Community discussions

 
jmerlos282
just joined
Topic Author
Posts: 2
Joined: Wed Nov 14, 2018 1:16 am

Problem IPSec Tunnel with DDNS and NAT

Sat May 18, 2019 3:51 am

Hello!

Thank you in advance!!!!

I have a problem with a VPN, I made all congigurations in this site https://blog.pessoft.com/2016/05/29/mik ... s-and-nat/
, but cant establish connection between routers (ping), I leave the routers configuration, in case you see something wrongly configured that I have not seen

****************************** Router Site: RB2011UiAS-2HnD ****************************************
/interface bridge
add comment="Bridge Madero LAN - WLAN" fast-forward=no name=bridge_vlan10

/interface ethernet
set [ find default-name=ether2 ] comment=Ether2 name=LAN speed=100Mbps
set [ find default-name=ether1 ] comment=Ether1 name=WAN speed=100Mbps

/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 \
name=secure-profile

/ip ipsec peer
add address=200.XXX.XXX.XXX/32 comment=vpn01 exchange-mode=ike2 name=vpn01 \
profile=secure-profile

/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal \
pfs-group=modp4096

/ip pool
add comment="Pool DHCP LAN" name=dhcp_pool_LAN ranges=10.10.1.20-10.10.1.253

/ip dhcp-server
add address-pool=dhcp_pool_LAN authoritative=after-2sec-delay disabled=no \
interface=bridge_vlan10 name=dhcp_Server_LAN

/interface bridge port
add bridge=bridge_vlan10 comment="BRIDGE LAN" hw=no interface=LAN

/ip address
add address=10.10.1.254/24 comment="Listado de direcciones LAN" interface=LAN \
network=10.10.1.0

/ip dhcp-client
add comment="WAN ip por DHCP" dhcp-options=hostname,clientid disabled=no \
interface=WAN

/ip dhcp-server network
add address=10.10.1.0/24 comment="Direcciones DHCP LAN" gateway=10.10.1.254

/ip dns
set allow-remote-requests=yes cache-size=12288KiB servers=\
176.103.130.130,176.103.130.131

/ip firewall filter
add chain=forward comment=vpn01 dst-address=10.10.1.0/24 in-interface=WAN \
ipsec-policy=in,ipsec src-address=10.10.2.0/24
add action=accept chain=input comment=ipsec-ike-natt dst-port=4500 \
in-interface=WAN protocol=udp
add action=accept chain=input in-interface=WAN protocol=icmp

/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=10.10.2.0/24 \
src-address=10.10.1.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=10.10.1.0/24 \
src-address=10.10.2.0/24
add action=dst-nat chain=dstnat dst-port=4500 in-interface=WAN protocol=udp \
to-addresses=10.10.1.254 to-ports=4500
add action=masquerade chain=srcnat comment="NAT Internet Clientes" fragment=\
no out-interface=WAN

/ip ipsec identity
add comment=vpn01 peer=vpn01 secret=XXXXXXX

/ip ipsec policy
add comment=vpn01 dst-address=10.10.2.0/24 proposal=secure-proposal \
sa-dst-address=200.XXX.XXX.XXX sa-src-address=187.XXX.XXX.XXX src-address=\
10.10.1.0/24 tunnel=yes

****** This script if for dyndns service, in case to someone is heplful *************

/system script
add dont-require-permissions=no name=DYNDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global ddnsuser \"DYNDNS USERNAME\"\r\
\n:global ddnspass \"DYNDNS PASSWORD\"\r\
\n:global ddnshost \"example.dyndns.org\"\r\
\n\r\
\n:log info \"DynDNS: Sending UPDATE!\"\r\
\n:local str \"/nic/update\?hostname=\$ddnshost&wildcard=NOCHG&mx=NOCHG&ba\
ckmx=NOCHG\"\r\
\n/tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$d\
dnsuser password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)"

********************** Router Remote: RB951G-2HnD *****************************
/interface bridge
add comment="Bridge PS LAN - WLAN" fast-forward=no name=bridge_vlan20

/interface ethernet
set [ find default-name=ether2 ] comment=Ether2 name=LAN speed=100Mbps
set [ find default-name=ether1 ] comment=Ether1 name=WAN speed=100Mbps

/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 \
name=secure-profile

/ip ipsec peer
add address=187.XXX.XXX.XXX/32 comment=vpn01 exchange-mode=ike2 name=vpn01 \
profile=secure-profile

/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal \
pfs-group=modp4096

/ip pool
add comment="Pool DHCP LAN" name=dhcp_pool_LAN ranges=10.10.2.20-10.10.2.253

/ip dhcp-server
add address-pool=dhcp_pool_LAN authoritative=after-2sec-delay disabled=no \
interface=bridge_vlan20 name=dhcp_Server_LAN

/interface bridge port
add bridge=bridge_vlan20 comment="BRIDGE LAN" hw=no interface=LAN

/ip address
add address=10.10.2.254/24 interface=LAN network=10.10.2.0

/ip dhcp-client
add comment="WAN ip por DHCP" dhcp-options=hostname,clientid disabled=no \
interface=WAN

/ip dhcp-server network
add address=10.10.2.0/24 comment="Direcciones DHCP LAN" gateway=10.10.2.254

/ip dns
set allow-remote-requests=yes cache-size=2288KiB servers=\
176.103.130.130,176.103.130.131

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall filter
add action=accept chain=input in-interface=WAN protocol=icmp
add chain=input comment=ipsec-ike-natt dst-port=4500 in-interface=WAN \
protocol=udp
add chain=forward comment=vpn01 dst-address=10.10.2.0/24 in-interface=WAN \
ipsec-policy=in,ipsec src-address=10.10.1.0/24

/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=10.10.1.0/24 \
src-address=10.10.2.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=10.10.2.0/24 \
src-address=10.10.1.0/24
add action=dst-nat chain=dstnat dst-port=4500 in-interface=WAN protocol=udp \
to-addresses=10.10.2.254 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=WAN protocol=udp \
to-addresses=10.10.2.254 to-ports=500
add action=masquerade chain=srcnat comment="NAT Internet Clientes" \
out-interface=WAN

/ip ipsec identity
add comment=vpn01 peer=vpn01 secret=XXXXXX

/ip ipsec policy
add comment=vpn01 dst-address=10.10.1.0/24 proposal=secure-proposal \
sa-dst-address=187.XXX.XXX.XXX sa-src-address=200.XXX.XXX.XXX src-address=\
10.10.2.0/24 tunnel=yes

Who is online

Users browsing this forum: No registered users and 8 guests