BlackRat
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jul 21, 2012 8:37 am

Duplicated ACK tunnel...

Mon Sep 20, 2021 2:02 pm

Two sites.
First site: two ISPs (the first ISP is a wired connection, "ISP1" = bridge-inet; the second ISP is an LTE passthrough connection, "ISP2" = bridge-yota).
The second connection (LTE) we don't use now (but all the rules for it exist).
My internal network: 192.168.XXX.0/24
Client's internal network: 192.168.YYY.0/24
There are several rules to organize the two ISPs:
/ip route rule
add action=lookup-only-in-table src-address=ISP1ExternalIP table=maininet
add action=lookup-only-in-table src-address=ISP2ExternalIP table=backup

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge-inet new-connection-mark=maininet-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=bridge-yota new-connection-mark=backup-in passthrough=yes
add action=mark-routing chain=prerouting connection-mark=maininet-in in-interface-list=!wan new-routing-mark=maininet passthrough=yes
add action=mark-routing chain=prerouting connection-mark=backup-in in-interface-list=!wan new-routing-mark=backup passthrough=yes
add action=mark-routing chain=output connection-mark=maininet-in new-routing-mark=maininet passthrough=yes
add action=mark-routing chain=output connection-mark=backup-in new-routing-mark=backup passthrough=yes

/ip route
add distance=1 gateway=ISP1gateway routing-mark=maininet
add distance=1 gateway=ISP2gateway routing-mark=backup
add distance=1 gateway=ISP1gateway
add distance=2 gateway=ISP2gateway

I created an IPsec tunnel between my router and the client's router.
/ip ipsec policy
add dst-address=192.168.YYY.0/24 peer=CLIENT proposal=hardware-proposal src-address=192.168.XXX.0/24 tunnel=yes

/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=hardware-proposal

/ip ipsec peer
add address=client's_external_address disabled=yes name=CLIENT profile=hardware-profile

/ip ipsec identity
add disabled=yes peer=CLIENT secret=StrongPassword

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=hardware-profile

The tunnel is "established".
I can connect to the internal interface of the client's router by SSH - working perfectly!
But!
When I try a winbox connection I can see NO CONFIGS in any of the winbox windows for the first several seconds (10-20...).
Then winbox disconnects.
I tried Wiresharking the connections and I see bad information (ONLY for Winbox):
1. TCP Dup ACK
2. TCP Retransmission (many)
What's wrong with my config?

I recreated the tunnels as GRE tunnels without IPsec (with TCP MSS clamping and Fast Path):
/interface gre
add local-address=ISP1ExternalIP name=gre-CLIENT remote-address=client's_external_address

But the situation has not changed (SSH is working, Winbox doesn't)!
