Hi, I am quite new to this, but I am trying to establish an IPsec tunnel between a Mikrotik and an ER-X.
The situation is as follows:
Mikrotik:
WAN: 94.208.*.*
Local: 192.168.88.0/24
ER-X
WAN: 94.215.*.*
Local: 192.168.15.0/24
The tunnel itself is up and working.
From the ER-X I can ping all devices on the Mikrotik network.
From the Mikrotik network I can only reach the ER-X, but none of the devices behind the router.
This is the point where I'm getting stuck, as I've also set up an L2TP/IPsec VPN server; if I connect directly from a device on the Mikrotik side to this VPN I'm able to reach everything.
But not over the IPsec tunnel.
As I can reach the ER-X over the tunnel and nothing behind it, I assume (at least this is what I'm thinking) the problem is located on the ER-X side.
Examples:
From a device in the Mikrotik network to the ER-X:
PING 192.168.15.1 (192.168.15.1): 56 data bytes
64 bytes from 192.168.15.1: icmp_seq=0 ttl=63 time=14.789 ms
64 bytes from 192.168.15.1: icmp_seq=1 ttl=63 time=14.184 ms
64 bytes from 192.168.15.1: icmp_seq=2 ttl=63 time=16.590 ms
64 bytes from 192.168.15.1: icmp_seq=3 ttl=63 time=17.213 ms
^C
--- 192.168.15.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.184/15.694/17.213/1.246 ms
To another IP:
PING 192.168.15.49 (192.168.15.49): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.15.49 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
The other way around:
ubnt@router:~$ ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1) 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_req=1 ttl=64 time=12.5 ms
64 bytes from 192.168.88.1: icmp_req=2 ttl=64 time=19.9 ms
^C
--- 192.168.88.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 12.549/16.262/19.975/3.713 ms

ubnt@router:~$ ping 192.168.88.220
PING 192.168.88.220 (192.168.88.220) 56(84) bytes of data.
64 bytes from 192.168.88.220: icmp_req=1 ttl=63 time=15.1 ms
64 bytes from 192.168.88.220: icmp_req=2 ttl=63 time=11.8 ms
64 bytes from 192.168.88.220: icmp_req=3 ttl=63 time=12.9 ms
^C
--- 192.168.88.220 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 11.821/13.298/15.136/1.383 ms
Here is the configuration (the parts I think are important):
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow VPN"
            destination {
                address 192.168.88.0/24
            }
            ipsec {
                match-ipsec
            }
            log enable
            protocol all
            source {
                address 192.168.15.0/24
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 20 {
            action accept
            description "Allow VPN"
            destination {
                address 192.168.15.0/24
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 192.168.88.0/24
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action accept
            description "Settings L2TP VPN"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description "Setting ESP for VPN"
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 60 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group FOO0 {
            compression disable
            lifetime 28800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer 94.208.*.* {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ""
                ike-group FOO0
                ikev2-reauth inherit
                local-address 94.215.*.*
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.15.0/24
                    }
                    remote {
                        prefix 192.168.88.0/24
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username Username {
                        password ****************
                    }
                    username Username2 {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.15.90
                stop 192.168.15.94
            }
            dhcp-interface eth0
            dns-servers {
                server-1 208.67.222.222
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            mtu 1400
        }
    }
}
ubnt@router:~$ show vpn ipsec sa
peer-94.208.*.*-tunnel-1: #1, ESTABLISHED, IKEv1, a172a6731d433ab4:407e7eaf9b71dcfe
  local  '94.215.*' @ 94.215.*
  remote '94.208.*' @ 94.208.*
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1179s ago, reauth in 26856s
  peer-94.208.1*-tunnel-1: #3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1081 ago, rekeying in 26824s, expires in 27720s
    in  c953fe31,  93362 bytes, 1242 packets,  0s ago
    out 070e0cd4,  96836 bytes,  797 packets, 15s ago
    local  192.168.15.0/24
    remote 192.168.88.0/24
ubnt@router:~$ show vpn ipsec status
IPSec Process Running PID: 1337
1 Active IPsec Tunnels
IPsec Interfaces :
  eth0 (94.215.*.*)

ubnt@router:~$ show vpn ipsec policy
src 192.168.88.0/24 dst 192.168.15.0/24
  dir fwd priority 2883
  tmpl src 94.208.*.* dst 94.215.*.*
    proto esp reqid 3 mode tunnel
src 192.168.88.0/24 dst 192.168.15.0/24
  dir in priority 2883
  tmpl src 94.208.*.* dst 94.215.*.*
    proto esp reqid 3 mode tunnel
src 192.168.15.0/24 dst 192.168.88.0/24
  dir out priority 2883
  tmpl src 94.215.*.* dst 94.208.*.*
    proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
  socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
  socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
  socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
  socket out priority 0
src ::/0 dst ::/0
  socket in priority 0
src ::/0 dst ::/0
  socket out priority 0
src ::/0 dst ::/0
  socket in priority 0
src ::/0 dst ::/0
  socket out priority 0
I hope someone can give me some tips/tricks on where to look, and hopefully get this solved.
Thanks!
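Editor's note with an added example (not part of the original post or any Ubiquiti code). The firewall config above has its match-ipsec accept rules (rules 10 and 20) only in WAN_LOCAL, the chain for traffic addressed to the router itself; WAN_IN, the chain for traffic forwarded through the router to the LAN, accepts only established/related flows and drops everything else by default. That matches the symptom exactly: a ping from the Mikrotik side to 192.168.15.1 is router-destined and hits WAN_LOCAL rule 20, a ping to 192.168.15.49 is forwarded and hits WAN_IN's default drop, and pings started from the ER-X work because their replies match WAN_IN rule 30 (established). The script below parses the poster's config (a trimmed, re-indented copy embedded as constructed sample input), reports for each chain which rules accept decrypted tunnel traffic, and prints EdgeOS set commands, built from the same keys the existing WAN_LOCAL rule 20 uses, for the missing WAN_IN rule. Chain and rule numbers passed to fix_commands are the editor's assumptions.

```python
"""Audit EdgeOS firewall chains for site-to-site IPsec traffic (added example)."""
import shlex

# Constructed sample: the poster's WAN_IN and WAN_LOCAL chains, trimmed to the
# rules that matter for tunnel traffic (L2TP/ESP/invalid-state rules omitted).
SAMPLE_CONFIG = """
firewall {
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 30 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            destination {
                address 192.168.88.0/24
            }
            ipsec {
                match-ipsec
            }
            source {
                address 192.168.15.0/24
            }
        }
        rule 20 {
            action accept
            destination {
                address 192.168.15.0/24
            }
            ipsec {
                match-ipsec
            }
            source {
                address 192.168.88.0/24
            }
        }
    }
}
"""


def parse_edgeos(text):
    """Parse 'show configuration' brace syntax into nested dicts.

    'name WAN_IN {' becomes cfg['firewall']['name']['WAN_IN']; a bare leaf
    such as 'match-ipsec' is stored with value None.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for word in shlex.split(line[:-1]):
                node = node.setdefault(word, {})
            stack.append(node)
        else:
            words = shlex.split(line)
            stack[-1][words[0]] = " ".join(words[1:]) or None
    return root


def ipsec_accept_rules(chain):
    """Rule numbers in one chain that accept decrypted IPsec traffic."""
    return sorted(
        int(num) for num, rule in chain.get("rule", {}).items()
        if rule.get("action") == "accept" and "match-ipsec" in rule.get("ipsec", {})
    )


def audit_tunnel_chains(cfg):
    """Map each firewall chain to the rules that let tunnel traffic in.

    A default-drop chain with an empty list drops every *new* flow arriving
    through the tunnel; only replies to flows started from the local side
    survive, via the established/related rule.
    """
    return {name: ipsec_accept_rules(chain)
            for name, chain in cfg["firewall"]["name"].items()}


def forwarding_gaps(cfg):
    """Chains that drop by default yet never accept match-ipsec traffic."""
    chains = cfg["firewall"]["name"]
    return [name for name, rules in audit_tunnel_chains(cfg).items()
            if not rules and chains[name].get("default-action") == "drop"]


def fix_commands(chain, rule, local_prefix, remote_prefix):
    """EdgeOS 'set' commands for an accept rule on decrypted tunnel traffic.

    Same keys as the existing WAN_LOCAL rule 20, applied to the chain given
    (chain name and rule number are assumptions, not from the post).
    """
    base = f"set firewall name {chain} rule {rule}"
    return [
        f"{base} action accept",
        f"{base} description 'Allow site-to-site IPsec'",
        f"{base} ipsec match-ipsec",
        f"{base} source address {remote_prefix}",
        f"{base} destination address {local_prefix}",
    ]


if __name__ == "__main__":
    cfg = parse_edgeos(SAMPLE_CONFIG)
    print(audit_tunnel_chains(cfg))  # {'WAN_IN': [], 'WAN_LOCAL': [10, 20]}
    for chain in forwarding_gaps(cfg):  # ['WAN_IN']
        print("\n".join(fix_commands(chain, 10, "192.168.15.0/24", "192.168.88.0/24")))
```

The printed set commands are entered in EdgeOS configure mode followed by commit and save; the rule number only needs to sit in a free slot, since the established/related rule in WAN_IN is stateful and does not conflict with it. Keep the rule scoped to the two tunnel prefixes rather than accepting all match-ipsec traffic, so that L2TP road-warrior clients (pool 192.168.15.90-94) are not silently granted the same forwarding rights.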