lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

ROUTEROS 7 IPSEC NAT problem

Fri Jun 03, 2022 8:17 am

Hello,

Upgraded CCR1036 v6.48.6 to v7.2.3, ipsec tunnel was established, but incoming packets were not matching against DST_NAT rule. So the traffic was not able to pass the tunnel.
Rolled back to v6 and all is good.
Is it going to be fixed in next v7 release?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROUTEROS 7 IPSEC NAT problem

Fri Jun 03, 2022 6:40 pm

So something with IPSec and dstnat works for you in v6 and not in v7. You didn't share any details beyond that, so nobody can really know what's happening. And you'd like to know if it's going to change. I don't think we can tell you without knowing what exactly it is.
 
lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

Re: ROUTEROS 7 IPSEC NAT problem

Fri Jun 03, 2022 6:45 pm

> So something with IPSec and dstnat works for you in v6 and not in v7. You didn't share any details beyond that, so nobody can really know what's happening. And you'd like to know if it's going to change. I don't think we can tell you without knowing what exactly it is.

I have shared enough details to see that problem is in v7. DST-NAT stops working as soon as upgraded to v7, when back to v6, it works fine with ipsec.
If you need something else, please ask.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROUTEROS 7 IPSEC NAT problem

Fri Jun 03, 2022 7:20 pm

No, you didn't share any details. You just wrote that some dstnat rule supposedly broke in v7 and it's probably somehow related to IPSec tunnel, because you mentioned it. That's all. You didn't share the dstnat rule, didn't explain how it's related to IPSec tunnel, nothing.

As far as I can tell, dstnat in v7 works just fine, exactly the same way it worked in v6. So if you were unlucky to discover some corner case where it doesn't, and you want some help with that, you should provide some actual details. For example, posting exported config and explaining important parts often leads to great success.
 
lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

Re: ROUTEROS 7 IPSEC NAT problem

Fri Jun 03, 2022 7:28 pm

> No, you didn't share any details. You just wrote that some dstnat rule supposedly broke in v7 and it's probably somehow related to IPSec tunnel, because you mentioned it. That's all. You didn't share the dstnat rule, didn't explain how it's related to IPSec tunnel, nothing.
>
> As far as I can tell, dstnat in v7 works just fine, exactly the same way it worked in v6. So if you were unlucky to discover some corner case where it doesn't, and you want some help with that, you should provide some actual details. For example, posting exported config and explaining important parts often leads to great success.

Dst-nat rule contains ipsec tunnel far-end server address as src and ipsec tunnel peer ip address as dst address, then it makes dst-nat to my internal host.

As soon as I upgrade to v7, matching to that rule disappears, no matter whether I set incoming interface or not.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROUTEROS 7 IPSEC NAT problem

Fri Jun 03, 2022 10:13 pm

I can tell you that
/ip firewall nat
add src-address=X dst-address=Y action=dst-nat to-addresses=Z
is simple rule that definitely works in v7. If yours doesn't, then it's probably caused by something else in your config, but since nobody else has any idea what you might have there...
 
lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 8:08 am

> I can tell you that
> /ip firewall nat
> add src-address=X dst-address=Y action=dst-nat to-addresses=Z
> is simple rule that definitely works in v7. If yours doesn't, then it's probably caused by something else in your config, but since nobody else has any idea what you might have there...

Simple ipsec with 3des, which is established, and this dst-nat rule. That's all.
I saw another post where the same v7 problem is described [ somehow related to nat ].
Just imagine, something works good on v6 for years and after upgrade rule stops matching, back and that's good. Exactly the same thing other users are reporting.
 
lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 8:26 am

/ip ipsec policy group
add name=group2
/ip ipsec profile
add enc-algorithm=3des name=profile_1
/ip ipsec peer
add address=remote_peer_public_ip/32 local-address=local_peer_public_ip name=to_company_x profile=profile_1
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc
add enc-algorithms=3des name=to_company_x pfs-group=none
/ip ipsec identity
add peer=to_company_x secret="somesecret"
/ip ipsec policy
set 0 disabled=yes
add dst-address=remote_server_ip/32 level=unique peer=to_company_x proposal=to_company_x src-address=local_public_ip/32 tunnel=yes

/ip firewall nat
add action=dst-nat chain=dstnat comment="" dst-address=local_public_ip src-address=remote_server_ip to-addresses=local_server_ip

Requests are coming from remote server, to local server
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 11:38 am

That sure is a strange setup, probably not many users have that.
But probably it should work...
Anyway, it would be better to study and understand the concept of a tunnel. Then you do not need the NAT.
 
lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 3:24 pm

I know the purpose of the tunnels.
This tunnel is peering a bank, which needs public IP on my side as a service dest., that's why dst nat is needed, as internal server of the company sits in private pool.
It worked fine for 8 years till v7 and it's very usual practice in such scenarios. Hope it's clear now.
Last edited by lashguti on Sat Jun 04, 2022 4:18 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 3:57 pm

I have never seen it before.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 6:39 pm

Seems clear enough, but I don't see why it shouldn't work. I'll try to test it and I'm pretty sure it will be ok.
 
lashguti
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Apr 21, 2012 7:42 am

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 8:16 pm

> Seems clear enough, but I don't see why it shouldn't work. I'll try to test it and I'm pretty sure it will be ok.

Test it on ccr, as some of the reports say ccr has this problem. Mine also is ccr1036
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sat Jun 04, 2022 8:35 pm

Sorry, I don't have any. I tried CHR and it works as expected, no problem. But if it should happen only with one architecture, and if you have spare device, then try to reproduce it with minimal config, just tunnel and one dstnat rule. If you succeed (and it won't work), you can report it to MikroTik and they should be able to reproduce it too and fix it. If it will work, then you'll have to find what difference between real and this minimal testing config is responsible for it.
 
PUDIS
just joined
Posts: 6
Joined: Fri Oct 25, 2019 8:35 am

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 06, 2022 5:28 pm

I have the same problem with IPsec after upgrade from V6.49.6 to V7.5 on CCR1016
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 06, 2022 6:09 pm

I'm sure that it works fine if configured properly.
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 06, 2022 6:48 pm

> I have the same problem with IPsec after upgrade from V6.49.6 to V7.5 on CCR1016

How does the v7 configuration look like? Post an export.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 06, 2022 6:59 pm

> I have the same problem with IPsec after upgrade from V6.49.6 to V7.5 on CCR1016

From release topic:
This is too general, it may depend on how you have configured the device.
There have been many changes from 6.x to 7.x, especially in BGP and Routing,
which probably make the configuration incompatible with what you expect.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 06, 2022 7:06 pm

Indeed, now I also add:

It is perfectly useless to write like this.

If you do not provide an export before the update, an export after, and you do not create a supout
and do not send everything to support@mikrotik.com accompanied by an adequate description,
it is perfectly useless, it could also be fake, and it could also be a very trivial configuration error.
 
hats
just joined
Posts: 13
Joined: Sat Jun 23, 2018 9:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Wed Sep 07, 2022 12:32 am

I have problems with IPSEC too.

I have simple setup:

server<---lan--->routerboard1(ROS7)<---wireguard-->routerboard2(ROS7)<----l2tp/ipsec---->routerboard3(ROS6)

After upgrading routerboard2 from ROS 6.48.6 lts to ROS 7.5 stable - clients behind routerboard3 lost access to server. If I switch from l2tp/ipsec to simple pptp it works fine. Or I have to downgrade routerboard2 back to ROS6 to make it work again.

Is it a bug or feature?
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: ROUTEROS 7 IPSEC NAT problem

Wed Sep 07, 2022 8:19 am

And where is the v7 config? It may be that after an upgrade you have to change some in the config.
You can start over with no config and then add config step by step.
 
hats
just joined
Posts: 13
Joined: Sat Jun 23, 2018 9:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Wed Sep 07, 2022 11:05 am

here it is:

Config is very simple - ipsec default values - nothing changed

EDIT:
Since the forum has the space to post the config, why does it come to mind to use a third party site to host the configuration?
# sep/07/2022 10:58:27 by RouterOS 7.5
# software id = 8Y7Z-MPVF
#
# model = RB750Gr3
/interface pptp-server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
add name=pptp-in-komrat user=komrat
/interface bridge
add admin-mac=DC:2C:6E:A5:90:D5 auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full l2mtu=1598 speed=100Mbps
/interface l2tp-server
add name=l2tp-in-b.yurii user=b.yurii
add name=l2tp-in-bend_magazin user=bend_magazin
add name=l2tp-in-bendery user=bendery
add name=l2tp-in-bvp88 user=bvp88
add name=l2tp-in-dimasb user=dimasb
add name=l2tp-in-noodle user=noodle
add name=l2tp-in-oleg user=oleg
add name=l2tp-in-pavel.s user=pavel.s
add name=l2tp-in-rost user=rost
add name=l2tp-in-serghei_sw user=serghei_sw
/interface wireguard
add listen-port=51280 mtu=1420 name=wg-aaa
add listen-port=51281 mtu=1420 name=wg-mgmt
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.99
add name=vpn_pool ranges=10.10.66.10-10.10.66.100
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
/port
set 0 name=serial0
/ppp profile
set *0 only-one=yes
add change-tcp-mss=yes local-address=10.10.66.1 name=vpn_profile only-one=yes \
    remote-address=vpn_pool
set *FFFFFFFE only-one=yes
/system logging action
set 1 disk-file-name=log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=vpn_profile enabled=yes one-session-per-host=yes \
    use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=l2tp-in-bendery list=LAN
add interface=wg-aaa list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface wireguard peers
add allowed-address=10.100.9.2/32,172.16.64.0/24,172.16.48.0/24 interface=\
    wg-aaa persistent-keepalive=1m public-key=\
    "3xHf2EF8FOLsllOj/R5g0WkHKwbuLGU42tIDglyO0kA="
add allowed-address=172.16.100.1/32,172.16.128.240/28 endpoint-address=\
    xx.xx.xx.xx endpoint-port=51281 interface=wg-mgmt persistent-keepalive=\
    1m public-key="+bOAra4X60R6b2rFrU7x2hZKzrwSZpmpWcYB+GfiVj4="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=xx.xx.xx.xx/30 interface=ether1 network=xx.xx.xx.xx
add address=10.100.9.1/24 interface=wg-aaa network=10.100.9.0
add address=172.16.100.171/24 interface=wg-mgmt network=172.16.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=*2
/ip dhcp-server lease
add address=192.168.1.108 client-id=1:d0:50:99:85:31:9e mac-address=\
    D0:50:99:85:31:9E server=defconf
add address=192.168.1.106 client-id=1:e0:d5:5e:27:91:1a mac-address=\
    E0:D5:5E:27:91:1A server=defconf
add address=192.168.1.107 client-id=1:d8:5e:d3:58:6a:84 mac-address=\
    D8:5E:D3:58:6A:84 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=xx.xx.xx.xx list=admin
add address=172.16.128.240/28 list=admin
add address=10.10.66.0/24 list=allow_rdp_apteka
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input src-address-list=admin
add action=accept chain=input comment="l2tp tunnel" dst-port=500,1701,4500 \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input dst-port=51280 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx
add disabled=no distance=1 dst-address=172.16.64.0/24 gateway=wg-aaa \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.101.0/24 gateway=*18 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=172.16.128.240/28 gateway=wg-mgmt \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=172.16.136.0/24 gateway=l2tp-in-bendery
add disabled=no distance=1 dst-address=172.16.48.247/32 gateway=wg-aaa \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=172.16.2.0/24 gateway=l2tp-in-bendery \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=rost profile=vpn_profile service=l2tp
add name=komrat profile=vpn_profile service=pptp
add name=noodle profile=vpn_profile service=l2tp
add name=oleg profile=vpn_profile service=l2tp
add name=pavel.s profile=vpn_profile service=l2tp
add local-address=10.10.66.1 name=bendery profile=vpn_profile remote-address=\
    10.10.66.2 service=l2tp
add name=b.yurii profile=vpn_profile service=l2tp
add name=serghei_sw profile=vpn_profile service=l2tp
add name=bvp88 profile=vpn_profile service=l2tp
add name=dimasb profile=vpn_profile service=l2tp
add name=bend_magazin profile=vpn_profile service=l2tp
add name=qd profile=vpn_profile service=l2tp
/system clock
set time-zone-name=Europe/Chisinau
/system identity
set name=rb-core.almdn.ext
/system leds
add interface=*1 leds="" type=wireless-status
/system resource irq rps
set ether5 disabled=no
set ether4 disabled=no
set ether3 disabled=no
set ether2 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set use-radius=yes
Last edited by rextended on Wed Sep 07, 2022 11:15 am, edited 1 time in total.
Reason: removed 3rd party
 
PUDIS
just joined
Posts: 6
Joined: Fri Oct 25, 2019 8:35 am

Re: ROUTEROS 7 IPSEC NAT problem

Fri Sep 09, 2022 10:07 am

Can someone also test with Device: CCR1016-12G

I have this configuration:
https://help.mikrotik.com/docs/display/ROS/IPsec
#Site to Site IPsec (IKEv1) tunnel

V6.49.6 - All working OK
V7.5 - IPsec connection established - NAT not working!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: ROUTEROS 7 IPSEC NAT problem

Fri Sep 09, 2022 10:19 am

There's no NAT involved in Site-to-Site config, and there shouldn't be any.
Post your anonymized config in here or in another new topic.
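
One way to anonymize a RouterOS export before posting it, as requested above. This is an added example, not part of the original thread and not MikroTik tooling; the sample export, its addresses, secret and key are constructed, and the `PUBLIC_IP_n` / `MAC_n` placeholder names are this example's own. Each public address always maps to the same placeholder, so the relationship between an IPsec policy and a dst-nat rule stays readable.

```python
import ipaddress
import re

# Constructed sample in the style of the exports posted in this thread.
# 198.51.100.7 and 203.0.113.5 are documentation addresses standing in for
# real public IPs; the secret, key and software id are made up.
SAMPLE_EXPORT = r'''# software id = ABCD-1234
/interface wireguard peers
add allowed-address=10.100.9.2/32 interface=wg0 public-key=\
    "CONSTRUCTED-SAMPLE-KEY-NOT-REAL="
/ip ipsec identity
add peer=to_company_x secret="somesecret"
/ip ipsec policy
add dst-address=203.0.113.5/32 peer=to_company_x src-address=198.51.100.7/32 \
    tunnel=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=198.51.100.7 src-address=\
    203.0.113.5 to-addresses=192.168.1.108
/ip dhcp-server lease
add address=192.168.1.108 mac-address=D0:50:99:85:31:9E server=defconf
'''

# Ranges that are kept as-is so the internal topology stays readable.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]
SECRET_RE = re.compile(
    r'\b(secret|password|private-key|public-key|preshared-key)=("[^"]*"|\S+)')
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def anonymize_export(text):
    """Return (sanitized_text, mapping) for a RouterOS export dump."""
    # Exports wrap long lines with a trailing backslash; join them first so a
    # value split across two lines (public-key=\ then the key) still matches.
    text = re.sub(r"\\\n[ \t]*", "", text)
    mapping = {}

    def alias(kind, value):
        # Same real value -> same placeholder, so a reader can still see that
        # the NAT rule and the IPsec policy refer to the same address.
        key = (kind, value.lower())
        if key not in mapping:
            n = sum(1 for k in mapping if k[0] == kind) + 1
            mapping[key] = "%s_%d" % (kind, n)
        return mapping[key]

    def ip_sub(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)  # not a valid IPv4 address, leave untouched
        if any(ip in net for net in KEEP_NETS):
            return m.group(0)
        return alias("PUBLIC_IP", m.group(0))

    text = SECRET_RE.sub(lambda m: '%s="REDACTED"' % m.group(1), text)
    text = re.sub(r"^(# software id = )\S+", r"\1REDACTED", text, flags=re.M)
    text = MAC_RE.sub(lambda m: alias("MAC", m.group(0)), text)
    text = IPV4_RE.sub(ip_sub, text)
    return text, mapping


if __name__ == "__main__":
    print(anonymize_export(SAMPLE_EXPORT)[0])
```

The returned mapping holds the real values, so it stays private; only the sanitized text is posted.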
 
hats
just joined
Posts: 13
Joined: Sat Jun 23, 2018 9:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sun Sep 11, 2022 4:44 pm

Looks like there is nobody in MikroTik who is interested in solving this issue. In my case I have replaced l2tp/ipsec server and clients with wireguard and all works as expected.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROUTEROS 7 IPSEC NAT problem

Sun Sep 11, 2022 4:58 pm

Glad you got a working vpn there HATS, I looked at your config and it was too complex for me to figure out LOL.
Wireguard is direct and understandable, and probably adequate for any homeowner and small business.

As for the rest, if you don't share your config for FREE assistance, suggest find another forum.
 
kiragun
just joined
Posts: 1
Joined: Thu Jul 23, 2020 3:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sun Sep 18, 2022 12:27 am

Hello there.
I swap my CHR 7.5 to hEX with 7.5 stable-release firmware, and I have NAT problem with L2TP+ipsec.
NAT with another SSTP tunnels work well.
Networking map:
<host>---[RB-7.5](wireguard)---(wireguard)[RB-7.5_VPN-Server]<l2tp+ipsec>---<l2tp+ipsec>[RB-6.48_VPN-Client]
Maybe, it's trouble with hardware encrypting?
If I start ping, 1 packet per 100 maybe work correctly.

I make 1-to-1 configuration to new board:
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-profile enabled=yes use-ipsec=required
Last edited by kiragun on Sun Sep 18, 2022 12:30 am, edited 1 time in total.
 
hats
just joined
Posts: 13
Joined: Sat Jun 23, 2018 9:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Sun Sep 18, 2022 5:59 pm

> Hello there.
> I swap my CHR 7.5 to hEX with 7.5 stable-release firmware, and I have NAT problem with L2TP+ipsec.
> NAT with another SSTP tunnels work well.
> Networking map:
> <host>---[RB-7.5](wireguard)---(wireguard)[RB-7.5_VPN-Server]<l2tp+ipsec>---<l2tp+ipsec>[RB-6.48_VPN-Client]
> Maybe, it's trouble with hardware encrypting?
> If I start ping, 1 packet per 100 maybe work correctly.
>
> I make 1-to-1 configuration to new board:
> /interface l2tp-server server
> set authentication=mschap2 default-profile=l2tp-profile enabled=yes use-ipsec=required

I have had exact case. 99% packet loss. 10 days support ignoring my ticket. Switched from l2tp/ipsec to wireguard. I can't wait for ages.
 
hats
just joined
Posts: 13
Joined: Sat Jun 23, 2018 9:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Mon Sep 19, 2022 8:33 pm

At last I have an answer from support:

"Thank you for the report. We are currently investigating issues with the crypto driver on MMIPS (including hEX) devices. Hopefully, the issue can be resolved soon."
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: ROUTEROS 7 IPSEC NAT problem

Mon Sep 19, 2022 8:40 pm

That doesn't sound like a NAT issue that everyone was screaming about in this topic..
 
hats
just joined
Posts: 13
Joined: Sat Jun 23, 2018 9:52 pm

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 20, 2022 3:17 pm

> That doesn't sound like a NAT issue that everyone was screaming about in this topic..

A lot of people complain about IPSEC. You can easily find it even in topic name.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: ROUTEROS 7 IPSEC NAT problem

Tue Sep 20, 2022 3:46 pm

Yes, with a magic keyword "NAT".
And the initial post was about CCR1036 that's a totally different beast than your tiny hEX.
And recently someone else hijacked this thread with CCR1016, that again is a totally different beast than your hEX.
You found a bug on mmips, congrats, but is it related to whatever else this topic is about? We don't know, because this topic is a pile of different unrelated issues right now thanks to all the hijackers, yourself included.
