IPsec Site-to-Site VPN: MikroTik + NSX Edge

vtuchk

Здравствуйте

Имеется Site-to-Site IPsec VPN (IKEv2) между MikroTik hAP ac² (RouterOS 6.47.8) и VMware NSX Edge Gateway.
Сеть за микротиком - 192.168.88.0/24
Сеть за Edge - 192.168.100.0/24
После обновления микротика до версии прошивки 6.47.8 возникла проблема: теряются пакеты, приходящие из VPN-туннеля.
Выражается это тем, что, например, при попытке открыть сайт (порт 443) на узле за VPN-ом браузер выдаёт ошибку «Не удаётся открыть эту страницу. Сайт 192.168.100.25 слишком долго отвечал». Судя по логам микротика (правила с log=yes в raw prerouting и srcnat), пакеты до него доходят в обе стороны, но конечное устройство, с которого открывается сайт (192.168.88.245), всё равно получает ошибку. Лог прилагаю.
Я уже голову сломал, в чем проблема. До обновления RouterOS все прекрасно работало.

Конфигурация микротика (экспорт, секреты скрыты):
 
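# dec/06/2020 15:57:09 by RouterOS 6.47.8
# software id = AV3W-L55G
#
# model = RBD52G-5HacD2HnD
# serial number = A6490A9F9C4C
#
# Reviewed export. Changes versus the original are marked "CHANGED";
# everything else is kept as exported, with review notes added as comments.
/interface bridge
add admin-mac=74:4D:28:60:E1:0E auto-mac=no comment=defconf name=bridge
/interface pppoe-client
# WAN uplink; the PPPoE address is also hard-coded as local-address / sa-src-address
# in the IPsec peers and policies below, so a change of the assigned address
# will silently break IKE until those entries are updated.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=*************** use-peer-dns=yes user=***************
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=russia disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=MikroTik-2G station-roaming=enabled wireless-protocol=\
802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=russia disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=MikroTik-5G station-roaming=enabled \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# WPA2-PSK only (authentication-types=wpa2-psk); the wpa-pre-shared-key value
# is unused unless wpa-psk is added to authentication-types.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=*************** wpa2-pre-shared-key=***************
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
# IKE (phase 1) parameters shared by all three peers.
# CHANGED: 3des removed from enc-algorithm. It was only a fallback (aes-256 listed
# first), but a 64-bit block cipher should not be offered to the peer at all;
# if the NSX side ever stops proposing AES the tunnel would quietly downgrade.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Edge_Profile
/ip ipsec peer
# IKEv2 with pre-shared keys (see /ip ipsec identity). Acceptable for a fixed
# set of static peers; certificate authentication would be the stronger option.
add address=213.159.206.143/32 exchange-mode=ike2 local-address=188.235.1.195 name=VINF-KZN profile=Edge_Profile
add address=93.90.221.9/32 exchange-mode=ike2 local-address=188.235.1.195 name=MSK_IX profile=Edge_Profile
add address=93.90.220.50/32 exchange-mode=ike2 local-address=188.235.1.195 name=MSK_DTLN profile=Edge_Profile
/ip ipsec proposal
# ESP (phase 2): AES-256-CBC + HMAC-SHA256 with PFS on modp2048.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Edge_Proposal pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.88.80-192.168.88.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/snmp community
# Only the allowed source range is set here; the export does not show the
# community name being changed from the default, and v2c communities travel in
# clear text. Rename the community (or move to SNMPv3) before relying on this.
set [ find default=yes ] addresses=192.168.88.0/24
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# NOTE(review): the LAN address sits on ether2, which is a bridge port, rather
# than on the bridge itself. It evidently works here (DHCP and the log show
# LAN traffic on "bridge"), but the conventional placement is interface=bridge.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# Remote requests are allowed on every interface; exposure to the WAN is only
# prevented by the input-chain "drop all not coming from LAN" rule below, so
# keep that rule in place.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Decrypted/encrypted IPsec traffic is accepted here, BEFORE fasttrack, so it is
# never fasttracked (fasttracked packets would bypass IPsec policy processing).
# Keep these two rules above the fasttrack rule.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# The two rules below sit after the WAN drop and after the ipsec-policy accepts,
# so for tunnel traffic they are never reached (the log shows no hits on them).
# CHANGED: ipsec-policy matchers added anyway. Without them, a plain
# src-address=192.168.100.0/24 accept would admit spoofed clear-text packets
# from the WAN if the rule were ever moved above the drop rule.
add action=accept chain=forward comment=KZN_V-INF-VRN dst-address=192.168.88.0/24 ipsec-policy=in,ipsec log=yes src-address=192.168.100.0/24
add action=accept chain=forward comment=VRN-KZN_V-INF dst-address=192.168.100.0/24 ipsec-policy=out,ipsec log=yes src-address=192.168.88.0/24
/ip firewall nat
# The accept rules below exempt tunnel subnets from masquerade. They are
# belt-and-braces: the masquerade rule itself already carries
# ipsec-policy=out,none, so IPsec-bound traffic is not NATed regardless.
add action=accept chain=srcnat dst-address=192.168.100.0/24 log=yes src-address=192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 log=yes src-address=192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=10.10.20.0/24 src-address=192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=10.10.20.0/24
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=srcnat dst-address=10.10.30.0/24 src-address=192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=10.10.30.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the attached log shows every packet seen from the remote side
# is small (max 163 bytes) while the TLS handshake never completes, which is
# the usual picture of an MTU black hole over PPPoE+ESP. Not confirmed from
# this export alone; if larger segments from the remote side are missing in a
# packet capture, clamping TCP MSS on tunnel traffic is the standard remedy:
# /ip firewall mangle
# add action=change-mss chain=forward ipsec-policy=out,ipsec new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall raw
# These accept rules exist only for logging. Note that "accept" in raw ends raw
# processing for the packet, so if RouterOS places the dynamic notrack rules
# generated by notrack-chain=prerouting (see /ip ipsec identity) after these,
# the notrack rules are shadowed for exactly the tunnel subnets. The srcnat
# log line in the attached log shows this flow IS connection-tracked, which is
# consistent with notrack not taking effect. Check `/ip firewall raw print`
# for the dynamic rules and their position; if the static rules are only
# needed for logging, action=log would not have this side effect.
add action=accept chain=prerouting dst-address=192.168.100.0/24 log=yes src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24 log=yes src-address=192.168.100.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=10.10.20.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24 src-address=10.10.20.0/24
add action=accept chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=prerouting dst-address=10.10.30.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24 src-address=10.10.30.0/24
/ip ipsec identity
# PSK per peer. notrack-chain=prerouting asks RouterOS to add notrack rules for
# the tunnel traffic in raw/prerouting; see the note on the raw table above.
add notrack-chain=prerouting peer=VINF-KZN secret="***************"
add notrack-chain=prerouting peer=MSK_IX secret=***************
add notrack-chain=prerouting peer=MSK_DTLN secret=***************
/ip ipsec policy
# Static tunnel-mode policies, one per remote subnet, level=unique so each
# selector pair gets its own SA. sa-src-address must track the PPPoE address.
add dst-address=192.168.100.0/24 level=unique peer=VINF-KZN proposal=Edge_Proposal sa-dst-address=213.159.206.143 sa-src-address=188.235.1.195 src-address=192.168.88.0/24 tunnel=yes
add dst-address=10.10.10.0/24 level=unique peer=VINF-KZN proposal=Edge_Proposal sa-dst-address=213.159.206.143 sa-src-address=188.235.1.195 src-address=192.168.88.0/24 tunnel=yes
add dst-address=192.168.1.0/24 level=unique peer=MSK_IX proposal=Edge_Proposal sa-dst-address=93.90.221.9 sa-src-address=188.235.1.195 src-address=192.168.88.0/24 tunnel=yes
add dst-address=10.10.20.0/24 level=unique peer=MSK_IX proposal=Edge_Proposal sa-dst-address=93.90.221.9 sa-src-address=188.235.1.195 src-address=192.168.88.0/24 tunnel=yes
add dst-address=192.168.10.0/24 level=unique peer=MSK_DTLN proposal=Edge_Proposal sa-dst-address=93.90.220.50 sa-src-address=188.235.1.195 src-address=192.168.88.0/24 tunnel=yes
add dst-address=10.10.30.0/24 level=unique peer=MSK_DTLN proposal=Edge_Proposal sa-dst-address=93.90.220.50 sa-src-address=188.235.1.195 src-address=192.168.88.0/24 tunnel=yes
/ip service
# Management surface: telnet/ftp/api/api-ssl off, www/ssh/winbox bound to the
# LAN range. www is plain HTTP; prefer www-ssl or winbox/ssh for admin access.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/snmp
set contact=vtuchk@v-inf.ru enabled=yes location=VRN_Ir23 trap-version=2
/system clock
set time-zone-name=Europe/Moscow
/system logging
add topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN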
Лог (правила с log=yes; одна попытка соединения с 192.168.88.245 на 192.168.100.25:443):


16:13:35 firewall,info prerouting: in:bridge out:(unknown 0), src-mac b0:6e:bf:c1:aa:b1, proto TCP (ACK,FIN), 192.168.88.245:22544->192.168.100.25:443, len 40 
16:13:35 firewall,info prerouting: in:pppoe-out1 out:(unknown 0), src-mac 00:00:5e:00:01:93, proto TCP (ACK,FIN), 192.168.100.25:443->192.168.88.245:22544, len 40 
16:13:35 firewall,info prerouting: in:bridge out:(unknown 0), src-mac b0:6e:bf:c1:aa:b1, proto TCP (ACK), 192.168.88.245:22544->192.168.100.25:443, len 52 
16:13:36 firewall,info prerouting: in:bridge out:(unknown 0), src-mac b0:6e:bf:c1:aa:b1, proto TCP (SYN), 192.168.88.245:22565->192.168.100.25:443, len 52 
16:13:36 firewall,info srcnat: in:(unknown 0) out:pppoe-out1, src-mac b0:6e:bf:c1:aa:b1, proto TCP (SYN), 192.168.88.245:22565->192.168.100.25:443, len 52 
16:13:36 firewall,info prerouting: in:pppoe-out1 out:(unknown 0), src-mac 00:00:5e:00:01:93, proto TCP (SYN,ACK), 192.168.100.25:443->192.168.88.245:22565, len 52 
16:13:36 firewall,info prerouting: in:bridge out:(unknown 0), src-mac b0:6e:bf:c1:aa:b1, proto TCP (ACK), 192.168.88.245:22565->192.168.100.25:443, len 40 
16:13:36 firewall,info prerouting: in:bridge out:(unknown 0), src-mac b0:6e:bf:c1:aa:b1, proto TCP (ACK,PSH), 192.168.88.245:22565->192.168.100.25:443, len 557 
16:13:36 firewall,info prerouting: in:pppoe-out1 out:(unknown 0), src-mac 00:00:5e:00:01:93, proto TCP (ACK), 192.168.100.25:443->192.168.88.245:22565, len 40 
16:13:36 firewall,info prerouting: in:pppoe-out1 out:(unknown 0), src-mac 00:00:5e:00:01:93, proto TCP (ACK,PSH), 192.168.100.25:443->192.168.88.245:22565, len 163 
16:13:36 firewall,info prerouting: in:bridge out:(unknown 0), src-mac b0:6e:bf:c1:aa:b1, proto TCP (ACK), 192.168.88.245:22565->192.168.100.25:443, len 52 

