tonecool
Joined: Sat Dec 22, 2018 10:34 pm

Problem accessing an IP over IPsec

Sun Jan 29, 2023 5:31 pm

Hello guys, I have a problem configuring a MikroTik router to access an IP (10.0.0.6) over IPsec, and I would appreciate your suggestions very much.

Here is what I'm doing (just as a proof of concept) from my local windows machine:
# Create the IKEv2 connection: machine-certificate auth, split tunneling (no default route through the tunnel)
powershell -command "Add-VpnConnection -ServerAddress 108.142.165.191 -Name nas-vpn -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling $True -PassThru"
# Pin the IKE (AES256 / SHA256 / DH group 14) and ESP (AES-GCM-128) parameters; PFS is disabled here
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName nas-vpn -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
# Add a host route to 10.0.0.6 over the "nas-vpn" interface
powershell -command "Add-VpnConnectionRoute -ConnectionName nas-vpn -DestinationPrefix 10.0.0.6/32 -PassThru"
And this works just fine: I can access 10.0.0.6 from my local machine after the connection is established, and the rest of the traffic does not go over IPsec. This is the status of the established VPN connection from Windows:
[Screenshot of the Windows VPN connection status, with the IP address assigned to the machine marked]
The strange thing there is the marked IP address which my machine is getting; I don't understand where it is coming from, or how to configure it on MikroTik if needed.

I'm trying to configure MikroTik to do exactly the same thing for the whole local network: to establish the VPN connection and route traffic to the remote IP over it, but without success so far:
# IKEv2 peer: the remote gateway, with this router as initiator
/ip ipsec peer add address=108.142.165.191/32 exchange-mode=ike2 name=peer1
# Authenticate to peer1 with the imported certificate crt1.p12_1
/ip ipsec identity add auth-method=digital-signature certificate=crt1.p12_1 peer=peer1
# Tunnel-mode policy: LAN -> 10.0.0.6 is encrypted between the two public addresses
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.0.0.6/32 tunnel=yes action=encrypt proposal=default peer=peer1 sa-src-address=89.216.89.200 sa-dst-address=108.142.165.191

# Exempt tunnel traffic from masquerading so the policy still sees the LAN source address
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=192.168.88.0/24 dst-address=10.0.0.6/32
# Tried with this and without this, with the fasttrack rule disabled; no difference
/ip firewall raw add action=notrack chain=prerouting src-address=192.168.88.0/24 dst-address=10.0.0.6/32
/ip firewall raw add action=notrack chain=prerouting src-address=10.0.0.6/32 dst-address=192.168.88.0/24

Here are the router details:
[admin@MikroTikN] /ip address> / ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge
 1 D 89.216.89.200/28   89.216.89.192   ether1
[admin@MikroTikN] /ip address> / ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          89.216.89.193             1
 1 ADC  89.216.89.192/28   89.216.89.200   ether1                    0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
[admin@MikroTikN] /ip ipsec active-peers> print detail value-list
              id: 108.142.165.191
   local-address: 89.216.89.200
            port: 4500
  remote-address: 108.142.165.191
            port: 4500
           state: established
            side: initiator
          uptime: 10m35s
       last-seen: 4s
            spii: 75828578bc4a4b5e
            spir: 4f1456fa21c0724a
[admin@MikroTikN] /ip ipsec policy> print detail value-list
           group: default
     src-address: ::/0
     dst-address: ::/0
        protocol: all
        proposal: default
        template: yes

            peer: peer1
          tunnel: yes
     src-address: 192.168.88.0/24
        src-port: any
     dst-address: 10.0.0.6/32
        dst-port: any
        protocol: all
          action: encrypt
           level: require
 ipsec-protocols: esp
  sa-src-address: 89.216.89.200
  sa-dst-address: 108.142.165.191
        proposal: default
       ph2-count: 0
The IPsec connection is established just fine, but no traffic is going over it.
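The Windows-side procedure from the post, as an added example that is not part of the original post: it builds the same IKEv2 machine-certificate connection, then verifies what actually came up (the address the responder assigned to the adapter, the split-tunnel route, the IKE and child SAs, and reachability of the target) instead of assuming the connection is usable because it says "Connected". The gateway 108.142.165.191, the target 10.0.0.6 and the name nas-vpn are taken from the post; one deliberate change is assumed: PFS is enabled (PFS2048, matching DH group 14) rather than disabled, which only works if the responder's proposal offers the same PFS group. The cmdlets are the standard VpnClient and NetSecurity ones; run in an elevated PowerShell session.

```powershell
# Added example, not the original poster's script. Assumes an elevated session and
# that the machine certificate for 108.142.165.191 is already installed.
$Name    = 'nas-vpn'
$Gateway = '108.142.165.191'
$Target  = '10.0.0.6'

# Idempotent: drop a stale connection of the same name before recreating it
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

Add-VpnConnection -Name $Name -ServerAddress $Gateway -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling

# Same IKE/ESP parameters as the post, except PFS. With -PfsGroup None a compromised
# IKE SA key exposes every child SA; PFS2048 is assumed to match the responder's proposal.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048 -DHGroup Group14 -Force

# Split tunnel: only the single target host is routed into the tunnel
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix "$Target/32"

# Dial the connection and fail loudly if IKEv2 did not complete
rasdial $Name | Out-Null
if ((Get-VpnConnection -Name $Name).ConnectionStatus -ne 'Connected') {
    throw "IKEv2 negotiation with $Gateway failed; check the machine certificate and the RasClient event log"
}

# 1. The address on the VPN adapter is handed out by the responder in the IKEv2
#    configuration payload (INTERNAL_IP4_ADDRESS); nothing on the client sets it.
Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength

# 2. The host route must point at the VPN adapter, not at the physical default gateway
Get-NetRoute -DestinationPrefix "$Target/32" -AddressFamily IPv4 |
    Select-Object DestinationPrefix, InterfaceAlias, RouteMetric

# 3. IKE SA (main mode) and child SAs (quick mode) as negotiated. An empty quick-mode
#    list with an established main-mode SA is the Windows counterpart of ph2-count: 0.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, KeyModule
Get-NetIPsecQuickModeSA | Format-Table -AutoSize

# 4. End-to-end check: the reply must come back via the VPN adapter
Test-NetConnection -ComputerName $Target -InformationLevel Detailed |
    Select-Object PingSucceeded, SourceAddress, InterfaceAlias
```

If step 3 shows a main-mode SA but no quick-mode SA, the problem is in the child SA negotiation (traffic selectors or ESP proposal), not in authentication; if step 4 pings but `InterfaceAlias` is the physical NIC, the route was not installed on the VPN adapter and the packets never entered the tunnel.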
