Computer networks
Alexander, 2019-07-07 12:04:55

Setting up a VPN between Mikrotik and Zywall?

Good afternoon. I am trying to set up an IPSec VPN between a Mikrotik and a Zywall. The VPN came up, but there is no ping from the Mikrotik network into the Zywall network; in the other direction the ping works.
I added the route on the Mikrotik, and the ping from the Zywall into the Mikrotik network appeared.
I disabled the firewall on the Zywall; it did not help.
Maybe the problem is in routing, please help me figure it out.
Zywall settings:
local network - 192.168.1.0
[three Zywall configuration screenshots attached to the original post, not reproduced here]
Mikrotik settings:
Local network - 192.168.88.0

/ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1  A  src-address=192.168.88.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
       level=require ipsec-protocols=esp tunnel=yes sa-src-address=111.111.111.246 sa-dst-address=111.1111.111.158
       proposal=zyxel ph2-count=1

/ip ipsec>  peer print
Flags: X - disabled, D - dynamic, R - responder
 0     ;;; Unsafe configuration, suggestion to use certificates
       address=111.111.1111.158/32 profile=default auth-method=pre-shared-key secret="1111111" generate-policy=no
       policy-template-group=default exchange-mode=main send-initial-contact=yes

/ip ipsec> proposal print
Flags: X - disabled, * - default
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
      pfs-group=modp1024

 1    name="zyxel" auth-algorithms=sha1 enc-algorithms=des lifetime=30m pfs-group=none

 /ip firewall>  filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix=""

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

 4    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""

 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

 6 X  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no
      log-prefix=""

 7    ;;; Allow IKE/NAT-T for IPSec
      chain=input protocol=udp dst-port=500,4500 log-prefix="IKE/NAT-T"

 8    ;;; Allow ESP for IPSec
      chain=input protocol=ipsec-esp log-prefix="ESP"
 9    ;;; Allow IKE/NAT-T for IPSec
      chain=output protocol=udp src-port=500,4500 log-prefix="IKE/NAT-T"

10    ;;; Allow ESP for IPSec
      chain=output protocol=ipsec-esp log-prefix="ESP"

11    ;;; Accept, when packet from internal net to internal net (between vlans)
      chain=forward action=accept src-address-list=Internal nets dst-address-list=Internal nets log=no log-prefix=""

12    chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

/ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade dst-address=!192.168.1.0/24 out-interface=ether1 log=no log-prefix=""

 2    ;;; masquerade hotspot network
      chain=srcnat action=masquerade log=no log-prefix=""

 3    ;;; masquerade hotspot network
      chain=srcnat action=masquerade log=no log-prefix=""

 4    ;;; masquerade hotspot network
      chain=srcnat action=masquerade log=no log-prefix=""

 5    ;;; masquerade hotspot network
      chain=srcnat action=masquerade log=no log-prefix=""

 6    ;;; masquerade hotspot network
      chain=srcnat action=masquerade log=no log-prefix=""

 7    ;;; masquerade hotspot network
      chain=srcnat action=masquerade log=no log-prefix=""

 8    ;;; Does not touch IPSec ESP packets to avoid break packets checksum
      chain=srcnat out-interface=ether1 log-prefix="NAT avoid" ipsec-policy=out,ipsec

 /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                         11111.1111.1111.241              1
 1 ADC  111111111111/28    11111111111    ether1                    0
 2 A S  192.168.1.0/24                     ether1                    1
 3 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

3 answer(s)
ТыжСисАдмин, 2019-07-07
@POS_troi

2 A S  192.168.1.0/24                     ether1                    1

You have the 192.168.1.0/24 network with its gateway on ether1, but the gateway should be the Zywall, or the interface where the ipsec hangs out.

poisons, 2019-07-09
@poisons

1. There is no problem with routing, no manual routes need to be created. Everything is decided by policy. This is where you specify which networks are behind the tunnel. Should be mirrored on both sides. What rule 2 AS 192.168.1.0/24 ether1 1 should do is not clear.
2. We look at the 6th rule in the ip firewall filter, why is it higher than 12?
3. What's with NAT? You can't do that: chain=srcnat action=masquerade log=no log-prefix=""

Anton Ivanov, 2019-07-11
@zamaza

In the policy src-address=192.168.88.0/24 src-port=any dst-address=192.168.1.0/24, you specify external addresses here.
In NAT, remove the remote network from the masquerade; it won't go there anyway.
Disable everything in the firewall for the duration of the setup.
Create an interface for the VPN connection, and in the route set it as the gateway.
Like so
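The configuration pasted in the question, together with the points raised in the second and third answers (policy versus static route, the catch-all masquerade rules, the NAT exclusion), as an added example that is not part of the original thread: a small Python model of the RouterOS egress path for one packet. The rule, route and policy data are transcribed from the question's output (addresses obfuscated as in the original); the packet addresses 192.168.88.10 and 192.168.1.10 are constructed, and WAN_IP is assumed to equal the policy's sa-src-address. The model reduces RouterOS to the three steps that matter here, in the order RouterOS applies them: longest-prefix route lookup, first-match srcnat, then the IPsec policy check against the post-NAT source address.

```python
"""Added example (not from the question or the answers): walk one packet
through route lookup -> srcnat -> IPsec policy match, using the rules the
question posted, to show why the tunnel traffic is never encrypted and how
reordering srcnat fixes it. Also flags the weak phase-2 proposal."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_IP = "111.111.111.246"  # assumed: sa-src-address from the question's policy

@dataclass
class NatRule:
    comment: str
    action: str = "accept"          # RouterOS default when no action is printed
    out_iface: Optional[str] = None
    dst_not: Optional[str] = None   # dst-address=!X
    ipsec_out: bool = False         # ipsec-policy=out,ipsec matcher

# Phase-2 policy selector from the question: (src-address, dst-address)
POLICY = ("192.168.88.0/24", "192.168.1.0/24")

# /ip route print from the question, as (prefix, outgoing interface)
ROUTES = [("0.0.0.0/0", "ether1"), ("192.168.1.0/24", "ether1"),
          ("192.168.88.0/24", "bridge")]

# /ip firewall nat print from the question, in the printed order
NAT_AS_POSTED = [
    NatRule("defconf: masquerade", "masquerade", out_iface="ether1",
            dst_not="192.168.1.0/24"),
    NatRule("masquerade hotspot network", "masquerade"),  # rules 2-7 are identical
    NatRule("NAT avoid", "accept", out_iface="ether1", ipsec_out=True),
]

# Same rules with the IPsec bypass moved to the top (place-before=0 on RouterOS)
NAT_FIXED = [NAT_AS_POSTED[2], NAT_AS_POSTED[0], NAT_AS_POSTED[1]]

def route_lookup(routes, dst):
    """Longest-prefix match; returns the outgoing interface."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def policy_matches(src, dst):
    """Does the (src, dst) pair fall inside the phase-2 policy selector?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(POLICY[0])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(POLICY[1]))

def walk_srcnat(rules, src, dst, out_iface):
    """First matching rule wins, as in the RouterOS srcnat chain."""
    for r in rules:
        if r.out_iface and r.out_iface != out_iface:
            continue
        if r.dst_not and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst_not):
            continue
        if r.ipsec_out and not policy_matches(src, dst):
            continue
        return (WAN_IP if r.action == "masquerade" else src), r.comment
    return src, "(no srcnat rule matched)"

def egress(nat_rules, src, dst, routes=ROUTES):
    """Route -> srcnat -> IPsec policy check on the post-NAT source address."""
    iface = route_lookup(routes, dst)
    new_src, hit = walk_srcnat(nat_rules, src, dst, iface)
    return {"out_iface": iface, "src_after_nat": new_src,
            "nat_rule": hit, "encrypted": policy_matches(new_src, dst)}

# Well-known weak phase-2 choices (the question's "zyxel" proposal hits two)
WEAK = {"des": "DES (56-bit key)", "3des": "3DES", "null": "no encryption",
        "md5": "MD5", "none": "no PFS", "modp1024": "1024-bit DH group"}

def proposal_findings(enc, auth, pfs):
    """Return the weak items found in a proposal's enc/auth algorithms and PFS group."""
    return [WEAK[x] for x in (*enc, *auth, pfs) if x in WEAK]

if __name__ == "__main__":
    for name, rules in (("as posted", NAT_AS_POSTED), ("bypass first", NAT_FIXED)):
        print(name, egress(rules, "192.168.88.10", "192.168.1.10"))
    # Without the static route the default route still sends it out ether1
    no_static = [r for r in ROUTES if r[0] != "192.168.1.0/24"]
    print("no static route",
          egress(NAT_AS_POSTED, "192.168.88.10", "192.168.1.10", routes=no_static))
    print("proposal zyxel:", proposal_findings(["des"], ["sha1"], "none"))
```

Run as posted, the packet leaves on ether1 with or without the static route (the default route also points there, which is why the second answer says routing is not the problem), is masqueraded by the first "masquerade hotspot network" rule before the "NAT avoid" rule is ever reached, and its new source 111.111.111.246 no longer matches the policy's src-address, so it is sent unencrypted. With the ipsec-policy=out,ipsec accept rule moved to the top of srcnat (place-before=0 on RouterOS), the source is left alone and the policy matches. The proposal check reports that the question's zyxel proposal uses DES and no PFS, which is worth fixing on both ends once the tunnel passes traffic.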
