timwillis
just joined
Topic Author
Posts: 4
Joined: Sat Aug 08, 2009 6:10 pm

ipsec vpn, routing through tunnel and wake tunnel

Mon Apr 27, 2020 3:27 pm

Hi,

I have recently set up an IPsec VPN from a MikroTik to a Juniper. I do not have full access to the Juniper, nor am I that confident in my knowledge of the whole VPN process. I have two problems:

Local_PC ----------( local_lan )----------| Ether1  Mikrotik |-------- public internet
10.0.13.11          10.0.13.0/24            10.0.13.10        |
                                                              |----( IPsec VPN )----( juniper )---- remote network 10.254.96.0/21

1) I am unable to ping a device from a terminal session on the Mikrotik. I am unable to work out the process of routing packets from within the Mikrotik to have them directed to the VPN. I have created a NAT rule to accept the packets as routed and thus not NAT them, but I am getting nowhere.

2) The IPsec tunnel disconnects when no traffic is flowing for about an hour, and I am unable to wake it from devices on the 10.254.96.0 network.
I have one mode config set as request only, which is the default; if I create a second one as a responder, I do not know how to apply it. For the present time I have set up a cron job to regularly ping a device on the remote network to keep the tunnel alive.

I have posted the config here, with non-related lines removed.
# apr/27/2020 20:17:35 by RouterOS 6.46.5
# software id =
#
#
#
/interface bridge
add name=bridge-loopback

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des lifetime=8h name=IPX_ipsec_profile nat-traversal=no
/ip ipsec peer
add address=223.37.96.44/32 exchange-mode=aggressive local-address=122.213.233.219 name=peer1 profile=IPX_ipsec_profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms="aes-256-cbc,aes-256-ctr,\
aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des" lifetime=1h name=IPX

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall address-list
add address=10.0.13.0/24 list=local_lan
add address=10.0.13.0/24 list=local_and_IPX
add address=10.254.96.0/21 list=local_and_IPX
add address=10.254.96.0/21 list=IPX_lan

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=friends
add action=accept chain=input src-address-list=local_lan
add action=drop chain=input

add action=accept chain=forward dst-address-list=IPX_lan
add action=accept chain=forward
add action=accept chain=output

/ip firewall nat
add action=accept chain=srcnat dst-address-list=IPX_lan src-address-list=local_lan
add action=masquerade chain=srcnat dst-address-list=!local_and_IPX src-address-list=local_lan

/ip ipsec identity
add my-id=fqdn:vpn.company.com.au peer=peer1 secret=02349640003456104716
/ip ipsec policy
add dst-address=10.254.96.0/21 peer=peer1 proposal=IPX sa-dst-address=223.37.96.44 \
    sa-src-address=122.213.233.219 src-address=10.0.13.0/24 tunnel=yes
set 1 disabled=yes dst-address=10.254.96.0/24 proposal=IPX src-address=10.0.13.0/24


If anyone can assist, I would greatly appreciate it. I have spent a lot of time reading articles and trying to learn, but unfortunately have got nowhere on these two issues.

Thanks - Tim
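A note on the crypto in the posted export, separate from the two questions: the profile negotiates IKE with 3DES and modp1024, the peer uses aggressive mode, and the proposal still accepts md5 and sha1 for ESP. Aggressive mode with a pre-shared key sends a hash derived from that key unencrypted, which an on-path observer can attack offline, and the PSK itself is visible in this thread, so it should be rotated regardless. The following is an added example of the same peer with the weak settings shown beside hardened ones; it is my illustration, not Tim's config and not something the thread asked for. It assumes the Juniper administrator can change the matching parameters (IPsec only comes up with parameters both ends accept) and that the MikroTik keeps its static address 122.213.233.219, since main mode with a PSK needs the remote end to select the key by address rather than by the fqdn identity. IKEv2 (exchange-mode=ike2) is the better choice if the Juniper supports it.

```routeros
# Added example: hardened settings for the same peer, not the poster's export.
# Assumes the Juniper end is reconfigured to match and keeps 223.37.96.44.

# As posted (weak): IKE with 3DES and modp1024, aggressive mode, md5/sha1 allowed for ESP
# /ip ipsec profile add dh-group=modp1024 enc-algorithm=3des lifetime=8h \
#     name=IPX_ipsec_profile nat-traversal=no
# /ip ipsec peer add address=223.37.96.44/32 exchange-mode=aggressive \
#     local-address=122.213.233.219 name=peer1 profile=IPX_ipsec_profile
# /ip ipsec proposal add auth-algorithms=sha512,sha256,sha1,md5 \
#     enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,\
#     aes-128-cbc,aes-128-ctr,aes-128-gcm,3des" lifetime=1h name=IPX

# Hardened: AES-256 + SHA-256 + modp2048 for IKE, main mode instead of aggressive,
# AES-256-GCM (or AES-256-CBC with SHA-256) plus PFS for ESP. Lifetimes unchanged.
/ip ipsec profile
set IPX_ipsec_profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h nat-traversal=no
/ip ipsec peer
set peer1 exchange-mode=main
/ip ipsec proposal
set IPX enc-algorithms=aes-256-gcm,aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# Rotate the pre-shared key that was posted publicly (new value is a placeholder)
/ip ipsec identity
set [find peer=peer1] secret="replace-with-a-long-random-key"

# Verify what was actually negotiated with the Juniper
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

With GCM the auth-algorithms value is ignored for that cipher and only applies if the peer falls back to AES-CBC; keeping both in the list lets the Juniper pick either without reopening the negotiation. Apply the profile and proposal changes in one maintenance window with the remote side, because the existing SAs will not be rekeyed under the old parameters once they expire.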
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: ipsec vpn, routing through tunnel and wake tunnel

Mon Apr 27, 2020 6:24 pm

1) I am unable to ping a device from a terminal session on the Mikrotik. I am unable to work out the process of routing packets from within the Mikrotik to have them directed to the VPN. I have created a NAT rule to accept the packets as routed and thus not NAT them, but I am getting nowhere.
IPsec works (almost) independent of routing. Any traffic matching IPsec policy goes to tunnel, the rest is routed as usual. Simply specify a proper (i.e. covered by policy) source address (using src-address parameter) when pinging.

2) The IPsec tunnel disconnects when no traffic is flowing for about an hour, and I am unable to wake it from devices on the 10.254.96.0 network.
Fix your firewall filter rules. Allow 500/udp and ipsec-esp in the input chain, then check if problem persists.
 
timwillis
just joined
Topic Author
Posts: 4
Joined: Sat Aug 08, 2009 6:10 pm

Re: ipsec vpn, routing through tunnel and wake tunnel

Tue Apr 28, 2020 10:57 am

1) I am unable to ping a device from a terminal session on the Mikrotik. I am unable to work out the process of routing packets from within the Mikrotik to have them directed to the VPN. I have created a NAT rule to accept the packets as routed and thus not NAT them, but I am getting nowhere.
IPsec works (almost) independent of routing. Any traffic matching IPsec policy goes to tunnel, the rest is routed as usual. Simply specify a proper (i.e. covered by policy) source address (using src-address parameter) when pinging.

Yes, that is what I thought it was meant to do, and the src-address in the ping made all the difference.

2) The IPsec tunnel disconnects when no traffic is flowing for about an hour, and I am unable to wake it from devices on the 10.254.96.0 network.
Fix your firewall filter rules. Allow 500/udp and ipsec-esp in the input chain, then check if problem persists.

I have added those rules and will see if that makes the difference.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=4500 log=no
add chain=input action=accept protocol=ipsec-esp

Thanks for the ideas.
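Both of andriys's points, and the two rules Tim added in reply, worked through as an added example (these commands are mine, not from either poster). It assumes the addresses in the first post's diagram, a hypothetical remote host 10.254.96.1 to ping, and that the input chain contains exactly one drop rule, as in the posted export, so that place-before=[find ...] resolves to a single rule. Two practitioner notes: the posted proposal lifetime is 1h, which is consistent with the tunnel dropping after about an hour of silence, and once the SAs expire only the side that initiates IKE can bring them back, which is why the Juniper needs udp/500 (IKE itself; udp/4500 is only used once NAT-T is detected, and the profile has nat-traversal=no) and ESP accepted in the input chain. Mode config is unrelated to this; in RouterOS it is the IKE configuration payload used to hand addresses to road-warrior clients, not a responder setting for site-to-site tunnels.

```routeros
# Added example, not from the thread. Assumes LAN address 10.0.13.10 on the
# MikroTik, peer 223.37.96.44, and a hypothetical remote host 10.254.96.1.

# 1) Ping from an address covered by the policy. A plain "/ping 10.254.96.1"
#    sources from the WAN address 122.213.233.219, which is outside
#    src-address=10.0.13.0/24 and therefore never matches the policy.
/ping 10.254.96.1 src-address=10.0.13.10 count=4

# 2) Let the Juniper initiate IKE when the SAs have expired. Both rules are placed
#    above the final input drop and are limited to the configured peer.
#    udp/500  : IKE (phase 1 and phase 2 negotiation)
#    udp/4500 : IKE and ESP-in-UDP, only when NAT-T is detected
#    ipsec-esp: IP protocol 50, the tunnelled traffic itself
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=223.37.96.44 \
    comment="IKE / NAT-T from IPsec peer" place-before=[find chain=input action=drop]
add chain=input action=accept protocol=ipsec-esp src-address=223.37.96.44 \
    comment="ESP from IPsec peer" place-before=[find chain=input action=drop]

# 3) Checks. The policy should show ph2-state=established, active-peers should
#    list 223.37.96.44, and installed-sa should show an SA in each direction.
/ip ipsec policy print
/ip ipsec active-peers print
/ip ipsec installed-sa print

# 4) Optional: to confirm the remote side can now bring the tunnel up on its own,
#    flush the SAs from this end and ping from a host on 10.254.96.0/21.
/ip ipsec installed-sa flush
```

If the input chain later gains a second drop rule, replace the [find ...] shorthand with the explicit rule number from /ip firewall filter print, otherwise the add will fail with an ambiguous reference.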
 
timwillis
just joined
Topic Author
Posts: 4
Joined: Sat Aug 08, 2009 6:10 pm

Re: ipsec vpn, routing through tunnel and wake tunnel

Wed Apr 29, 2020 2:01 pm

Thanks to andriys, the suggestions seem to have made the difference.

The help is really appreciated.

Tim
