[Mikrotik] [MikroTik] IPSec Configuration Problems
butche at butchevans.com
Fri Jan 18 20:48:01 CST 2008
On Fri, 18 Jan 2008, Gene Spiker wrote:
>Other versions of IPSec on other systems that work off a menu such
>as winbox also build the interface and route.
Mikrotik uses a POLICY to route the traffic...there is not a route
(at least not one visible under "/ip route") for IPSEC traffic.
>In version 2.9 of Mikrotik I manually built a route for the remote
>subnet pointing to the Mikrotik IP address of the Mikrotik LAN.
>This did not work.
Because it's not necessary. What you need to do is add
configurations as follows (this is not exact, but a GUIDE):
under "/ip ipsec policy", you define the following 4 values as
src-address = the lan network address on the MT side
dst-address = the lan network address on the IPCOP side
sa-src-address = the PUBLIC IP on the MT side
sa-dst-address = the PUBLIC IP on the IPCOP side
The remainder of the ipsec config is likely to be correct, since you
can communicate across the tunnel.
under "/ip firewall nat", you should run these commands:
/ip firewall nat print
/ip firewall nat
# chain=srcnat is required; place-before=0 puts the rule above the masquerade rule
add chain=srcnat src-address=MTLAN dst-address=IPCOPLAN action=accept place-before=0
of course, the "MTLAN" is the network address for the private
subnet on the MT side and IPCOPLAN is the IPCOP side. What this
does is cause traffic destined for the remote side of the tunnel to
NOT be natted (assuming you are natting on the public side). This
is necessary because the NAT happens before the IPSEC part of the
kernel, meaning that if the traffic is being natted, the IPSEC does
not see traffic that matches the policy and, therefore, does not
send it across the tunnel.
There is no need for routes or setting of proxy-arp. MT does not
add any IP addresses or visible interfaces for IPSEC tunnels.
After you set this up, you should be able to ping from one private
lan to the other. You should see (under "/ip ipsec installed-sa") 2
tunnels - one in and one out.
The documentation says this, but (unlike most other parts of MT's
documentation) I think this part is not very clear.
Network Engineering and Security Consulting
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
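The configuration the post describes, written out end to end as an added example (editor's addition, not code from the original message or from MikroTik). The addresses are constructed for illustration (TEST-NET ranges for the public IPs, RFC 1918 for the LANs), the pre-shared key is a placeholder, the syntax is RouterOS 3.x CLI, and the existing masquerade rule is assumed to sit on interface ether1:

```routeros
# Added example, not from the original post.
# MT side:    LAN 192.168.10.0/24, public 203.0.113.10   (constructed)
# IPCOP side: LAN 192.168.20.0/24, public 198.51.100.20  (constructed)

# 1. Phase 1 peer to the IPCOP box. The secret is a placeholder; replace it.
/ip ipsec peer add address=198.51.100.20/32 secret="CHANGE-ME" \
    exchange-mode=main send-initial-contact=yes

# 2. Phase 2 policy. src/dst-address are the traffic selector (the two LANs);
#    sa-src/sa-dst-address are the tunnel endpoints (the two public IPs).
#    No route and no interface are created for this; matching traffic is
#    picked up by the policy and encapsulated.
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    tunnel=yes action=encrypt proposal=default

# 3. NAT bypass. srcnat runs before the IPsec policy check, so the LAN-to-LAN
#    traffic has to be accepted ABOVE the masquerade rule (place-before=0);
#    otherwise the source becomes 203.0.113.10 and the policy never matches.
#    The masquerade rule on ether1 is assumed to exist already.
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 action=accept place-before=0 \
    comment="no NAT for traffic into the IPsec tunnel to IPCOP"

# 4. Checks: rule order, then ping a host on the far LAN and expect two
#    installed SAs, one per direction.
/ip firewall nat print
/ping 192.168.20.1 count=3
/ip ipsec installed-sa print
```

If `installed-sa print` stays empty after the ping, look at the NAT rule order first: an accept rule that was added after an existing masquerade rule never gets a chance to match, which is exactly the symptom the post describes.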