AWC2023
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 10:55 pm

IPSEC Tunnel - What Am I Missing?

Wed Mar 15, 2023 4:45 pm

I have established an IPSEC tunnel between Mikrotik routers, both with version 6.49.7. When checking for updates, both routers say they're up to date. Site A has a static AT&T address, Site B has a static Broadband Company address. At Site A, my laptop can ping all addresses at Site B and Winbox will connect to Site B's router. At Site B, my laptop can only ping the router at Site A, and Site A's router rejects the Winbox connection from Site B. What am I missing?

Site A (Jakes) - in addition to the tunnel, Site A has ports forwarded to a telephone switch for outside lines connected by SIP.
Site B (Midland) - has remote IP phones that need to connect to the telephone switch at Site A and a backup server that needs access to the PCs at Site A.

Setup: Site A LAN addresses - 192.168.0.0/24. Site B LAN addresses - 10.10.1.0/24
Site A (Jakes) IPSEC - Profile: IPSEC to Midland, sha512, auto, aes256, modp2048. All other settings are at default.
Peers: IPSEC Midland, remote static address, Profile - IPSEC to Midland, IKE2, Send initial contact
Identities: Peer - Midland, Pre Shared Key, Secret - entered security key here
Proposal: IKE2 Proposal, sha512, aes256cbc, modp2048
Policies: Peer - IPSEC Midland, Tunnel box checked, Src - 192.168.0.0/24, Dst - 10.10.1.0/24, Protocol all (255)
Action: encrypt, require, esp, use IKE2 proposal

Site B (Midland) IPSEC - Profile: IPSEC to Jakes, sha512, aes256, modp2048. All other settings are at default.
Peers: IPSEC Jakes, remote static address, Profile - IPSEC to Jakes, IKE2, Send initial contact
Identities: Peer - Jakes, Pre Shared Key, Secret - entered security key here
Proposal: IKE2 Proposal, sha512, aes256cbc, modp2048
Policies: Peer - IPSEC Jakes, Tunnel box checked, Src - 10.10.1.0/24, Dst - 192.168.0.0/24, Protocol all (255)
Action: encrypt, require, esp, use IKE2 proposal

These NAT rules have been moved to the top position 0.
NAT rule Site A (Jakes) - src - 192.168.0.0/24, dst - 10.10.1.0/24, Action - accept
NAT rule Site B (Midland) - src - 10.10.1.0/24, dst - 192.168.0.0/24, Action - accept

Site A (Jakes) has filter rules in the Firewall section. I suspect they were created automatically when the port forwarding was done.
Site B (Midland) has no filter rules in the Firewall section.
 
dot02
Member Candidate
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: IPSEC Tunnel - What Am I Missing?

Thu Mar 16, 2023 12:48 pm

I would try to start with an explicit inbound rule on site B router, which allows Winbox connections. Try that and see if you have matches on that rule.

Are the IPs you get public IPs or CG-NATed?
 
AWC2023
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 10:55 pm

Re: IPSEC Tunnel - What Am I Missing?

Thu Mar 16, 2023 6:29 pm

Yes, the public IPs come from AT&T at Site A and Astound Broadband at Site B. I am a rookie on this router. Please give an example of an explicit inbound rule on the Site B router which allows a Winbox connection.

The router at Site A is the Hex model (5 port). The router at Site B is an 8 port rackmount model. At the moment I don't have the exact model numbers.
To recap, with a laptop at Site B it can only ping the router at Site A through the tunnel and no devices on the LAN at Site A. The Winbox connection through the tunnel is rejected at Site A. With the laptop at Site A, it can ping devices on LAN B and Winbox will connect to the router over the tunnel.

Thanks very much for your advice!
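The following is an added example, not an export from either poster's router: it is the RouterOS 6.49 CLI form of the Site A (Jakes) configuration described in the opening post, plus the explicit Winbox input rule dot02 suggested (the Site B side is the mirror image with the two LAN prefixes and peer names swapped). The public peer address and pre-shared key are placeholders, the `srcnat` chain for the NAT accept rule and the `comment=` strings are assumptions, and 8291/tcp is the RouterOS default Winbox port.

```routeros
# Added example: Site A (Jakes) side of the IKEv2/IPsec site-to-site tunnel.
# <SITE_B_PUBLIC_IP> and <PRE_SHARED_KEY> are placeholders, not values from the thread.

# Phase 1 (IKEv2 SA) parameters, matching the profile described in the post
/ip ipsec profile
add name="IPSEC to Midland" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=modp2048

# Phase 2 (child SA) parameters, matching the proposal described in the post
/ip ipsec proposal
add name="IKE2 Proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Peer definition and its pre-shared-key identity
/ip ipsec peer
add name="IPSEC Midland" address=<SITE_B_PUBLIC_IP> profile="IPSEC to Midland" \
    exchange-mode=ike2 send-initial-contact=yes
/ip ipsec identity
add peer="IPSEC Midland" auth-method=pre-shared-key secret="<PRE_SHARED_KEY>"

# Tunnel-mode policy selecting LAN-to-LAN traffic for encryption
/ip ipsec policy
add peer="IPSEC Midland" tunnel=yes src-address=192.168.0.0/24 dst-address=10.10.1.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp proposal="IKE2 Proposal"

# NAT bypass for tunnel traffic. It must sit above the masquerade rule (place-before=0):
# once a packet is masqueraded its source no longer matches the policy selector, so it
# would leave the WAN unencrypted instead of entering the tunnel.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=10.10.1.0/24 action=accept \
    place-before=0 comment="IPsec bypass to Midland LAN"

# Explicit input rule for Winbox, limited to the remote LAN so 8291/tcp is never
# opened towards the Internet. Place it above any drop rule in the input chain.
/ip firewall filter
add chain=input src-address=10.10.1.0/24 protocol=tcp dst-port=8291 action=accept \
    place-before=0 comment="Winbox from Midland LAN over IPsec"

# Verification after applying: confirm the IKE SA is up, the child SAs are installed,
# and the Winbox rule's counters increase when connecting from Site B.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip firewall filter print stats where comment~"Winbox"
```

The rule counters are the check dot02 asked for: if the Winbox rule shows no matches while the connection still fails, the packets are being dropped (or NATed away) before they reach the input chain, which points back at rule order in the filter and NAT tables rather than at the IPsec configuration itself.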
 
dot02
Member Candidate
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: IPSEC Tunnel - What Am I Missing?

Mon Mar 20, 2023 11:44 am

Could you post the parts of your config regarding IKE, IPsec and firewall?
 
AWC2023
just joined
Topic Author
Posts: 4
Joined: Thu Mar 09, 2023 10:55 pm

Re: IPSEC Tunnel - What Am I Missing?

Fri Mar 24, 2023 3:59 am

I apologize for the delay, dot02. The router at Site A (previously a Hex S) developed issues last week and was replaced with the Cloud Core Series. Both sites have the same router model now. Once the port forwarding to the phone server was rebuilt, the IPSEC tunnel was rebuilt, and the LAN addresses were done as dstnat in the NAT section and moved to position 0, it worked as expected. The remote IP phones had to have SIP (port 5060) enabled in the Service Ports section of the Firewall. I had been advised to turn that off on both ends by the phone system provider and a Mikrotik certified trainer. So bottom line is the tunnel is operational, the remote phones work, and the backup server can now access the remote PCs. I suspect the problem existed in the Hex S Firewall/Filter section as it had numerous filters.
 
dot02
Member Candidate
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: IPSEC Tunnel - What Am I Missing?

Tue Mar 28, 2023 3:25 pm

Thanks for the feedback! Indeed, the SIP service port function should be disabled. That's actually an issue I had myself when setting up my networks (setup quite similar to yours). If you were using the same ROS version on the Hex S, then yeah, you should have a close look at the FW rules, chances are pretty good that the problem is there. But I'm glad to hear that it's working now!
