GarbleGage

IPSec MikroTik to Checkpoint FW

Thu Sep 30, 2021 5:57 pm

Hello everybody,

I am slowly losing my mind on this topic :( .

I am trying to establish an IPsec tunnel between my on-site MikroTik router (RouterOS 6.48.4) and our company's Checkpoint FW.
I have an established tunnel, and according to our support engineer the tunnel also looks fine on the Checkpoint side.
To avoid NAT issues, the on-site network matches the encryption domain (172.29.97.0/28); the VPN tunnel should have direct access to the connected machines.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
To confirm the connection, I have my company notebook which is connected to the company network (172.19.6.210).
I have a second notebook connected to the MT router (172.29.97.13).

From the company notebook, I try to ping the other PC (ping 172.29.97.13).
The MT recognizes the incoming connection (icmp) as "SC",
source 172.19.6.210 dest 172.29.97.13 -> reply source 172.29.97.13 reply dest 172.19.6.210
The MT's firewall accepts incoming ipsec policy packets (is triggered).
Wireshark recognizes the ping (icmp) request AND response.
The MT's firewall accepts outgoing ipsec policy packets (is triggered).
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Furthermore
The active peer between site and firewall has the same amount of packets in Tx and Rx. So there is definitely data flowing. State is established, dynamic address is 0.0.0.0.
The firewall filters "accept in ipsec policy" and "accept out ipsec policy" have the same amount of packets. These entries seem to be triggered.
The log shows,
forward: in:ether1 out:bridge, src-mac ***, proto ICMP (type 8, code 0), 172.19.6.210->172.29.97.13, len 60
forward: in:bridge out:ether1, src-mac ***, proto ICMP (type 0, code 0), 172.29.97.13->172.19.6.210, len 60
The ipsec's SAs register "Current Bytes" in both directions.

BUT ... the packets get lost somewhere. The initiating PC does not get any response. The ping times out. :(

I cannot really ping the other direction, because the company is pretty strict with firewall rules.
Anyways, without the proper tunnel, I guess I would not be able to recognize the ping on the MT / other computer at all?
I feel like I am sooo close to solving this issue, but I am exhausted and have no further idea what to do ... Please help!
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

My config looks like this:
/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEE TUN SRC-ADDRESS                                  DST-ADDRESS                                  PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T X*         ::/0                                         ::/0                                         all       
 1   A  K   yes 172.29.97.0/28                               172.19.4.0/22                                all        encrypt require          2
 2   A  K   yes 172.29.97.0/28                               172.20.82.0/23                               all        encrypt require          1
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address-list=LAN_VPN dst-address-list=LAN_VPN log=yes log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/ip firewall address-list print     
Flags: X - disabled, D - dynamic 
 #   LIST                                         ADDRESS                                                           CREATION-TIME        TIMEOUT             
 0   LAN_VPN                                      172.29.97.0/28                                                    sep/30/2021 14:12:34
 1   LAN_VPN                                      172.20.82.0/23                                                    sep/30/2021 14:12:50
 2   LAN_VPN                                      172.19.4.0/22                                                     sep/30/2021 14:13:08
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=yes log-prefix="" ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=yes log-prefix="" ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
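An added example, not the poster's own configuration and not anything from MikroTik: a small Python audit script that parses the print output above and flags two well-known RouterOS IPsec pitfalls, the ipsec-policy accept rules landing behind the fasttrack rule (fasttracked connections skip the IPsec policy) and a masquerade rule missing ipsec-policy=out,none (tunnel traffic would be NATed before the policy selector sees it). On the poster's rules as shown, both checks pass.

```python
import re
# Constructed sample, copied from the poster's print output (forward rules 6-8, srcnat rules 0-1).
FILTER_PRINT = """\
 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=yes log-prefix="" ipsec-policy=in,ipsec
 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=yes log-prefix="" ipsec-policy=out,ipsec
 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
"""
NAT_PRINT = """\
 0    chain=srcnat action=accept src-address-list=LAN_VPN dst-address-list=LAN_VPN log=yes log-prefix=""
 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
"""
RULE_START = re.compile(r"^\s*(\d+)\s+([XIDA ]*)\s*(.*)$")  # "<id> <flags> <comment or params>"
KEY_VALUE = re.compile(r'(\S+?)=("[^"]*"|\S*)')             # key=value or key="quoted value"
def parse_print(text):
    """Parse RouterOS 'print' output into an ordered list of {key: value} dicts, one per rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:                                # new rule: number, optional flag letters, rest of line
            rules.append({"id": m.group(1), "flags": m.group(2).strip()})
            rest = m.group(3)
        elif rules and line.strip():         # indented continuation line belongs to the last rule
            rest = line.strip()
        else:
            continue
        if rest.startswith(";;;"):           # ';;;' introduces the rule comment
            rules[-1]["comment"] = rest[3:].strip()
            continue
        for key, value in KEY_VALUE.findall(rest):
            rules[-1][key] = value.strip('"')
    return rules

def audit(filter_rules, nat_rules):
    """Return findings for two IPsec pitfalls: policy accepts after fasttrack, masquerade without out,none."""
    findings = []
    fwd = [r for r in filter_rules if r.get("chain") == "forward"]
    ft = next((i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"), len(fwd))
    covered = {r.get("ipsec-policy") for r in fwd[:ft] if r.get("action") == "accept"}
    for pol in ("in,ipsec", "out,ipsec"):
        if pol not in covered:
            findings.append(f"forward: no accept for ipsec-policy={pol} ahead of fasttrack (would bypass IPsec)")
    for r in nat_rules:
        if r.get("action") == "masquerade" and r.get("ipsec-policy") != "out,none":
            findings.append(f"srcnat rule {r['id']}: masquerade lacks ipsec-policy=out,none (would NAT tunnel traffic)")
    return findings
```

Paste your own /ip firewall filter print and /ip firewall nat print output into the two strings to run the same checks against a live box.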
