holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 12:14 am

I want to set up an IPSEC link between Azure and an MT-device for my client as a quick workaround when new shops/locations are being installed, to cover the period needed for the permanent setup of network equipment from our provider (which ultimately results in a BGP network where all sites are connected).

Why IPSEC ? Because that's the only damn thing allowed in that specific Azure setup for Site 2 Site VPN.

In Azure there are various servers for different purposes (ERP application, file servers, print servers, DNS, AD, ...).
On local premise there are basically computers, printers and scanners, all connected with cable or wifi.

The aim is the Azure servers should be able to reach the local printers for printing of documents generated by servers in the cloud. This works.
Local scanners should be able to drop their scanned documents to file servers located in Azure. This I can not get to work.

I've followed various guides but can't get it to work both ways. One way only.

This one from Tik about Site-to-site config
https://help.mikrotik.com/docs/display/ ... Ev1)tunnel

This one from Microsoft (older but still useful):
https://learn.microsoft.com/en-us/archi ... k-routeros

Azure setup is copy-paste from a connection to some Watchguard device (and using instructions referenced above). That one works both ways.
I have reached the point where traffic from Azure down to the local network works.
For now this is the most important part when we want to setup a new location.
But I want the other way to work as well. And there I am stuck.

Network diagram:
2022-09-23_22-03-42.png

Mikrotik config (sanitized):
20220923mAP.rsc

PS Yes, there is ALSO a Wireguard connection. I need to control that thing from home in case that IPSEC connection doesn't work.
And that Wireguard connection works just fine, no problems there 8)

FWIW (and the experts will know what to do, I guess)
when pinging from local network to Azure server (10.0.1.16), I get a response like this:
2022-09-23_23-09-02.png
Any comments or pointers are more than welcome.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 2:56 am

Could it be that target server just doesn't like connections from 192.168.21.x?

I don't see anything clearly wrong. You have some unnecessary filter rules (first two in forward chain, that traffic would be allowed anyway by next two with ipsec-policy option), some unnecessary srcnat rules (first two again; default one won't touch that traffic because of ipsec-policy=out,none), and missing accept rules in input (you should allow udp 500 and 4500 and protocol ipsec-esp from <Azure Public IP>; edit: the latter is not necessary since you're behind NAT), but none of that is breaking anything.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 8:48 am

I know these rules are not needed since I see no hits. Result from the Tik instructions I followed.

About accept of ipsec ports, I had it on a previous version of config, doesn't change a thing.
One way only.

The ping from local to Azure does something since I see a connection between 10.0.1.x and 192.168.0.10 when I run it.

The Azure side is configured similarly to a connection to a Watchguard towards a 192.168.0.0/24 subnet.
And that works.
I followed all steps only changing what's needed for this new setup. External ip and local subnet. And secret key, obviously.

But you gave me a good pointer... I'll see if I can check firewall settings on Azure side.
Maybe it indeed restricts incoming traffic except specified subnets.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 10:26 am

As far as I can see no firewall restrictions on Azure side.
How can I know it effectively is being sent out by the mAP when I ping Azure?

When doing local ping from Tik to 10.0.1.21 (which fails) and from server 10.0.1.16 ping to 192.168.21.1 (which works) I see this:
2022-09-24_09-23-47.png

What I think I see there is that 10.0.1.16 device tries to send something back but not to the correct IP address ? Is that what needs to be addressed ?

I may have to reach out to our IT provider to help me on the Azure part, since there should be a possibility to do network packet capturing there, but I have no clue how it needs to be done.
Learning quite some bits, but I need to get to the end successfully to make it a worthwhile experience ...
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 10:30 am

Also tried
/ip ipsec installed-sa print interval=1s

when doing ping from local to Azure.
As far as I can see counters do not move so the problem is local ?
But where ?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Azure IPSEC problem - one way traffic only  [SOLVED]

Sat Sep 24, 2022 12:36 pm

The src-address of the policy at Mikrotik side is 192.168.21.0/24 in order to match the LAN subnet. But as you have no dedicated route to 10.0.1.0/24, when pinging 10.0.1.21, the Mikrotik finds the default route which goes via 192.168.0.1, so it chooses its own address in that subnet, 192.168.0.10, as the source one for the ping. And that address doesn't match the traffic selector of the policy.

So add src-address=192.168.21.1 to the ping 10.0.1.21 command and sniff again.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 2:49 pm

Oh boy, this is getting interesting !!

[xyz@MTmAP] > ping 10.0.1.21 src-address=192.168.21.1
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 10.0.1.21                                  56 128 18ms530us 
    1 10.0.1.21                                  56 128 51ms279us 
    2 10.0.1.21                                  56 128 18ms540us 
    3 10.0.1.21                                  56 128 19ms510us 
    sent=4 received=4 packet-loss=0% min-rtt=18ms530us avg-rtt=26ms964us 
   max-rtt=51ms279us 

A NAT rule is needed then ?
If I look at this diagram, I would think output chain ? But action=src-nat is not possible there...

Oh wait...
any communication going to Azure, using ether1 should be handled.
So srcnat to 10.0.1.0/24, out interface ether1, action=src-nat, to-address=192.168.21.1
[xyz@MTmAP] > ping 10.0.1.21
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 10.0.1.21                                  56 128 21ms802us 
    1 10.0.1.21                                  56 128 17ms754us 
    2 10.0.1.21                                  56 128 19ms634us 
    3 10.0.1.21                                  56 128 20ms556us 
    4 10.0.1.21                                  56 128 19ms913us 
    5 10.0.1.21                                  56 128 19ms107us 
    6 10.0.1.21                                  56 128 17ms994us 
    7 10.0.1.21                                  56 128 50ms34us  
    sent=8 received=8 packet-loss=0% min-rtt=17ms754us avg-rtt=23ms349us 
   max-rtt=50ms34us 
Correct ??
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 3:01 pm

Connected laptop to the local wireless of that mAP, correctly received an IP within the .21.x subnet.

I can access all servers on Azure from local network !
The other way around I can not reach my laptop from Azure but this might be local firewall, will try other device.
Edit: used my smartphone, it's reachable from Azure ! So that part is not broken. From that device I can also scan all servers in the Azure domain.
So that's a big step forward !!

But I can not reach that mAP device from my local laptop anymore using IP (MAC works).
Close but not completely there yet ...
Last edited by holvoetn on Sat Sep 24, 2022 3:22 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 3:16 pm

A NAT rule is needed then ?
...
any communication going to Azure, using ether1 should be handled.
So srcnat to 10.0.1.0/24, out interface ether1, action=src-nat, to-address=192.168.21.1
...
Correct ??
It depends on what you actually want.

If the only reason is that you could ping the Azure side subnet from the Mikrotik itself, then using src-address as a parameter of the ping command is sufficient. Traffic from hosts in 192.168.21.0/24 is properly exempted from getting src-nated to 192.168.0.10 by the rule action=accept chain=srcnat dst-address=10.0.1.0/24 src-address=192.168.21.0/24 (the next rule with swapped dst-address and src-address is redundant as the nat table only handles the initial packet of each connection), so if this traffic does not work, the reason is something else.

If the reason is that you indeed want the Mikrotik itself to be able to initiate connections other than ping to the Azure side, then there are two other possibilities in addition to your src-nat rule (chain=srcnat src-address-type=local dst-address=10.0.1.0/24 action=src-nat to-addresses=192.168.21.1) - you can either add a dedicated route via any reachable gateway but specify pref-src (e.g. dst-address=10.0.1.0/24 gateway=192.168.0.1 pref-src=192.168.21.1), or, even simpler but weird-looking, use a route dst-address=10.0.1.0/24 gateway=bridge - this will set the source address to 192.168.21.1 automatically.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sat Sep 24, 2022 4:14 pm

The aim is the local network can fully reach and access resources within the Azure subnet.
Other way around: from Azure we need to be able to access printers on the local network so our Navision ERP can print documents on the correct place.

I tried the weird-looking route suggestion (dst 10.0.1.0/24, gateway bridge), that did not work. All access broke (regular internet and towards Azure).
So I took one step back (removed that route) and did further testing from my laptop connected to mAP-wireless.

I can effectively access shared network folders, see the servers, even RDP into them.
I connected a mAP Lite to ether2 of that mAP, it got a network address. I can get into that device using Winbox starting from Azure.
Therefore both directions work from a functional point of view for me.

So ... instead of squeezing out the very last drop of that setup, I am at a stage now where for the local organization it will work.
Printing from Azure to local network should be possible.
Scanning documents from local devices directly to shared network resources should be possible as well.

As for accessing the MT-router:
I can always use Azure to local router when connected via Azure/IPSEC, wireguard access from home or winbox/Mac when being local. 3 options, that should be enough.

Thanks a ton for the pointers, both of you !
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 12:50 am

No, this weird route:
/ip route
add dst-address=10.0.1.0/24 gateway=bridge pref-src=192.168.21.1
can't break anything. First, dst-address is 10.0.1.0/24, so nothing else could be affected. It's obviously a lie that any 10.0.1.x is reachable on bridge, because it's not there at all. But because there's IPSec involved, it steals packets matching policy before they are sent out, so they won't ever go to bridge. The only thing this "fake" route is good for is the pref-src parameter. It tells the router to use this address as source when it (the router itself, not other devices) initiates new connection to 10.0.1.x.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 1:05 am

Just when I disassembled the whole setup you are clarifying this ... :shock:
:lol:

I'll set it up somewhere later this week and try it out.
Can't hurt to experiment further to fine-tune things as long as I have the device still in my reach.

PS I have a second setup with mAP using IPSEC (actually it was the first) which I remotely (250km away) changed using what I learned today.
I was a good boy, I waited for the shop to close before changing AND making sure to use Safe mode, in case something went wrong.
Azure resources accessible for the local devices now 8)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 2:11 am

You can't blame me, my shift starts later and I left you with my very capable colleague as replacement. Well, it's not exactly true, there's no shift and @sindy, who I don't really know, appeared by his own decision, ... :)

But mainly, did you actually change anything to make it work? Because unless I'm misreading something, it seems that you got stuck on testing from router (which most likely doesn't really need to access remote servers), before even trying it from device behind router, where you need it and from where it should have worked from the start.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 11:07 am

It was a nice 1 2 you guys did :D

You made me check the firewall part on other side, Sindy pointed out the source ip problem.

Only thing I changed as a result of that pointer was adding a srcnat rule from post #7 in Ip/Firewall/Nat

I'll sanitize the config (remove what's not needed anymore, add security where needed because right now I have this thing in DMZ at home though the other one is only working with forwarded ports) and post again.
I now have a working base so if it breaks, I know where to double-check the changes.

I'll try as well to remove the srcnat rule and see what it gives from behind the router.
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 12:55 pm

NAT rule is needed, so that's the one change that did it.
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.0.1.0/24 out-interface=ether1 \
    to-addresses=192.168.21.1

The other srcnat rules and the forward rules are not needed (as indicated by you, and I see no movement on their counters) since the default ipsec rules cover that part.

Setup:
ISP - mAP in DMZ - mAP Lite
When disabling the NAT rule on mAP, mAP Lite can not access Azure subnet.
When enabling NAT rule, it works again.
Each time when changing something, I removed all active connections in firewall and killed active IPSEC connection as well.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 4:21 pm

This srcnat rule should not be needed either. Or more accurately, it will help with connections initiated by router, because it will cause them to have 192.168.21.1 as source. It's either this srcnat, the weird route with pref-src, or src-address you used for ping. But it's not needed for connections initiated by other devices, because they already have 192.168.21.x as source.

In fact, it's sort of breaking things, because if e.g. 192.168.21.20 tries to connect to remote server, it will be seen by this server as 192.168.21.1. In other words, if it works (from devices other than router) with this srcnat but not without, it suggests some filtering on the other side.
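A small Python model of the behaviour sindy and Sob describe above (router-originated traffic picking 192.168.0.10 from the default route and missing the policy selector, the three fixes, and the side effect of the srcnat rule on LAN hosts). This is an added illustration, not RouterOS code or anything from the thread; the addresses, route and srcnat rule are the ones quoted in the posts, while the lookup and matching logic is a deliberate simplification.

```python
import ipaddress

# Addresses quoted in the thread
LAN = ipaddress.ip_network("192.168.21.0/24")
AZURE = ipaddress.ip_network("10.0.1.0/24")
ROUTER_ADDRS = {"bridge": "192.168.21.1", "ether1": "192.168.0.10"}
POLICY_SELECTOR = (LAN, AZURE)  # src/dst of the IPsec policy on the Mikrotik side

# Routing entries: (destination, out-interface, pref-src). Only the default route
# exists in the original setup; the second table adds sindy's pref-src route.
DEFAULT_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "ether1", None)]
PREF_SRC_ROUTES = DEFAULT_ROUTES + [(AZURE, "ether1", "192.168.21.1")]


def pick_source(dst, routes, explicit_src=None):
    """Source selection for a router-originated packet (simplified): an explicit
    src-address wins, otherwise the pref-src of the longest-matching route,
    otherwise the router's own address on that route's out-interface."""
    dst = ipaddress.ip_address(dst)
    if explicit_src:
        return explicit_src
    route = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return route[2] or ROUTER_ADDRS[route[1]]


def outbound(dst, src_host=None, routes=DEFAULT_ROUTES, explicit_src=None,
             nat_rule=False):
    """Return (source address the Azure side will see, policy-selector matched).
    src_host=None means the router itself originates the packet; otherwise a LAN
    host does. nat_rule models the thread's srcnat rule:
    dst-address=10.0.1.0/24 out-interface=ether1 to-addresses=192.168.21.1
    (interface check omitted here, since every route in this model uses ether1)."""
    src = src_host or pick_source(dst, routes, explicit_src)
    if nat_rule and ipaddress.ip_address(dst) in AZURE:
        src = "192.168.21.1"  # every connection now looks like the router
    matched = (ipaddress.ip_address(src) in POLICY_SELECTOR[0]
               and ipaddress.ip_address(dst) in POLICY_SELECTOR[1])
    return src, matched


if __name__ == "__main__":
    print("router, default route   :", outbound("10.0.1.21"))
    print("router, ping src-address:", outbound("10.0.1.21", explicit_src="192.168.21.1"))
    print("router, pref-src route  :", outbound("10.0.1.21", routes=PREF_SRC_ROUTES))
    print("LAN host, no srcnat     :", outbound("10.0.1.21", src_host="192.168.21.20"))
    print("LAN host, with srcnat   :", outbound("10.0.1.21", src_host="192.168.21.20",
                                                nat_rule=True))
```

The last two lines are Sob's point: the LAN host already matches the selector without NAT, and with the srcnat rule the Azure side loses the real per-host source address, so logs and any filtering there only ever see 192.168.21.1.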
 
holvoetn
Forum Guru
Topic Author
Posts: 5398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Azure IPSEC problem - one way traffic only

Sun Sep 25, 2022 6:16 pm

I hear what you say but this is what I observe which works for both ways.

'The other side' is not entirely under my control (I do have full admin access there but I do not understand at all how networking is done there. Better said: I understand it a lot less than how it's done on a Tik).
Better not touch it to avoid an organization of 250 people going down :shock:

What I find strange: the "problem" of having one-way communication with Azure is something which appears pretty frequently when you search for it.
Almost always some natting rule is involved to solve it, but only now I understood how it needed to be done (due to that ping with src-address suggestion).
