OBONYOM
just joined
Topic Author
Posts: 1
Joined: Thu May 07, 2020 12:28 pm

IPsec basic config problem

Sun Dec 11, 2022 11:39 pm

I am not very experienced with MikroTik. I am trying to learn how to set up an IPsec tunnel. I have read a lot of step-by-step instructions in the manual, but I don't succeed. I have two MikroTik routers, placed them on my local subnet and tried to get a VPN between them. The tunnel comes up, but I cannot ping across their local LANs. My setup is below:
# dec/11/2022 22:50:16 by RouterOS 6.49.7
# software id = UNB8-ZRER
#
# model = RB951G-2HnD
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
add address=192.168.1.31/32 name=ike1-site2 profile=ike1-site2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip address
add address=192.168.1.30/24 interface=ether1 network=192.168.1.0
add address=10.1.202.1/24 interface=ether2 network=10.1.202.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=\
    10.1.202.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.202.0/24 src-address=\
    10.1.101.0/24
add action=notrack chain=prerouting dst-address=10.1.101.0/24 src-address=\
    10.1.202.0/24
/ip ipsec identity
add peer=ike1-site2 secret=thisisnotasecurepsk
/ip ipsec policy
add dst-address=10.1.101.0/24 peer=ike1-site2 proposal=ike1-site2 \
    src-address=10.1.202.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.10

/system identity
set name=MikroTikSiteA
# dec/11/2022 22:58:13 by RouterOS 6.49.7
# software id = 87F0-5BWF
#
# model = 750

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec peer
add address=192.168.1.30/32 name=ike1-site1 profile=ike1-site1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.1.31/24 interface=ether1 network=192.168.1.0
add address=10.1.101.1/24 interface=ether2 network=10.1.101.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.202.0/24 src-address=\
    10.1.101.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.202.0/24 src-address=\
    10.1.101.0/24
add action=notrack chain=prerouting dst-address=10.1.101.0/24 src-address=\
    10.1.202.0/24
/ip ipsec identity
add peer=ike1-site1 secret=thisisnotasecurepsk
/ip ipsec policy
add dst-address=10.1.202.0/24 peer=ike1-site1 proposal=ike1-site1 \
    src-address=10.1.101.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.10

/system identity
set name=MikroTikSiteB
/tool user-manager database
set db-path=user-manager
Are there firewall rules to be added, or can someone help me?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec basic config problem

Thu Dec 15, 2022 5:50 pm

The configurations look OK to me (in the sense that the IPsec should work; as it is a lab setup I won't comment on the absence of firewall rules). IPsec-wise, the notrack rules in raw are redundant to the accept rules in nat, but that's not the reason why it doesn't work.

So the next questions are:
  • What does /ip ipsec active-peers print show?
  • What are the devices in the 10.1.x0x.y networks that you are trying to ping? With the default firewall settings, Windows only responds to pings coming from the same subnet as the address being pinged.
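Because the two exports in the question have to be exact mirror images of each other, a practitioner would normally diff them mechanically before looking at active-peers. The script below is an added example (not code from either poster, nor a MikroTik tool): it parses the IPsec-relevant sections of two RouterOS /export outputs and reports the mismatches that most often break such a tunnel: peer address not owned by the other router, differing pre-shared key, differing profile/proposal parameters, non-mirrored policy selectors, and a srcnat masquerade rule ordered before the accept rule that keeps tunnel traffic out of NAT (the same bypass sindy says makes the raw notrack rules redundant). SITE_A and SITE_B are trimmed copies of the posted configs; the parser is a simplified one that only understands add/set lines with key=value pairs, the section and key names are the ones RouterOS uses in an export, and swap_nat_order() is a constructed misconfiguration used to show a finding.

```python
"""Consistency check for a pair of RouterOS site-to-site IPsec exports.

Added example, not from the forum post or from MikroTik. Parses the sections of
two '/export' outputs that matter for a mirrored IPsec tunnel and reports the
mismatches that break it. SITE_A/SITE_B are trimmed copies of the posted configs.
"""
import re
import shlex

SITE_A = """
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
add address=192.168.1.31/32 name=ike1-site2 profile=ike1-site2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip address
add address=192.168.1.30/24 interface=ether1 network=192.168.1.0
add address=10.1.202.1/24 interface=ether2 network=10.1.202.0
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=\\
    10.1.202.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=ike1-site2 secret=thisisnotasecurepsk
/ip ipsec policy
add dst-address=10.1.101.0/24 peer=ike1-site2 proposal=ike1-site2 \\
    src-address=10.1.202.0/24 tunnel=yes
"""
SITE_B = """
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec peer
add address=192.168.1.30/32 name=ike1-site1 profile=ike1-site1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/ip address
add address=192.168.1.31/24 interface=ether1 network=192.168.1.0
add address=10.1.101.1/24 interface=ether2 network=10.1.101.0
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.202.0/24 src-address=\\
    10.1.101.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=ike1-site1 secret=thisisnotasecurepsk
/ip ipsec policy
add dst-address=10.1.202.0/24 peer=ike1-site1 proposal=ike1-site1 \\
    src-address=10.1.101.0/24 tunnel=yes
"""

def parse_export(text):
    """Map each '/section' header to its list of add/set entries ({key: value})."""
    joined = re.sub(r"\\\n\s*", "", text)  # RouterOS wraps long lines with '\'
    sections, current = {}, None
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith(("add ", "set ")) and current is not None:
            sections[current].append(
                dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok))
    return sections

def first(cfg, section):  # first entry of a section, or {} when absent
    return (cfg.get(section) or [{}])[0]

def check_pair(a, b):
    """Return findings for a mirrored pair; an empty list means consistent."""
    findings = []
    pa, pb = first(a, "/ip ipsec policy"), first(b, "/ip ipsec policy")
    if (pa.get("src-address"), pa.get("dst-address")) != (pb.get("dst-address"), pb.get("src-address")):
        findings.append("policy selectors are not mirror images of each other")
    if first(a, "/ip ipsec identity").get("secret") != first(b, "/ip ipsec identity").get("secret"):
        findings.append("pre-shared keys differ")
    for section, keys in (("/ip ipsec profile", ("dh-group", "enc-algorithm", "hash-algorithm")),
                          ("/ip ipsec proposal", ("enc-algorithms", "auth-algorithms", "pfs-group"))):
        for k in keys:
            va, vb = first(a, section).get(k), first(b, section).get(k)
            if va != vb:
                findings.append(f"{section} {k} differs: {va} vs {vb}")
    for name, near, far in (("site A", a, b), ("site B", b, a)):
        peer_ip = first(near, "/ip ipsec peer").get("address", "").split("/")[0]
        if peer_ip not in {e["address"].split("/")[0] for e in far.get("/ip address", [])}:
            findings.append(f"{name}: peer address {peer_ip} is not configured on the other router")
        # The srcnat accept for the tunnel selectors must precede masquerade; otherwise the
        # packet is translated to the WAN address and no longer matches the IPsec policy.
        pol, nat = first(near, "/ip ipsec policy"), near.get("/ip firewall nat", [])
        accept = [i for i, r in enumerate(nat) if r.get("action") == "accept"
                  and (r.get("src-address"), r.get("dst-address"))
                  == (pol.get("src-address"), pol.get("dst-address"))]
        masq = [i for i, r in enumerate(nat) if r.get("action") == "masquerade"]
        if not accept:
            findings.append(f"{name}: no srcnat accept rule bypassing NAT for the tunnel selectors")
        elif masq and masq[0] < accept[0]:
            findings.append(f"{name}: masquerade rule precedes the NAT bypass accept rule")
    return findings

def swap_nat_order(export):
    """Constructed misconfiguration: move masquerade above the two-line accept rule."""
    lines = export.splitlines()
    i = lines.index("add action=masquerade chain=srcnat out-interface=ether1")
    lines.insert(i - 2, lines.pop(i))
    return "\n".join(lines)

if __name__ == "__main__":
    a, b = parse_export(SITE_A), parse_export(SITE_B)
    print("as posted:", check_pair(a, b) or "consistent")
    print("NAT order swapped on site B:", check_pair(a, parse_export(swap_nat_order(SITE_B))))
```

Run against the two exports as posted, the check comes back clean, which agrees with sindy's reading that the IPsec configuration itself is fine and pushes the search towards the things the script cannot see from an export: whether the SAs actually came up (active-peers) and whether the pinged hosts answer ICMP from a foreign subnet at all.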
