michaelantony012
just joined
Topic Author
Posts: 5
Joined: Mon Jul 04, 2022 7:48 am

Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established

Fri Jul 08, 2022 12:31 pm

Hello guys.
I have a CHR MikroTik (RouterOS 7.3.1) and an RB450G (RouterOS 6.49.6).
Between them I managed to set up and establish an IPsec tunnel (Installed SAs are already showing and the Active Peers status is Established).
Now comes the test. The two routers can ping each other's local IP (using the command: ping <remote local IP> src-address=<local IP>).
The problem is the VPS (on the CHR MikroTik side), which seems unable to ping the RB router's local IP.
That VPS's gateway is already set to the CHR MikroTik's local IP, and the VPS can ping that gateway as well.
When I try to traceroute from the VPS to the RB's local IP, the result is like this screenshot:
(192.168.88.1 is the remote router IP, 192.168.50.10 is the CHR's IP)
[attachment: tracert rb local IP from vps.jpg]
On both routers, to let them communicate with each other, I also set up a firewall NAT rule (chain: src-nat; action: accept; source: <remote local IP>; destination: <local IP>) on top of the masquerade NAT.

Please help me solve this guys.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established

Sat Jul 09, 2022 12:10 pm

Post configuration exports from both routers, see my automatic signature regarding their obfuscation. hide-sensitive is only required for ROS 6.x, for 7.0 it is a default behaviour and this keyword is not recognized (the logic is inverted and you have to use show-sensitive if you want to see the passwords etc. in the export)
 
michaelantony012
just joined
Topic Author
Posts: 5
Joined: Mon Jul 04, 2022 7:48 am

Re: Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established

Mon Jul 11, 2022 5:31 am

This is the configuration /export from both routers (the RB450G has recently been updated to 7.3.1 as well).
Please take a look.

CHR Mikrotik configuration:
# jul/11/2022 01:17:31 by RouterOS 7.3.1
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] advertise="" disable-running-check=no
set [ find default-name=ether2 ] name=ether3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1 nat-traversal=no
/ip ipsec peer
add address=<ip-public-rb450g>/32 name=ike1-site1 profile=ike1-site1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/ip pool
add name=dhcp_pool0 ranges=\
    192.168.50.1-192.168.50.9,192.168.50.11-192.168.50.254
/ip address
add address=192.168.50.10/24 interface=ether3 network=192.168.50.0
/ip dhcp-client
add interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add peer=ike1-site1
/ip ipsec policy
add dst-address=192.168.88.0/24 peer=ike1-site1 proposal=ike1-site1 \
    src-address=192.168.50.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes

RB450G configuration:
# jul/11/2022 08:43:38 by RouterOS 7.3.1
# software id =
#
# model = 450G
# serial number =
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=<ip-public-chr>/32 name=ike1-site2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2 nat-traversal=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=3d name=dhcp1
/port
set 0 name=serial0
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=<ip-public-rb450g>/24 interface=ether1 network=<ip-network-rb450g>
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.50.0/24 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=ike1-site2
/ip ipsec policy
add dst-address=192.168.50.0/24 peer=ike1-site2 proposal=ike1-site2 \
    src-address=192.168.88.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=<ip-gateway-public-rb450g>
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Jakarta
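As an added example (not code from the thread or from MikroTik), a small Python checker that reads excerpts like the two exports above and flags the two things a reviewer looks for in a policy-based site-to-site setup: that each IPsec policy is mirrored on the other side, and that the srcnat accept rule for the tunneled subnets sits before any masquerade rule that would still catch tunnel traffic (the CHR's masquerade is excluded via ipsec-policy=out,none, the RB450G's relies on rule order). The embedded excerpts are constructed from the posted exports, not the complete configurations.

```python
import re
# Constructed excerpts modelled on the two exports posted above (not the full exports).
CHR_EXPORT = """/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=\\
    192.168.50.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec policy
add dst-address=192.168.88.0/24 peer=ike1-site1 proposal=ike1-site1 \\
    src-address=192.168.50.0/24 tunnel=yes
"""
RB_EXPORT = """/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.50.0/24 src-address=\\
    192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add dst-address=192.168.50.0/24 peer=ike1-site2 proposal=ike1-site2 \\
    src-address=192.168.88.0/24 tunnel=yes
"""

def parse_export(text):
    """Group 'add' lines by section as {section: [{key: value}, ...]}; backslash continuations are joined first."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line.strip(), [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections

def nat_exempts(nat_rules, pol):
    """True unless a srcnat masquerade that still sees tunnel traffic precedes the accept rule for pol's subnets."""
    for r in (x for x in nat_rules if x.get("chain") == "srcnat"):
        if r.get("action") == "accept" and (r.get("src-address"), r.get("dst-address")) == (pol["src-address"], pol["dst-address"]):
            return True
        if r.get("action") == "masquerade" and r.get("ipsec-policy") != "out,none":
            return False  # rule order: packets would be NATed before the IPsec policy matches them
    return True

def check_site_to_site(local_export, remote_export):
    """Return findings for one side of a policy-based IPsec pair; an empty list means consistent."""
    local, remote = parse_export(local_export), parse_export(remote_export)
    remote_pols, findings = remote.get("/ip ipsec policy", []), []
    for pol in local.get("/ip ipsec policy", []):
        pair = f"{pol['src-address']} -> {pol['dst-address']}"
        if not any(r.get("src-address") == pol["dst-address"] and r.get("dst-address") == pol["src-address"] for r in remote_pols):
            findings.append(f"no mirrored policy on the remote side for {pair}")
        if not nat_exempts(local.get("/ip firewall nat", []), pol):
            findings.append(f"srcnat masquerade precedes the accept rule for {pair}")
    return findings
```

Run check_site_to_site(CHR_EXPORT, RB_EXPORT) and the reverse; both return an empty list for the posted configurations, which is consistent with the later finding that the fault was outside the routers.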
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established

Tue Jul 12, 2022 7:46 am

Given how simple your configurations are (including a complete absence of firewall filter rules, which is bad for security but removes one area of potential misconfiguration for IPsec), the following may be the cause:
  • something on the path between the routers drops ESP packets
  • the Local Client does not have the 450 as a gateway to 192.168.50.0/24 (unlikely since it is a DHCP client of the 450)
  • there's a bug in 7.3.1
At both devices, open a command line window as wide as your screen allows, run /tool sniffer quick ip-protocol=esp in it, and try to ping from the client to 192.168.50.10. What do the sniffers show at both machines?
 
michaelantony012
just joined
Topic Author
Posts: 5
Joined: Mon Jul 04, 2022 7:48 am

Re: Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established

Tue Jul 12, 2022 11:40 am

> At both devices, open a command line window as wide as your screen allows, run /tool sniffer quick ip-protocol=esp in it, and try to ping from the client to 192.168.50.10. What do the sniffers show at both machines?

These are the results of ping and packet sniffer from both clients to the remote gateways, using the ipsec-esp protocol.

Site 1 = from the client VPS on the CHR side, pinging the remote RB450G gateway 192.168.88.1 (ping result: timeout; but when the CHR itself pings this IP, the result is a reply).
[attachment: sniffer site1-client to remote-gateway.jpg]

Site 2 = from the client PC on the RB450G side, pinging the remote CHR gateway 192.168.50.10 (ping result: reply).
[attachment: sniffer site2-client to remote-gateway.jpg]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established

Tue Jul 12, 2022 7:24 pm

Are the configuration exports complete?

Try running the sniffers the following way:

/tool sniffer quick ip-protocol=ipsec-esp,icmp

Try only the direction/combination of hosts where the pings are not responded (i.e. VPS at CHR side pinging 192.168.88.1), and sniff simultaneously at both routers for that scenario.
 
michaelantony012
just joined
Topic Author
Posts: 5
Joined: Mon Jul 04, 2022 7:48 am

Re: Need Help! Cannot connect Local Client to Remote Router, after IPSec between CHR and RB is Established  [SOLVED]

Thu Aug 04, 2022 11:43 am

It turned out to be 'ebtables' on my VPS (CHR Mikrotik) that blocked the connection between my local client and remote router.
[attachment: image_2022-08-04_154336696.png]
