lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Site to Site IPsec Tunnel

Thu May 10, 2018 10:41 pm

I'm trying to setup an IPsec tunnel between two private networks at different sites and I'm having difficulty getting traffic to flow.

I've added IPsec policies and Peers, and added the Firewall NAT rule. I also added the Firewall Filter rules to bypass Fasttrack. Another thread on this forum suggested adding rules to allow udp 4500 and ipsec-esp so I did that as well.

Initially I don't see any packets in the Firewall Filters. If I edit the Fasttrack bypass rule connection state to include New, I begin to see packets traveling from Site 1 to Site 2 but I still can not make a connection.


Screenshots (images not included in this extract): Site1 Policy, Site1 Peer, Site1 Firewall, Site1 NAT, Site2 Policy, Site2 Peer, Site2 Firewall, Site2 NAT

Site 1 Router Export

# may/10/2018 11:43:22 by RouterOS 6.23
# software id = DUHI-IMYE
#
/interface bridge
add arp=proxy-arp name=local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-GE
set [ find default-name=ether3 ] master-port=ether2-master-GE name=ether3-slave-GE
set [ find default-name=ether4 ] master-port=ether2-master-GE name=ether4-slave-GE
set [ find default-name=ether5 ] master-port=ether2-master-GE name=ether5-slave-GE
set [ find default-name=ether6 ] name=ether6-master-FE
set [ find default-name=ether7 ] master-port=ether6-master-FE name=ether7-slave-FE
set [ find default-name=ether8 ] master-port=ether6-master-FE name=ether8-slave-FE
set [ find default-name=ether9 ] master-port=ether6-master-FE name=ether9-slave-FE
set [ find default-name=ether10 ] name=ether10-Interconnect-FE
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors l2mtu=2290 mode=station-bridge ssid=MikroTik-FF4EFD \
wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_internal ranges=192.168.218.100-192.168.218.150
/ip dhcp-server
add address-pool=dhcp name=default
add address-pool=dhcp_internal disabled=no interface=local lease-time=3d name=dhcp-local
/ip ipsec mode-config
add address-pool=dhcp_internal name=" " split-include=0.0.0.0/0
/port
set 0 name=serial0
/ppp profile
set 1 bridge=local local-address=192.168.218.1 remote-address=dhcp_internal
/interface bridge port
add bridge=local interface=ether2-master-GE
add bridge=local interface=ether6-master-FE
add bridge=local interface=sfp1
add bridge=local interface=wlan1
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set enabled=yes
/interface ovpn-server server
set certificate=ca_1 enabled=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.218.1/24 comment="Internal network" interface=ether2-master-GE network=192.168.218.0
add address=Site1_Public_IP comment="This shouldn't be static maybe." interface=ether1-gateway network=Site1_Default_Gateway
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.218.105 mac-address= server=dhcp-local
add address=192.168.218.24 always-broadcast=yes mac-address=
add address=192.168.218.22 mac-address=
add address=192.168.218.7 mac-address=
add address=192.168.218.8 mac-address=
add address=192.168.218.10 mac-address=
add address=192.168.218.11 mac-address=
add address=192.168.218.52 mac-address=
add address=192.168.218.23 mac-address=
add address=192.168.218.114 mac-address= server=dhcp-local
add address=192.168.218.103 mac-address= server=dhcp-local
add address=192.168.218.149 mac-address= server=dhcp-local
add address=192.168.218.101 mac-address= server=dhcp-local
add address=192.168.218.124 mac-address= server=dhcp-local
add address=192.168.218.127 mac-address= server=dhcp-local
add address=192.168.218.110 mac-address= server=dhcp-local
add address=192.168.218.150 mac-address= server=dhcp-local
add address=192.168.218.146 mac-address= server=dhcp-local
add address=192.168.218.145 mac-address= server=dhcp-local
add address=192.168.218.143 mac-address= server=dhcp-local
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.218.0/24 dns-server=192.168.218.10,8.8.8.8,4.2.2.2 domain= gateway=192.168.218.1
/ip dns
set allow-remote-requests=yes servers=192.168.218.10,8.8.8.8,4.2.2.2
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Allow related/Established connections to this device" connection-state=established,related
add chain=forward connection-state=established,related,new dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add chain=forward connection-state=established,related,new dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add chain=input dst-port=4500 protocol=udp src-port=4500
add chain=input protocol=ipsec-esp
add chain=output protocol=ipsec-esp
add chain=input comment="Allow pinging this device" protocol=icmp
add chain=input comment="Allow TCP port 1723 to this device" dst-port=1723 protocol=tcp
add chain=input comment="Allow GRE traffic to this device" log=yes protocol=gre

add chain=input comment="Allow all traffic from the local network." src-address=192.168.218.0/24
add action=drop chain=input comment="Drop all other traffic to this device from the internet" in-interface=ether1-gateway
add chain=forward comment="Accept Related/Established Forwards" connection-state=established,related
add action=drop chain=forward comment="Drop packets with an invalid connection state" connection-state=invalid

add chain=forward comment="Allow new http, https and printer traffic from us to the redacted network" connection-state=new dst-address=\
10.99.88.0/23 dst-port=80,443,515,631,9100 protocol=tcp src-address=192.168.218.0/24
add chain=forward comment="Allow new SNMP requests from us to the redacted network" connection-state=new dst-address=10.99.88.0/23 dst-port=161 \
protocol=udp src-address=192.168.218.0/24
add chain=forward comment="Allow from us to redacted." connection-state=new disabled=yes dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add chain=forward comment="allow from redacted to us" connection-state=new disabled=yes dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=drop chain=forward comment="Drop any other traffic from us to the redacted network" connection-state=new dst-address=10.99.88.0/23 \
src-address=192.168.218.0/24
add action=drop chain=forward comment="redacted network is not allowed to initiate forwards through this device" connection-state=new \
src-address=10.99.88.0/23
add action=drop chain=forward comment="Drop new packets from the internet to us unless they're sent to forwarded ports" connection-nat-state=\
!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=" " src-address=192.168.218.2-192.168.218.254
/ip firewall nat
add chain=srcnat dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat log-prefix=masquerade out-interface=ether10-Interconnect-FE to-addresses=10.99.88.100
# tunnel not ready
add action=masquerade chain=srcnat out-interface=tunnel
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=8166 protocol=tcp to-addresses=192.168.218.6 to-ports=8166
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=80 protocol=tcp to-addresses=192.168.218.30
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=22 protocol=tcp to-addresses=192.168.218.30
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=2222 protocol=tcp to-addresses=192.168.218.141 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=Site1_Public_IP dst-port=5900 protocol=tcp to-addresses=192.168.218.4
add action=dst-nat chain=dst-nat dst-address=Site1_Public_IP dst-port=3000 protocol=tcp to-addresses=192.168.218.50
#
add action=masquerade chain=srcnat out-interface=" "
/ip ipsec peer
add disabled=yes enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-override
add address=10.0.0.228/32 disabled=yes
add address=Site2_Public_IP/32 port=4500
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.0.0/24 sa-dst-address=Site2_Public_IP sa-src-address=Site1_Public_IP src-address=192.168.218.0/24 tunnel=yes
/ip route
add distance=1 gateway=Site1_Default_Gateway
add disabled=yes distance=1 dst-address=10.99.88.0/23 gateway=ether10-Interconnect-FE
/lcd
set time-interval=hour
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=
/system ntp client
set enabled=yes primary-ntp=192.168.218.10 secondary-ntp=
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-GE
add interface=ether3-slave-GE
add interface=ether4-slave-GE
add interface=ether5-slave-GE
add interface=ether6-master-FE
add interface=ether7-slave-FE
add interface=ether8-slave-FE
add interface=ether9-slave-FE
add interface=ether10-Interconnect-FE
add interface=sfp1
add interface=wlan1
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-GE
add interface=ether3-slave-GE
add interface=ether4-slave-GE
add interface=ether5-slave-GE
add interface=ether6-master-FE
add interface=ether7-slave-FE
add interface=ether8-slave-FE
add interface=ether9-slave-FE
add interface=ether10-Interconnect-FE
add interface=sfp1
add interface=wlan1
add
Site 2 Router Export

# may/10/2018 11:59:59 by RouterOS 6.28
# software id = 7UZ3-A7HR
#
/interface bridge
add arp=proxy-arp name=Internal protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local-10.0.0.0
set [ find default-name=ether3 ] master-port=ether2-master-local-10.0.0.0 name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local-10.0.0.0 name=ether4-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip dhcp-server
# DHCP server can not run on slave interface!
add disabled=no interface=ether2-master-local-10.0.0.0 name=default
/ip pool
add name=openVPN-employee-pool ranges=10.0.0.0/28
add name=openVPN-customer-pool ranges=10.0.0.16/28
add name=dhcp-lan-client-pool ranges=10.0.0.17-10.0.0.32
/ip dhcp-server
add address-pool=dhcp-lan-client-pool disabled=no interface=Internal name=dhcp1
/interface bridge port
add bridge=Internal interface=ether2-master-local-10.0.0.0
/ip firewall connection tracking
set enabled=yes
/ip address
add address=10.0.0.228/24 interface=ether2-master-local-10.0.0.0 network=10.0.0.0
add address=Site2_Public_IP interface=ether1-gateway network=Site2_Default_Gateway
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.228 netmask=24
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns static
add address=10.0.0.228 name=router
/ip firewall filter
add chain=forward comment="RELATED/ESTABLISHED forward" connection-state=established,related
add chain=forward connection-state=established,related,new dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add chain=forward connection-state=established,related,new dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add chain=input dst-port=4500 protocol=udp src-port=4500
add chain=input protocol=ipsec-esp
add chain=output protocol=ipsec-esp
add chain=input protocol=icmp
add chain=forward protocol=icmp
add chain=input in-interface=ether1-gateway src-address=Site1_Public_IP
add chain=forward dst-address=10.0.0.0/24
add chain=input src-address=10.0.0.0/24
add chain=forward comment="Allow internal servers internet connectivity." in-interface=Internal
add chain=input dst-port=1194 protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input dst-port=47 protocol=tcp
add action=drop chain=forward comment="Drop everything else forwarded"
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall mangle
add chain=postrouting dst-address=10.0.0.234 protocol=icmp src-address=Site2_IP
add chain=prerouting dst-address=Site2_IP src-address=10.0.0.0/24
/ip firewall nat
add chain=srcnat dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="Masquerade for internal servers." out-interface=ether1-gateway src-address=10.0.0.0/24
add action=dst-nat chain=dstnat dst-port=9101 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.0.234 to-ports=9101
add action=dst-nat chain=dstnat dst-port=9102 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.0.234 to-ports=9102
add action=dst-nat chain=dstnat dst-port=9103 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.0.234 to-ports=9103
/ip ipsec peer
add address=Site1_Public_IP port=4500
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.218.0/24 sa-dst-address=Site1_Public_IP sa-src-address=Site2_Public_IP src-address=10.0.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=Site2_Public_IP
/ip service
set telnet disabled=yes
set www-ssl certificate=cert_1 disabled=no
/romon port
add disabled=no
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="MikroTik"
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local-10.0.0.0
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local-10.0.0.0
/tool sniffer
set filter-interface=Internal
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 10:11 am

  • By setting port=4500 in /ip ipsec peer, you only affect which port on the remote peer the local device sends its initial IKE packets to, but not the port on the local device from which it sends them, which remains 500. There is no way to affect the locally used port by any peaceful means - you have to use a big hammer if you really need to change the local port.
  • A device normally starts listening on port 4500 only after initial communication on port 500 has revealed that there is a NAT on at least one of the ends, which is not your case as both your devices have a public IP directly on themselves.
  • The firewall rule accepting only packets from port 4500 on port 4500 makes sure that even if the above wasn't true, the IPsec stack won't get incoming packets on its port 4500 which come from remote port 500.
So at both ends, remove the port=4500 setting from the /ip ipsec peer configuration, and change the firewall filter rule
chain=input dst-port=4500 protocol=udp src-port=4500
to
chain=input dst-port=500,4500 protocol=udp


If it doesn't start working then, check in steps that
  • there is a dynamic item in the Remote Peers list
  • there is "established" in the Phase 2 column of Policy list
  • there is something in the "installed SA" list
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 8:08 pm

I noticed that the software on my routers was out of date so I updated both of them to v6.42.1. I also deleted my IPsec Policies and Peers and started over fresh. I made the change to the firewall rule you recommended, but otherwise left the rules intact. With the updated router software I was also able to add RAW filtering rules.

You also recommended to check:
  • there is a dynamic item in the Remote Peers list
There are two remote peers for each site. One is listed as the responder and one is listed as the initiator.
The dynamic address in every case is 0.0.0.0
  • there is "established" in the Phase 2 column of Policy list
This is not true. It will either say "msg 1 sent" or "no phase2"
  • there is something in the "installed SA" list
There is usually something in the Installed SA list, but the behavior seems strange. The entries disappear after a few seconds and are replaced. Sometimes there are two on one router and none on the other. I have also seen multiple entries with different SPI values, or multiple entries where the Src Address and Dst Address are swapped. If there are no entries I can go into the IPsec Policy settings and hit apply to create one.

I have some questions about the Peer settings:
Should one of the peers be set to Passive?
Should both peers have Send Initial Contact checked?
Do I need to check or uncheck NAT Traversal?
Notrack Chain is not set to anything right now. Should it be set to Output, Prerouting or neither?
Generate Policy is set to No. Should that be changed?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 8:57 pm

  • Should both peers have Send Initial Contact checked?
    You can do that to get rid of the two remote peers. I don't know whether it is mandatory or whether one of the peers will eventually stop attempting to establish a new connection once the one initiated by the other one establishes, as I've never experienced the luxury of having both devices on public addresses, and if one peer is behind a NAT and there is no port-forwarding configured on that NAT device, that peer must be the initiator and the one on public address must be the recipient.
  • Should one of the peers be set to Passive?
    I am not sure here. It may have to follow the setting above.
  • Do I need to check or uncheck NAT Traversal?
    Since both your peers have public addresses on themselves, you do not have to check it. But if you do check it, it doesn't cause any harm.
  • Notrack Chain is not set to anything right now. Should it be set to Output, Prerouting or neither?
    This is intended for use when you get configuration dynamically from the remote peer using mode-config. If you configure policies at both ends statically, set these rules statically too or make sure that the src-nat will not apply on the traffic towards the other site some other way (by adding an exception from src-nat to the nat table).
  • Generate Policy is set to No. Should that be changed?
    This makes sense on a central hub of several IPsec connections; for a site to site VPN, you may use it at one site which then generates the policy as a mirror of the one received from the peer, or you may configure the policies statically at both sites. I suspect that if one site uses mode-config to tell the other one what to do, both may have generate-policy set to yes, but I haven't tried yet.
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 9:13 pm

Thank you for the prompt response. I think I'm most concerned with the fact that my Installed SAs are not sticking around and that my PH2 State is never reaching established.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 9:17 pm

If you aren't getting phase 2 established, something doesn't match between the two peers. I always have this logging rule on standby to enable whenever I want to see what's going on:
/system logging
add disabled=yes prefix="IPSEC: " topics=ipsec,!packet
If it helps, here's my starting template when setting up a site-to-site IPSec tunnel.
/ip ipsec proposal
add name="<proposal name>" auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp4096
/ip ipsec peer
add address=<Remote Peer IP>/32 dh-group=modp4096 dpd-interval=15s enc-algorithm=aes-256 nat-traversal=yes secret=<PSK>
/ip ipsec policy
add dst-address=<Remote Private Subnet>/<Mask> level=unique sa-dst-address=<Remote Peer IP> sa-src-address=<Local Peer IP> src-address=<Local Private Subnet>/<Mask> tunnel=yes proposal="<proposal name>"
Of course NAT translation must be excluded as well. Put this rule before the masquerade rule.
/ip firewall nat
add action=accept chain=srcnat dst-address=<remote subnet> src-address=<local subnet>
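The pitfalls raised in sindy's and tippenring's replies above (peer port=4500, the input rule restricted to src-port=4500, the srcnat bypass rule sitting after masquerade, and phase-2 proposals that do not match between sites) can all be read straight out of an /export. The following checker is an added example written for this page, not code from the thread or from MikroTik; the two abridged exports it parses are constructed in the style of the posts above (SITE_A reproduces the original mistakes, SITE_B the corrected form, with the thread's Site1_Public_IP / Site2_Public_IP placeholders kept), and the function names, the "(default)" marker for unset proposal fields and the first-proposal-only comparison are assumptions of this example.

```python
"""Static checks over RouterOS '/export' text for the site-to-site IPsec pitfalls
discussed in this thread. Added example, not from the thread or MikroTik."""
import shlex

# Constructed, abridged exports in the thread's style (placeholders kept as on the forum).
SITE_A = """\
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip firewall filter
add chain=input dst-port=4500 protocol=udp src-port=4500
add chain=input protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add chain=srcnat dst-address=10.0.0.0/24 src-address=192.168.218.0/24
/ip ipsec peer
add address=Site2_Public_IP/32 port=4500
/ip ipsec policy
add dst-address=10.0.0.0/24 sa-dst-address=Site2_Public_IP sa-src-address=Site1_Public_IP \\
    src-address=192.168.218.0/24 tunnel=yes
"""
SITE_B = """\
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip firewall filter
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway
/ip ipsec peer
add address=Site1_Public_IP/32
"""

def parse_export(text):
    """Return {menu path: [entry dicts]}. Backslash continuations are joined, '#' comments
    skipped, '[ find ... ]' selectors ignored, quoted values handled by shlex."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: keep accumulating
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):                # a menu path opens a new section
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)
        entry, depth = {"_cmd": tokens[0]}, 0
        for tok in tokens[1:]:
            if tok == "[":
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections

def check_site(cfg, local_net, remote_net, wan_if):
    """Single-site checks; returns a list of findings (empty means clean)."""
    findings = []
    for peer in cfg.get("/ip ipsec peer", []):
        if peer.get("disabled") != "yes" and "port" in peer:
            findings.append(f"peer {peer.get('address')}: port={peer['port']} only changes the "
                            "remote port; the local IKE source port stays 500")
    ike_accepted = False
    for rule in cfg.get("/ip firewall filter", []):
        if (rule.get("chain"), rule.get("protocol"), rule.get("action", "accept")) != ("input", "udp", "accept"):
            continue
        if "src-port" in rule:                  # IKE arriving from remote port 500 never matches
            findings.append(f"input rule dst-port={rule.get('dst-port')} src-port={rule['src-port']}: "
                            "IKE from remote port 500 will not match this rule")
        elif {"500", "4500"} <= set(rule.get("dst-port", "").split(",")):
            ike_accepted = True
    if not ike_accepted:
        findings.append("no input accept rule for udp dst-port=500,4500")
    nat = cfg.get("/ip firewall nat", [])     # rule order matters: first match wins
    bypass = next((i for i, r in enumerate(nat) if r.get("chain") == "srcnat"
                   and r.get("action", "accept") == "accept"
                   and r.get("src-address") == local_net and r.get("dst-address") == remote_net), None)
    masq = next((i for i, r in enumerate(nat) if r.get("chain") == "srcnat"
                 and r.get("action") == "masquerade" and r.get("out-interface") == wan_if), None)
    if bypass is None:
        findings.append(f"no srcnat accept rule for {local_net} -> {remote_net}; tunnel traffic gets NATed")
    elif masq is not None and bypass > masq:
        findings.append("srcnat bypass rule is placed after the masquerade rule, so it never matches")
    return findings

def check_pair(cfg_a, cfg_b):
    """Cross-site check: phase 2 only establishes if the proposals agree (first proposal only)."""
    def proposal(cfg):
        props = cfg.get("/ip ipsec proposal", [])
        return props[0] if props else {}
    pa, pb, findings = proposal(cfg_a), proposal(cfg_b), []
    enc_a = set(pa.get("enc-algorithms", "").split(","))
    enc_b = set(pb.get("enc-algorithms", "").split(","))
    if not enc_a & enc_b:
        findings.append(f"no common enc-algorithm: {sorted(enc_a)} vs {sorted(enc_b)}")
    for key in ("auth-algorithms", "pfs-group"):   # unset means the RouterOS default
        if pa.get(key, "(default)") != pb.get(key, "(default)"):
            findings.append(f"{key} differs: {pa.get(key, '(default)')} vs {pb.get(key, '(default)')}")
    return findings

if __name__ == "__main__":
    a, b = parse_export(SITE_A), parse_export(SITE_B)
    print("site A:", check_site(a, "192.168.218.0/24", "10.0.0.0/24", "ether1-gateway") or "OK")
    print("site B:", check_site(b, "10.0.0.0/24", "192.168.218.0/24", "ether1-gateway") or "OK")
    print("pair  :", check_pair(a, b) or "OK")
```

Run it against the real output of /export hide-sensitive from each router (paste it in place of the constructed strings); site A here reports four findings, site B none, and the proposal comparison reports the 3des-versus-AES mismatch that turned out to be the actual cause later in the thread.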
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 9:21 pm

Thank you for the prompt response. I think I'm most concerned with the fact that my Installed SAs are not sticking around and that my PH2 State is never reaching established.
The former is the consequence of the latter. So to make things move ahead, do uncheck the "send initial contact" on one of the peers, and see whether then the phase 2 reaches established or not.

As you have started from scratch, you'll have to post the result of /export hide-sensitive from both ends again if the above is not enough to make things start working.
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 10:02 pm

Tippenring, you were absolutely correct. I had a mismatch in my proposals. I corrected that and now my PH2 state is established.

However, I am still not able to communicate with the remote Router by using its private IP address. Below is the new export from each site.

Site 1 Router Export

# may/11/2018 11:37:07 by RouterOS 6.42.1
# software id = DUHI-IMYE
#
# model = 2011UiAS-2HnD

/interface bridge
add arp=proxy-arp auto-mac=no fast-forward=no name=local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-GE
set [ find default-name=ether3 ] name=ether3-slave-GE
set [ find default-name=ether4 ] name=ether4-slave-GE
set [ find default-name=ether5 ] name=ether5-slave-GE
set [ find default-name=ether6 ] name=ether6-master-FE
set [ find default-name=ether7 ] name=ether7-slave-FE
set [ find default-name=ether8 ] name=ether8-slave-FE
set [ find default-name=ether9 ] name=ether9-slave-FE
set [ find default-name=ether10 ] name=ether10-Interconnect-FE
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n distance=indoors mode=station-bridge ssid=MikroTik-FF4EFD \
wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_internal ranges=192.168.218.100-192.168.218.150
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay name=default
add address-pool=dhcp_internal authoritative=after-2sec-delay disabled=no interface=local lease-time=3d name=\
dhcp-local
/queue interface
set tunnel queue=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=local interface=ether2-master-GE
add bridge=local interface=ether6-master-FE
add bridge=local hw=no interface=sfp1
add bridge=local interface=wlan1
add bridge=local interface=ether3-slave-GE
add bridge=local interface=ether4-slave-GE
add bridge=local interface=ether5-slave-GE
add bridge=local interface=ether7-slave-FE
add bridge=local interface=ether8-slave-FE
add bridge=local interface=ether9-slave-FE
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set enabled=yes
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master-GE list=discover
add interface=ether3-slave-GE list=discover
add interface=ether4-slave-GE list=discover
add interface=ether5-slave-GE list=discover
add interface=ether6-master-FE list=discover
add interface=ether7-slave-FE list=discover
add interface=ether8-slave-FE list=discover
add interface=ether9-slave-FE list=discover
add interface=ether10-Interconnect-FE list=discover
add interface=wlan1 list=discover
add interface=local list=discover
add interface=tunnel list=discover
add interface=ether2-master-GE list=mactel
add interface=ether3-slave-GE list=mactel
add interface=ether2-master-GE list=mac-winbox
add interface=ether4-slave-GE list=mactel
add interface=ether5-slave-GE list=mactel
add interface=ether6-master-FE list=mactel
add interface=ether7-slave-FE list=mactel
add interface=ether8-slave-FE list=mactel
add interface=ether3-slave-GE list=mac-winbox
add interface=ether9-slave-FE list=mactel
add interface=ether4-slave-GE list=mac-winbox
add interface=ether10-Interconnect-FE list=mactel
add interface=ether5-slave-GE list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether6-master-FE list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether7-slave-FE list=mac-winbox
add list=mactel
add interface=ether8-slave-FE list=mac-winbox
add interface=ether9-slave-FE list=mac-winbox
add interface=ether10-Interconnect-FE list=mac-winbox
add interface=sfp1 list=mac-winbox
add interface=wlan1 list=mac-winbox
add list=mac-winbox
/ip address
add address=10.0.0.1/24 comment="New Admin interface" disabled=yes interface=ether2-master-GE network=10.0.0.0
add address=192.168.218.1/24 comment="Internal network" interface=ether2-master-GE network=192.168.218.0
add address=Site1_Public_IP/26 comment="This shouldn't be static maybe." interface=ether1-gateway network=\

add address=10.99.88.100/23 interface=ether10-Interconnect-FE network=10.99.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.218.105 mac-address= server=dhcp-local
add address=192.168.218.24 always-broadcast=yes mac-address=
add address=192.168.218.22 mac-address=
add address=192.168.218.7 mac-address=
add address=192.168.218.8 mac-address=
add address=192.168.218.10 mac-address=
add address=192.168.218.11 mac-address=
add address=192.168.218.52 mac-address=
add address=192.168.218.23 mac-address=
add address=192.168.218.114 mac-address= server=dhcp-local
add address=192.168.218.103 mac-address= server=dhcp-local
add address=192.168.218.149 mac-address= server=dhcp-local
add address=192.168.218.101 mac-address= server=dhcp-local
add address=192.168.218.124 mac-address= server=dhcp-local
add address=192.168.218.127 mac-address= server=dhcp-local
add address=192.168.218.110 mac-address= server=dhcp-local
add address=192.168.218.150 mac-address= server=dhcp-local
add address=192.168.218.146 mac-address= server=dhcp-local
add address=192.168.218.145 mac-address= server=dhcp-local
add address=192.168.218.143 mac-address= server=dhcp-local
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.218.0/24 dns-server=192.168.218.10,8.8.8.8,4.2.2.2 domain=redacted gateway=\
192.168.218.1
/ip dns
set allow-remote-requests=yes servers=192.168.218.10,8.8.8.8,4.2.2.2
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="Allow related/Established connections to this device" connection-state=\
established,related
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=forward connection-state=established,related dst-address=192.168.218.0/24 src-address=\
10.0.0.0/24
add action=accept chain=forward connection-state=established,related dst-address=10.0.0.0/24 src-address=\
192.168.218.0/24
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="Allow pinging this device" protocol=icmp
add action=accept chain=input comment="Allow TCP port 1723 to this device" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow GRE traffic to this device" log=yes protocol=gre
add action=accept chain=forward protocol=tcp src-address=
add action=accept chain=input src-address=
add action=accept chain=input src-address=
add action=accept chain=input src-address=
add action=accept chain=input src-address=
add action=accept chain=input src-address=
add action=accept chain=input comment="Allow all traffic from the local network." src-address=192.168.218.0/24
add action=drop chain=input comment="Drop all other traffic to this device from the internet" in-interface=\
ether1-gateway
add action=accept chain=forward comment="Accept Related/Established Forwards" connection-state=\
established,related
add action=drop chain=forward comment="Drop packets with an invalid connection state" connection-state=invalid
add action=accept chain=forward comment="Allow new pings from us to the radacted network" dst-address=\
10.99.88.0/23 log-prefix=forward protocol=icmp src-address=192.168.218.0/24
add action=accept chain=forward comment=\
"Allow new http, https and printer traffic from us to the radacted network" connection-state=new \
dst-address=10.99.88.0/23 dst-port=80,443,515,631,9100 protocol=tcp src-address=192.168.218.0/24
add action=accept chain=forward comment="Allow new SNMP requests from us to the radacted network" \
connection-state=new dst-address=10.99.88.0/23 dst-port=161 protocol=udp src-address=192.168.218.0/24
add action=accept chain=forward comment="Allow from us to redacted." connection-state=new disabled=yes \
dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add action=accept chain=forward comment="allow from redacted to us" connection-state=new disabled=yes dst-address=\
192.168.218.0/24 src-address=10.0.0.0/24
add action=drop chain=forward comment="Drop any other traffic from us to the radacted network" \
connection-state=new dst-address=10.99.88.0/23 src-address=192.168.218.0/24
add action=drop chain=forward comment=\
"radacted network is not allowed to initiate forwards through this device" connection-state=new \
src-address=10.99.88.0/23
add action=drop chain=forward comment=\
"Drop new packets from the internet to us unless they're sent to forwarded ports" connection-nat-state=\
!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat log-prefix=masquerade out-interface=ether10-Interconnect-FE to-addresses=\
10.99.88.100
# tunnel not ready
add action=masquerade chain=srcnat out-interface=tunnel
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=8166 protocol=tcp to-addresses=\
192.168.218.6 to-ports=8166
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=80 protocol=tcp to-addresses=192.168.218.30
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=22 protocol=tcp to-addresses=192.168.218.30
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=2222 protocol=tcp to-addresses=\
192.168.218.141 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=Site1_Public_IP dst-port=5900 protocol=tcp \
to-addresses=192.168.218.4
add action=dst-nat chain=dst-nat dst-address=Site1_Public_IP dst-port=3000 protocol=tcp to-addresses=\
192.168.218.50
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=notrack chain=prerouting dst-address=10.0.0.0/24 src-address=192.168.218.0/24
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=aes-256,aes-128,3des exchange-mode=\
main-l2tp generate-policy=port-override
add address=10.0.0.228/32 dh-group=modp1024 disabled=yes
add address=Site2_Public_IP/32 notrack-chain=prerouting
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.0.0/24 level=unique sa-dst-address=Site2_Public_IP sa-src-address=Site1_Public_IP src-address=\
192.168.218.0/24 tunnel=yes
/ip route
add distance=1 gateway=Site1_Default_Gateway
add disabled=yes distance=1 dst-address=10.99.88.0/23 gateway=ether10-Interconnect-FE
/lcd
set time-interval=hour
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name=radacted
/system logging
add topics=ipsec,error
/system ntp client
set enabled=yes primary-ntp=192.168.218.10 secondary-ntp=
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox



Site 2 Router Export

# may/10/2018 20:03:59 by RouterOS 6.42.1
# software id = 7UZ3-A7HR
#
# model = RouterBOARD 750G r2
/interface bridge
add admin-mac= arp=proxy-arp auto-mac=no fast-forward=no name=Internal protocol-mode=\
none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local-10.0.0.0
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-local-redacted
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity="radacted - MikroTik"
/ip dhcp-server
add authoritative=after-2sec-delay disabled=no interface=ether2-master-local-10.0.0.0 name=default
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=openVPN-employee-pool ranges=10.0.0.0/28
add name=openVPN-customer-pool ranges=10.0.0.16/28
add name=dhcp-lan-client-pool ranges=10.0.0.17-10.0.0.32
/ip dhcp-server
add address-pool=dhcp-lan-client-pool authoritative=after-2sec-delay disabled=no interface=Internal name=\
dhcp1
/ppp profile
add bridge=Internal local-address=10.0.0.228 name=openVPN-employee-profile remote-address=\
openVPN-employee-pool
add bridge=Internal local-address=10.0.0.228 name=openVPN-customer-profile remote-address=\
openVPN-customer-pool
set *FFFFFFFE bridge=Internal
/queue interface
set ovpn-in1 queue=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=log
/interface bridge port
add bridge=Internal interface=ether2-master-local-10.0.0.0
add bridge=Internal interface=ether3-slave-local
add bridge=Internal interface=ether4-slave-local
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master-local-10.0.0.0 list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-local-redacted list=discover
add interface=Internal list=discover
add interface=ovpn-in1 list=discover
add interface=ether2-master-local-10.0.0.0 list=mactel
add interface=ether5-local-redacted list=mactel
add interface=ether2-master-local-10.0.0.0 list=mac-winbox
add interface=ether5-local-redacted list=mac-winbox
/interface ovpn-server server
set certificate=cert_1 cipher=blowfish128,aes128,aes192,aes256 default-profile=openVPN-employee-profile \
enabled=yes mode=ethernet
/interface pptp-server server
set authentication=mschap2 enabled=yes
/ip address
add address=10.0.0.228/24 interface=ether2-master-local-10.0.0.0 network=10.0.0.0
add address=Site2_Public_IP/30 interface=ether1-gateway network=redacted
add address=redacted interface=ether5-local-redacted network=redacted
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.228 netmask=24
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=redacted,redacted,8.8.8.8
/ip dns static
add address=10.0.0.228 name=router
/ip firewall filter
add action=accept chain=forward comment="RELATED/ESTABLISHED forward" connection-state=\
established,related
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=forward connection-state=established,related dst-address=10.0.0.0/24 src-address=\
192.168.218.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.218.0/24 \
src-address=10.0.0.0/24
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=forward disabled=yes in-interface=ether5-local-redacted out-interface=\
Internal
add action=accept chain=forward disabled=yes in-interface=Internal out-interface=\
ether5-local-redacted
add action=accept chain=forward comment="Let all traffic in to the public IP space" dst-address=\
redacted in-interface=ether1-gateway
add action=accept chain=input disabled=yes src-address=
add action=accept chain=input in-interface=ether1-gateway src-address=redacted
add action=accept chain=input in-interface=ether1-gateway src-address=Site1_Public_IP
add action=accept chain=input dst-address=redacted
add action=accept chain=input disabled=yes dst-address=redacted
add action=accept chain=input disabled=yes dst-address=redacted
add action=accept chain=forward in-interface=ether5-local-redacted
add action=accept chain=forward dst-address=10.0.0.0/24
add action=accept chain=input src-address=10.0.0.0/24
add action=accept chain=forward comment="Allow internal servers internet connectivity." in-interface=\
Internal
add action=accept chain=input disabled=yes src-address=redacted
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=47 protocol=tcp
add action=drop chain=forward comment="Drop everything else forwarded"
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=10.0.0.0/24 src-address=redacted
add action=accept chain=postrouting disabled=yes dst-address=10.0.0.234 protocol=icmp src-address=\
redacted
add action=accept chain=prerouting disabled=yes dst-address=redacted src-address=10.0.0.0/24
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="Masquerade for internal servers." out-interface=\
ether1-gateway src-address=10.0.0.0/24
add action=dst-nat chain=dstnat dst-port=9101 in-interface=ether1-gateway protocol=tcp to-addresses=\
10.0.0.234 to-ports=9101
add action=dst-nat chain=dstnat dst-port=9102 in-interface=ether1-gateway protocol=tcp to-addresses=\
10.0.0.234 to-ports=9102
add action=dst-nat chain=dstnat dst-port=9103 in-interface=ether1-gateway protocol=tcp to-addresses=\
10.0.0.234 to-ports=9103
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=notrack chain=prerouting dst-address=10.0.0.0/24 src-address=192.168.218.0/24
/ip ipsec peer
add address=Site1_Public_IP/32 notrack-chain=prerouting send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.218.0/24 level=unique sa-dst-address=Site1_Public_IP sa-src-address=Site2_Public_IP \
src-address=10.0.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=
/ip service
set telnet disabled=yes
set www-ssl certificate=cert_1 disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="radacted - MikroTik"
/system logging
add topics=ovpn
add topics=ipsec,error
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
/tool sniffer
set filter-interface=Internal
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 10:35 pm

Remove connection-state=related,established from the following rules and try again:
add action=accept chain=forward connection-state=established,related dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add action=accept chain=forward connection-state=established,related dst-address=192.168.218.0/24 src-address=10.0.0.0/24
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 10:54 pm

When I make this change I immediately begin to see packets start to flow on the src=192.168.218.0/24 dst=10.0.0.0/24 rule on Site 1. Those are packets flowing from the Site 1 private network towards the Site 2 private network. I don't see any packet activity on the Site 2 rules or on the incoming Site 1 rule.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Fri May 11, 2018 11:17 pm

Are you trying to reach the private address of the Mikrotik on Site2 itself or some other device on Site 2's LAN?

The thing is that rules in chain=forward only deal with forwarded traffic; you would have to add a rule to chain=input to permit connection to the private IP of the Mikrotik itself.

If you try to reach devices in Site 2's LAN, is the Mikrotik on Site 2 their default gateway?
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 8:55 pm

I was trying to connect to the Site 2 router's private IP interface to test the connection. I've since switched to connecting to a device inside the Site 2 private network. When I look at the firewall rules I only see traffic on the Raw rule going from the Site 1 private network towards the Site 2 private network. I see no traffic on the Site 2 rules and no traffic on the Site 1 rules for traffic coming from Site 2.
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 9:19 pm

Yes, the Mikrotik at Site 2 is the default gateway.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 9:22 pm

I was trying to connect to the Site 2 router's private IP interface to test the connection. I've since switched to connecting to a device inside the Site 2 private network. When I look at the firewall rules I only see traffic on the Raw rule going from the Site 1 private network towards the Site 2 private network. I see no traffic on the Site 2 rules and no traffic on the Site 1 rules for traffic coming from Site 2.
You have to look into the installed SA table. SAs are established according to the policies and as your policies now say "phase 2 established", the SAs should be there. If you ping and see the counters of the SA at site1 in direction site1->site2 to increase, it is likely that the issue is at site2; if the counters don't increase, it is likely that the policy at site1 didn't match them.

I cannot see anything else in your firewall rules than what you've already changed, and I can see that the 'Tik at each site sets itself as a default gateway to its DHCP clients. So the question is whether firewalls of those devices on LAN don't eventually block the ping or other requests. If you try to ping a LAN device on site 2 from a LAN device on site 1, you should see the counters increasing in the SAs for that direction at both ends; if you ping from site 1 to site 2, you should see the counters of the SAs in the opposite direction increase. Does this happen or not?
 
pe1chl
Forum Guru
Posts: 10200
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 10:18 pm

I would recommend you to scrap all that IPsec tunnel setup and instead at each end create a GRE tunnel with IPsec option enabled (and key entered).
Then at each end add a /30 network to the GRE tunnel (e.g. 192.168.255.1/30 and 192.168.255.2/30) and add a route to the far side via that tunnel.
You won't need the special NAT rules in this case.
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 10:50 pm

I've established my GRE tunnel and it seems to be working fine. That was so much easier. My question now is how do I enable IPsec. Do I just add the secret key? Is there any other option I need to check or enable?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 11:03 pm

I would recommend you to scrap all that IPsec tunnel setup and instead at each end create a GRE tunnel with IPsec option enabled (and key entered).
I've recently come across a thread in Croatian on other Mikrotik topics with a parable "it's like when you ask me to help you repair a tyre of your bicycle and I tell you to use a skateboard instead", but I fully agree with you that if you enjoy the luxury of having a public IP address at both ends, like in this case, a GRE tunnel encrypted using IPsec is a much better method of creating a site2site VPN. However, as soon as you need to use tunnelling mode of ESP because one of the peers does not have a public address, the overhead of one extra encapsulation may be the reason to go the IPsec-only way.
 
pe1chl
Forum Guru
Posts: 10200
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 11:07 pm

I've established my GRE tunnel and it seems to be working fine. That was so much easier. My question now is how do I enable IPsec. Do I just add the secret key? Is there any other option I need to check or enable?
Just check the "Use IPsec" option and enter the key in the next field (at both sides).
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 11:10 pm

I've established my GRE tunnel and it seems to be working fine. That was so much easier. My question now is how do I enable IPsec. Do I just add the secret key? Is there any other option I need to check or enable?
As @pe1chl wrote, you add the pre-shared key and you set use-ipsec to yes in the GRE settings. Once you do that, the RouterOS creates a dynamic IPsec configuration (peer and policy). If you want to use different IPsec settings (like e.g. IKEv2 instead of main or a different set of encryption methods), the best way to do that is to copy the dynamic peer and policy created by the GRE with disabled=yes, modify what you need to modify in the static copies, uncheck the use-ipsec in GRE configuration and enable the static copies of peer and policy. And don't forget to add a firewall rule preventing GRE packets not matching ipsec-policy=in,ipsec from being accepted on WAN interfaces, so that if the IPsec breaks down, the GRE would not run without encryption.
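As an added example that is not part of the thread (neither poster's own configuration), here is how the GRE-over-IPsec layout pe1chl describes, together with the fail-closed GRE rule sindy recommends, could look on the Site 1 router; Site 2 mirrors it with the public addresses swapped and 192.168.255.2/30 on its tunnel end. The interface name gre-site2 and the key CHANGE_ME are placeholders; Site1_Public_IP, Site2_Public_IP and ether1-gateway are the thread's own names.

```routeros
# Added example, not the thread's own export. Site 1 side only; Site 2 is the
# mirror image (addresses swapped, 192.168.255.2/30 on its GRE interface).
# Placeholders: gre-site2 (interface name), CHANGE_ME (pre-shared key).

# 1. GRE tunnel; the presence of ipsec-secret makes RouterOS create the
#    dynamic IPsec peer and policy for the tunnel endpoints itself.
/interface gre
add name=gre-site2 local-address=Site1_Public_IP remote-address=Site2_Public_IP \
    ipsec-secret=CHANGE_ME clamp-tcp-mss=yes comment="Site1 <-> Site2"

# 2. /30 transit network on the tunnel and a route to the far LAN through it.
/ip address
add address=192.168.255.1/30 interface=gre-site2
/ip route
add dst-address=10.0.0.0/24 gateway=192.168.255.2 comment="Site 2 LAN via GRE"

# 3. Firewall: IKE and ESP from the known peer only, and GRE on the WAN side
#    accepted only after IPsec decapsulation. The drop rule must sit above any
#    generic accept, so a broken SA cannot leave the tunnel running in clear.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=Site2_Public_IP in-interface=ether1-gateway \
    comment="IKE / NAT-T from Site 2"
add chain=input action=accept protocol=ipsec-esp src-address=Site2_Public_IP \
    in-interface=ether1-gateway comment="ESP from Site 2"
add chain=input action=drop protocol=gre in-interface=ether1-gateway \
    ipsec-policy=in,none comment="GRE that did not arrive inside IPsec: fail closed"
add chain=input action=accept protocol=gre src-address=Site2_Public_IP \
    in-interface=ether1-gateway ipsec-policy=in,ipsec comment="GRE from Site 2 via IPsec"
# LAN-to-LAN traffic now crosses the tunnel as ordinary forwarded packets, so the
# srcnat exception and the raw notrack rules for the two LANs are not needed.
add chain=forward action=accept in-interface=gre-site2 src-address=10.0.0.0/24 \
    dst-address=192.168.218.0/24 comment="Site 2 LAN -> Site 1 LAN"
add chain=forward action=accept out-interface=gre-site2 src-address=192.168.218.0/24 \
    dst-address=10.0.0.0/24 comment="Site 1 LAN -> Site 2 LAN"

# 4. Checks once both sides are configured: SAs present, tunnel end reachable,
#    and only the "in,ipsec" GRE rule accumulating packets.
/ip ipsec installed-sa print
/ping 192.168.255.2 count=5
/ip firewall filter print stats where protocol=gre
```

If the drop rule's counter increases while the tunnel is up, GRE is reaching the WAN interface outside IPsec and the IPsec side needs attention before anything else.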
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Mon May 14, 2018 11:36 pm

I don't see a use-ipsec option.
Image
Maybe the newer version has done away with this option and assumes that if you enter a secret key you want to use ipsec?
I do see Installed SAs, but my connection to Site 2 is no longer working
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 1:13 am

Here is a look at my Installed SAs and the associated traffic:

Site1
Image

Site2
Image
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 8:33 am

I don't see a use-ipsec option.
Maybe the newer version has done away with this option and assumes that if you enter a secret key you want to use ipsec?
I do see Installed SAs, but my connection to Site 2 is no longer working
You are right, it seems the configuration logic differs between GRE, IPIP, and EoIP on one hand and L2TP on the other: the former three do not support the use-ipsec parameter, and the fact that the ipsec-secret parameter is present (even if empty) is sufficient for them to use IPsec.

Here is a look at my Installed SAs and the associated traffic:
You can see that the SA traffic can get from Site 2 to Site 1, whereas traffic from Site 1 to Site 2 leaves Site 1 but is never seen at Site 2. The SAs show that ESP is used, and ESP is permitted in the input chain of your firewall filter at both sites, and no drop rule exists earlier in the firewall.

So the only explanation which comes to my mind is that one of the ISPs is blocking ESP in one direction. You should be able to confirm this by running the Torch tool on both WAN interfaces. Check the Protocol checkbox and choose ipsec as the Protocol value from the pre-defined list. When pinging the IP address associated to the GRE interface on Site 1 from Site 2 (you can start the ping and then switch over to Torch or you can have two tabs/windows open simultaneously), you should see ESP packets in both directions in the Torch results at Site 1, but only in one direction on Site 2. Don't worry if it shows Site 1 as source and Site 2 as destination, it's quite a mess in Torch, the important point is that you can see only one direction.

Come back with the result. If it confirms the suspicion, you can either talk to both ISPs or do a small trick to make RouterOS think that there is a NAT at one side, which will make it use the NAT traversal mode and thus encapsulate ESP into UDP.

If you can see ESP packets in both directions also on Site 2, post the output of /ip firewall connection print where protocol=ipsec-esp (after obfuscating the public addresses) from there.
 
pe1chl
Forum Guru
Posts: 10200
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 10:56 am

I agree with that. The fact that plain GRE works OK and this simple config of IPsec doesn't points to some filtering.
You normally do not really need to open firewall ports or protocols with this symmetric IPsec because the "established/related" match will process all replies to outgoing traffic, and both sides send outgoing traffic to each other that perfectly matches the incoming traffic.

On an unfiltered connection the "GRE with automatic IPsec" configuration typically works on first try.
(sorry for mentioning "use IPsec", indeed it is not a separate parameter here but it is implied by "opening" the input field for IPsec secret)
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 10:36 pm

So the only explanation which comes to my mind is that one of the ISPs is blocking ESP in one direction. You should be able to confirm this by running the Torch tool on both WAN interfaces. Check the Protocol checkbox and choose ipsec as the Protocol value from the pre-defined list. When pinging the IP address associated to the GRE interface on Site 1 from Site 2 (you can start the ping and then switch over to Torch or you can have two tabs/windows open simultaneously), you should see ESP packets in both directions in the Torch results at Site 1, but only in one direction on Site 2. Don't worry if it shows Site 1 as source and Site 2 as destination, it's quite a mess in Torch, the important point is that you can see only one direction.
Yes, these are the results I get. Site 1 has traffic going both ways, Site 2 only has traffic going out.

How would I go about making RouterOS think there is NAT on one side? I'm assuming I would be doing this at Site 2, but please correct me if I'm wrong.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 10:57 pm

How would I go about making RouterOS think there is NAT on one side? I'm assuming I would be doing this at Site 2, but please correct me if I'm wrong.
It is actually not important at which side you imitate the NAT.

Let's define a couple of symbolic addresses:
  • p.p.p.p is the public IP address of the Mikrotik where you implement the trick,
  • i.i.i.i is one of its private addresses on LAN, it must not be from the subnet you use for GRE,
  • w.w.w.w is the WAN gateway (from the same subnet like p.p.p.p),
  • r.r.r.r is the public IP address of the remote Mikrotik.
The following should be sufficient:
/ip firewall nat
add chain=dstnat action=dst-nat src-address=r.r.r.r dst-address=p.p.p.p protocol=udp dst-port=500,4500 to-addresses=i.i.i.i

/ip route
add dst-address=r.r.r.r gateway=w.w.w.w pref-src=i.i.i.i
On top of the above, change the local-address in the /interface gre configuration to i.i.i.i.

I assume that a src-nat or masquerade for traffic sent out via WAN already exists, and that no other rule in chain dstnat shadows the one above.
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 11:04 pm

  • i.i.i.i is one of its private addresses on LAN, it must not be from the subnet you use for GRE,

When you say one of its private addresses on LAN, should it be an address that is not assigned to a device? Or does it not matter if it has been assigned?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Tue May 15, 2018 11:12 pm

When you say one of its private addresses on LAN, should it be an address that is not assigned to a device? Or does it not matter if it has been assigned?
It must be Mikrotik's own address assigned to some other interface than the WAN one and the GRE one, not an address of another device on the LAN.
 
lss
just joined
Topic Author
Posts: 17
Joined: Thu May 10, 2018 8:16 pm

Re: Site to Site IPsec Tunnel

Wed May 16, 2018 7:52 pm

Thank you for the clarification.

Configuring this at Site 1, would it look like this?

Image

Would this also work without GRE?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site IPsec Tunnel

Wed May 16, 2018 9:53 pm

Configuring this at Site 1, would it look like this?
Yes.
Would this also work without GRE?
Yes.
