Thanks...

Using pure IPsec (IKEv2), you can use /ip ipsec user to configure username, "password" and IP address in a similar way as with /ppp secret for ppp interfaces if you use pre-shared key & xauth authentication mode (it doesn't work with certificates). However, there is no script you could associate with the event of an IPsec connection coming up, so I'm not sure whether assigning the IP address to the clients from the server side brings any advantage over "hardcoding" it at the client side.
> You need to assign unique private addresses to the client routers (best attached to a bridge with no member ports) and set the GRE tunnels between an address on the server router and these addresses, using the IPsec in tunnel mode. So the IPsec policy transports GRE between the private address at the client side and the address on the server side. The rest is routed via the GRE. You can use IPsec policies alone but it is easy to get lost.

I didn't think I could choose a tunnel/transport mode when the tunnel was IKEv2?
# oct/09/2018 23:44:46 by RouterOS 6.43.1
# software id =
#
# model = RouterBOARD 1100x4
# serial number =
/interface bridge
add fast-forward=no name=IPSec_Bridge
add fast-forward=no name=loopback_test
/interface gre
add !keepalive name=gre-tunnel1 remote-address=192.168.77.3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=rw-policies
/ip ipsec proposal
add name=rw-proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.110
add name=rw-pool ranges=192.168.77.2-192.168.77.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=rw-conf split-include=192.168.89.0/24,192.168.90.0/24
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
/ip address
add address=210.xxx.xxx.98/30 interface=ether1 network=210.xxx.xxx.96
add address=192.168.90.10/24 interface=IPSec_Bridge network=192.168.90.0
add address=192.168.89.1/24 interface=ether2 network=192.168.89.0
add address=172.30.30.1 interface=loopback_test network=172.30.30.1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=192.168.89.0/24
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.89.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec peer
add auth-method=rsa-signature certificate=server1 exchange-mode=ike2 generate-policy=port-strict mode-config=rw-conf passive=yes policy-template-group=rw-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=rw-policies proposal=rw-proposal src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=210.xxx.xxx.97
add distance=1 dst-address=210.xxx.xxx.104/32 gateway=*F
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set silent-boot=no
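The layout quoted above (a private GRE endpoint on a bridge with no member ports at each end, GRE between those endpoints, IPsec tunnel-mode policies carrying nothing but the GRE) written out as a minimal pair of configs. This is an added example, not a config posted in the thread; all addresses are constructed (server WAN 203.0.113.1, server endpoint 10.0.10.1, client endpoint 10.0.11.1, client LAN 10.0.101.0/29, GRE transit 10.10.101.0/30), the secrets are placeholders, and it goes one step beyond the thread's own exports by using a single /24-to-/24 policy template so that one template serves every client site.

```routeros
# ===== server (responder, public WAN 203.0.113.1) =====
# 1. GRE endpoint on an empty bridge: always up, never reachable on the wire.
/interface bridge
add name=br-gre-ep comment="holds the local GRE endpoint, no ports"
/ip address
add address=10.0.10.1/32 interface=br-gre-ep network=10.0.10.1

# 2. GRE between the private endpoints; routed payload uses the /30 on the tunnel.
/interface gre
add name=gre-client1 local-address=10.0.10.1 remote-address=10.0.11.1
/ip address
add address=10.10.101.1/30 interface=gre-client1 network=10.10.101.0
/ip route
add dst-address=10.0.101.0/29 gateway=gre-client1 comment="client1 LAN via GRE"

# 3. IKEv2 responder, PSK + XAuth, one template covering the whole endpoint range.
#    GRE packets 10.0.10.1->10.0.11.1 follow the default route toward the WAN and the
#    dynamic policy (built from the template when the client connects) steals them.
/ip ipsec proposal
add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy group
add name=gre-clients
/ip ipsec policy
add template=yes group=gre-clients proposal=gre-prop src-address=10.0.10.0/24 dst-address=10.0.11.0/24
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=ike2 passive=yes auth-method=pre-shared-key-xauth \
    secret=PSK_PLACEHOLDER generate-policy=port-strict policy-template-group=gre-clients \
    send-initial-contact=no
/ip ipsec user
add name=client1 password=XAUTH_PW_PLACEHOLDER

# 4. Firewall: IKE/NAT-T and ESP from anywhere, GRE only if it arrived inside an SA,
#    and never let a GRE packet leave in the clear (e.g. before the SA is up).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp
add chain=input action=accept protocol=gre ipsec-policy=in,ipsec comment="GRE only via IPsec"
add chain=input action=drop protocol=gre comment="bare GRE from the Internet"
add chain=output action=drop protocol=gre ipsec-policy=out,none comment="never send bare GRE"

# ===== client (initiator behind NAT, dynamic WAN on ether1) =====
/interface bridge
add name=br-gre-ep comment="holds the local GRE endpoint, no ports"
/ip address
add address=10.0.11.1/32 interface=br-gre-ep network=10.0.11.1
/interface gre
add name=gre-server local-address=10.0.11.1 remote-address=10.0.10.1
/ip address
add address=10.10.101.2/30 interface=gre-server network=10.10.101.0
/ip route
add dst-address=10.0.0.0/24 gateway=gre-server comment="server management LAN via GRE"
/ip ipsec proposal
add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=ike2 auth-method=pre-shared-key-xauth \
    secret=PSK_PLACEHOLDER xauth-login=client1 xauth-password=XAUTH_PW_PLACEHOLDER
# Static policy on the initiator: sa-src-address=0.0.0.0 because the WAN address is
# dynamic and NATed; level=unique keeps one SA pair per policy.
/ip ipsec policy
add src-address=10.0.11.1/32 dst-address=10.0.10.1/32 tunnel=yes sa-src-address=0.0.0.0 \
    sa-dst-address=203.0.113.1 level=unique proposal=gre-prop
/ip firewall filter
add chain=output action=drop protocol=gre ipsec-policy=out,none comment="never send bare GRE"
```

Every further client site gets its own bridge address 10.0.11.x on the client and a matching gre-clientN interface plus /ip ipsec user on the server; the policy template and the peer entry on the server stay untouched.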
> I didn't think I could choose a tunnel/transport mode when the tunnel was IKEv2?

Transport/tunnel mode is a choice related to ESP used to transport the tunnelled data; both IKE and IKEv2 are used only to set up the AH or ESP transport and negotiate the mode.
> I did try messing around with a GRE tunnel by setting it up as a bridge interface, but didn't get anywhere there either.

This cannot work. A gre interface is an L3 one so it cannot be a member port of a bridge - only L2 interfaces can be bridge ports. But you can attach addresses from different subnets to the two ends of a gre tunnel and it will still work if the routing configuration is appropriate. So on server side, you set /ip address add interface=gre-1 address=a.a.a.a/32 network=b.b.b.b/32; on client side, you set /ip address add interface=gre-1 address=b.b.b.b/32 network=a.a.a.a/32. If the server receives a packet for b.b.b.b, it sends it via gre-1 thanks to the dynamic route created. But to make sure that the server receives the packet, you need to configure routing accordingly before the server. So if b.b.b.b/32 is in server's WAN subnet, you have to set arp=proxy-arp on server's WAN interface; if it is not in server's WAN subnet, you have to advertise it using BGP or RIP depending on what the ISP tells you, or ask for a static route.
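The "/32 address with the peer's address as network" arrangement from the reply above, filled in with constructed values as an added example (not a config from the thread): a.a.a.a = 10.255.0.1 on the server, b.b.b.b = 203.0.113.6, a spare address inside the server's WAN subnet 203.0.113.0/29 (gateway 203.0.113.1), which the client site then uses as the public source for its cameras. The camera address 10.0.101.5 and the service port are placeholders; gre-1 is assumed to already exist at both ends (for instance over IPsec as in the thread).

```routeros
# ===== server =====
# The /32 address installs a connected route 203.0.113.6/32 -> gre-1 ...
/ip address
add address=10.255.0.1/32 interface=gre-1 network=203.0.113.6
# ... and proxy-arp on the WAN port makes the server answer the ISP gateway's ARP
# for 203.0.113.6. For an address outside the WAN subnet this line is replaced by
# a static route at the ISP or a BGP/RIP advertisement.
/interface ethernet
set ether1 arp=proxy-arp
# The public /32 is routed, not NATed: keep masquerade away from it.
/ip firewall nat
add chain=srcnat action=accept src-address=203.0.113.6 comment="client site's own public address"
add chain=srcnat action=masquerade out-interface=ether1
# Expose only the camera service toward the client site.
/ip firewall filter
add chain=forward action=accept in-interface=ether1 out-interface=gre-1 dst-address=203.0.113.6 \
    protocol=tcp dst-port=554 comment="camera service (placeholder port)"
add chain=forward action=drop in-interface=ether1 out-interface=gre-1 dst-address=203.0.113.6 \
    comment="anything else aimed at the client's public address"

# ===== client =====
# Mirror image: installs 10.255.0.1/32 -> gre-1, so both GRE endpoints are reachable
# although they sit in unrelated subnets.
/ip address
add address=203.0.113.6/32 interface=gre-1 network=10.255.0.1
# Cameras leave through the tunnel with the public address; the rest of the site
# keeps using the local uplink.
/ip firewall address-list
add list=cameras address=10.0.101.5
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=via-gre src-address-list=cameras passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=gre-1 routing-mark=via-gre
/ip firewall nat
add chain=srcnat action=src-nat out-interface=gre-1 src-address-list=cameras to-addresses=203.0.113.6
add chain=dstnat action=dst-nat in-interface=gre-1 dst-address=203.0.113.6 protocol=tcp dst-port=554 \
    to-addresses=10.0.101.5 comment="inbound camera service"
```

Because 203.0.113.6 is a local address of the client router, inbound packets for it that are not dst-nated land in the client's input chain, so the dst-nat rule is the only thing that decides which service, if any, reaches the camera.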
# oct/13/2018 18:53:32 by RouterOS 6.43.1
# software id =
#
# model = RouterBOARD 1100x4
# serial number =
/interface bridge
add fast-forward=no name=IPSec_Bridge
add fast-forward=no name=loopback_test
/interface gre
add !keepalive local-address=172.20.20.1 name=gre-tunnel1 remote-address=172.20.20.2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128
/ip ipsec policy group
add name=rw-policies
add name=11B9
add name=EC5B
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip pool
add name=rw-pool ranges=192.168.77.2-192.168.77.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=rw-conf split-include=192.168.89.0/24,192.168.90.0/24
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
/ip address
add address=210.xxx.xxx.98/30 interface=ether1 network=210.xxx.xxx.96
add address=192.168.89.1/24 interface=ether2 network=192.168.89.0
add address=172.30.30.1 interface=loopback_test network=172.30.30.1
add address=192.168.90.10 interface=IPSec_Bridge network=192.168.90.10
add address=172.20.20.1 interface=gre-tunnel1 network=172.20.20.1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=192.168.89.0/24
/ip firewall mangle
add action=change-mss chain=forward new-mss=1240 out-interface=gre-tunnel1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.89.0/24
add action=accept chain=srcnat dst-address=172.20.20.2 src-address=172.20.20.1
add action=src-nat chain=srcnat src-address=10.0.0.2 to-addresses=210.xxx.xxx.104
add action=accept chain=srcnat disabled=yes dst-address=10.0.0.0/24 src-address=192.168.89.0/24
add action=dst-nat chain=dstnat dst-address=210.xxx.xxx.104 to-addresses=10.0.0.2
add action=masquerade chain=srcnat disabled=yes
/ip ipsec peer
add auth-method=rsa-signature certificate=server1 disabled=yes exchange-mode=ike2 generate-policy=port-strict mode-config=rw-conf passive=yes policy-template-group=\
rw-policies
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-strict my-id=fqdn:server.11b9 passive=yes policy-template-group=11B9 secret=\
secret send-initial-contact=no
# This entry is unreachable
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-strict my-id=fqdn:server.ec5b passive=yes policy-template-group=EC5B secret=\
secret send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.88.0/24 src-address=192.168.89.0/24 template=yes
add dst-address=172.20.20.2/32 group=11B9 src-address=172.20.20.1/32 template=yes
add dst-address=172.20.20.6/32 group=EC5B src-address=172.20.20.5/32 template=yes
/ip ipsec user
add name=user1 password=Password1
add name=user2 password=Password2
/ip route
add distance=1 gateway=210.xxx.xxx.97
add distance=1 dst-address=10.0.0.0/29 gateway=gre-tunnel1
add distance=1 dst-address=172.20.20.2/32 gateway=gre-tunnel1
add distance=1 dst-address=192.168.88.0/24 gateway=gre-tunnel1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no
# oct/13/2018 18:51:18 by RouterOS 6.43.2
# software id =
#
# model = RouterBOARD 750G r3
# serial number =
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
/interface gre
add !keepalive local-address=172.20.20.2 name=gre-tunnel1 remote-address=172.20.20.1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128
/ip ipsec policy group
add name=11B9
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=10.0.0.5-10.0.0.6
/ip dhcp-server
add address-pool=dhcp disabled=no name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2 list=LAN
add interface=ether1 list=WAN
add interface=gre-tunnel1 list=LAN
/ip address
add address=10.0.0.1/29 comment=defconf interface=ether2 network=10.0.0.0
add address=172.20.20.2 interface=gre-tunnel1 network=172.20.20.2
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/29 comment=defconf gateway=10.0.0.1 netmask=29
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=1330 passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=GRE passthrough=yes src-address=10.0.0.2
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=172.20.20.1 src-address=172.20.20.2
add action=accept chain=srcnat out-interface=gre-tunnel1 src-address=10.0.0.2
add action=accept chain=srcnat disabled=yes out-interface=gre-tunnel1 src-address=10.0.0.1
/ip ipsec peer
add address=210.xxx.xxx.98/32 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-strict my-id=fqdn:client.11b9 policy-template-group=11B9 secret=secret \
xauth-login=user2 xauth-password=Password2
/ip ipsec policy
add dst-address=172.20.20.1/32 level=unique sa-dst-address=210.xxx.xxx.98 sa-src-address=0.0.0.0 src-address=172.20.20.2/32 tunnel=yes
/ip route
add distance=1 gateway=gre-tunnel1 routing-mark=GRE
add distance=1 dst-address=192.168.89.0/24 gateway=gre-tunnel1
/system clock
set time-zone-name=America/Toronto
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
> The cameras we use have an "automatic NAT traversal" that talks to a mediator server on the outside, but with this particular WISP they have such aggressive NAT policies that the connection often gets killed and client can't access the cameras from the app.

Three possibilities of "automatic NAT traversal" exist:
> One solution is obviously to DST-NAT the cameras using the IPSEC mode-config address as you alluded to, but is there a way to force the client device to have its 0.0.0.0/0 gateway go over the IPSEC tunnel rather than out the 0.0.0.0/0 at ether1 which is the WAN source for the client Mikrotik? That's partly why I was using the GRE tunnel, because I could mark the packet and send it over a specific tunnel.

I didn't know that it's the cameras that actively establish outbound connections (I'm not a remote surveillance specialist), so I was thinking in the old-fashioned "make my server on private LAN accessible from outside" way.
> I now have two "client" devices connecting to the server from behind the same NAT, and was able to either provide an address via mode-config (with a template on both sides), or statically assign a policy on the client side and put a generic template (covering the intended ranges) on the server side. I was also able to use null/null, though I don't see much of an improvement in throughput.

I've made a test: if you set enc-algorithms to null, the hardware acceleration doesn't work although the auth-algorithms is one of those supported by hardware acceleration. So it only makes sense to use null encryption where none of the peer devices can benefit from hardware acceleration; where both ends support it, choose the strongest auth-algorithm and enc-algorithm combination which both ends support and forget about it.
> I am seeing a strange issue once the clients connect though, the first client is fine, and I see traffic passing on both sides of the SA that is created, however when the second client connects, I only see traffic coming from the "client" side of the SA, I don't see any return traffic from the server side of the SA. Not sure what that is about, but possibly with how my home router is handling the two connections, not sure?

When you /ip ipsec installed-sa print on the server, can you see the port number in the dst-address and src-address of the SAs? If not, it means that the NAT discovery has failed and that the peers use plain ESP for the transported data, which means that the two destinations cannot be distinguished from one another by anything else than the SPI. Another explanation could be that your policies overlap. So show me your /ip ipsec policy print and /ip ipsec installed-sa print from the server in this situation and be careful when obfuscating (i.e. modify only the "most significant = first" two bytes of the IP addresses so that the context doesn't get lost).
> I am going to continue along the GRE path, I can force the cameras to use the tunnel as a default gateway

The default gateway for the camera itself is always the client Mikrotik. The default gateway for the traffic from the cameras on the client Mikrotik is what you need to affect, and if you have a GRE tunnel, you use the GRE tunnel interface name or the network address from the IP configuration (somehow misleadingly called /ip address) attached to that interface as a gateway in the default route with the routing-mark. But without the GRE tunnel, you put the address pool range you use to assign addresses to the cameras onto an /ip firewall address-list to which the action=src-nat rule, dynamically created by the IPsec astro clock once the SA establishes, refers. So any outgoing connection from any of these addresses will be src-nated to the address provided by mode-config, and this is the reason why the policy will match and steal them. So instead of the routing-mark, you use the src-address assigned by the src-nat rule to choose the outgoing path.
> in the case where static addressing and PAT is required, I can provide a static address on the server side and DST-NAT it to the IP handed off at the "client" side Mikrotik.

The point is that with plain IPsec and mode-config, you don't do any dst-nat on the IPsec server. The server receives, via WAN, a packet for the address assigned to the IPsec client. It routes it according to the default route (which most likely would send it back to the WAN so you must make sure that a firewall doesn't drop such a packet, which is otherwise a good practice), but at the last moment before the packet would be sent out the interface, the ipsec policy kicks in and steals it to deliver it via the SA to the client. In other words, the public address is not up on your IPsec server, it is up on the client. So you can filter the traffic for it on the server, but the dst-nat will be done on the client the way I've described above.
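The GRE-free variant described in the two replies above (mode-config hands the client a public address, the dynamically created src-nat rule steers the cameras into the policy, no dst-nat on the server, dst-nat on the client), as an added example that is not a config from the thread. Constructed values: server WAN 203.0.113.1 on ether1; the ISP routes 203.0.113.16/29 to the server and that block is used as the mode-config pool; camera 10.0.101.5 behind the client; secrets and the service port are placeholders. The `src-address-list` parameter of /ip ipsec mode-config is the address-list hook the reply refers to; that the assigned address is not an interface address on the client, so inbound flows need the dst-nat, is taken from the reply and is an assumption here.

```routeros
# ===== server (responder) =====
/ip pool
add name=client-pub ranges=203.0.113.17-203.0.113.22
/ip ipsec mode-config
add name=client-cfg address-pool=client-pub address-prefix-length=32
/ip ipsec proposal
add name=cam-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy group
add name=cameras
# Template: anything <-> the public block; the dynamic policy per client narrows dst to its /32.
/ip ipsec policy
add template=yes group=cameras proposal=cam-prop src-address=0.0.0.0/0 dst-address=203.0.113.16/29
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=ike2 passive=yes auth-method=pre-shared-key-xauth \
    secret=PSK_PLACEHOLDER mode-config=client-cfg generate-policy=port-strict \
    policy-template-group=cameras send-initial-contact=no
/ip ipsec user
add name=site1 password=XAUTH_PW_PLACEHOLDER
# No dst-nat: a packet for 203.0.113.17 is routed back toward ether1 and the policy steals
# it on the way out. The forward chain must therefore allow that WAN->WAN hairpin, but only
# for packets that really have a policy; everything else hairpinning is dropped.
/ip firewall filter
add chain=forward action=accept ipsec-policy=out,ipsec comment="leaving through an SA"
add chain=forward action=accept ipsec-policy=in,ipsec comment="arrived through an SA"
add chain=forward action=drop in-interface=ether1 out-interface=ether1 comment="other WAN hairpins"
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="never masquerade into the SA"
add chain=srcnat action=masquerade out-interface=ether1

# ===== client (initiator, behind NAT) =====
/ip firewall address-list
add list=cameras address=10.0.101.5
/ip ipsec mode-config
add name=from-server responder=no src-address-list=cameras
/ip ipsec proposal
add name=cam-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy group
add name=cameras
/ip ipsec policy
add template=yes group=cameras proposal=cam-prop src-address=0.0.0.0/0 dst-address=0.0.0.0/0
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=ike2 auth-method=pre-shared-key-xauth \
    secret=PSK_PLACEHOLDER xauth-login=site1 xauth-password=XAUTH_PW_PLACEHOLDER \
    mode-config=from-server generate-policy=port-strict policy-template-group=cameras
# On connect RouterOS adds a dynamic src-nat rule (src-address-list=cameras -> the assigned
# public address) and a dynamic policy, so camera flows are rewritten to 203.0.113.x and
# matched by the policy with no routing-mark at all. Inbound flows for that address arrive
# through the SA and are dst-nated to the camera here, on the client.
/ip firewall nat
add chain=dstnat action=dst-nat ipsec-policy=in,ipsec protocol=tcp dst-port=554 \
    to-addresses=10.0.101.5 comment="camera service via the SA (placeholder port)"
```

With a 0.0.0.0/0 template on the client, all camera traffic, including its default route, ends up inside the SA; if only some destinations should go that way, the server's mode-config entry gets a split-include list and the dynamic policy on the client is narrowed to it.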
> I also am having an issue with the MTU... I had two "client" routers set up exactly the same, and GRE tunnels the same, but one had a MTU of 1280 and the other one was 1370 on the server side (from PMTU). On the client side, they were both the same (from PMTU), but different than both the displayed server side numbers. It doesn't make much sense to me why that is happening, and it's making it a challenge to set up correct MSS values.

A lot of hidden magic happens internally, and sometimes there are bugs in it. Depending on the authentication algorithm used and the "plain ESP" or "ESP over UDP" transport mode chosen, the amount of overhead differs for the IPsec transport packets, leaving different space for the payload. I've seen someone complain here recently that for sha-256 used for authentication, the MTU calculations were correct while for sha-1 they were not, or vice versa. The GRE tunnel gets information about the MTU from the IPsec part, which gets it from the physical layer, etc. And if one element in the chain reports a wrong (too optimistic) value, you run into trouble. At least when everything is correct, you should see equal values at/for all clients.
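The overhead arithmetic behind the reply above, as an added RouterOS script (not from the thread) that works out the GRE MTU and TCP MSS a tunnel can carry for plain ESP versus ESP over UDP and for HMAC-SHA1-96 versus HMAC-SHA256-128. It assumes standard ESP tunnel-mode framing with AES-CBC (16-byte IV, 16-byte cipher block), GRE without key, checksum or sequence fields, IPv4 inside and outside, and a 1500-byte link; the figures are what the framing allows, not what RouterOS happens to report, which is exactly the gap the reply is talking about.

```routeros
# Link MTU of the path the ESP packets travel over (assumed).
:local linkMtu 1500
# Fixed sizes of the stack: outer IPv4, ESP header (SPI + sequence), AES-CBC IV,
# ESP trailer (pad length + next header), GRE header, inner IPv4 (GRE endpoints), IPv4+TCP.
:local outerIp 20
:local espHdr 8
:local espIv 16
:local espTrailer 2
:local cbcBlock 16
:local greHdr 4
:local innerIp 20
:local ipTcp 40
# ICV length per auth-algorithm and extra bytes per ESP framing (UDP 4500 only after NAT-T).
:local icvByAuth {"sha1"=12; "sha256"=16}
:local encapByMode {"plain-esp"=0; "esp-over-udp"=8}

:foreach mode,encap in=$encapByMode do={
    :foreach auth,icv in=$icvByAuth do={
        # bytes left for [inner packet + padding + trailer], which must fill whole CBC blocks
        :local avail ($linkMtu - $outerIp - $encap - $espHdr - $espIv - $icv)
        :local innerMax ((($avail / $cbcBlock) * $cbcBlock) - $espTrailer)
        # the inner packet is IP(endpoints) + GRE + the routed payload packet
        :local greMtu ($innerMax - $innerIp - $greHdr)
        :local mss ($greMtu - $ipTcp)
        :put "$mode / $auth: GRE MTU $greMtu, TCP MSS $mss"
    }
}
```

Run it from a terminal or /system script; the resulting MSS is the value for a `change-mss` mangle rule (as in the exports above) and the GRE MTU the value for `/interface gre set mtu=` if PMTU discovery is not trusted. Because the inner packet is rounded down to whole cipher blocks, the 4-byte difference between the two ICVs can vanish for some link sizes (it does for 1500) and shows up for others, which is one reason two sites with "identical" settings can end up with different effective MTUs.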
> Also having a strange issue when I do internet speed tests... If I directly ping the server being used, I get something reasonable 7ms, etc. however when I use speedtest.net the ping is showing over 1000ms, and although I get a "download" result, the upload is just a flat line and never works. All firewall options were disabled and still an issue. Not sure what that's about... obviously I can upload because I can browse...

The only thing which comes to my mind is that you have an action=fasttrack rule active without limitations at the server side or at the client side. Fasttracking is an optimization technique which is based on skipping some stages of packet processing for the bulk of packets belonging to already established connections, and these stages include not only firewall but also ipsec policy matching. So if you could reach 10 Mbit/s with fasttracking misrouting most of your traffic into a blackhole, chapeau.
> So, first with the fasttrack... When I said I had the firewall stuff disabled, I meant the block entries. I disabled fasttrack and all of a sudden I am getting almost line speed. I'll see what happens when I turn encryption back on now.

The right thing to do is to add some match conditions to the action=fasttrack rule which will prevent it from matching on either direction of the traffic which must be seen by the ipsec policy, or to use /ip firewall raw rules to prevent this traffic from being connection-tracked at all (if you do that, you cannot use distinct connection-state and connection-nat-state values for that traffic elsewhere in /ip firewall, all of it matches to connection-state=untracked).
> I didn't mean making the default gateway of the cameras the GRE endpoint, but routing them that way in the Mikrotik, I mis-wrote that as obviously that wouldn't work.

I know, I just like things to be written precisely because it avoids a lot of confusion.
> Looking at the SA's, the first one used 4500, but the next one used 1024 as a port...

That's correct. Most NATs try to keep the original src-port when doing src-nat if possible, so the first connection comes from 4500 because that's what the client uses, for the second connection that port is already occupied for the same remote socket (ser.ver.ip:4500), so the NATing device has to choose another one.
> They did both come up eventually, not sure why there was hesitancy at first. I spend a lot of time reading the forums, and sometimes I can't tell if something is or isn't working because I screwed up, or because they broke something in a firmware version that used to work on the last one, etc... I know Cisco, Juniper, etc have the same issues sometimes, but these seem to be particularly vulnerable...

If you haven't changed a single bit and it started working anyway, it's weird of course. What is your software version at both ends? There used to be an issue with SA key negotiation when pfs-group was different from none which has been fixed only very recently. Should this be the reason, you would see packets being counted on the sending SA on each device, but not being counted at the remote end of that SA. It had nothing to do with client and server roles, both directions were affected as the authentication of these packets was failing on the receiving side due to the difference of keys, which you could see if you had access to both the client and the server while the tunnel was down.
> I only see traffic coming from the "client" side of the SA, I don't see any return traffic from the server side of the SA.

which implies that you were watching it at the server side. If exactly so, then the reason must be different from the one suggested above; if you were actually observing the SA statistics at the client side, the reason suggested above may be the explanation.
# oct/15/2018 16:41:15 by RouterOS 6.43.2
# software id =
#
# model = RouterBOARD 1100x4
# serial number =
/interface gre
add !keepalive local-address=10.0.10.12 name=gre-62EC5B remote-address=10.0.11.12
add !keepalive local-address=10.0.10.1 name=gre-658B9B remote-address=10.0.11.1
add !keepalive local-address=10.0.10.11 name=gre-4911B9 remote-address=10.0.11.11
/interface list
add name=WAN
add name=LAN
add name=GRE-Out
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256
add enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1
/ip ipsec policy group
add name=FLS
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc pfs-group=none
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=proposal1 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.110
add name=rw-pool ranges=192.168.77.2-192.168.77.5
add name=mode-confid ranges=172.20.20.0/24
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ip ipsec mode-config
add address-pool=mode-confid name=cfg1 split-include=172.30.30.0/24
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=gre-658B9B list=GRE-Out
add interface=gre-62EC5B list=GRE-Out
add interface=gre-4911B9 list=GRE-Out
/ip address
add address=192.168.89.1/24 interface=ether2 network=192.168.89.0
add address=10.0.10.11 interface=gre-4911B9 network=10.0.10.11
add address=10.0.10.12 interface=gre-62EC5B network=10.0.10.12
add address=10.0.10.1 interface=gre-658B9B network=10.0.10.1
add address=210.xxx.xxx.230/30 comment="WAN PtP" interface=ether1 network=210.xxx.xxx.228
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=192.168.89.0/24
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=GRE-Out passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu out-interface=gre-62EC5B passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.89.0/24
add action=accept chain=srcnat dst-address=172.20.20.2 src-address=172.20.20.1
add action=src-nat chain=srcnat src-address=10.0.101.0/29 to-addresses=210.xxx.xxx.128
add action=accept chain=srcnat disabled=yes dst-address=10.0.0.0/8 src-address=192.168.89.0/24
add action=dst-nat chain=dstnat dst-address=210.xxx.xxx.129 to-addresses=10.0.111.5
add action=masquerade chain=srcnat
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-strict passive=yes policy-template-group=FLS profile=profile1 secret=\
SECRET_REDACTED send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.20.20.2/32 group=FLS proposal=proposal1 src-address=172.20.20.1/32 template=yes
add dst-address=172.20.20.6/32 group=FLS proposal=proposal1 src-address=172.20.20.5/32 template=yes
add dst-address=172.20.20.0/24 group=FLS proposal=proposal1 src-address=172.30.30.0/24 template=yes
add disabled=yes dst-address=172.20.20.10/32 group=FLS proposal=proposal1 src-address=172.30.30.10/32 template=yes
add dst-address=10.0.11.0/24 group=FLS proposal=proposal1 src-address=10.0.10.0/24 template=yes
/ip ipsec user
add name=658b9b password=REDACTED
add name=62ec5b password=REDACTED
add name=4911b9 password=REDACTED
/ip route
add distance=1 gateway=210.xxx.xxx.229
add distance=1 dst-address=10.0.11.1/32 gateway=gre-658B9B
add distance=1 dst-address=10.0.11.11/32 gateway=gre-4911B9
add distance=1 dst-address=10.0.11.12/32 gateway=gre-62EC5B
add distance=1 dst-address=10.0.101.0/29 gateway=gre-658B9B
add distance=1 dst-address=10.0.111.0/29 gateway=gre-4911B9
add distance=1 dst-address=10.0.112.0/30 gateway=gre-62EC5B
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no
# oct/15/2018 16:46:10 by RouterOS 6.43.2
# software id =
#
# model = RouterBOARD 750G r3
# serial number =
/interface bridge
add admin-mac=CC:2D:E0:65:8B:9C auto-mac=no comment=defconf name=bridge
/interface gre
add !keepalive local-address=10.0.11.1 name=gre-658B9B remote-address=10.0.10.1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec policy group
add name=FLS
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
add enc-algorithms=aes-256-cbc name=proposal1 pfs-group=none
/ip pool
add name=dhcp ranges=10.0.101.2-10.0.101.6
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=gre-658B9B list=LAN
/ip address
add address=10.0.101.1/29 comment=defconf interface=ether2 network=10.0.101.0
add address=10.0.11.1 interface=gre-658B9B network=10.0.11.1
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.101.0/29 comment=defconf gateway=10.0.101.1 netmask=30
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.100.9 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp src-address=10.0.101.0/29 tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=GRE passthrough=yes src-address=10.0.101.0/29
/ip firewall nat
add action=accept chain=srcnat src-address=10.0.101.0/29
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=210.xxx.xxx.230/32 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-strict policy-template-group=FLS secret=REDACTED \
xauth-login=658b9b xauth-password=REDACTED
/ip ipsec policy
add dst-address=10.0.10.1/32 level=unique sa-dst-address=210.xxx.xxx.230 sa-src-address=0.0.0.0 src-address=10.0.11.1/32 tunnel=yes
/ip route
add distance=1 gateway=gre-658B9B routing-mark=GRE
/system clock
set time-zone-name=
/system identity
set name=CC2DE0658B9B
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# oct/26/2018 10:21:46 by RouterOS 6.43.4
# software id =
#
# model = RouterBOARD 1100x4
# serial number =
/interface bridge
add fast-forward=no name=bri-5E5DCB
add fast-forward=no name=bri-62EC5B
add fast-forward=no name=bri-658B9B
add fast-forward=no name=bri-658C27
add fast-forward=no name=bri-4911B9
/interface gre
add !keepalive local-address=10.0.10.13 name=gre-5E5DCB remote-address=10.0.11.13
add !keepalive local-address=10.0.10.12 name=gre-62EC5B remote-address=10.0.11.12
add !keepalive local-address=10.0.10.1 name=gre-658B9B remote-address=10.0.11.1
add !keepalive local-address=10.0.10.14 name=gre-658C27 remote-address=10.0.11.14
add !keepalive local-address=10.0.10.11 name=gre-4911B9 remote-address=10.0.11.11
/interface list
add name=WAN
add name=LAN
add name=GRE-Out
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=profile1
/ip ipsec policy group
add name=FLS
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc pfs-group=none
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=proposal1 pfs-group=none
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.9
add name=rw-pool ranges=192.168.77.2-192.168.77.5
add name=mode-confid ranges=172.20.20.0/24
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/routing bgp instance
set default as=65000 disabled=yes redistribute-other-bgp=yes router-id=10.255.255.0
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=GRE-Out
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=gre-658B9B list=GRE-Out
add interface=gre-62EC5B list=GRE-Out
add interface=gre-4911B9 list=GRE-Out
add interface=gre-5E5DCB list=GRE-Out
add interface=gre-658C27 list=GRE-Out
/ip address
add address=10.0.0.1/24 comment="Management LAN" interface=ether2 network=10.0.0.0
add address=10.10.111.1/30 interface=gre-4911B9 network=10.10.111.0
add address=10.0.10.12 interface=bri-62EC5B network=10.0.10.12
add address=10.0.10.1 interface=bri-658B9B network=10.0.10.1
add address=210.xxx.xxx.230/30 comment="WAN PtP" interface=ether1 network=210.xxx.xxx.228
add address=10.10.101.1/30 interface=gre-658B9B network=10.10.101.0
add address=10.10.112.1/30 interface=gre-62EC5B network=10.10.112.0
add address=10.10.113.1/30 interface=gre-5E5DCB network=10.10.113.0
add address=10.0.10.13 interface=bri-5E5DCB network=10.0.10.13
add address=10.0.10.11 interface=bri-4911B9 network=10.0.10.11
add address=10.0.10.14 interface=bri-658C27 network=10.0.10.14
add address=10.10.114.1/30 interface=gre-658C27 network=10.10.114.0
/ip dhcp-server network
add address=10.0.0.0/28 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.0.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.0.0.0/24 list=admin_allow_in
add address=210.xxx.xxx.104 list=admin_allow_in
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list=admin_allow_in
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=gre
add action=accept chain=forward disabled=yes dst-address=10.0.11.0/24 src-address=10.0.0.0/24
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input log=yes log-prefix=IPSEC
add action=accept chain=forward disabled=yes dst-address=192.168.88.0/24 src-address=192.168.89.0/24
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=GRE-Out passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu out-interface=gre-62EC5B passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=192.168.89.0/24
add action=accept chain=srcnat disabled=yes dst-address=172.20.20.2 src-address=172.20.20.1
add action=accept chain=srcnat disabled=yes dst-address=10.0.11.0/24 src-address=10.0.0.0/24
add action=src-nat chain=srcnat src-address=10.0.101.0/29 to-addresses=210.xxx.xxx.128
add action=src-nat chain=srcnat src-address=10.100.111.0/24 to-addresses=210.xxx.xxx.130
add action=dst-nat chain=dstnat dst-address=210.xxx.xxx.129 to-addresses=10.0.111.5
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=210.xxx.xxx.131 dst-port=8000 protocol=tcp to-addresses=10.0.111.5 to-ports=8180
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-override local-address=210.xxx.xxx.230 passive=yes \
policy-template-group=FLS profile=profile1 send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=172.20.20.2/32 group=FLS proposal=proposal1 src-address=172.20.20.1/32 template=yes
add disabled=yes dst-address=172.20.20.6/32 group=FLS proposal=proposal1 src-address=172.20.20.5/32 template=yes
add disabled=yes dst-address=172.20.20.0/24 group=FLS proposal=proposal1 src-address=172.30.30.0/24 template=yes
add disabled=yes dst-address=172.20.20.10/32 group=FLS proposal=proposal1 src-address=172.30.30.10/32 template=yes
add dst-address=10.0.11.0/24 group=FLS proposal=proposal1 src-address=10.0.10.0/24 template=yes
/ip ipsec user
add name=658b9b
add name=62ec5b
add name=4911b9
add name=5e5dcb
add name=658c27
/ip route
add distance=1 gateway=210.xxx.xxx.229
add distance=1 dst-address=10.100.101.0/29 gateway=10.10.101.2
add distance=1 dst-address=10.100.111.0/30 gateway=10.10.111.2
add distance=1 dst-address=10.100.112.0/30 gateway=10.10.112.2
add distance=1 dst-address=10.100.113.0/30 gateway=10.10.113.2
add distance=1 dst-address=10.100.114.0/30 gateway=10.10.114.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl certificate=server1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/routing bgp network
add disabled=yes network=10.0.0.0/24 synchronize=no
/routing bgp peer
add disabled=yes name=62EC5B remote-address=10.10.112.2 remote-as=65000 ttl=default
add disabled=yes name=658B9B remote-address=10.10.101.2 route-reflect=yes ttl=default
add disabled=yes name=4911B9 remote-address=10.10.111.2 remote-as=65000 ttl=default
add disabled=yes name=5E5DCB remote-address=10.10.113.2 remote-as=65000 ttl=default
add disabled=yes name=658C27 remote-address=10.10.114.2 remote-as=65000 ttl=default
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
[admin@MikroTik] >
# oct/26/2018 13:20:05 by RouterOS 6.43.4
# software id =
#
# model = RouterBOARD 750G r3
# serial number =
/interface bridge
add fast-forward=no name=bri-4911B9
add admin-mac=64:D1:54:49:11:BA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface gre
add !keepalive local-address=10.0.11.11 name=gre-4911B9 remote-address=10.0.10.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-128 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=10.100.111.2
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/queue simple
add disabled=yes max-limit=5M/5M name=queue1 target=10.100.111.0/24
/routing bgp instance
set default as=65000 disabled=yes router-id=10.255.255.11
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=gre-4911B9 list=LAN
/ip address
add address=10.100.111.1/30 comment=defconf interface=ether2 network=10.100.111.0
add address=10.0.11.11 interface=bri-4911B9 network=10.0.11.11
add address=10.10.111.2/30 interface=gre-4911B9 network=10.10.111.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.100.111.0/30 comment=defconf gateway=10.100.111.1 netmask=30
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.100.111.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=GRE passthrough=yes src-address=10.100.111.0/30
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=gre-4911B9 passthrough=yes protocol=tcp src-address=10.100.111.0/30 tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="VPN NAT Bypass" out-interface=gre-4911B9 src-address=10.100.111.0/30
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=210.xxx.xxx.230/32 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-override xauth-login=4911b9
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.10.11/32 level=unique sa-dst-address=210.xxx.xxx.230 sa-src-address=0.0.0.0 src-address=10.0.11.11/32 tunnel=yes
/ip route
add check-gateway=ping distance=10 gateway=10.10.111.1 routing-mark=GRE
add distance=1 dst-address=10.0.0.0/24 gateway=10.10.111.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bgp network
add network=10.100.111.0/30 synchronize=no
/routing bgp peer
add disabled=yes name=peer1 remote-address=10.10.111.1 remote-as=65000 ttl=default
/system clock
set time-zone-name=America/Toronto
/system identity
set name=FLS_01
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# oct/26/2018 13:17:41 by RouterOS 6.43.4
# software id =
#
# model = RouterBOARD 750G r3
# serial number =
/interface bridge
add fast-forward=no name=bri-658B9B
add admin-mac=CC:2D:E0:65:8B:9C auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface gre
add !keepalive local-address=10.0.11.1 name=gre-658B9B remote-address=10.0.10.1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-128 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=10.100.101.2
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=gre-658B9B list=LAN
/ip address
add address=10.100.101.1/29 comment=defconf interface=ether2 network=10.100.101.0
add address=10.0.11.1 interface=bri-658B9B network=10.0.11.1
add address=10.10.101.2/30 interface=gre-658B9B network=10.10.101.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.100.101.0/29 comment=defconf gateway=10.100.101.1 netmask=29
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.100.101.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=GRE passthrough=yes src-address=10.100.101.0/29
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=gre-658B9B passthrough=yes protocol=tcp src-address=10.100.101.0/29 tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat out-interface=gre-658B9B src-address=10.100.101.0/29
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=210.xxx.xxx.230/32 auth-method=pre-shared-key-xauth exchange-mode=ike2 generate-policy=port-override xauth-login=658b9b
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.10.1/32 level=unique sa-dst-address=210.xxx.xxx.230 sa-src-address=0.0.0.0 src-address=10.0.11.1/32 tunnel=yes
/ip route
add check-gateway=ping distance=10 gateway=10.10.101.1 routing-mark=GRE
add distance=1 dst-address=10.0.0.0/24 gateway=10.10.101.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=CTL_01
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 TX group=FLS src-address=172.20.20.1/32 dst-address=172.20.20.2/32 protocol=all proposal=proposal1 template=yes
2 TX group=FLS src-address=172.20.20.5/32 dst-address=172.20.20.6/32 protocol=all proposal=proposal1 template=yes
3 TX group=FLS src-address=172.30.30.0/24 dst-address=172.20.20.0/24 protocol=all proposal=proposal1 template=yes
4 TX group=FLS src-address=172.30.30.10/32 dst-address=172.20.20.10/32 protocol=all proposal=proposal1 template=yes
5 T group=FLS src-address=10.0.10.0/24 dst-address=10.0.11.0/24 protocol=all proposal=proposal1 template=yes
6 DA src-address=10.0.10.11/32 src-port=any dst-address=10.0.11.11/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=210.xxx.xxx.230 sa-dst-address=50.100.53.111 proposal=proposal1 ph2-count=1
7 DA src-address=10.0.10.12/32 src-port=any dst-address=10.0.11.12/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=210.xxx.xxx.230 sa-dst-address=50.100.53.111 proposal=proposal1 ph2-count=1
8 DA src-address=10.0.10.13/32 src-port=any dst-address=10.0.11.13/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=210.xxx.xxx.230 sa-dst-address=50.100.53.111 proposal=proposal1 ph2-count=1
9 DA src-address=10.0.10.14/32 src-port=any dst-address=10.0.11.14/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=210.xxx.xxx.230 sa-dst-address=50.100.53.111 proposal=proposal1 ph2-count=1
10 DA src-address=10.0.10.1/32 src-port=any dst-address=10.0.11.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=210.xxx.xxx.230 sa-dst-address=50.100.53.111 proposal=proposal1 ph2-count=1
[admin@MikroTik] > ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0xC4C5D3C src-address=50.100.53.111:1027 dst-address=210.xxx.xxx.230:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="1c37b709a3c4c5bdacabaab97dabc322010c392fc32235a4f3baa738112cf94f" enc-key="29e4249d45ddb533794cc0b749124d0d" addtime=oct/26/2018 10:57:49 expires-in=17m38s
add-lifetime=24m14s/30m18s current-bytes=7868 current-packets=88 replay=128
1 HE spi=0xF53E093 src-address=210.xxx.xxx.230:4500 dst-address=50.100.53.111:1027 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="f091236fbd08745385a5764e40e83f470e4117380a6d5bc686695abe95069703" enc-key="4437f221764da4583121eaebd6e6b49a" add-lifetime=24m14s/30m18s replay=128
2 HE spi=0x88651BB src-address=50.100.53.111:1025 dst-address=210.xxx.xxx.230:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="781250cfe14e46431cf06a7cb1215d298ff06b4392122f613c7150c86859ea43" enc-key="7893908e6cf6d30bb88e7d7c7b5d2a2d" addtime=oct/26/2018 10:58:40 expires-in=18m18s
add-lifetime=24m5s/30m7s current-bytes=7468 current-packets=83 replay=128
3 HE spi=0x3B5739E src-address=210.xxx.xxx.230:4500 dst-address=50.100.53.111:1025 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="2a70f266cb2411766d20c78dddc31c8a10e848ef92ec718a201b491f8bf4677c" enc-key="bdc8ca10894bea48ecd13246c88bbc34" addtime=oct/26/2018 10:58:40 expires-in=18m18s
add-lifetime=24m5s/30m7s current-bytes=7492 current-packets=83 replay=128
4 HE spi=0x7A0DFE2 src-address=50.100.53.111:4500 dst-address=210.xxx.xxx.230:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="50bfea5c5581a09389757e12750d663da1ec44496a8695f16c3028ffd39ca6ce" enc-key="c38231b37d534fac242d705670eba65c" addtime=oct/26/2018 10:58:43 expires-in=18m37s
add-lifetime=24m18s/30m23s current-bytes=345394 current-packets=364 replay=128
5 HE spi=0xCD64E82 src-address=50.100.53.111:1026 dst-address=210.xxx.xxx.230:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="0fceca304d27ddd478fe6adb82f22d59af36b9b089b59e488e77b37896d33de8" enc-key="0788d7ef4e9c4c0eac7b98fbbc3f4455" addtime=oct/26/2018 10:58:46 expires-in=18m44s
add-lifetime=24m21s/30m27s current-bytes=1788 current-packets=12 replay=128
6 HE spi=0xF50BA7 src-address=210.xxx.xxx.230:4500 dst-address=50.100.53.111:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="9c8dd11c24bb2ea5fca208006539a1f62ee65e827192079380cb295a65f239ef" enc-key="bd5b67aac9b95bca7feb4e1b1cc8c72b" addtime=oct/26/2018 10:58:48 expires-in=18m42s
add-lifetime=24m18s/30m23s current-bytes=154395 current-packets=593 replay=128
7 HE spi=0xC878F2F src-address=210.xxx.xxx.230:4500 dst-address=50.100.53.111:1026 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="034ed54a34932892542a14e0d43b6caa3221f66651637936bb7bfff0b08a5a53" enc-key="adf1ac6837dc54ab21ca9c32d12716d7" addtime=oct/26/2018 10:58:51 expires-in=18m49s
add-lifetime=24m21s/30m27s current-bytes=1812 current-packets=12 replay=128
8 HE spi=0x18EECE6 src-address=50.100.53.111:1024 dst-address=210.xxx.xxx.230:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="1c9477171e95ab90c19b442d53cd7e6351eef50c76e9dfc0d9cebac0646bfeb8" enc-key="af7c121045c6dc150ee1e52c04b15568" addtime=oct/26/2018 10:59:10 expires-in=19m
add-lifetime=24m15s/30m19s current-bytes=7079 current-packets=79 replay=128
9 HE spi=0x4BB6F13 src-address=210.xxx.xxx.230:4500 dst-address=50.100.53.111:1024 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="385229a0cd747fa08bfb6e7153bdb0d966613b90e432b512011b65c0c4aa32e5" enc-key="2b517e1cd039569faa042e91392964c0" addtime=oct/26/2018 10:59:10 expires-in=19m
add-lifetime=24m15s/30m19s current-bytes=7252 current-packets=80 replay=128
[admin@MikroTik] >
[admin@CTL_01] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A src-address=10.0.11.1/32 src-port=any dst-address=10.0.10.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=0.0.0.0 sa-dst-address=210.xxx.xxx.230 proposal=default ph2-count=1
[admin@CTL_01] > ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0xF53E093 src-address=210.xxx.xxx.230:4500 dst-address=192.168.1.108:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="f091236fbd08745385a5764e40e83f470e4117380a6d5bc686695abe95069703" enc-key="4437f221764da4583121eaebd6e6b49a" add-lifetime=24m2s/30m3s
replay=128
1 HE spi=0xC4C5D3C src-address=192.168.1.108:4500 dst-address=210.xxx.xxx.230:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=128
auth-key="1c37b709a3c4c5bdacabaab97dabc322010c392fc32235a4f3baa738112cf94f" enc-key="29e4249d45ddb533794cc0b749124d0d" addtime=oct/26/2018 13:57:49
expires-in=13m17s add-lifetime=24m2s/30m3s current-bytes=10464 current-packets=117 replay=128
[admin@CTL_01] >
Show me /ip firewall connection print detail where protocol=gre from the server side (Ctrl-F for the public address before posting).
[admin@MikroTik] > ip firewall connection print detail where protocol=gre
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC protocol=gre src-address=10.0.11.14 dst-address=10.0.10.14 reply-src-address=10.0.10.14 reply-dst-address=10.0.11.14 gre-key=0 timeout=2m51s orig-packets=104
orig-bytes=9 355 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=104 repl-bytes=9 385 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
1 SAC protocol=gre src-address=10.0.11.51 dst-address=10.0.10.51 reply-src-address=10.0.10.51 reply-dst-address=10.0.11.51 gre-key=0 timeout=2m54s orig-packets=103
orig-bytes=9 275 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=88 repl-bytes=7 040 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
2 C s protocol=gre src-address=10.0.10.1 dst-address=10.0.11.1 reply-src-address=10.0.11.1 reply-dst-address=210.xxx.xxx.230 gre-key=0 timeout=28s orig-packets=629
orig-bytes=53 908 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=672bps
repl-rate=0bps
3 SAC protocol=gre src-address=10.0.11.12 dst-address=10.0.10.12 reply-src-address=10.0.10.12 reply-dst-address=10.0.11.12 gre-key=0 timeout=2m52s orig-packets=104
orig-bytes=9 355 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=104 repl-bytes=9 385 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
4 SAC protocol=gre src-address=10.0.11.11 dst-address=10.0.10.11 reply-src-address=10.0.10.11 reply-dst-address=10.0.11.11 gre-key=0 timeout=2m55s orig-packets=104
orig-bytes=9 355 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=104 repl-bytes=9 385 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
[admin@MikroTik] > ip firewall nat export
# oct/26/2018 13:34:22 by RouterOS 6.43.4
# software id =
#
# model = RouterBOARD 1100x4
# serial number =
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=192.168.89.0/24
add action=accept chain=srcnat disabled=yes dst-address=172.20.20.2 src-address=172.20.20.1
add action=accept chain=srcnat dst-address=10.0.11.0/24 src-address=10.0.10.0/24
add action=accept chain=srcnat dst-address=10.0.10.0/24 src-address=10.0.11.0/24
add action=src-nat chain=srcnat src-address=10.0.101.0/29 to-addresses=210.xxx.xxx.128
add action=src-nat chain=srcnat src-address=10.100.111.0/24 to-addresses=210.xxx.xxx.130
add action=dst-nat chain=dstnat dst-address=210.xxx.xxx.129 to-addresses=10.0.111.5
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=210.xxx.xxx.131 dst-port=8000 protocol=tcp to-addresses=10.0.111.5 to-ports=8180
[admin@MikroTik] >