Community discussions

felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 2:28 pm

Hi!
I'm trying to set up a VPN with an IPsec tunnel, but one site is behind a NAT:
(attached diagram: image1.png)
The internet provider created NAT rules to redirect ports 500 and 4500 to mikrotik B. After making all the settings, the error "ipsec failed to pre-process ph2 packet" appears.

Config Mikrotik A:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des name=hybrazil

/ip ipsec peer
add address=189.84.205.X/32 comment="SALTO DOS CRAVOS" name=peer12 profile=\
    hybrazil

/ip ipsec proposal
add enc-algorithms=3des name=hybrazil

/ip ipsec identity
add peer=peer12

/ip ipsec policy
add comment="VPN SALTO" disabled=yes dst-address=192.168.19.0/24 peer=peer12 \
    proposal=hybrazil src-address=192.168.80.0/24 tunnel=yes

Config Mikrotik B:
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024
add dh-group=modp1024 enc-algorithm=3des name=profile_1

/ip ipsec peer
add address=187.115.194.X/32 comment="VPN HY BRAZIL" name=peer1 passive=yes \
    profile=profile_1

/ip ipsec proposal
add enc-algorithms=3des name=hybrazil

/ip ipsec identity
add peer=peer1

/ip ipsec policy
add comment="VPN HY BRAZIL" disabled=yes dst-address=192.168.80.0/24 peer=\
    peer1 proposal=hybrazil src-address=192.168.19.0/24 tunnel=yes
 
I read many posts about this problem, but did not find any solution.
Any ideas?

Thanks a lot!
Last edited by felipefonsecabh on Mon Nov 22, 2021 6:08 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 5:58 pm

Config from Mikrotik A says that remote subnet is 192.168.19.0/24, but config from Mikrotik B says that local subnet is 192.168.18.0/24, so that can't work.

Also peer on Mikrotik B doesn't need to be passive, that's when peer can't accept incoming connections, but in this case both can (well, should), one because it has public address and the other because it has forwarded ports to it.

And 3DES is not exactly a modern and recommended algorithm.
 
felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 6:12 pm

> Config from Mikrotik A says that remote subnet is 192.168.19.0/24, but config from Mikrotik B says that local subnet is 192.168.18.0/24, so that can't work.
>
> Also peer on Mikrotik B doesn't need to be passive, that's when peer can't accept incoming connections, but in this case both can (well, should), one because it has public address and the other because it has forwarded ports to it.
>
> And 3DES is not exactly a modern and recommended algorithm.

The wrong IP range in Mikrotik B was a typing error; it is correctly configured on the equipment.
Regarding the passive peer, I tried several possible combinations between the two sides, but none worked.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland
Contact:

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 8:58 pm

Is IPsec a hard requirement?
I have a few different deployments of this type which use Wireguard and that works really well.
Doesn't help you with IPsec unfortunately...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 10:09 pm

I don't see anything else obviously wrong, aside from disabled policies, but I assume that you did try with them enabled. You can enable verbose ipsec logs (in System->Logging) and see if there's some interesting info there. It's not the most pleasant work, since there's a lot of details there. Especially if you have multiple peers that you can't disable, that can be quite annoying because it's all mixed together.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 10:37 pm

Keeping passive=yes at Mikrotik B prevents issues with NAT on the ISP router from occurring when Mikrotik B eventually starts sending before it receives the first packet from Mikrotik A after power loss at Site B. As you've tried with different settings throughout the time, it's better to keep it like that (passive=yes), disable the relevant identity at both Mikrotiks for 10 minutes and then re-enable them. During that time, all tracked UDP connections related to the IPsec session should time out on all firewalls and NATs.

If this doesn't help, I'd have to see the log from both Mikrotiks to give some further advice.
  1. enable detailed logging of IPsec at both Mikrotiks: /system logging add topics=ipsec,!packet
  2. disable the identity at Mikrotik A to stop its connection attempts, wait for 10 minutes to let the retransmissions die out
  3. at both routers, run /log print follow-only file=ipsec-start-router-X where topics~"ipsec" (replace X with A or B as appropriate)
  4. enable the identity at Mikrotik A
  5. after 1 minute, break the /log print ... at both machines, download the files, and see what the difference is; if it doesn't show anything helpful, obfuscate the IP addresses and post the files.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 11:23 pm

@sindy: I'll think twice before I start to fight with you about IPSec, so this is definitely not it, just an innocent question. What can go wrong without passive? If both peers are aware of possible NAT, they can both connect to each other, figure out that there is one, switch to udp encapsulation, and communicate happily. At least I'd expect them to.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec Site to Site with one side behind NAT

Mon Nov 22, 2021 11:41 pm

That's all correct regarding the peers; what I'm afraid of is unknown behaviour of the ISP router, which may decide to replace the source port of a connection initiated by a LAN->WAN packet from port 500 because there is the port forwarding of that port in WAN->LAN direction. And if later a packet from Mikrotik A arrives at port 500 at the public IP, the ISP router will deliver it to Router B, but it will send the response of Router B from the random port, so router A will ignore that response. By setting passive=yes at Mikrotik B, you make sure that the pinhole in the ISP router will be created thanks to the port forwarding (dst-nat) rule.
 
felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

Re: IPsec Site to Site with one side behind NAT

Tue Nov 23, 2021 3:13 pm

Hi! I enabled the IPsec log on Mikrotik B. Phase 1 connects successfully, but phase 2 does not.

Result:
10:08:16 ipsec respond new phase 2 negotiation: 192.168.188.10[4500]<=>187.115.194.X[4500] 
10:08:16 ipsec,debug,packet encryption(3des) 
10:08:16 ipsec,debug,packet IV was saved for next processing: 
10:08:16 ipsec,debug,packet 8e86c07d a92967d1 
10:08:16 ipsec,debug,packet encryption(3des) 
10:08:16 ipsec,debug,packet with key: 
10:08:16 ipsec,debug,packet bce4092e d613c2ed 93e296f8 e1a33e4d 490d57f7 e370c149 
10:08:16 ipsec,debug,packet decrypted payload by IV: 
10:08:16 ipsec,debug,packet 824db843 8ba136f5 
10:08:16 ipsec,debug,packet decrypted payload, but not trimed. 
10:08:16 ipsec,debug,packet 01000018 70ee54d5 16e57bed ee500617 f0e782df eebe956f 0a000034 00000001 
10:08:16 ipsec,debug,packet 00000001 00000028 01030401 031d504e 0000001c 01030000 80010001 80020708 
10:08:16 ipsec,debug,packet 80040003 80050002 80030002 0400001c d8ac2be2 4d4e655c 17e4a53b e74ba01e 
10:08:16 ipsec,debug,packet fe4f6e6a 28078296 05000084 9b7ba8a4 d3b090b2 726c7cb7 e5205a79 8436ed65 
10:08:16 ipsec,debug,packet d92ab522 952a0dfc a1ce6a88 3b4cbe71 4679d830 fa892591 5d96efc0 3ac8fa35 
10:08:16 ipsec,debug,packet 83d2e1b0 ddae0674 4d0518ec ab40aa9a 8cec2ab8 6cea908d b528af4d 1b3a5151 
10:08:16 ipsec,debug,packet 0bb6acdd 8d66a755 68c475eb f2ff34b9 7fb7845f f2bd3615 1a8e56bc dc94af44 
10:08:16 ipsec,debug,packet 27a24c57 0ab69c6e 65e99c4c 05000010 04000000 c0a85000 ffffff00 00000010 
10:08:16 ipsec,debug,packet 04000000 c0a81300 ffffff00 b3159d03 
10:08:16 ipsec,debug,packet padding len=4 
10:08:16 ipsec,debug,packet skip to trim padding. 
10:08:16 ipsec,debug,packet decrypted. 
10:08:16 ipsec,debug,packet dc9b44fb 11c31df1 271857bf 38bbbfc1 08102001 fc7a26a7 0000012c 01000018 
10:08:16 ipsec,debug,packet 70ee54d5 16e57bed ee500617 f0e782df eebe956f 0a000034 00000001 00000001 
10:08:16 ipsec,debug,packet 00000028 01030401 031d504e 0000001c 01030000 80010001 80020708 80040003 
10:08:16 ipsec,debug,packet 80050002 80030002 0400001c d8ac2be2 4d4e655c 17e4a53b e74ba01e fe4f6e6a 
10:08:16 ipsec,debug,packet 28078296 05000084 9b7ba8a4 d3b090b2 726c7cb7 e5205a79 8436ed65 d92ab522 
10:08:16 ipsec,debug,packet 952a0dfc a1ce6a88 3b4cbe71 4679d830 fa892591 5d96efc0 3ac8fa35 83d2e1b0 
10:08:16 ipsec,debug,packet ddae0674 4d0518ec ab40aa9a 8cec2ab8 6cea908d b528af4d 1b3a5151 0bb6acdd 
10:08:16 ipsec,debug,packet 8d66a755 68c475eb f2ff34b9 7fb7845f f2bd3615 1a8e56bc dc94af44 27a24c57 
10:08:16 ipsec,debug,packet 0ab69c6e 65e99c4c 05000010 04000000 c0a85000 ffffff00 00000010 04000000 
10:08:16 ipsec,debug,packet c0a81300 ffffff00 b3159d03 
10:08:16 ipsec,debug begin. 
10:08:16 ipsec,debug seen nptype=8(hash) len=24 
10:08:16 ipsec,debug seen nptype=1(sa) len=52 
10:08:16 ipsec,debug seen nptype=10(nonce) len=28 
10:08:16 ipsec,debug seen nptype=4(ke) len=132 
10:08:16 ipsec,debug seen nptype=5(id) len=16 
10:08:16 ipsec,debug seen nptype=5(id) len=16 
10:08:16 ipsec,debug succeed. 
10:08:16 ipsec,debug received IDci2: 
10:08:16 ipsec,debug 04000000 c0a85000 ffffff00 
10:08:16 ipsec,debug received IDcr2: 
10:08:16 ipsec,debug 04000000 c0a81300 ffffff00 
10:08:16 ipsec,debug HASH(1) validate: 
10:08:16 ipsec,debug 70ee54d5 16e57bed ee500617 f0e782df eebe956f 
10:08:16 ipsec,debug,packet HASH with: 
10:08:16 ipsec,debug,packet fc7a26a7 0a000034 00000001 00000001 00000028 01030401 031d504e 0000001c 
10:08:16 ipsec,debug,packet 01030000 80010001 80020708 80040003 80050002 80030002 0400001c d8ac2be2 
10:08:16 ipsec,debug,packet 4d4e655c 17e4a53b e74ba01e fe4f6e6a 28078296 05000084 9b7ba8a4 d3b090b2 
10:08:16 ipsec,debug,packet 726c7cb7 e5205a79 8436ed65 d92ab522 952a0dfc a1ce6a88 3b4cbe71 4679d830 
10:08:16 ipsec,debug,packet fa892591 5d96efc0 3ac8fa35 83d2e1b0 ddae0674 4d0518ec ab40aa9a 8cec2ab8 
10:08:16 ipsec,debug,packet 6cea908d b528af4d 1b3a5151 0bb6acdd 8d66a755 68c475eb f2ff34b9 7fb7845f 
10:08:16 ipsec,debug,packet f2bd3615 1a8e56bc dc94af44 27a24c57 0ab69c6e 65e99c4c 05000010 04000000 
10:08:16 ipsec,debug,packet c0a85000 ffffff00 00000010 04000000 c0a81300 ffffff00 
10:08:16 ipsec,debug,packet hmac(hmac_sha1) 
10:08:16 ipsec,debug,packet HASH computed: 
10:08:16 ipsec,debug,packet 70ee54d5 16e57bed ee500617 f0e782df eebe956f 
10:08:16 ipsec,debug total SA len=48 
10:08:16 ipsec,debug 00000001 00000001 00000028 01030401 031d504e 0000001c 01030000 80010001 
10:08:16 ipsec,debug 80020708 80040003 80050002 80030002 
10:08:16 ipsec,debug begin. 
10:08:16 ipsec,debug seen nptype=2(prop) len=40 
10:08:16 ipsec,debug succeed. 
10:08:16 ipsec,debug proposal #1 len=40 
10:08:16 ipsec,debug begin. 
10:08:16 ipsec,debug seen nptype=3(trns) len=28 
10:08:16 ipsec,debug succeed. 
10:08:16 ipsec,debug transform #1 len=28 
10:08:16 ipsec,debug type=SA Life Type, flag=0x8000, lorv=seconds 
10:08:16 ipsec,debug type=SA Life Duration, flag=0x8000, lorv=1800 
10:08:16 ipsec,debug life duration was in TLV. 
10:08:16 ipsec,debug type=Encryption Mode, flag=0x8000, lorv=UDP-Tunnel 
10:08:16 ipsec,debug UDP encapsulation requested 
10:08:16 ipsec,debug type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha1 
10:08:16 ipsec,debug type=Group Description, flag=0x8000, lorv=2 
10:08:16 ipsec,debug dh(modp1024) 
10:08:16 ipsec,debug pair 1: 
10:08:16 ipsec,debug  0x4ac770: next=(nil) tnext=(nil) 
10:08:16 ipsec,debug proposal #1: 1 transform 
10:08:16 ipsec,debug got the local address from ID payload 192.168.19.0[0] prefixlen=24 ul_proto=255 
10:08:16 ipsec,debug got the peer address from ID payload 192.168.80.0[0] prefixlen=24 ul_proto=255 
10:08:16 ipsec searching for policy for selector: 192.168.19.0/24 <=> 192.168.80.0/24 
10:08:16 ipsec policy not found 
10:08:16 ipsec failed to get proposal for responder. 
10:08:16 ipsec,error 187.115.194.X failed to pre-process ph2 packet.
I see the error "ipsec policy not found", but I don't understand the reason for this error.
 
felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

Re: IPsec Site to Site with one side behind NAT

Tue Nov 23, 2021 4:19 pm

I tried changing the hash and encryption algorithms, but the same error occurs.
On the other Mikrotik the error NO-PROPOSAL-CHOSEN appears:
11:17:21 ipsec,debug,packet compute IV for phase2 
11:17:21 ipsec,debug,packet phase1 last IV: 
11:17:21 ipsec,debug,packet b67f7c52 d79a52d7 c3d023e3 db4718ee d742c445 
11:17:21 ipsec,debug hash(sha2_256) 
11:17:21 ipsec,debug,packet encryption(aes) 
11:17:21 ipsec,debug,packet phase2 IV computed: 
11:17:21 ipsec,debug,packet f66c376c a2d09864 7332db4a 54ec753d 
11:17:21 ipsec,debug,packet encryption(aes) 
11:17:21 ipsec,debug,packet IV was saved for next processing: 
11:17:21 ipsec,debug,packet 4ce852fa b868ffe3 33b0711c d0687757 
11:17:21 ipsec,debug,packet encryption(aes) 
11:17:21 ipsec,debug,packet with key: 
11:17:21 ipsec,debug,packet 294230b0 e3fa758e 0b18cdd6 fd3bc853 
11:17:21 ipsec,debug,packet decrypted payload by IV: 
11:17:21 ipsec,debug,packet f66c376c a2d09864 7332db4a 54ec753d 
11:17:21 ipsec,debug,packet decrypted payload, but not trimed. 
11:17:21 ipsec,debug,packet 0b000024 d81f695c 86f7de67 af2ecc9d c8c50e8c 8d84828a f04aab3b f17bf367 
11:17:21 ipsec,debug,packet 13c6a770 0000000c 00000001 0100000e 47cc2b9b a8750cb6 58bcbd28 c951280f 
11:17:21 ipsec,debug,packet padding len=16 
11:17:21 ipsec,debug,packet skip to trim padding. 
11:17:21 ipsec,debug,packet decrypted. 
11:17:21 ipsec,debug,packet 7b0982fe e7291c13 b42cadc0 36756473 08100501 d742c445 0000005c 0b000024 
11:17:21 ipsec,debug,packet d81f695c 86f7de67 af2ecc9d c8c50e8c 8d84828a f04aab3b f17bf367 13c6a770 
11:17:21 ipsec,debug,packet 0000000c 00000001 0100000e 47cc2b9b a8750cb6 58bcbd28 c951280f 
11:17:21 ipsec,debug,packet HASH with: 
11:17:21 ipsec,debug,packet d742c445 0000000c 00000001 0100000e 
11:17:21 ipsec,debug,packet hmac(hmac_sha2_256) 
11:17:21 ipsec,debug,packet HASH computed: 
11:17:21 ipsec,debug,packet d81f695c 86f7de67 af2ecc9d c8c50e8c 8d84828a f04aab3b f17bf367 13c6a770 
11:17:21 ipsec,debug hash validated. 
11:17:21 ipsec,debug begin. 
11:17:21 ipsec,debug seen nptype=8(hash) len=36 
11:17:21 ipsec,debug seen nptype=11(notify) len=12 
11:17:21 ipsec,debug succeed. 
11:17:21 ipsec,debug 189.84.205.X notify: NO-PROPOSAL-CHOSEN 
11:17:21 ipsec 189.84.205.X fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Any Ideas?
 
felipefonsecabh
just joined
Topic Author
Posts: 21
Joined: Wed May 20, 2020 9:57 pm
Location: Brazil

Re: IPsec Site to Site with one side behind NAT

Tue Nov 23, 2021 6:07 pm

I implemented a VPN identical to this one with another Mikrotik, and the VPN worked normally.
So something on the ISP's router is blocking the connection with Mikrotik A.

I'll check with ISP and return.

Thanks a lot!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec Site to Site with one side behind NAT  [SOLVED]

Tue Nov 23, 2021 6:22 pm

I don't think it is an ISP issue. What happens is:
10:08:16 ipsec searching for policy for selector: 192.168.19.0/24 <=> 192.168.80.0/24
given that the traffic selector is in accord with the policy you've posted in the OP, and that the policies are symmetrical (the dst-address of one of them matches the src-address of the other one and vice versa), my assumption is that the incoming IKE session has landed on a wrong peer. So the policy with a matching traffic selector does exist, but for another peer than the one chosen using identity. So the result is
10:08:16 ipsec policy not found

As no policy could be found using the traffic selector as a key, there is no way to find a proposal to use, hence
10:08:16 ipsec failed to get proposal for responder (and the NO_PROPOSAL_CHOSEN notification to the initiator).

So post /ip ipsec export verbose hide-sensitive from both machines, with properly obfuscated public IPs (properly means that all occurrences of each IP address are substituted by exactly the same string).
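As an added illustration (not code from the thread or from RouterOS), the following Python decodes the IDci2/IDcr2 payload bytes quoted in the log above into the phase 2 traffic selector and models the responder's policy lookup described in this post: it reproduces "policy not found" both when the IKE session was matched to a different peer (the diagnosis here) and when the local subnet was mistyped (Sob's first reply). The Policy class and find_policy are a simplified model of the lookup, not RouterOS internals.

```python
import ipaddress
from dataclasses import dataclass

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET = 1, 4

def parse_id_payload(hexwords: str) -> ipaddress.IPv4Network:
    """Decode a phase 2 ID payload body as RouterOS prints it after
    'received IDci2:' / 'received IDcr2:': ID type (1 byte), protocol
    (1 byte), port (2 bytes), then the address data."""
    data = bytes.fromhex(hexwords.replace(" ", ""))
    id_type = data[0]
    if id_type == ID_IPV4_ADDR_SUBNET:        # address + netmask
        addr = ipaddress.IPv4Address(data[4:8])
        mask = ipaddress.IPv4Address(data[8:12])
        return ipaddress.IPv4Network(f"{addr}/{mask}")
    if id_type == ID_IPV4_ADDR:               # single host
        return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(data[4:8])}/32")
    raise ValueError(f"unsupported ID type {id_type}")

@dataclass(frozen=True)
class Policy:
    peer: str                   # /ip ipsec policy peer=
    src: ipaddress.IPv4Network  # local subnet (src-address)
    dst: ipaddress.IPv4Network  # remote subnet (dst-address)

def find_policy(policies, peer, local, remote):
    """Simplified model of the responder's lookup (not RouterOS code):
    the selector must match a policy bound to the peer the IKE SA was
    matched to; a matching selector on another peer does not count."""
    for p in policies:
        if p.peer == peer and p.src == local and p.dst == remote:
            return p
    return None

# Selectors taken from the 'received IDci2/IDcr2' lines of the log above.
# On the responder, IDci is the initiator's (remote) subnet, IDcr ours.
REMOTE = parse_id_payload("04000000 c0a85000 ffffff00")  # 192.168.80.0/24
LOCAL = parse_id_payload("04000000 c0a81300 ffffff00")   # 192.168.19.0/24

net = ipaddress.IPv4Network
POLICIES_B = [Policy("peer1", net("192.168.19.0/24"), net("192.168.80.0/24"))]
POLICIES_B_TYPO = [Policy("peer1", net("192.168.18.0/24"), net("192.168.80.0/24"))]

if __name__ == "__main__":
    for label, pols, peer in [("correct peer", POLICIES_B, "peer1"),
                              ("session on other peer", POLICIES_B, "peer_x"),
                              ("mistyped local subnet", POLICIES_B_TYPO, "peer1")]:
        hit = find_policy(pols, peer, LOCAL, REMOTE)
        print(f"{label}: {'policy on ' + hit.peer if hit else 'policy not found'}")
```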
