remendado
just joined
Topic Author
Posts: 8
Joined: Tue Jan 26, 2021 3:28 pm

Need help with IPsec

Tue Jan 26, 2021 3:48 pm

Two RB750Gr3 routers running RouterOS 6.47.8.
Very simple IPsec config for testing purposes:

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 nat-traversal=no
/ip ipsec peer
add address=xxx.xxx.158.248/32 name=ipsec-db profile=profile1
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip ipsec identity
add peer=ipsec-db secret=password_here
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=ipsec-db proposal=proposal1 sa-dst-address=xxx.xxx.158.248 sa-src-address=xxx.xxx.121.42 src-address=\
192.168.20.0/24 tunnel=yes

------------------------------------------------------------------------
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 nat-traversal=no
/ip ipsec peer
add address=xxx.xxx.121.42/32 name=ipsec-zp passive=yes profile=profile1 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip ipsec identity
add peer=ipsec-zp secret=password_here
/ip ipsec policy
add dst-address=192.168.20.0/24 peer=ipsec-zp proposal=proposal1 sa-dst-address=xxx.xxx.121.42 sa-src-address=xxx.xxx.158.248 src-address=192.168.10.0/24 \
tunnel=yes
----------------------------------------------------
The tunnel can work for an hour or two, or for two days. If I reboot one router, the tunnel does not come up. I see status "Established" and a successful key exchange in the logs, but data doesn't go through the tunnel. There is only one way to get the tunnel working again: I have to restore every router from its backup.
Active side first, passive side second. Then the tunnel works until the next accident.

Is there a way to make the tunnel work stably and start automatically after a router reboot or a disconnection for some other reason?
Last edited by remendado on Tue Jan 26, 2021 5:58 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with IPsec

Tue Jan 26, 2021 5:19 pm

Only one way to get the tunnel up again. I have to restore every router from its backup.
Is it really the only way? It doesn't make any sense why restoring config should help, when it's the same config as router already has. Did you try to reboot routers, or just turn ipsec off and on again (disable and enable peers)? Even that should be unnecessary, of course.

For lack of better ideas (because it's really a simple config with nothing clearly wrong), I'd try to change send-initial-contact from no to yes; its meaning is different from the intuitive one anyway:
send-initial-contact=yes is not an instruction to act as initiator; it actually means "replace any already existing connection from my IP address, irrespective of port, by this new one", so it is quite dangerous in some scenarios (multiple initiators coming to the responder from behind the same NAT address). But you're not the only one to get trapped by the name, I had the same wrong understanding for months, and so had others.
The passive=yes is enough for this side to not contact the other. And maybe this makes some difference, but I don't know protocol details that well.
 
remendado

Re: Need help with IPsec

Tue Jan 26, 2021 5:37 pm

Is it really the only way? It doesn't make any sense why restoring config should help, when it's the same config as router already has. Did you try to reboot routers, or just turn ipsec off and on again (disable and enable peers)? Even that should be unnecessary, of course.
I've tried all of these methods. No result. Only restoring from backups with the same configuration helps.

For the first time in my long practice, some service on Mikrotik is unstable, and I have no idea how to fix it.
 
remendado

Re: Need help with IPsec

Tue Jan 26, 2021 7:34 pm

Firewall settings

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-address=xxx.xxx.158.248 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-address=xxx.xxx.158.248 dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-address=xxx.xxx.158.248 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-address=xxx.xxx.158.248 in-interface=ether1 protocol=ipsec-ah
add action=drop chain=input dst-port=445 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=554 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.90
add action=accept chain=dstnat dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=dstnat dst-port=500 in-interface-list=WAN log=yes protocol=udp
add action=accept chain=dstnat dst-port=4500 in-interface-list=WAN log=yes protocol=udp
add action=dst-nat chain=dstnat in-interface-list=WAN to-addresses=192.168.10.2
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.20.0/24
/ip firewall service-port
set sip disabled=yes
---------------------------------------------------------------------------------------
/ip firewall connection tracking
set tcp-established-timeout=6h
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-address=xxx.xxx.121.42 dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input dst-address=xxx.xxx.121.42 dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input dst-address=xxx.xxx.121.42 in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input dst-address=xxx.xxx.121.42 in-interface=pppoe-out1 protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=dst-nat chain=dstnat dst-port=5555 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.20 to-ports=554
add action=dst-nat chain=dstnat dst-port=555 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.13 to-ports=554
add action=dst-nat chain=dstnat dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.20 to-ports=80
add action=dst-nat chain=dstnat dst-port=554 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.12
add action=dst-nat chain=dstnat dst-port=5554 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.21
add action=dst-nat chain=dstnat dst-port=8081 in-interface-list=WAN protocol=tcp to-addresses=192.168.20.12
add action=accept chain=dstnat dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=dstnat dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=dstnat dst-port=500 in-interface-list=WAN log=yes protocol=udp
add action=accept chain=dstnat dst-port=4500 in-interface-list=WAN log=yes protocol=udp
add action=accept chain=dstnat in-interface-list=WAN protocol=gre
add action=accept chain=dstnat in-interface-list=WAN protocol=ipsec-esp
add action=dst-nat chain=dstnat in-interface-list=WAN to-addresses=192.168.20.2
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.20.0/24
/ip firewall service-port
set sip disabled=yes
 
Sob

Re: Need help with IPsec

Tue Jan 26, 2021 7:50 pm

In both configs, you dstnat everything to some other device, except selected stuff. Second config has this:
/ip firewall nat
add action=accept chain=dstnat in-interface-list=WAN protocol=ipsec-esp
The same thing would make sense also for first one.
 
remendado

Re: Need help with IPsec

Tue Jan 26, 2021 9:01 pm

And now I once more restored all routers from their backups with the configs listed above. The tunnel is working. Traffic flows over these rules:
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.20.0/24
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

If I restart one router, the tunnel stops

My brain is boiling
 
Sob

Re: Need help with IPsec

Tue Jan 26, 2021 10:45 pm

Did you try those two changes I suggested?

I'm sure it has some explanation. Examine logs on both sides, check with packet sniffer if something is getting lost, etc.
 
remendado

Re: Need help with IPsec

Tue Jan 26, 2021 11:47 pm

Did you try those two changes I suggested?

I'm sure it has some explanation. Examine logs on both sides, check with packet sniffer if something is getting lost, etc.
I restored both routers from a backup made 3 days ago, and the tunnel came up. I made the changes after that, but haven't tested a single-router reboot yet.
 
Sob

Re: Need help with IPsec

Wed Jan 27, 2021 12:02 am

One thing I find slightly weird, your input rules have dst-address=xxx.xxx.158.248, but it would seem more logical to use src-address=<peer's address> to allow packets from peer. Isn't it possible that there's some mixup there? Both addresses (xxx.xxx.158.248 and xxx.xxx.121.42) are public, right? But if so, what's the reason for passive peer?
 
remendado

Re: Need help with IPsec

Wed Jan 27, 2021 10:52 am

Did you try those two changes I suggested?

I'm sure it has some explanation. Examine logs on both sides, check with packet sniffer if something is getting lost, etc.
It seems these changes help. The tunnel recovered twice, after separate reboots of the first and the second router.
Later I'll test recovery after a power loss.

Thank you so much for your assistance.
 
remendado

Re: Need help with IPsec

Wed Jan 27, 2021 5:09 pm

One thing I find slightly weird, your input rules have dst-address=xxx.xxx.158.248, but it would seem more logical to use src-address=<peer's address> to allow packets from peer.
For testing purposes, it is more convenient to work with one entry rule.
Both addresses (xxx.xxx.158.248 and xxx.xxx.121.42) are public, right? But if so, what's the reason for passive peer?
Sure. About passive peer, I don't know :) It works and reduces service traffic.
 
Sob

Re: Need help with IPsec

Wed Jan 27, 2021 5:46 pm

Hmm, neither answer makes sense to me. :)

As I wrote, if you had src-address=<peer's address> in those rules that allow IPsec traffic (IKE, ESP), it would allow this traffic from the peer, but not any IPsec traffic from elsewhere. It would protect the router from bots trying to scan open ports, and from unnecessary stuff in logs if they'd try to send some IKE packets. When you have dst-address=<local address>, I don't see how it can be useful, because it allows traffic from everywhere. But that said, it doesn't break this tunnel, it just looks unusual.

Passive option tells router to not initiate connection to peer, and wait for peer to initiate it. It makes sense for example when one peer is behind NAT with no forwarded ports, so the other one can't connect to it. So even when there are some data to send to peer's subnets, it won't happen until peer creates tunnel. If both peers are able to connect to each other, you most likely don't want any of them to be passive, because then both will be able to start the tunnel, without waiting for the other one.
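An added configuration example, not an export from either router in this thread, that applies the three points raised above to the posted setup: the dstnat accept for ESP that the first router lacks (Sob's earlier reply noted the second router already has it), input rules that match on the peer's source address instead of the local destination address, and peers that are not passive on either side with send-initial-contact=yes. The addresses are the thread's masked placeholders xxx.xxx.158.248 (first router, WAN on ether1) and xxx.xxx.121.42 (second router, WAN on pppoe-out1); the place-before targets refer to rules and comments that are present in the posted configs. The AH rules are left out because the posted proposal negotiates ESP, so no AH traffic is expected.

```routeros
# ===== First router (xxx.xxx.158.248, WAN on ether1, peer xxx.xxx.121.42) =====
# Peer: not passive, and send-initial-contact=yes so the responder replaces any stale SA
# left over from before a reboot with the new one (per Sob's explanation above).
/ip ipsec peer
set [ find name=ipsec-db ] passive=no send-initial-contact=yes

# Input chain: accept IKE / NAT-T / ESP only when it comes from the peer's address.
# Inserted before the default "drop all not coming from LAN" rule so they take effect.
/ip firewall filter
add chain=input action=accept in-interface=ether1 src-address=xxx.xxx.121.42 \
    protocol=udp dst-port=500,4500 comment="IKE and NAT-T from IPsec peer only" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept in-interface=ether1 src-address=xxx.xxx.121.42 \
    protocol=ipsec-esp comment="ESP from IPsec peer only" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]

# dstnat chain: the catch-all "dst-nat everything from WAN to 192.168.10.2" rule at the
# end of the chain would otherwise redirect incoming ESP to that LAN host; accept ESP
# before it, the same way the second router already does.
/ip firewall nat
add chain=dstnat action=accept in-interface-list=WAN src-address=xxx.xxx.121.42 \
    protocol=ipsec-esp comment="do not dst-nat ESP from IPsec peer" \
    place-before=[ find chain=dstnat action=dst-nat to-addresses=192.168.10.2 ]

# ===== Second router (xxx.xxx.121.42, WAN on pppoe-out1, peer xxx.xxx.158.248) =====
# This side was passive=yes; since both public addresses are reachable, let it initiate
# as well, so the tunnel re-establishes no matter which router rebooted.
/ip ipsec peer
set [ find name=ipsec-zp ] passive=no send-initial-contact=yes

/ip firewall filter
add chain=input action=accept in-interface=pppoe-out1 src-address=xxx.xxx.158.248 \
    protocol=udp dst-port=500,4500 comment="IKE and NAT-T from IPsec peer only" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept in-interface=pppoe-out1 src-address=xxx.xxx.158.248 \
    protocol=ipsec-esp comment="ESP from IPsec peer only" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
# The second router's dstnat chain already accepts ipsec-esp before its catch-all rule.
```

After adding these, the original input rules that match on dst-address=<local address> for ports 500/4500 and ipsec-esp can be removed on both routers, so that only the peer's address can reach IKE and ESP on the WAN interface. The forward-chain rules matching ipsec-policy=in,ipsec and out,ipsec, and the raw notrack rules for the two subnets, stay as posted.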
 
remendado

Re: Need help with IPsec

Wed Jan 27, 2021 5:54 pm

Hmm, neither answer makes sense to me. :)
You are definitely right.
I will keep this in mind for the future.

Thank you very much once more :)
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Need help with IPsec

Wed Jan 27, 2021 6:11 pm

Re: tunneling remote LAN networks

I have found that almost every tunnel configuration works differently and no two tunnels deliver the same speeds.
However, this is what I found to be the fastest and by far the most reliable:
1st, I build/establish an IPIP tunnel between the two MikroTiks. This tunnel uses the outside live IP address of both MikroTiks.
2nd, I build/establish an EoIP tunnel inside the IPIP tunnel. This tunnel uses an RFC 1918 IP address (example 192.168.231.1/30).

It's an encrypted tunnel (secure).
My ipip-tunnel is configured to use MTU 1480
My eoip-tunnel is configured to use MTU 1388

I know these MTUs may sound a bit off, but this is what I found to be the fastest configuration to get a remote site LAN (on a major cable-TV company) to my internal networks.
FYI, tweaking any MTU up or down would give me slightly slower throughput, so these MTU numbers are what worked best for me.
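An added configuration example, not TomjNorthIdaho's own export, that sketches the layering he describes for one site: an IPIP tunnel between the two public addresses at MTU 1480, an EoIP tunnel inside it on 192.168.231.1/30 at MTU 1388, and the EoIP interface bridged into the local LAN. The public addresses, interface names, bridge name, EoIP tunnel-id and the peer's inner address 192.168.231.2 are placeholders or assumptions. The post says only that the tunnel is encrypted; using the IPIP interface's ipsec-secret, which makes RouterOS create a dynamic IPsec peer and policy for the tunnel traffic, is this example's choice and is not stated in the thread. The firewall rules assume the default RouterOS firewall with its "drop all not coming from LAN" input rule is in place.

```routeros
# Added example for site A. Replace the <...> placeholders; mirror on site B with the
# public addresses swapped and 192.168.231.2/30 as the inner address.

# Outer tunnel: IPIP between the two public addresses, MTU 1480 as in the post.
# ipsec-secret is an assumption for "encrypted": RouterOS then adds a dynamic IPsec
# peer and policy that protect the IPIP traffic between these two addresses.
/interface ipip
add name=ipip-siteB local-address=<siteA-public-ip> remote-address=<siteB-public-ip> \
    mtu=1480 ipsec-secret=<strong-shared-secret> comment="outer IPIP tunnel"

# Inner addressing for the IPIP tunnel (the RFC 1918 /30 from the post).
/ip address
add address=192.168.231.1/30 interface=ipip-siteB comment="IPIP inner /30"

# Inner tunnel: EoIP carried inside the IPIP tunnel, MTU 1388 as in the post.
# tunnel-id must match on both ends (assumed value).
/interface eoip
add name=eoip-siteB local-address=192.168.231.1 remote-address=192.168.231.2 \
    tunnel-id=231 mtu=1388 comment="inner EoIP tunnel (L2)"

# Bridge the EoIP interface into the LAN bridge so both sites share one L2 segment.
/interface bridge port
add bridge=<lan-bridge> interface=eoip-siteB

# Input chain: accept the tunnel protocols only from the remote site, placed before
# the default drop rule. IKE/ESP carry the IPsec-protected IPIP packets; the decrypted
# IPIP packets and the GRE packets of EoIP (arriving via the ipip interface) also
# traverse the input chain and need their own accept rules.
/ip firewall filter
add chain=input action=accept src-address=<siteB-public-ip> protocol=udp dst-port=500,4500 \
    comment="IKE/NAT-T for the IPIP ipsec-secret peer" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept src-address=<siteB-public-ip> protocol=ipsec-esp \
    comment="ESP protecting the IPIP tunnel" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept src-address=<siteB-public-ip> protocol=ipip ipsec-policy=in,ipsec \
    comment="decrypted IPIP from site B only" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept in-interface=ipip-siteB src-address=192.168.231.2 protocol=gre \
    comment="EoIP (GRE) inside the IPIP tunnel" \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
```

The ipsec-policy=in,ipsec match on the IPIP rule ensures plain, unencrypted IPIP packets from the internet are not accepted even if they spoof the remote site's address. Whether this layering beats a single IPsec tunnel for throughput depends on the path, as the exchange that follows points out; the MTU values here are the ones the post reports, not a general recommendation.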
 
Sob

Re: Need help with IPsec

Wed Jan 27, 2021 6:46 pm

EoIP in IPIP, and the whole thing in IPSec, if it should be encrypted... that sounds seriously overcomplicated to me.
 
TomjNorthIdaho

Re: Need help with IPsec

Wed Jan 27, 2021 7:17 pm

EoIP in IPIP, and the whole thing in IPSec, if it should be encrypted... that sounds seriously overcomplicated to me.
A little complicated the first time I built this combination. But I was trying to solve a remote throughput issue at a remote customer office location where I needed to get the remote LAN network transported to a local LAN for the same customer (two locations, with one location using a different ISP).

I tried dozens and dozens of different types of tunnels and VPNs, and none of them was fast enough for what I wanted. The final config I am using (tunnel in tunnel) was tweaked and tuned on all possible settings until I actually started getting the absolute fastest speeds possible.
 
Sob

Re: Need help with IPsec

Wed Jan 27, 2021 9:02 pm

I can't argue with results, of course. :) But I wouldn't expect that to be the best solution.
 
TomjNorthIdaho

Re: Need help with IPsec

Wed Jan 27, 2021 9:44 pm

I can't argue with results, of course. :) But I wouldn't expect that to be the best solution.
One reason I did it this way is that I suspect the remote ISP location was doing something funky with their MTUs to the point that normal 1500 MTU on a tunnel would never pass.
