IPSec with NAT issues

Tue Jun 07, 2022 4:39 pm

Hello,

I am trying to configure IPsec with NAT and I'm not sure what I'm missing. I took over the router from someone else, and it's pretty difficult to spot the issue.
The VPN tunnel is working; each policy shows as established. However, I cannot ping the other side and they can't ping me. It might be a firewall/route issue.
From my local network (192.168.88.x) I only need to NAT 5 IP addresses and route them through the tunnel. I need bidirectional communication from my 5 NAT-ed IP addresses (10.251.251.x) to the remote 194.x.x.x/16 network.
Here is the configuration of the router:

# RouterOS export as posted (public addresses redacted by the author as x.x.x).
# Lines starting with '#' are review annotations: they describe what each
# section configures and flag the rules a reviewer would check first.

# Bridge and interface lists (LAN/WAN) from the default configuration.
/interface bridge
add admin-mac=000000000 auto-mac=no comment=defconf name=bridge
# IPIP tunnel to the 185.x.x.x endpoint; disabled, so it plays no role here.
/interface ipip
add disabled=yes name=ipip-tunnel1 remote-address=185.x.x.x
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKE phase 1: AES-256, SHA-256, DH modp4096.
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256 hash-algorithm=sha256 name=phase1
# Two peers; only SRS (185.x.x.1) is active, SRS_2 (206.x.x.1) is disabled.
/ip ipsec peer
add address=206.x.x.1/32 disabled=yes name=SRS_2 profile=phase1
add address=185.x.x.1/32 name=SRS profile=phase1
# Phase 2: several AES-256 modes offered, 1h lifetime, PFS modp4096.
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h \
name=phase2 pfs-group=modp4096
# pool_l2tp_rmn (192.168.88.70-79) lies inside the LAN subnet; 192.168.88.70 is
# also one of the hosts mapped 1:1 to 10.251.251.53 in the NAT section below,
# so that mapping may apply to an L2TP client rather than a wired host.
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool_l2tp_rmn ranges=192.168.88.70-192.168.88.79
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Profile "L2TP" is defined here. /ppp secret at the end references
# "L2TP_RMN_CT", which does not appear in this export -- confirm it exists.
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.88.254 name=L2TP remote-address=\
pool_l2tp_rmn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# L2TP server with IPsec transport; the IPsec secret is not part of this export.
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# PPTP is enabled and tcp/1723 is accepted from any interface in the input
# chain below. PPTP's authentication and encryption are considered broken;
# disable it unless a client still depends on it.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# ether1 carries a static 86.x.x.x/23 address and also runs a DHCP client
# (see /ip dhcp-client) -- one of the two is probably left over.
# The bridge address 10.251.251.1 has no prefix length (RouterOS treats that
# as /32); confirm this is intended, since the NAT-ed hosts live in 10.251.251.0/24.
/ip address
add address=192.168.88.254/24 comment=defconf interface=ether2 network=192.168.88.0
add address=86.x.x.x/23 interface=ether1 network=86.x.x.0
add address=10.251.251.1 interface=bridge network=10.251.251.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.254 netmask=24
# Remote DNS requests are allowed, but no input rule accepts udp/53, so
# non-LAN sources are dropped by the final input rule (in-interface-list=!LAN).
/ip dns
set allow-remote-requests=yes servers=213.154.124.1,193.231.252.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
# IKE (udp/500) and NAT-T (udp/4500) are open from any source; both are needed
# for the SRS peer but could be limited to the peer addresses with src-address.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# WinBox (8291) and API (8728) are accepted from any interface with no source
# restriction, and this rule sits before "drop all not coming from LAN", so
# management is reachable from WAN. Add in-interface-list=LAN (or a trusted
# src-address-list) to this rule.
add action=accept chain=input dst-port=8291,8728 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# The two IPsec-policy accepts must stay ahead of the fasttrack rule so that
# tunnel traffic is not fasttracked; their order here is the default one.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# srcnat "accept" for 10.251.251.0/24 -> 194.x.x.16/29: when srcnat is evaluated the
# LAN hosts still carry their 192.168.88.x source (the 1:1 src-nat rules below
# have not run yet), so this appears to match only traffic that already
# originates from 10.251.251.x, e.g. the router's own bridge address.
add action=accept chain=srcnat dst-address=194.x.x.16/29 log-prefix=in src-address=\
10.251.251.0/24
# dstnat "accept" for 194.x.x.16/29 -> 192.168.88.0/24: traffic arriving from the
# tunnel is addressed to 10.251.251.x, not 192.168.88.x, so this likely never matches.
add action=accept chain=dstnat dst-address=192.168.88.0/24 log-prefix=out src-address=\
194.x.x.16/29
add action=accept chain=srcnat disabled=yes dst-address=129.x.x.88/29 src-address=\
10.251.251.0
# Port-forward tcp/8081 -> 192.168.88.64:80 is disabled.
add action=dst-nat chain=dstnat comment=ip_fw disabled=yes dst-address=!192.168.88.254 \
dst-port=8081 protocol=tcp to-addresses=192.168.88.64 to-ports=80
# Inbound 1:1 mappings 10.251.251.5x -> LAN hosts. The .54 rule uses netmap
# while its siblings use dst-nat; for a single /32 the result should be the
# same, so this is only an inconsistency.
add action=dst-nat chain=dstnat dst-address=10.251.251.51 to-addresses=192.168.88.90
add action=dst-nat chain=dstnat dst-address=10.251.251.52 to-addresses=192.168.88.92
add action=dst-nat chain=dstnat dst-address=10.251.251.53 to-addresses=192.168.88.70
add action=netmap chain=dstnat dst-address=10.251.251.54 to-addresses=192.168.88.94
# src-address-list / dst-address-list expect the NAME of an address list, and
# no /ip firewall address-list named "194.x.x.16/29" appears in this export.
# If that list does not exist, this rule and the matching src-nat rule for
# .65 below never match; use src-address=194.x.x.16/29 instead.
add action=dst-nat chain=dstnat dst-address=10.251.251.65 src-address-list=\
194.x.x.16/29 to-addresses=192.168.88.95
# Outbound 1:1 mappings LAN host -> 10.251.251.5x. The empty dst-address-list=""
# and src-address-list="" matchers look like editing leftovers; confirm they are
# ignored rather than matching nothing.
add action=src-nat chain=srcnat dst-address-list="" src-address=192.168.88.90 \
to-addresses=10.251.251.51
add action=src-nat chain=srcnat src-address=192.168.88.92 to-addresses=10.251.251.52
add action=src-nat chain=srcnat dst-address-list="" src-address=192.168.88.70 \
src-address-list="" to-addresses=10.251.251.53
add action=netmap chain=srcnat src-address=192.168.88.94 to-addresses=10.251.251.54
# Same address-list-name issue as the .65 dst-nat rule above.
add action=src-nat chain=srcnat dst-address-list=194.x.x.16/29 src-address=\
192.168.88.95 to-addresses=10.251.251.65
# Default masquerade skips packets that match an IPsec policy
# (ipsec-policy=out,none) so tunnel traffic keeps its 10.251.251.x source.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# HAIRPIN_NAT has no out-interface restriction, so it also rewrites any routed
# 192.168.88.0/24 traffic whose destination is not the router itself.
add action=masquerade chain=srcnat comment=HAIRPIN_NAT dst-address=!192.168.88.254 \
src-address=192.168.88.0/24
/ip ipsec identity
add peer=SRS
add disabled=yes peer=SRS_2
# One /32 policy per NAT-ed address toward 194.x.x.16/29 via SRS; the SRS_2
# mirrors toward 129.x.x.88/29 are disabled. Packets must carry a 10.251.251.5x
# source when the policy is evaluated, i.e. after the src-nat rules above.
/ip ipsec policy
add dst-address=194.x.x.16/29 peer=SRS proposal=phase2 src-address=\
10.251.251.51/32 tunnel=yes
add disabled=yes dst-address=129.x.x.88/29 peer=SRS_2 proposal=phase2 \
src-address=10.251.251.51/32 tunnel=yes
add dst-address=194.x.x.16/29 peer=SRS proposal=phase2 src-address=\
10.251.251.52/32 tunnel=yes
add disabled=yes dst-address=129.x.x.88/29 peer=SRS_2 proposal=phase2 \
src-address=10.251.251.52/32 tunnel=yes
add dst-address=194.x.x.16/29 peer=SRS proposal=phase2 src-address=\
10.251.251.53/32 tunnel=yes
add disabled=yes dst-address=129.x.x.88/29 peer=SRS_2 proposal=phase2 \
src-address=10.251.251.53/32 tunnel=yes
add dst-address=194.x.x.16/29 peer=SRS proposal=phase2 src-address=\
10.251.251.54/32 tunnel=yes
add disabled=yes dst-address=129.x.x.88/29 peer=SRS_2 proposal=phase2 \
src-address=10.251.251.54/32 tunnel=yes
add dst-address=194.x.x.16/29 peer=SRS proposal=phase2 src-address=\
10.251.251.65/32 tunnel=yes
add disabled=yes dst-address=129.x.x.88/29 peer=SRS_2 proposal=phase2 \
src-address=10.251.251.65/32 tunnel=yes
# Only a default route; 10.251.251.0/24 is reached via the connected bridge address.
/ip route
add distance=1 gateway=86.x.x.1
# "L2TP_RMN_CT" is not among the /ppp profile entries in this export.
/ppp secret
add name=vpn profile=default-encryption
add name=Vpn_RMN_CT profile=L2TP_RMN_CT service=l2tp
