hunter2
just joined
Topic Author
Posts: 1
Joined: Fri Aug 24, 2012 2:40 pm

IPsec site to site MikroTik <-> Cisco VPN can only send

Fri Aug 24, 2012 2:51 pm

Hi,

I've established an IPsec tunnel between a MikroTik 5.x and a Cisco ASA for a site-to-site connection, but after establishing the tunnel successfully (no errors in log, shows all the correct algorithms in the Installed SAs menu) I don't receive anything back from the remote subnet (in the Installed SAs it shows sent bytes but 0 for received). I've added a Firewall NAT "accept" rule to communicate to the remote subnet.

I have no access to the Cisco device.

Any ideas for what to check? How can I know the problem is not on MikroTik's end?
 
burkni
newbie
Posts: 29
Joined: Tue Mar 29, 2011 1:55 pm

Re: IPsec site to site MikroTik <-> Cisco VPN can only send

Fri Aug 24, 2012 4:47 pm

I'm not sure if you have the same scenario as I do but let's try.
I assume you have private subnets on both ends? Let's say Cisco site has 192.168.10.0/24 and MikroTik site has 192.168.20.0/24. Then you need to exempt your subnets from NAT so it goes through. It was something I had to add to the MikroTik config, it didn't do it automatically.
To do this I went (in WinBox) in to IP - Firewall. And on the NAT tab I added one srcnat rule. In the General tab of the rule, the chain is srcnat, Src Address is MikroTik's site subnet, 192.168.20.0/24, Dst Address is the Cisco site subnet, 192.168.10.0/24 and on Action tab it's Accept. Then you have to drag that rule to the top so it's before the masquerade rule.
Of course the Cisco has to be set up similar, i.e. NoNat on the same traffic.
Hope this helps.
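The same NAT exemption as a RouterOS CLI script, added here as an illustration (not posted by burkni or taken from MikroTik documentation), together with the counters that show whether the problem is on the MikroTik side. It assumes burkni's example subnets (192.168.20.0/24 behind the MikroTik, 192.168.10.0/24 behind the Cisco ASA) and an existing masquerade rule that currently sits first in the srcnat chain.

```routeros
# Added example, not part of the original thread. Assumed addressing:
# 192.168.20.0/24 = MikroTik site, 192.168.10.0/24 = Cisco ASA site.

# Weak state: only the masquerade rule exists, so packets for the Cisco
# subnet are source-NATed to the WAN address before IPsec policy matching,
# and the ASA never sees traffic from 192.168.20.0/24.
/ip firewall nat
print

# Fix: accept (NAT-exempt) rule for tunnel traffic, inserted ahead of
# masquerade. place-before=0 puts it at the top of the chain; you can
# also add it normally and reorder with "/ip firewall nat move".
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.20.0/24 \
    dst-address=192.168.10.0/24 place-before=0 \
    comment="bypass NAT for IPsec to Cisco site"

# Check 1: ping a host in 192.168.10.0/24 and watch the counters. The
# accept rule's packets should climb; if masquerade climbs instead, the
# rule order is still wrong.
/ip firewall nat print stats

# Check 2: the IPsec policy must use the same untranslated subnets as the
# NAT bypass rule, otherwise the policy never matches.
/ip ipsec policy print

# Check 3: the inbound SA counter stays at 0 when the ASA is not encrypting
# return traffic (its NoNAT or crypto ACL does not cover the same subnets),
# which is the case the thread describes and is outside MikroTik's control.
/ip ipsec installed-sa print
```

If the accept rule counts packets and the outbound SA grows while the inbound SA stays at zero, the MikroTik side is sending correctly and the remaining work is on the ASA.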
 
burkni
newbie
Posts: 29
Joined: Tue Mar 29, 2011 1:55 pm

Re: IPsec site to site MikroTik <-> Cisco VPN can only send

Sat Sep 01, 2012 2:34 am

Did you get this to work?
