VPN
nois, 2020-01-21 15:38:16

Why did Internet access stop working when the IPsec tunnel came up?

Hello!
An IPsec tunnel strongSwan (server) <-> Mikrotik (client) has been set up. Everything worked fine until I updated the firmware on the Mikrotik from 6.40.5 to 6.44.6: after that the network on the Mikrotik side stopped working, or rather Internet access did. At the same time the tunnel comes up and works, but external addresses are not pingable (sometimes they are, selectively). It can be seen that a packet from the LAN arrives at the Mikrotik, is sent out the WAN interface and comes back to the Mikrotik, and that is it: it no longer reaches the bridge.
The firewall is empty; there is only NAT masquerading.
What could be the problem? Which direction should I dig in?
Linux gateway:
  Internal network: 192.168.10.0/24
  Gateway address: 192.168.10.1
  External address: xxxx
Mikrotik:
  Internal network: 192.168.88.0/24
  Gateway address: 192.168.88.1
  External address: dynamic (yyyy)

strongSwan config (ipsec.conf conn section)
dpdaction=clear
dpddelay=35s
dpdtimeout=300s
fragmentation=yes
rekey=no
# comma-separated proposal lists; the trailing "!" restricts negotiation to exactly these entries
# the last entries (3des, sha1, modp1024) are legacy fallbacks
ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,aes128-sha1,3des-sha1!
left=%any
leftauth=pubkey
leftcert=server.crt
leftsendcert=always
leftsubnet=192.168.10.0/24
right=%any
rightauth=pubkey
rightcert=client.crt
rightsendcert=yes
# virtual IP and DNS server handed to the client through the IKEv2 configuration payload (mode config)
rightsourceip=192.168.88.200/32
rightsubnet=192.168.88.0/24
rightdns=8.8.8.8
keyexchange=ikev2
auto=add

Mikrotik config (RouterOS 6.44.6)
/ip ipsec policy
src-address=192.168.88.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=x.x.x.x proposal=default ph2-count=0
/ip ipsec peer
name="peer1" address=x.x.x.x/32 profile=default exchange-mode=ike2 send-initial-contact=yes
/ip ipsec identity
peer=peer1 auth-method=rsa-signature mode-config=request-only certificate=client.crt_0 generate-policy=port-override
/ip firewall nat
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""


1 answer
korsar182, 2020-01-21
@nois

Try removing the rightsourceip and rightdns parameters from the strongswan config.
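
Before reloading a strongSwan config like the one above, it is worth linting the ike= and esp= proposal lists: a mistyped keyword silently loses a proposal, and legacy entries such as 3des, sha1 and modp1024 are easy to leave in as "fallbacks". The checker below is an added example for this thread, not code from the question, the answer or the strongSwan project. Its keyword tables are a hand-maintained subset of strongSwan's algorithm names (an assumption, so anything not in them is reported as "unknown" for you to verify), and the sample config it runs on is constructed for the example, with a deliberately mistyped keyword (aes182) in the esp= line.

```python
"""Sanity-check strongSwan ike=/esp= proposal lines before loading a config.

Added example for this thread, not code from the question, the answer or
the strongSwan project. The keyword tables are a hand-maintained subset of
strongSwan's algorithm names (an assumption, not the full list), so a
keyword missing from them is reported as "unknown" for manual checking.
"""
import re

# Hand-maintained subset of strongSwan keywords (assumption: incomplete).
ENCR = {"aes128", "aes192", "aes256", "3des", "null"}
AEAD = {"aes128gcm8", "aes128gcm12", "aes128gcm16",
        "aes256gcm8", "aes256gcm12", "aes256gcm16", "chacha20poly1305"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
      "modp8192", "ecp256", "ecp384", "ecp521", "curve25519"}
PRF = {"prfsha1", "prfsha256", "prfsha384", "prfsha512"}
# Keywords that should not appear in a new configuration.
WEAK = {"3des", "md5", "null", "sha1", "modp768", "modp1024"}

PROPOSAL_LINE = re.compile(r"^(ike|esp)\s*=\s*(\S+)\s*$")


def parse_proposals(line):
    """'esp=aes128-sha256-modp2048,3des-sha1!' -> ('esp', [[...], [...]], strict)."""
    m = PROPOSAL_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ike=/esp= line: {line!r}")
    kind, value = m.group(1), m.group(2)
    strict = value.endswith("!")          # "!" = accept only the listed proposals
    proposals = [p.split("-") for p in value.rstrip("!").split(",") if p]
    return kind, proposals, strict


def check_proposal(kind, tokens):
    """Return findings for one proposal (list of strings); [] means it looks sane."""
    findings = []
    has_encr = has_aead = has_integ = has_dh = False
    for t in tokens:
        if t in ENCR:
            has_encr = True
        elif t in AEAD:
            has_aead = True
        elif t in INTEG:
            has_integ = True    # next to an AEAD cipher in ike= this names the PRF
        elif t in DH:
            has_dh = True
        elif t not in PRF:
            findings.append(f"unknown keyword {t!r} (typo?)")
        if t in WEAK:
            findings.append(f"legacy/weak algorithm {t!r}")
    if not (has_encr or has_aead):
        findings.append("no usable encryption algorithm")
    if has_encr and not has_integ:
        findings.append("non-AEAD cipher without an integrity algorithm")
    if kind == "ike" and not has_dh:      # ESP without a DH group just means no PFS
        findings.append("IKE proposal without a DH group")
    return findings


def check_config(text):
    """Scan ipsec.conf-style text; return [(kind, proposal, findings), ...] in file order."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not PROPOSAL_LINE.match(line):
            continue
        kind, proposals, _strict = parse_proposals(line)
        for tokens in proposals:
            results.append((kind, "-".join(tokens), check_proposal(kind, tokens)))
    return results


# Constructed sample for this example; "aes182" is a deliberate typo for aes128.
SAMPLE = """\
conn mikrotik
    ike=aes256gcm16-sha256-modp2048,aes256-sha256-modp2048,3des-sha1-modp1024!
    esp=aes128gcm16-modp2048,aes182-sha1-modp2048,aes128-sha256,3des-sha1!
"""

if __name__ == "__main__":
    for kind, proposal, findings in check_config(SAMPLE):
        status = "ok" if not findings else "; ".join(findings)
        print(f"{kind:3} {proposal:32} {status}")
```

Pointed at the ike=/esp= lines of the question's own config, the checker passes the GCM and modp2048/modp4096 entries and flags every proposal that contains sha1, modp1024 or 3des as legacy, which is the short list to trim once the peer negotiates one of the stronger entries.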
