LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Palo Alto to Mikrotik Routing

Fri May 26, 2023 3:27 pm

Hi,
There is an IPsec tunnel running between MikroTik and Palo Alto. In this topology MikroTik sends all traffic into the tunnel. Everything is as I want.
[attachment: 1.png]
Now I want to route some IP traffic from Palo Alto to MikroTik. I did it with Policy Based Forwarding.
Source: 192.168.101.34 -> Destination: 35.206.xxx.xxx -> Forwarding : tunnel.80
I can see in the logs that the traffic is going to tunnel.80, but I can't reach the address. What am I doing wrong or missing on the MikroTik?
/interface bridge
add name=bridge
/interface list
add name=LAN
add name=WAN
/ip ipsec policy group
add name=group5
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name=ike_crypto
/ip ipsec peer
add address=82.222.xxx.xxx/32 exchange-mode=ike2 local-address=5.25.xxx.xxx \
    name=test profile=ike_crypto
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=ipsec_crypto pfs-group=\
    modp2048
/ip pool
add name=5 ranges=10.10.5.20-10.10.5.200
/ip dhcp-server
add address-pool=5 interface=bridge name=DHCP
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.10.5.1/24 interface=bridge network=10.10.5.0
add address=5.25.xxx.xxx comment=pubaddr interface=ether1 network=\
    5.25.xxx.xxx
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
/ip dhcp-server network
add address=10.10.5.0/24 dns-server=192.168.200.5,192.168.200.6 gateway=\
    10.10.5.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec Out" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec In" \
    ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=0.0.0.0/0 src-address=10.10.5.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add peer=test
/ip ipsec policy
add action=none dst-address=10.10.5.0/24 src-address=10.10.5.0/24
add comment=ipsec dst-address=0.0.0.0/0 peer=test proposal=ipsec_crypto \
    src-address=10.10.5.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Istanbul

 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Palo Alto to Mikrotik Routing

Fri May 26, 2023 4:11 pm

Your Palo Alto is probably doing "VTI". MikroTik does not support that.
Instead you can use a GRE tunnel over IPsec transport.
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: Palo Alto to Mikrotik Routing

Fri May 26, 2023 5:30 pm

Your Palo Alto is probably doing "VTI". MikroTik does not support that.
Instead you can use a GRE tunnel over IPsec transport.
I tried GRE first too:

[admin@MikroTik] > interface/gre/print
Flags: X - disabled; R - running
0 R name="gre-tunnel" mtu=auto actual-mtu=1398 local-address=10.10.5.1 remote-address=192.168.101.1 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no allow-fast-path=yes

[admin@MikroTik] > ip address/print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 10.10.5.1/24 10.10.5.0 bridge
1 5.25.xxx.xxx/32 5.25.xxx.xxx ether1
2 192.168.1.4/24 192.168.1.0 ether1
3 10.10.6.1/30 10.10.6.0 gre-tunne

[admin@MikroTik] > ip route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 192.168.1.1 1
DAc 5.25.xxx.xxx/32 ether1 0
DAc 10.10.5.0/24 bridge 0
DAc 10.10.6.0/30 gre-tunnel 0
DAc 192.168.1.0/24 ether1

Also, Palo Alto can ping MikroTik:
admin@pa> ping source 10.10.6.2 host 10.10.6.1
PING 10.10.6.1 (10.10.6.1) from 10.10.6.2 : 56(84) bytes of data.
64 bytes from 10.10.6.1: icmp_seq=1 ttl=64 time=31.6 ms
64 bytes from 10.10.6.1: icmp_seq=2 ttl=64 time=34.4 ms

But still the same problems. MikroTik cannot ping 10.10.6.2 and I cannot reach 35.206.xxx.xxx
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Palo Alto to Mikrotik Routing

Fri May 26, 2023 6:16 pm

When you have set up the GRE tunnel (that seems OK), of course you then need to add a route to the destination network via the remote IP on the GRE tunnel (10.10.6.2).
 
LifeGame
newbie
Topic Author
Posts: 40
Joined: Mon Sep 26, 2016 5:30 pm

Re: Palo Alto to Mikrotik Routing

Fri May 26, 2023 6:59 pm

When you have setup the GRE tunnel (that seems OK) of course then you need to add a route to the destination network via the remote IP on the GRE tunnel (10.10.6.2).
I found the mistake. After adding the Palo Alto site network to the MikroTik address list, all done!!!
[ud@Al] > ip address/print 
0 192.168.80.1/24     192.168.80.0     bridge    
;;; pubaddr
1 130.164.xxx.xxx/32  130.164.xxx.xxx  ether1    
2 192.168.85.5/24     192.168.85.0     ether1    
;;; GRE
3 192.168.81.1/30     192.168.81.0     gre-tunnel
4 192.168.100.0/23    192.168.100.0    gre-tunne
[ud@Al] > ip route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS         GATEWAY       DISTANCE
0  As 0.0.0.0/0           192.168.85.1         1
  DAc 130.164.xxx.xxx/32  ether1               0
  DAc 192.168.80.0/24     bridge               0
  DAc 192.168.81.0/30     gre-tunnel           0
  DAc 192.168.85.0/24     ether1               0
  DAc 192.168.100.0/23    gre-tunnel           0
Thanks for the help!!! It's nice to know someone's here when you're stuck.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Palo Alto to Mikrotik Routing

Fri May 26, 2023 7:43 pm

Well, normally you would not add another address on the tunnel interface, but rather a static route like this:
/ip route add dst-address=192.168.100.0/23 gateway=192.168.81.2
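The following RouterOS script is an added example, not configuration posted by either participant. It puts together the two pieces of advice in this thread (GRE carried inside an IPsec transport-mode SA, and reachability to the remote LAN via a static route instead of a second address on the GRE interface) and adds the input-chain rules a defender would want so that GRE is only accepted when it arrived inside IPsec. The public addresses 198.51.100.10 (MikroTik) and 203.0.113.20 (Palo Alto) are RFC 5737 placeholders chosen here; the peer name, the pre-shared key and the firewall comments are assumptions; the /30 and the /23 are the values from the thread.

```routeros
# Added example (not the thread's own config): GRE over IPsec transport mode,
# with the remote LAN reached through a static route.
# Placeholder addresses (assumed): 198.51.100.10 = MikroTik public address,
# 203.0.113.20 = Palo Alto public address. 192.168.81.0/30 is the GRE /30 and
# 192.168.100.0/23 the remote LAN, both taken from the thread.

/ip ipsec profile
add name=ike_crypto dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
add name=ipsec_crypto enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=1h
/ip ipsec peer
add name=pa address=203.0.113.20/32 local-address=198.51.100.10 exchange-mode=ike2 profile=ike_crypto
/ip ipsec identity
add peer=pa auth-method=pre-shared-key secret="REPLACE-WITH-A-STRONG-PSK"

# Transport-mode policy (tunnel=no): only GRE between the two public addresses
# is protected, so the tunnel-mode LAN policy from the thread is not needed for this path.
/ip ipsec policy
add peer=pa proposal=ipsec_crypto src-address=198.51.100.10/32 dst-address=203.0.113.20/32 \
    protocol=gre tunnel=no

# GRE endpoint carried inside that SA; clamp MSS because GRE+ESP shrink the usable MTU.
/interface gre
add name=gre-tunnel local-address=198.51.100.10 remote-address=203.0.113.20 clamp-tcp-mss=yes
/ip address
add address=192.168.81.1/30 interface=gre-tunnel

# The remote LAN is a static route via the far end of the /30,
# not an extra /23 address on the GRE interface.
/ip route
add dst-address=192.168.100.0/23 gateway=192.168.81.2

# Input chain: admit IKEv2 and ESP from the peer, accept GRE only when it was
# decapsulated from IPsec (ipsec-policy=in,ipsec), and drop all other GRE.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.20 comment="IKEv2 from PA"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.20 comment="ESP from PA"
add chain=input action=accept protocol=gre src-address=203.0.113.20 ipsec-policy=in,ipsec \
    comment="GRE only inside IPsec"
add chain=input action=drop protocol=gre comment="drop cleartext GRE"
```

The static route is preferred over the extra address because a connected /23 on the GRE interface makes the router treat that whole prefix as locally attached and candidate for ARP-less direct delivery, whereas the route simply forwards via 192.168.81.2 and can be monitored or replaced independently of the interface. The `ipsec-policy=in,ipsec` matcher is what ties the firewall to the crypto: GRE packets that did not come out of an IPsec SA never reach the tunnel interface, which closes the gap where a plain GRE packet to the public address would otherwise be processed.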
