linkomatas
just joined
Topic Author
Posts: 5
Joined: Thu Sep 19, 2019 1:47 pm

Site to Site VPN

Thu Mar 26, 2020 8:26 am

Hi,

I have implemented a site to site VPN. The tunnel is established and working, but I can't ping each router from the other (always getting a timeout). When I traceroute, nothing special happens; it seems packets are lost. I tried googling around, tried adding a NAT rule, etc.; nothing seems to work, so obviously I am missing something. Below you will find the configuration of one of the two routers; hope that helps just to know what is happening. Can someone show me the light here?
RouterOS 6.46.4
# software id = CFKF-AW4Y
#
# model = RBwAPGR-5HacD2HnD
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface l2tp-server
add disabled=yes name=l2tp-in1 user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn= authentication=chap default-route-distance=1 \
    name=apn1 password=omni user=omni
/interface lte
set [ find ] apn-profiles=apn1 mac-address= mtu=1480 name=\
    lte1 pin=
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add address= name=GB_Office
/ip ipsec profile
set [ find default=yes ] nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
    Office1 pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address= list=winbox
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input connection-state=established,related protocol=\
    udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    winbox
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.2.0/24 src-address=\
    192.168.88.0/24
/ip ipsec identity
add peer=GB_Office secret=
/ip ipsec policy
add dst-address=192.168.2.0/32 peer=Office proposal=Office1 \
    sa-dst-address= sa-src-address= src-address=\
    192.168.88.0/32 tunnel=yes
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=lte1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site VPN

Thu Mar 26, 2020 10:31 am

It's the source address; the router by default chooses the one from WAN. If you just want to ping the remote router, you can manually set the source address. Another way is to add a route to the remote subnet and set the router's local address (covered by the policy) as preferred source; that will also fix traceroute (a route on one router fixes traceroute from the other). The gateway of this route can be anything; it's not really used, because IPsec intercepts those packets.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
linkomatas
just joined
Topic Author
Posts: 5
Joined: Thu Sep 19, 2019 1:47 pm

Re: Site to Site VPN

Thu Mar 26, 2020 1:58 pm

Thanks for your reply @Sob.

I already tried ping with the source address set, but still got nothing but timeouts.
Also I used your suggestion and added a route with pref-src, and that didn't fix my problem. I'm kind of lost in this situation since the firewall rules and routes seem to be in place...
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site VPN

Thu Mar 26, 2020 7:49 pm

It can also be the firewall. You allow icmp in chain=input in the config you posted, so ping from the other router to this one should work. Do you have the same on the other one?
 
linkomatas
just joined
Topic Author
Posts: 5
Joined: Thu Sep 19, 2019 1:47 pm

Re: Site to Site VPN

Fri Mar 27, 2020 2:46 pm

You mean if I allow icmp on the other router? Yes. But...
As I continue troubleshooting, the problem seems to be not only that I cannot ping between routers; I also can't ping end devices between those sites. So I believe the problem is in the firewall, since packets are lost before being encrypted and sent via the tunnel. Also, the firewall srcnat rule has captured no packets, since its counter stays at 0. What am I missing here?
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site VPN

Fri Mar 27, 2020 6:24 pm

You wrote that "Tunnel is established and working", so I thought that a device (not the router) in LAN 1 can communicate with a device in LAN 2 (in the other direction too), and the only problem is when the source device is the router. That's a common problem, so that's what my advice was about. I didn't examine the whole config in detail. But now when I look closely, your policy is wrong: you have /32 masks, but you need /24 on both sides.
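Sob's diagnosis (the /32 masks in /ip ipsec policy) is the kind of mistake a small configuration check catches before the tunnel is brought up. The script below is an added example, not code from this thread or from MikroTik: it joins the backslash continuation lines of an /export, reads /ip address, /ip route and /ip ipsec policy, and flags any tunnel policy whose src-address or dst-address is narrower than the local LAN it should cover or the remote subnet routed through the tunnel. The EXPORT excerpt is constructed from the poster's config; the function names are my own.

```python
"""Added example: lint a RouterOS /export for the IPsec policy mistake
discussed in this thread (tunnel policy masks narrower than the subnets
they must protect, e.g. /32 where /24 was intended)."""
import ipaddress
import re
import shlex

# Constructed excerpt of the poster's export (values as posted, continuation
# lines kept exactly as /export prints them).
EXPORT = r"""
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=lte1
/ip ipsec policy
add dst-address=192.168.2.0/32 peer=Office proposal=Office1 \
    sa-dst-address= sa-src-address= src-address=\
    192.168.88.0/32 tunnel=yes
"""


def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value for one
    add/set line. Backslash-newline continuations are joined first."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # section header, e.g. /ip route
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        words = shlex.split(line)           # respects quoted comment="..."
        entry = {"_cmd": words[0]}
        for word in words[1:]:
            key, _, value = word.partition("=")
            entry[key] = value              # 'secret=' yields an empty value
        sections[current].append(entry)
    return sections


def lint_policies(sections):
    """Return human-readable findings for tunnel policies whose selectors do
    not cover the local LAN (/ip address) or a routed remote subnet (/ip route)."""
    lans = [ipaddress.ip_interface(e["address"]).network
            for e in sections.get("/ip address", []) if e.get("address")]
    remotes = [ipaddress.ip_network(e["dst-address"])
               for e in sections.get("/ip route", []) if e.get("dst-address")]
    findings = []
    for pol in sections.get("/ip ipsec policy", []):
        if pol.get("tunnel") != "yes":
            continue
        for key, expected in (("src-address", lans), ("dst-address", remotes)):
            if not pol.get(key):
                continue
            net = ipaddress.ip_network(pol[key], strict=False)
            if any(sub.subnet_of(net) for sub in expected):
                continue
            msg = f"{key}={pol[key]} covers none of {[str(x) for x in expected]}"
            # A /32 on an address ending in .0 is the classic 'forgot the mask'
            # symptom: RouterOS treats a bare address as a single host.
            if net.prefixlen == 32 and int(net.network_address) & 0xFF == 0:
                msg += " (looks like a missing mask; RouterOS defaulted to /32)"
            findings.append(msg)
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint."""
    return lint_policies(parse_export(text))


if __name__ == "__main__":
    for finding in lint_text(EXPORT) or ["no policy findings"]:
        print(finding)
```

Run against the excerpt as posted, it reports both selectors (192.168.88.0/32 and 192.168.2.0/32) as covering nothing and notes the missing-mask pattern; with the masks changed to /24 it reports nothing. The same parser can be pointed at a full /export file, since it only relies on the section-header and key=value layout that /export always produces.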
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN

Fri Mar 27, 2020 7:23 pm

That's what I figured out too.
.0/32 ?
/32 is used for point to point addressing, and for sure not with a zero...
 
DavidBell8819
just joined
Posts: 4
Joined: Fri Mar 27, 2020 11:41 am

Re: Site to Site VPN

Sat Mar 28, 2020 12:32 pm

Check the firewall too, maybe you need to make some changes there.
 
linkomatas
just joined
Topic Author
Posts: 5
Joined: Thu Sep 19, 2019 1:47 pm

Re: Site to Site VPN

Mon Mar 30, 2020 10:07 am

Seems everything is working fine since I changed the mask from /32 to /24. Now I remember that when I configured the tunnel I didn't provide a mask at all, so by default it was /32. Stupid mistake. Thanks, everyone, for your help.
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN

Mon Mar 30, 2020 10:31 am

Yes tunnels are a different story...