Cactus9051

Can't SSH through IPSEC Tunnels

Wed Jan 31, 2024 4:27 pm

Hello,

I have an odd issue. I have 8 Mikrotik routers at different locations that connect to an 1100AH via IPSec. The 1100AH then connects, via IPSec, to another company. Through the IPSec tunnels, both myself and the other company can ping and view the web GUI of an appliance at each one of the locations. However, we cannot SSH to the device connected to the 1100AH. I believe this is also preventing them from being able to SSH into the other 8 devices at the other locations. Below are my firewall rules. What am I missing?

Of note, the AllowedAddresses list contains the IPs needed for the remote locations and the other company.



# RouterOS /ip firewall filter rules as posted; values such as [ManagementIP] are the poster's redactions.
# Rules are evaluated top-down within a chain, first match wins; a packet that matches nothing is
# accepted by the built-in chain's default policy.
/ip firewall filter
# NOTE(review): this is the first input rule, so it is evaluated before every accept below
# (established/related, IKE/NAT-T/ESP, ICMP, management). Any source not on AllowedAddresses
# is dropped here - including the IPsec peers' public addresses unless they are on the list.
# Verify the list covers everything the later input rules are meant to admit.
add action=drop chain=input comment="Drop Anything not from AllowedAddresses" src-address-list=\
!AllowedAddresses

# Router-bound SSH from any source that survived the drop above, i.e. effectively AllowedAddresses only.
add action=accept chain=input dst-port=22 protocol=tcp

# Transit SSH is accepted only from AllowedAddresses; other new TCP/22 falls through to the rules below.
add action=accept chain=forward dst-port=22 protocol=tcp src-address-list=AllowedAddresses

# Ordered after the AllowedAddresses drop, so return traffic from any other source never reaches it.
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
established,related,untracked

# IKE, NAT-T and ESP are limited to the WAN interface list but are still behind the first-rule drop.
add action=accept chain=input comment="Allow UDP 500 (ISAKMP)" dst-port=500 in-interface-list=WAN \
protocol=udp

add action=accept chain=input comment="Allow UDP 4500 (NAT-T)" dst-port=4500 in-interface-list=WAN \
protocol=udp

add action=accept chain=input comment="Allow ESP (IPsec)" in-interface-list=WAN protocol=ipsec-esp

# Output-chain accept for router-originated traffic; with no output drop anywhere in the rules
# shown, this changes nothing on its own.
add action=accept chain=output comment="[MyCompany] -> [OtherCompany]" dst-address=192.168.2.0/24 src-address=\
172.16.0.0/16

# Transit accepts for the three tunnel direction pairs (MyCompany<->OtherCompany, MyCompany<->MyCompany).
add action=accept chain=forward comment="[MyCompany] -> [OtherCompany]" dst-address=192.168.2.0/24 src-address=\
172.16.0.0/16

add action=accept chain=forward comment="[MyCompany] -> [MyCompany]" dst-address=172.16.0.0/16 src-address=\
172.16.0.0/16

add action=accept chain=forward comment="[OtherCompany] -> [MyCompany]" dst-address=172.16.0.0/16 src-address=\
192.168.2.0/24

# Disabled. dst-address here is 172.16.0.0/24 while every other [OtherCompany] rule uses
# 172.16.0.0/16 - confirm the intended prefix before re-enabling. log=yes logs each match.
add action=accept chain=input comment="Accept [OtherCompany]" disabled=yes dst-address=172.16.0.0/24 log=\
yes src-address=192.168.2.0/24

# Accepts ICMP to the router; because of the first-rule drop this is not "from anywhere".
add action=accept chain=input comment="Allow ICMP from PT" protocol=icmp

# NOTE(review): dst-port=27 does not agree with the comment (SSH is 22 everywhere else in this
# config) and src-port="" is an empty matcher. Confirm whether 27 is a deliberate alternate
# SSH port or a typo; as written this rule does not admit SSH on 22 from [ManagementIP].
add action=accept chain=input comment="Allow SSH input from [Management]" dst-port=27 protocol=tcp src-address=\
[ManagementIP] src-port=""

# Disabled. dst-address-list=AllowedAddresses in the input chain matches the router's own address,
# so re-enabling it would also require the router's address to be on the list.
add action=accept chain=input comment="Allow SSH input" disabled=yes dst-address-list=\
AllowedAddresses dst-port=22 protocol=tcp src-address-list=AllowedAddresses

# Disabled. Output-chain accept for SSH replies (src-port=22).
add action=accept chain=output disabled=yes dst-address-list=AllowedAddresses protocol=tcp \
src-address-list=AllowedAddresses src-port=22

# Management-only services; both also sit behind the first-rule drop.
add action=accept chain=input comment="Allow SNMP 161-162" dst-port=161-162 protocol=udp src-address=\
[ManagementIP]

# 8297 is a non-default Winbox port (the default is 8291) - presumably /ip service was moved to match; verify.
add action=accept chain=input comment="Allow WINBOX Port 8297" dst-port=8297 protocol=tcp \
src-address=[ManagementIP]

# Final input drop, but only for in-interface=ether1 while the rules above use in-interface-list=WAN.
# If the WAN list contains more than ether1, router-bound traffic on the other members reaches the
# chain's default accept (the first-rule drop still removes non-AllowedAddresses sources).
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 log=yes \
log-prefix=fromWAN
# fasttrack + accept for tracked established/related. Flows made untracked by /ip firewall raw
# notrack never match connection-state=established, so they are not fasttracked; they are admitted
# by the "untracked" state on the next rule instead.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related

add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

# NOTE(review): two exemptions matter here. connection-nat-state=!dstnat means traffic already
# dst-nat'd (the TCP/22 rules in /ip firewall nat) is not dropped and falls to the chain's default
# accept; and connection-state=new never matches the untracked flows created by the raw notrack rules.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes


/ip firewall nat

# action=accept in srcnat exempts the tunnel traffic from the masquerade rule at the end of this
# chain. NAT only runs on tracked connections, and the raw notrack rules already remove these
# three flow pairs from tracking, so presumably these only matter if notrack is ever removed.
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=172.16.0.0/16

add action=accept chain=srcnat dst-address=172.16.0.0/16 src-address=192.168.2.0/24

add action=accept chain=srcnat dst-address=172.16.0.0/16 src-address=172.16.0.0/16

# NOTE(review): no dst-address, dst-address-list or in-interface matcher, so every tracked TCP/22
# packet arriving on any interface - including ether1/WAN, and including SSH aimed at the router's
# own addresses, since dstnat runs before the input/forward decision - is redirected to
# 172.16.10.18. Together with the !dstnat exemption on the forward chain's "drop all from WAN not
# DSTNATed" rule this publishes 172.16.10.18:22 on the WAN side. If that is not intended, add
# dst-address (the router's WAN address) or in-interface-list=WAN plus a src-address-list, or remove it.
add action=dst-nat chain=dstnat dst-port=22 protocol=tcp to-addresses=172.16.10.18 to-ports=22

# dst-address-list="" is an empty matcher and to-addresses is a whole /16 rather than a host, so
# any TCP/22 not already caught by the rule above would be sent somewhere in that range.
# Presumably a misconfiguration - verify what this rule was meant to do.
add action=dst-nat chain=dstnat dst-address-list="" dst-port=22 protocol=tcp to-addresses=\
172.16.0.0/16 to-ports=22

# Default masquerade for everything else leaving via the WAN interface list.
add action=masquerade chain=srcnat out-interface-list=WAN


/ip firewall raw
# notrack in raw prerouting takes these tunnel flows out of connection tracking entirely: NAT never
# runs on them, the connection-state=established/related/new matchers (including fasttrack) never
# see them, and in the forward chain they are admitted only via the "untracked" state or the explicit
# per-prefix accepts. log=yes here is per packet, not per connection - expect heavy log volume under load.
add action=notrack chain=prerouting comment="[MyCompany] Equipment to [OtherCompany]" dst-address=192.168.2.0/24 \
log=yes log-prefix=[MyCompany]-HW-RAW src-address=172.16.0.0/16

add action=notrack chain=prerouting comment="[OtherCompany] to [MyCompany] Equipment" dst-address=172.16.0.0/16 \
log=yes log-prefix=HW-[MyCompany]-RAW src-address=192.168.2.0/24

# Same treatment for site-to-site traffic between the eight locations; no logging on this one.
add action=notrack chain=prerouting comment="[MyCompany] to [MyCompany]" dst-address=172.16.0.0/16 src-address=\
172.16.0.0/16
