Need help with IPSec (and AWS VPN)
I am trying to get an AWS VPN going to a MikroTik. I have gotten *so close* - AWS says the tunnel is UP, I see valid SAs at my end, I can even ping across the link - but only from the router. Not from within my network.

I feel it just has to be some simple NAT or firewall thing, but I've run out of ideas. If anyone out there would be prepared to help, I'd be most grateful. Call me any time on 0-65947435, or email me and I'll call you...

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)                   work +61 2 64957435
http://www.nullarbor.com.au                          mobile +61 428 957160

GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
Have you got an SRCNAT Accept rule for the subnets you are trying to VPN to at the remote end?

Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Wednesday, 1 June 2016 5:00 PM
To: MikroTik Public
Subject: [MT-AU Public] Need help with IPSec (and AWS VPN)

[quoted original message, identical to the first post above]

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
This is my standard config, works every time. Only bother bringing up one of the tunnels. I'm sure you can work out the $ variables :)

/ip address add address=$MT_TU_IP/30 interface=Outside comment=AWS

/ip ipsec proposal add lifetime=8m name=AWS

/ip ipsec policy add src-address=0.0.0.0/0 src-port=any dst-address=$AWS_NET dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$MT_Ext_IP sa-dst-address=$AWS_VPG proposal=AWS priority=0 comment=AWS
/ip ipsec policy add src-address=$MT_TU_IP/32 src-port=any dst-address=$AWS_TU_IP/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$MT_Ext_IP sa-dst-address=$AWS_VPG proposal=AWS priority=0 comment=AWS

/ip ipsec peer add address=$AWS_VPG/32 local-address=$MT_Ext_IP passive=no port=500 auth-method=pre-shared-key secret="$AWS_PSK" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=10s dpd-maximum-failures=3 comment=AWS

/ip firewall filter add chain=input action=accept protocol=ipsec-esp src-address=$AWS_VPG dst-address=$MT_Ext_IP comment=AWS
/ip firewall filter add chain=input action=accept protocol=udp src-address=$AWS_VPG dst-address=$MT_Ext_IP src-port=500 dst-port=500 comment=AWS
/ip firewall filter add chain=forward action=accept src-address=$AWS_NET comment=AWS
/ip firewall filter add chain=forward action=accept dst-address=$AWS_NET comment=AWS

/ip firewall nat add chain=srcnat action=src-nat to-addresses=$MT_NET dst-address=$AWS_NET comment=AWS
/ip firewall nat add chain=dstnat action=accept src-address=$AWS_NET comment=AWS

/tool netwatch add comment=AWS host=$AWS_TU_IP

Dave Browning | Network Engineer
P 07 3369 7666
Level 1, 12 Railway Tce, Milton QLD 4064

From: Karl Auer
Sent: June 1, 2016 at 4:59:46 PM GMT+10
To: MikroTik Public
Subject: [MT-AU Public] Need help with IPSec (and AWS VPN)

[quoted original message, identical to the first post above]
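Both replies point at the same thing: on RouterOS the srcnat chain is applied before the IPsec policy lookup, so a general masquerade rule rewrites a LAN host's source address to the WAN address before the policy selector ever sees the packet. The following is an added example, not code from the thread or from any of the posters: a small Python model of that ordering, using constructed addresses (192.168.10.0/24, 10.50.0.0/16 and 203.0.113.7 stand in for $MT_NET, $AWS_NET and $MT_Ext_IP; all assumptions). It evaluates a first-match srcnat chain, then checks the IPsec policy selector, and shows why an srcnat accept rule for the remote subnet placed above the masquerade rule is what makes LAN-originated traffic work. It also covers the variant with a 0.0.0.0/0 policy source, as in Dave's config, where the packet is still encrypted but leaves with a source address outside the customer CIDR AWS expects, so no reply comes back.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample addressing (assumptions for this demo, not values from
# the thread, which uses $MT_NET / $AWS_NET / $MT_Ext_IP placeholders).
LAN_NET = ip_network("192.168.10.0/24")   # stands in for $MT_NET
AWS_NET = ip_network("10.50.0.0/16")      # stands in for $AWS_NET
WAN_IP = ip_address("203.0.113.7")        # stands in for $MT_Ext_IP


@dataclass
class NatRule:
    """One /ip firewall nat chain=srcnat rule (only the matchers needed here)."""
    action: str                          # "accept" or "masquerade"
    dst: Optional[IPv4Network] = None    # dst-address matcher; None = any


@dataclass
class IpsecPolicy:
    """Selector part of an /ip ipsec policy (src-address / dst-address)."""
    src: IPv4Network
    dst: IPv4Network


def run_srcnat(src: IPv4Address, dst: IPv4Address, rules: list) -> IPv4Address:
    """First-match evaluation of the srcnat chain. 'accept' stops processing
    and leaves the source untouched; 'masquerade' rewrites it to the WAN IP."""
    for rule in rules:
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.action == "accept":
            return src
        if rule.action == "masquerade":
            return WAN_IP
    return src


def forward(src, dst, nat_rules, policies) -> dict:
    """Model of the RouterOS ordering that matters here: srcnat runs first,
    then the IPsec policy lookup sees the (possibly rewritten) source."""
    src, dst = ip_address(src), ip_address(dst)
    post_nat_src = run_srcnat(src, dst, nat_rules)
    encrypted = any(post_nat_src in p.src and dst in p.dst for p in policies)
    # AWS only routes replies to the customer CIDR declared for the VPN, so a
    # packet whose source became the WAN IP gets no answer even if encrypted.
    reply_routable = encrypted and post_nat_src in LAN_NET
    return {
        "post_nat_src": str(post_nat_src),
        "encrypted": encrypted,
        "reply_routable": reply_routable,
    }


# Policy with a LAN-scoped selector (assumed variant).
LAN_POLICY = [IpsecPolicy(src=LAN_NET, dst=AWS_NET)]
# Policy with a catch-all source selector, as in Dave's config.
ANY_SRC_POLICY = [IpsecPolicy(src=ip_network("0.0.0.0/0"), dst=AWS_NET)]

# Common broken ordering: a general masquerade rule catches VPN-bound traffic.
BROKEN_NAT = [NatRule("masquerade")]
# Fix in the spirit of Paul's question: accept the remote subnet above masquerade.
FIXED_NAT = [NatRule("accept", dst=AWS_NET), NatRule("masquerade")]


def main():
    lan_host, aws_host = "192.168.10.25", "10.50.1.10"
    cases = [
        ("masquerade only, LAN-scoped policy", BROKEN_NAT, LAN_POLICY),
        ("masquerade only, 0.0.0.0/0 policy", BROKEN_NAT, ANY_SRC_POLICY),
        ("accept-before-masquerade, LAN policy", FIXED_NAT, LAN_POLICY),
    ]
    for label, nat, pol in cases:
        r = forward(lan_host, aws_host, nat, pol)
        print(f"{label:40s} src->{r['post_nat_src']:14s} "
              f"encrypted={r['encrypted']} reply_routable={r['reply_routable']}")


if __name__ == "__main__":
    main()
```

Run as-is to see the three cases side by side. The first case never matches the policy, so the packet leaves in cleartext via NAT; the second is the "tunnel UP, SAs valid, router can ping, LAN cannot" picture, because the traffic is encrypted but carries the WAN source; only the third leaves the LAN source intact so that both the selector match and the return route work.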