What needs to be configured so that traffic passes through IPsec on a Mikrotik?

Setting up IPsec between a Mikrotik and a DFL-260e.
The network behind the DFL is visible from the Mikrotik's network, but the Mikrotik's network is not visible from the DFL side (except for the Mikrotik itself).
I understand it is "buried" somewhere in the routing on the Mikrotik, but I can't get to where it is.
Fellow techs, please advise.
March 19th 20 at 08:28
2 answers
March 19th 20 at 08:30
Solution
It's the firewall rules on the clients that block connections from the second network.
March 19th 20 at 08:32
If the question concerns "pure" IPsec, then:
- it is not routing as such. All the information lives in the SAD and the SPD. The SPD is the Policies tab in the IPsec window; the SAD is the Installed SAs tab, and it is formed dynamically.
Here you need to remember:
IPsec passes through the firewall twice. For a clear understanding of how it all works, I always recommend this picture.
Let us take my home router (RB450G) as an example, where 1.1.1.1 is my external IP address and 2.2.2.2 is the external IP of the remote network. My LAN is 10.54.2.0/24, the remote one is 10.54.1.0/24.
The first thing is to set up the policy. It is the policy that decides: does this packet need to be encrypted or not?
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1h name=proposal1
/ip ipsec policy
add comment="To Cat's Home main VPN" dst-address=10.54.1.0/24 proposal=proposal1 sa-dst-address=\
 2.2.2.2 sa-src-address=1.1.1.1 src-address=10.54.2.0/24 tunnel=yes

What this does:
Added proposal1, in which the selected encryption algorithm is AES-256 in Galois/Counter Mode. Because it authenticates itself, separate authentication algorithms do not need to be set. The encryption keys are replaced every hour.
Set a policy under which all packets to the network 10.54.1.0/24 from 10.54.2.0/24 will be transformed into ESP protocol packets from IP 1.1.1.1 to IP 2.2.2.2. This is in fact our "routing table".
/ip ipsec peer
add address=2.2.2.2/32 auth-method=rsa-signature certificate=\
 "RB2011 cert (SHA256) with key" comment="To Cat's Home main VPN" dpd-interval=\
 disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=2h nat-traversal=no \
 proposal-check=strict remote-certificate="cert RB450G (SHA256)"

What this does:
Added a peer for the remote server. Authentication by certificates, encryption AES-256, re-exchange of keys after 2 hours.
Now we must configure the firewall, because, as drawn in the picture, the IPsec packets pass through it twice.
Suppose I'm on a computer with the address 10.54.2.1 and type "ping 10.54.1.1".
The packet goes through mangle prerouting, nat prerouting, mangle forward, filter forward (and here, if you have strict filtering and no rule allowing traffic from 10.54.2.0/24 to 10.54.1.0/24, it will die), mangle postrouting, nat postrouting, and is ready to go to the default gateway, but at this point the kernel checks it against the SPD: does it need to be encrypted and re-sent? Yes, the packet is subject to the policy, so we encrypt and convert it. And the ICMP packet from 10.54.2.1 to 10.54.1.1 is encrypted and packaged into an ESP packet from 1.1.1.1 to 2.2.2.2!
Here it is necessary not to forget to protect against NAT. The fact is that when the packet went through nat postrouting, the general rule
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6 to-addresses=1.1.1.1

replaced the source IP so that the "return address" would be unique, and now the packet no longer matches the policy. If it does not match the policy, it will not be encrypted and will follow the general routing rules. And the default gateway the router sends the packet out to will say "who are you? Go away, goodbye".
To avoid this, you need to specify that packets to which an IPsec policy is applicable are not to be touched: even behind NAT they stay unchanged, they still have to be encrypted:
add chain=srcnat comment="Does not touch the IPSec ESP packets to avoid break packets checksum" \
 ipsec policy=out ipsec log-prefix="NAT avoid" out-interface=ether6

The processed packet is put by the kernel back into the network stack, and it again, in its new capacity, passes mangle output, nat output, filter output (and here, if there is no permission for traffic in that direction or to 2.2.2.2 with protocol ESP, it will die), mangle postrouting, nat postrouting, and is sent over the wire to the remote point.

We assume that the other router is configured the same way, that is, it has its own SPD and its own list of peers. What happens when a packet is received:
the packet passes mangle prerouting, nat prerouting, mangle input, filter input (and if traffic from 1.1.1.1 or the ESP protocol is not allowed here, it will die)... and is ready to be passed to the higher OSI layers, but then the kernel checks: does it need to be decrypted? (and here, if the checksum does not add up, it will die). If the packet falls under the policy, it is decrypted and transformed from an ESP packet from 1.1.1.1 to 2.2.2.2 into an ICMP packet from 10.54.1.1 to 10.54.2.1 and is put back into the network stack. Then it goes through mangle prerouting, nat prerouting, mangle forward, filter forward (and here, if traffic is not permitted from 10.54.2.0/24 to 10.54.1.0/24, it will die), mangle postrouting, nat postrouting, and finally arrives at the output interface where 10.54.2.1 is connected.
The routing table (the one in the kernel) is not used; to the routers all this traffic looks local :)
Added in NAT:
add chain=srcnat comment="Does not touch the IPSec ESP packets to avoid break packets checksum" \
 ipsec policy=out ipsec log-prefix="NAT avoid" out-interface=ether6

it did not help. I understand ether6 is the LAN? - Isabella commented on March 19th 20 at 08:35
@Isabella, no. ether6 is the external interface. This rule should be placed above the general NAT rules. Its meaning is this: if the packet carries an IPsec policy, the nat postrouting chain does not touch it (accept immediately); if not, move on to the next rule - Gerald_Quigley41 commented on March 19th 20 at 08:38
@Gerald_Quigley41, 5c99d91b5a907594089868.png
The same - Isabella commented on March 19th 20 at 08:41
@Isabella, and why are the counters at zero? Nothing goes through that rule? - Gerald_Quigley41 commented on March 19th 20 at 08:44
Don't do it with pictures every time; it's better to copy-paste from the terminal - Gerald_Quigley41 commented on March 19th 20 at 08:47
5c99dad28d401841615314.png
When you ping from the D-Link network, here is the mess I get. - Isabella commented on March 19th 20 at 08:50
Did the peers connect? Does the Installed SAs tab have data? At least zeros? - Gerald_Quigley41 commented on March 19th 20 at 08:53
and why are the counters at zero? Nothing goes through that rule?

@Gerald_Quigley41, probably not - Isabella commented on March 19th 20 at 08:56
Did the peers connect? Does the Installed SAs tab have data? At least zeros?

@Gerald_Quigley41, not just connected, there's a bunch of bytes.
I'm telling you: if I go from a computer behind the Mikrotik, .7.240, to a computer behind the D-Link, .0.100 (for example), I not only ping it but also see the shares on that computer.
If I ping the Mikrotik from the D-Link or from the network behind the D-Link, it pings and Winbox connects, but everything behind the Mikrotik is not visible (no ping)
Flags: H - hw-aead A - AH, E - ESP
0 HE spi=0xCE312A2 src-address=77............
dst-address=195......... state=dying
auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=128
auth-key="3f33..........."
enc-key="95eb.............."
addtime=mar/26/2019 10:16:54 expires-in=8m7s
add-lifetime=48m/1h current-bytes=537787
current-packets=8018 replay=128

1 HE spi=0x30A4A18F src-address=195..............
dst-address=77........... state=dying
auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=128
auth-key="e9b....................."
enc-key="d9f............."
addtime=mar/26/2019 10:16:54 expires-in=8m7s
add-lifetime=48m/1h current-bytes=6974840
current-packets=8146 replay=128 - Isabella commented on March 19th 20 at 08:59
Policy. Carefully review the IPsec policy. And try to trace the path of the packet "by hand". By the way, if the policy is active, it has the letter A in the policy list. Also: which side is the Mikrotik on? - Gerald_Quigley41 commented on March 19th 20 at 09:02
@Gerald_Quigley41,
Also: which side is the Mikrotik on?

Setting up IPsec between a Mikrotik and a DFL-260e.


And try to trace the path of the packet "by hand".

What does that mean?

1)
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc \
lifetime=1h pfs-group=none
/ip ipsec peer
add address=77.@.@.@/32 dh-group=modp1024 \
enc-algorithm=aes-128 local-address=195.@.@.@ \
mode-config=request-only secret=@@@@@
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=\
77.@.@.@ sa-src-address=195.@.@.@ \
src-address=192.168.7.0/24 tunnel=yes

2)
/ip firewall nat
add action=accept chain=srcnat comment="Does not
ec ESP packets to avoid break packets checks
ipsec policy=out ipsec log-prefix="NAT avoid
add action=masquerade chain=srcnat log=yes out-i
ether1-wan src-address=192.168.7.0/24
/ip firewall service-port
set sip disabled=yes
3)
/ip route
add check-gateway=ping distance=1 gateway=195.@.@@
add distance=1 dst-address=192.168.0.0/24 gateway=ether1-wan
4)
Flags: H - hw-aead A - AH, E - ESP
0 HE spi=0x1E084EF src-address=77.@.@.@ dst-address=195.@.@
state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=128
auth-key="@@@@@@@@@@@@@"
enc-key="@@@@@@@@@@@@@@@"
addtime=mar/26/2019 16:07:42 expires-in=54m19s add-lifetime=4
current-bytes=78156 current-packets=1175 replay=128

1 HE spi=0x7D391470 src-address=195.@.@.@ dst-address=77.247.
state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
enc-key-size=128
auth-key="@@@@@@@@@@@@@@@@@"
enc-key="@@@@@@@@@@@@@@@@@@@"
addtime=mar/26/2019 16:07:42 expires-in=54m19s add-lifetime=4
current-bytes=846636 current-packets=1076 replay=128 - Isabella commented on March 19th 20 at 09:05
/ip ipsec policy? That's the main thing. That is the routing table for IPsec - Gerald_Quigley41 commented on March 19th 20 at 09:08
@Isabella, so after all, what equipment is on your side and what is on the other? I had a case where a Mikrotik would not pair with a Swan until the hash was dropped to sha1. - Gerald_Quigley41 commented on March 19th 20 at 09:11
@Gerald_Quigley41, on one side an RB750Gr3, on the other a D-Link DFL-260e
I have the algorithm set to sha1 anyway - Isabella commented on March 19th 20 at 09:14
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

1 A src-address=192.168.7.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=195.@.@.@ sa-dst-address=77.@.@.@ proposal=default ph2-count=1 - Isabella commented on March 19th 20 at 09:17
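The checks the thread walks through by eye (does the policy list carry an active A entry, are there installed SAs in both directions, are they mature, do bytes flow) can be run over pasted `print` output. The following is an added Python example written for this page, not RouterOS, Mikrotik or D-Link code; the two listings it parses are constructed in the layout of the pastes above, with RFC 5737 documentation addresses and elided keys, and the function and finding names are the example's own.

```python
"""Parse RouterOS `/ip ipsec installed-sa print` and `/ip ipsec policy print`
listings and report the conditions the thread checks by hand.
Added illustration; the dumps below are constructed, not captured."""
import re
from typing import List

# Constructed sample of `installed-sa print` (RFC 5737 addresses, keys elided).
SA_DUMP = """Flags: H - hw-aead A - AH, E - ESP
 0 HE spi=0xCE312A2 src-address=198.51.100.10
     dst-address=203.0.113.20 state=dying
     auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
     addtime=mar/26/2019 10:16:54 expires-in=8m7s
     add-lifetime=48m/1h current-bytes=537787
     current-packets=8018 replay=128

 1 HE spi=0x30A4A18F src-address=203.0.113.20
     dst-address=198.51.100.10 state=mature
     auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
     addtime=mar/26/2019 10:16:54 expires-in=54m19s
     add-lifetime=48m/1h current-bytes=0
     current-packets=0 replay=128
"""

# Constructed sample of `policy print`: the default template plus one active (A) policy.
POLICY_DUMP = """Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1 A src-address=192.168.7.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=203.0.113.20 sa-dst-address=198.51.100.10 proposal=default ph2-count=1
"""


def parse_print(text: str) -> List[dict]:
    """Split a RouterOS print listing into records: index, flag letters, key=value fields."""
    lines = text.strip("\n").split("\n")
    if lines and lines[0].lstrip().startswith("Flags:"):
        lines = lines[1:]                                # drop the flag legend
    records = []
    for block in re.split(r"\n\s*\n", "\n".join(lines).strip()):
        tokens = block.split()
        if not tokens or not tokens[0].isdigit():
            continue
        rec = {"index": int(tokens[0]), "flags": "", "fields": {}}
        last_key = None
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rec["fields"][key] = value.strip('"')
                last_key = key
            elif last_key is None:
                rec["flags"] += tok                      # bare letters before the first field are flags
            else:
                rec["fields"][last_key] += " " + tok     # value with a space, e.g. addtime
        records.append(rec)
    return records


def duration_seconds(value: str) -> int:
    """Convert a RouterOS duration such as '8m7s' or '1h' to seconds."""
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", value))


def diagnose(sa_text: str, policy_text: str) -> List[str]:
    """Return the findings a reviewer would raise about the policy list and installed SAs."""
    findings = []
    policies = parse_print(policy_text)
    sas = parse_print(sa_text)
    active = [p for p in policies if "A" in p["flags"] and "T" not in p["flags"]]
    if not active:
        findings.append("no active (A) policy: phase 2 was never negotiated")
    if not sas:
        findings.append("no installed SAs: the peers did not establish")
    have = {(sa["fields"]["src-address"], sa["fields"]["dst-address"]) for sa in sas}
    for pol in active:
        out = (pol["fields"]["sa-src-address"], pol["fields"]["sa-dst-address"])
        if out not in have:
            findings.append(f"policy {pol['index']}: no outbound SA {out[0]}->{out[1]}")
        if out[::-1] not in have:
            findings.append(f"policy {pol['index']}: no inbound SA {out[1]}->{out[0]}")
    for sa in sas:
        f = sa["fields"]
        tag = f"SA {f['spi']} {f['src-address']}->{f['dst-address']}"
        if f.get("state") != "mature":
            findings.append(f"{tag}: state={f.get('state')}, expires in "
                            f"{duration_seconds(f.get('expires-in', '0s'))}s")
        if int(f.get("current-bytes", "0")) == 0:
            findings.append(f"{tag}: no traffic (current-bytes=0)")
    return findings


if __name__ == "__main__":
    for line in diagnose(SA_DUMP, POLICY_DUMP):
        print(line)
```

Paste a real listing in place of the constructed strings; a policy that appears only as the `T *` template, or an SA direction with `current-bytes=0` while the reverse direction counts up, is exactly the "pings may not be encrypted" situation discussed further down.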
@Isabella, can you explain to me what's with the encryption? If I ping from 192.168.0.111 to 192.168.7.1 (the Mikrotik's internal IP), it passes. If I ping 192.168.7.240, it does not - Isabella commented on March 19th 20 at 09:20
@Gerald_Quigley41,

Suppose I'm on a computer with the address 10.54.2.1 and type "ping 10.54.1.1".
The packet goes through mangle prerouting, nat prerouting, mangle forward, filter forward (and here, if you have strict filtering and no rule allowing traffic from 10.54.2.0/24 to 10.54.1.0/24, it will die), mangle postrouting, nat postrouting, and is ready to go to the default gateway, but at this point the kernel checks it against the SPD: does it need to be encrypted and re-sent? Yes, the packet is subject to the policy, so we encrypt and convert it. And the ICMP packet from 10.54.2.1 to 10.54.1.1 is encrypted and stored in an ESP packet from 1.1.1.1 to 2.2.2.2!
The processed packet is put by the kernel back into the network stack, and it again, in its new capacity, passes mangle output, nat output, filter output (and here, if there is no permission for traffic in that direction or to 2.2.2.2 with protocol ESP, it will die), mangle postrouting, nat postrouting, and is sent over the wire to the remote point.
Only the remote endpoint does not want to accept it; it will be discarded as corrupted.
Why?
When the packet passed nat postrouting, the standard src-ip replacement rule fired, which replaces all internal IPs with our external IP:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6 to-addresses=1.1.1.1

...which replaced the IP for us and broke the packet's checksum, so now it doesn't add up, and the kernel, trying to decrypt the ESP packet, discards it as damaged! What to do? It is necessary to specify that already prepared ESP packets are not to be touched; they are all formed correctly:


Uh... it's a bit different. On Mikrotik the IPsec policy check is performed after postrouting and src-nat, hence 10.54.2.1 will be replaced with 1.1.1.1, and 1.1.1.1 -> 10.54.1.1 ≠ 10.54.2.0/24 -> 10.54.1.0/24, so the packet will go out unencrypted
Mikrotik IPsec Encryption/Decryption - malika.Gibson24 commented on March 19th 20 at 09:23
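The order that both the answer's walkthrough and malika.Gibson24's correction describe (srcnat runs first, then the SPD decides whether the packet is wrapped in ESP) is what makes the `ipsec-policy=out,ipsec` accept rule necessary, and makes its position in the chain matter. The following is an added Python model written for this page, not RouterOS or Mikrotik code: it reduces a srcnat chain and a policy list to just enough logic to show the outcome for each ordering, using the answer's addresses plus a constructed Internet destination; the class and scenario names are the example's own.

```python
"""Model of the outbound path on RouterOS as the thread describes it:
   ... filter forward -> srcnat -> SPD (IPsec policy) lookup -> ESP or clear.
Added illustration, not RouterOS code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class Policy:
    """One /ip ipsec policy entry: traffic selector plus tunnel endpoints (tunnel=yes)."""
    src_net: str
    dst_net: str
    sa_src: str
    sa_dst: str

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net))


@dataclass(frozen=True)
class NatRule:
    """Subset of a srcnat rule: action, optional src-address matcher, and the
    ipsec-policy=out,ipsec matcher ('an outbound IPsec policy applies to this packet')."""
    action: str                      # "accept", "src-nat" or "masquerade"
    ipsec_policy_out: bool = False
    src_address: Optional[str] = None
    to_address: Optional[str] = None


def run_srcnat(pkt: Packet, rules: List[NatRule], spd: List[Policy], wan_ip: str) -> Packet:
    """Walk the srcnat chain top to bottom; the first rule whose matchers hit decides."""
    for rule in rules:
        if rule.ipsec_policy_out and not any(pol.matches(pkt) for pol in spd):
            continue
        if rule.src_address and ip_address(pkt.src) not in ip_network(rule.src_address):
            continue
        if rule.action == "accept":
            return pkt                           # leave the packet alone, stop walking the chain
        if rule.action == "src-nat":
            return replace(pkt, src=rule.to_address)
        if rule.action == "masquerade":
            return replace(pkt, src=wan_ip)
    return pkt


def send(pkt: Packet, rules: List[NatRule], spd: List[Policy], wan_ip: str) -> Packet:
    """srcnat first, then the SPD lookup that decides whether the packet becomes ESP."""
    after_nat = run_srcnat(pkt, rules, spd, wan_ip)
    for pol in spd:
        if pol.matches(after_nat):
            return Packet(pol.sa_src, pol.sa_dst, "esp")   # encrypted; tunnel endpoints as outer IPs
    return after_nat                                        # no policy hit: leaves in the clear


# Constructed scenario with the answer's addresses; 192.0.2.50 is a documentation address.
WAN_IP = "1.1.1.1"
SPD = [Policy("10.54.2.0/24", "10.54.1.0/24", WAN_IP, "2.2.2.2")]
GENERAL_NAT = NatRule("src-nat", to_address=WAN_IP)
IPSEC_EXCEPTION = NatRule("accept", ipsec_policy_out=True)
LAN_TO_REMOTE = Packet("10.54.2.1", "10.54.1.1")
LAN_TO_INTERNET = Packet("10.54.2.1", "192.0.2.50")


def scenarios() -> dict:
    """What leaves the WAN interface under each srcnat chain layout."""
    return {
        "no_exception": send(LAN_TO_REMOTE, [GENERAL_NAT], SPD, WAN_IP),
        "exception_first": send(LAN_TO_REMOTE, [IPSEC_EXCEPTION, GENERAL_NAT], SPD, WAN_IP),
        "exception_below_nat": send(LAN_TO_REMOTE, [GENERAL_NAT, IPSEC_EXCEPTION], SPD, WAN_IP),
        "internet_still_natted": send(LAN_TO_INTERNET, [IPSEC_EXCEPTION, GENERAL_NAT], SPD, WAN_IP),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} -> {result.src} -> {result.dst} ({result.proto})")
```

Only the layout with the exception rule above the general rule produces an ESP packet from 1.1.1.1 to 2.2.2.2; with no exception, or with the exception placed below the src-nat rule, the ping leaves as plain ICMP from 1.1.1.1, which is the silent failure the thread is chasing. Ordinary Internet-bound traffic is still translated because the `ipsec-policy` matcher does not fire for it.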
@malika.Gibson24, @Isabella, because I'm not sure that your pings are encrypted :) The D-Link box is, of course, a separate matter. Since I haven't run IPsec on it, I can't say whether routes are needed or not, at which point encryption happens, how the ESP packets go... That is just something to find out by experiment. - Gerald_Quigley41 commented on March 19th 20 at 09:26
@malika.Gibson24, Um... yes, I agree. Fixed. - Gerald_Quigley41 commented on March 19th 20 at 09:29
