marcinkacper

Dual WAN, VLAN, IPSec IKEv2

Thu May 19, 2022 4:27 pm

Hi,

I have a problem with exchanging data over the VPN. I got the VPN login details from Octawave. There was a network address on the VPN side, however I don't know how to set up the firewall. My actual setup:

IP Firewall NAT
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=10.150.10.0/24 
      dst-address=192.168.100.0/24 

 1    chain=srcnat action=masquerade src-address=192.168.100.0/23 log=no 
      log-prefix="" ipsec-policy=out,none 

 2    chain=srcnat action=masquerade src-address=192.168.200.0/24 log=no 
      log-prefix="" 

 3    chain=srcnat action=masquerade src-address=192.168.50.0/24 log=no 
      log-prefix="" 

 4    chain=srcnat action=masquerade src-address=192.168.40.0/24 log=no 
      log-prefix="" 

 5    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 
      ipsec-policy=out,none 

 6    chain=srcnat action=src-nat to-addresses=85.221.196.154 
      src-address=10.150.10.0/24 out-interface=ether1 log=no log-prefix="" 
      ipsec-policy=out,none 

IP Firewall

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=forward action=accept connection-state=established,related 
      src-address=10.150.10.0/24 dst-address=192.168.100.0/24 log=no 
      log-prefix="" ipsec-policy=in,ipsec 

 2    chain=forward action=accept connection-state=established,related 
      src-address=192.168.100.0/24 dst-address=10.150.10.0/24 log=no 
      log-prefix="" ipsec-policy=out,ipsec 

 3    chain=input action=accept protocol=udp src-address=176.119.63.106 
      dst-port=4500 log=no log-prefix="" 

 4 X  chain=input action=accept protocol=udp src-address=176.119.63.106 
      dst-port=1701 log=no log-prefix="" 

 5    chain=input action=accept protocol=udp src-address=176.119.63.106 
      dst-port=500 log=no log-prefix="" 

 6    chain=input action=accept protocol=ipsec-esp src-address=176.119.63.106 
      log=no log-prefix="" 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9 X  ;;; FastTrack: established & related
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

10    chain=forward action=fasttrack-connection 
      connection-state=established,related 

11 X  chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

12    ;;; Accept Related or Established Connections
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

13    ;;; Accept New Connections
      chain=forward action=accept connection-state=new log=no log-prefix="" 

14    ;;; Accept Related or Established Connections
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

15    chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=n>
      log-prefix="" 

16    chain=input action=drop protocol=udp in-interface=ether2 dst-port=53 log=n>
      log-prefix="" 

17    chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53 log=n>
      log-prefix="" 

18    chain=input action=drop protocol=tcp in-interface=ether2 dst-port=53 log=n>
      log-prefix="" 

19    chain=forward action=drop in-interface=OFFICE out-interface=CCTV log=no 
      log-prefix="" 

20    chain=forward action=drop in-interface=CCTV out-interface=OFFICE log=no 
      log-prefix="" 

21    chain=forward action=drop in-interface=WIFI out-interface=CCTV log=no 
      log-prefix="" 

22    chain=forward action=drop in-interface=CCTV out-interface=WIFI log=no 
      log-prefix=""

IP Address

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.100.1/23   192.168.100.0   OFFICE                                   
 1   85.221.196.154/30  85.221.196.152  ether1                                    
 2   192.168.200.1/24   192.168.200.0   WIFI                                     
 3   192.168.50.1/24    192.168.50.0    CCTV                                     
 4   192.168.40.1/24    192.168.40.0    MGMT                                     
 5   192.168.88.2/24    192.168.88.0    ether2                                   
 6 I 192.168.1.0/24     192.168.1.0     vlan1                                    

IP IPSEC installed-sa

Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0x4F911F0 src-address=176.119.63.106 dst-address=85.221.196.154 
      state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="xx" enc-key="xx" 
      add-lifetime=19h12m20s/1d26s replay=128 

 1  E spi=0xC348E7AF src-address=85.221.196.154 dst-address=176.119.63.106 
      state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="xx" enc-key="xx" 
      add-lifetime=19h12m20s/1d26s replay=128 

policy print detail

Flags: T - template, B - backup, 
X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T X* group=default src-address=176.119.63.106/32 dst-address=85.221.196.154/32 
        protocol=all proposal=default template=yes 

 1   A  peer=Octawave tunnel=yes src-address=192.168.100.0/24 src-port=any 
        dst-address=10.150.10.0/24 dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp sa-src-address=85.221.196.154 
        sa-dst-address=176.119.63.106 proposal=Oktawave ph2-count=1
Can anyone repair my configuration?
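Added example, not part of the post and not MikroTik code: a small Python audit that parses RouterOS `print` output like the dumps above and walks the srcnat chain against each encrypt policy, because a masquerade or src-nat that rewrites the source address before the IPsec policy lookup leaves the packet outside the policy's src-address, which is what the `ipsec-policy=out,none` matcher (or an earlier accept rule) is there to prevent. It assumes only chain, action, src-address, dst-address and ipsec-policy matter (interface and port matchers are treated as "any"), and the embedded NAT rules 0 and 1 and policy 1 are re-typed from the post.

```python
import ipaddress, re, shlex

# Constructed sample: NAT rules 0 and 1 plus IPsec policy 1 from the post above.
NAT_TEXT = """\
 0    chain=srcnat action=accept src-address=10.150.10.0/24
      dst-address=192.168.100.0/24
 1    chain=srcnat action=masquerade src-address=192.168.100.0/23 log=no
      log-prefix="" ipsec-policy=out,none
"""
POLICY_TEXT = """\
 1   A  peer=Octawave tunnel=yes src-address=192.168.100.0/24 src-port=any
        dst-address=10.150.10.0/24 dst-port=any protocol=all action=encrypt
"""

def parse_print(text):
    """One dict per numbered entry; continuation lines are indented, ';;;' starts a comment."""
    entries = []
    for line in text.splitlines():
        head = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if head:
            entries.append({"id": int(head.group(1))})
        elif not entries:
            continue  # header lines before the first entry
        for tok in shlex.split((head.group(2) if head else line).split(";;;")[0]):
            key, has_value, val = tok.partition("=")  # flag letters (X, A, T) have no "="
            if has_value:
                entries[-1][key] = val
    return entries

def covers(rule, src, dst):
    """True if the rule's address matchers (absent = any) include src -> dst."""
    return (src.subnet_of(ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0")))
            and dst.subnet_of(ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"))))

def audit(nat_rules, policies):
    """Walk srcnat top-down per encrypt policy: flag an accept with src/dst reversed
    relative to the policy, or a masquerade/src-nat lacking ipsec-policy=out,none."""
    findings = []
    for pol in (p for p in policies if p.get("action") == "encrypt"):
        psrc, pdst = (ipaddress.ip_network(pol[k]) for k in ("src-address", "dst-address"))
        for r in (r for r in nat_rules if r.get("chain") == "srcnat"):
            if r["action"] == "accept" and covers(r, psrc, pdst):
                break  # accept ends NAT processing, so policy traffic stays untouched
            if r["action"] == "accept" and covers(r, pdst, psrc):
                findings.append(f"nat {r['id']}: accept has src/dst reversed vs policy {pol['id']}")
            elif r["action"] in ("masquerade", "src-nat") and covers(r, psrc, pdst) \
                    and r.get("ipsec-policy") != "out,none":
                findings.append(f"nat {r['id']}: {r['action']} would rewrite policy {pol['id']} traffic")
                break
    return findings
```

On the sample it reports rule 0, whose src/dst are the reverse of policy 1's; rules 1 and 5 in the post already carry `ipsec-policy=out,none` and are not reported.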
