[Mikrotik] [MikroTik] IPSec Configuration Problems

Butch Evans butche at butchevans.com
Fri Jan 18 20:48:01 CST 2008


On Fri, 18 Jan 2008, Gene Spiker wrote:

>Other versions of IPSec on other systems that work off a menu such 
>as winbox also build the interface and route.

Mikrotik uses a POLICY to route the traffic...there is not a route 
(at least not one visible under "/ip route") for IPSEC traffic.

>In version 2.9 of Mikrotik I manually built a route for the remote 
>subnet pointing to the Mikrotik IP address of the Mikrotik LAN. 
>This did not work.

Because it's not necessary.  What you need to do is add 
configurations as follows (this is not exact, but a GUIDE):

under "/ip ipsec policy", you define the following 4 values as 
appropriate:
src-address = the lan network address on the MT side
dst-address = the lan network address on the IPCOP side
sa-src-address = the PUBLIC IP on the MT side
sa-dst-address = the PUBLIC IP on the IPCOP side

The remainder of the ipsec config is likely to be correct, since you 
can communicate across the tunnel.

under "/ip firewall nat", you should run these commands:

/ip firewall nat print
/ip firewall nat
     add src-address=MTLAN dst-address=IPCOPLAN action=accept \
       place-before=0

of course, the "MTLAN" is the network address for the private 
subnet on the MT side and IPCOPLAN is the IPCOP side.  What this 
does, is cause traffic destined for the remote side of the tunnel to 
NOT be natted (assuming you are natting on the public side).  This 
is necessary because the NAT happens before the IPSEC part of the 
kernel, meaning that if the traffic is being natted, the IPSEC does 
not see traffic that matches the policy and, therefore, does not 
send it across the tunnel.

There is no need for routes or setting of proxy-arp.  MT does not 
add any IP addresses or visible interfaces for IPSEC tunnels.

After you set this up, you should be able to ping from one private 
lan to the other.  You should see (under "/ip ipsec installed-sa") 2 
tunnels - one in and one out.

The documentation says this, but (unlike most other parts of MT's 
documentation) I think this part is not very clear.

-- 
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html
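The configuration described in the reply above, written out as one complete RouterOS script. This is an added example, not code from Butch's post or from MikroTik; the addresses (192.168.10.0/24 and 203.0.113.1 on the MT side, 192.168.20.0/24 and 198.51.100.1 on the IPCOP side), the interface name ether1, the pre-shared key and the phase 1/phase 2 algorithm choices are all assumptions made up for the illustration, and the peer and proposal lines are included only so the script is complete, since the post says that part is already working.

```routeros
# Added example (not from the original post). Assumed addressing:
#   MT LAN     192.168.10.0/24   MT public     203.0.113.1
#   IPCOP LAN  192.168.20.0/24   IPCOP public  198.51.100.1
# Phase 1/2 settings below are placeholders; match them to the IPCOP side.

/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128 \
    pfs-group=modp1024

/ip ipsec peer add address=198.51.100.1/32 exchange-mode=main \
    secret="CHANGE-ME-pre-shared-key" hash-algorithm=sha1 \
    enc-algorithm=aes-128 dh-group=modp1024 generate-policy=no

# The policy is what selects traffic for the tunnel; no /ip route is needed.
# src/dst-address are the two private LANs, sa-src/sa-dst the two public IPs.
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    tunnel=yes sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    proposal=default

# Typical masquerade for the LAN (ether1 is the assumed public interface).
# Without the accept rule that follows, packets for 192.168.20.0/24 would be
# rewritten to src 203.0.113.1, never match the policy, and miss the tunnel.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Bypass NAT for tunnel traffic. NAT runs before the IPsec policy lookup,
# so this rule must sit ahead of the masquerade rule: place-before=0.
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 action=accept place-before=0

# Verify: the accept rule should be listed first, and once a LAN host
# pings across, installed-sa should show two SAs (one per direction).
/ip firewall nat print
/ip ipsec installed-sa print
```

Two things worth checking when the ping still fails: run the ping from a host on the LAN (or otherwise source it from a LAN address), because a ping sent from the router's public address does not match the policy's src-address and will never enter the tunnel; and confirm with "/ip firewall nat print" that the accept rule really landed above the masquerade rule, since a rule added without place-before goes to the end of the chain and the masquerade wins.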
