mode=ike2 name=****** profile=******
add address=*********.65/32 exchange-mode=ike2 name=********** passive=yes profile=***********
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=****** pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=*********** pfs-group=modp2048
/ip pool
add name=lan-dhcp-pool ranges=10.88.1.20-10.88.1.200
/ip dhcp-server
add address-pool=lan-dhcp-pool interface=lan-br name=lan-dhcp
/interface bridge port
add bridge=lan-br interface=ether1
add bridge=lan-br interface=ether2
add bridge=lan-br interface=ether3
add bridge=lan-br interface=ether4
add bridge=lan-br interface=ether5
add bridge=lan-br interface=wlan1
add bridge=lan-br interface=wlan2
/ip address
add address=10.88.1.1/24 interface=ether1 network=10.88.1.0
/ip dhcp-server network
add address=10.88.1.0/24 gateway=10.88.1.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward connection-state=established,related dst-address=172.17.0.0/16 src-address=10.88.1.0/24
add action=accept chain=forward dst-address=172.22.0.0/16 src-address=10.88.1.0/24
add action=accept chain=forward connection-state=established,related dst-address=10.88.1.0/24 src-address=172.17.0.0/16
add action=accept chain=input dst-address=10.88.1.0/24 src-address=172.22.0.0/16
add action=accept chain=input src-address=172.17.0.0/16
add action=accept chain=input src-address=172.22.0.0/16
add action=accept chain=input log=yes src-address=10.88.1.0/24
add action=accept chain=input src-address=*********.70
add action=accept chain=input src-address=*********.65
add action=accept chain=input src-address=*********.226
add action=accept chain=input src-address=*********.247
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log=yes log-prefix="[drop]"
/ip firewall nat
add action=accept chain=srcnat disabled=yes log=yes log-prefix=SNAT1 src-address=172.17.0.0/16
add action=masquerade chain=srcnat ipsec-policy=out,none log-prefix=MASQ
/ip ipsec identity
add notrack-chain=output peer=******
add notrack-chain=output peer=**********
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.17.0.0/16 level=unique peer=****** proposal=****** src-address=10.88.1.0/24 tunnel=yes
add dst-address=172.22.0.0/16 level=unique peer=********** proposal=*********** src-address=10.88.1.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=172.17.0.0/16 gateway=*************pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10 vrf-interface=lte1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/******
/system ntp client
set enabled=yes
/system ntp client servers
add address=**.pool.ntp.org
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ipsec vpn issue between mikrotik and juniper

Sun Jun 04, 2023 7:06 pm

Off-topic but really important, please do have a look into the philosophy of the Mikrotik firewall, especially the role of the chains (input/output vs. forward) and the purpose of connection tracking. Your current firewall rules effectively do nothing because the default behavior of all filter chains is accept and you only drop invalid packets. So what is not selectively accepted by one of your rules is accepted anyway.

As the bots keep scanning the internet all the time for devices whose management services are accessible, you may already not be the only administrator of your Tik. The times when Winbox could have been left accessible from anywhere are long gone. Also, anyone can use your Tik for UDP DDoS attacks as your DNS service is open to the world.

As for your issue, I'd like to see the output of /ip ipsec active-peers print and /ip ipsec installed-sa print. Please obfuscate the output in a consistent way in terms that all occurrences of each unique IP address will be substituted by the same unique string, like local.public.ip, ip.of.peer.A, ip.of.peer.B ...

Pinging a remote private address from a device connected to Mikrotik LAN should cause the packet and byte counters to grow on the corresponding SA. With your currrent configuration, pinging from the Mikrotik itself must fail because the source address for the ping packets is chosen depending on the result of routing, and since there is only the default route on the Mikrotik that goes via WAN (the other one is disabled and it seems to lead via WAN anyway), the pings are sent from the WAN address which doesn't match the src-address of any of the two IPsec policies. To fix that, you would have to add dedicated routes or src-nat rules, but that's just cosmetics unless you cannot ping from a LAN device.

Since the Mikrotik has a public address, the SAs use bare ESP if the Juniper has a public address too, is that the case? Some ISP between the Mikrotik and the Juniper may drop ESP packets, so the fact that your mobile ISP doesn't may not be sufficient.

What also confuses me is that you mention only the Juniper, but you actually have two IPSec peers configured (and guessing by the number of asterisks, each policy is linked to another peer); is the other peer working flawlessly?
 
atoth
just joined
Topic Author
Posts: 2
Joined: Thu Jun 01, 2023 4:10 pm

Re: ipsec vpn issue between mikrotik and juniper

Mon Jun 05, 2023 5:00 pm

Hey,


thanks for the reply.

i modified the last drop rule, so its now blocks everything, not just invalid.


i run the 2 commands:
[admin@MikroTik] >  /ip ipsec active-peers print
Flags: R - RESPONDER
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
#   ID              STATE        UPTIME    PH2-TOTAL  REMOTE-ADDRESS
0 R ip_public_peer  established  5h18m46s          1  ip_public_peer
[admin@MikroTik] > /ip ipsec installed-sa print
Flags: H - HW-AEAD; E - ESP
Columns: SPI, STATE, SRC-ADDRESS, DST-ADDRESS, AUTH-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE
#    SPI         STATE   SRC-ADDRESS      DST-ADDRESS      AUTH-ALGORITHM  ENC-ALGORITHM  ENC-KEY-SIZE
0 HE 0x467CEC9   mature  ip_public_peer   ip_mikrotic_public  sha256          aes-cbc                 256
1 HE 0x3B6C3B01  mature  ip_mikrotic_public  ip_public_peer   sha256          aes-cbc                 256
[admin@MikroTik] > 
Yes, juniper has a public ip adress too. (with at least 8 other ip sec connections, and they are working, esp too)
yes, there was a second ipsec connection on the mikrotik for test, i deleted it.

i also reedited the config:
# jun/05/2023 15:55:38 by RouterOS 7.8
# software id = 88C6-S5EV
#
# model = D53G-5HacD2HnD
# serial number = HD208A34D9Z
/interface bridge
add arp=proxy-arp name=lan-br
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface lte apn
add apn=apn ip-type=ipv4
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=apn band=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=partner
/ip ipsec peer
add address=ipsec_peer_publicip/32 exchange-mode=ike2 name=partner profile=partner
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=partner pfs-group=modp2048
/ip pool
add name=lan-dhcp-pool ranges=10.88.1.20-10.88.1.200
/ip dhcp-server
add address-pool=lan-dhcp-pool interface=lan-br name=lan-dhcp
/interface bridge port
add bridge=lan-br interface=ether1
add bridge=lan-br interface=ether2
add bridge=lan-br interface=ether3
add bridge=lan-br interface=ether4
add bridge=lan-br interface=ether5
add bridge=lan-br interface=wlan1
add bridge=lan-br interface=wlan2
/ip address
add address=10.88.1.1/24 interface=ether1 network=10.88.1.0
/ip dhcp-server network
add address=10.88.1.0/24 gateway=10.88.1.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward connection-state=established,related dst-address=172.17.0.0/16 src-address=10.88.1.0/24
add action=accept chain=forward dst-address=172.22.0.0/16 src-address=10.88.1.0/24
add action=accept chain=forward connection-state=established,related dst-address=10.88.1.0/24 src-address=172.17.0.0/16
add action=accept chain=input dst-address=10.88.1.0/24 src-address=172.22.0.0/16
add action=accept chain=input src-address=172.17.0.0/16
add action=accept chain=input src-address=172.22.0.0/16
add action=accept chain=input log=yes src-address=10.88.1.0/24
add action=accept chain=input src-address=ipsec_peer_publicip
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid,established,related,new,untracked log-prefix="[drop]"
/ip firewall nat
add action=accept chain=srcnat disabled=yes log=yes log-prefix=SNAT1 src-address=172.17.0.0/16
add action=masquerade chain=srcnat ipsec-policy=out,none log-prefix=MASQ
/ip ipsec identity
add notrack-chain=output peer=partner
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.17.0.0/16 level=unique peer=partner proposal=partner src-address=10.88.1.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=172.17.0.0/16 gateway=ipsec_peer_publicip pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10 vrf-interface=lte1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/***
/system ntp client
set enabled=yes
/system ntp client servers
add address=**.pool.ntp.org
a hope its ok this way.
whats wierd for me as you said, some counter should be increasing, but it doesnt...

Thanks

Akos

Who is online

Users browsing this forum: lurker888, tangent and 58 guests