I am trying to connect our store with our head office through IPSec configured on Mikrotik hAP ac2 system 6.42.3. On the central side we use the addresses from 10.0.0.0/8, while in the stores we have networks like 10.0.x.0 / 24. Unfortunately, after the VPN set up, various problems arise:
- ftp connection from the computer in the store to the head office is being made, but attempt to transfer any data stops with the message “stalled”,
- ssh connection from the computer in the store to the central office will hang if you try to list large folders,
- on central UTM packets appear, which should circulate only in the store’s local network.
If I enter a shorter network in the IPSec settings - instead of the target 10.0.0./8 network e.g. 10.77.77.0/24 - then everything works correctly. However, this does not solve my problem, because the store must also have access to other networks on the central office and to other stores as well.
How to deal with this?
I would like to add that we generally use Draytek routers in our stores, with which we have no problems, and our UTM settings was not changed after we replaced damaged router in this one store. Below I paste the most important active rules on Mikrotik:
/ip firewall filter print
3 ;;; defconf: accept established,related, untracked
chain=input action=accept connection-state=established,related,untracked connection-mark=!ipsec log=no log-prefix=“”
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=“!invalid input:”
25 ;;; defconf: accept in ipsec policy
chain=forward action=accept connection-state=established,related in-interface-list=WAN log=no log-prefix=“” ipsec-policy=in,ipsec
26 ;;; defconf: accept out ipsec policy
chain=forward action=accept connection-state=established,related out-interface-list=WAN log=no log-prefix=“” ipsec-policy=out,ipsec
27 ;;; allow nat-forwarded packets
chain=forward action=accept connection-state=established,related connection-nat-state=dstnat in-interface=wan log=no log-prefix=“”
30 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec log=no log-prefix=“”
34 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=“”
36 ;;; defconf: drop all from WAN not DSTNATed and not ipsec
chain=forward action=drop connection-state=new connection-nat-state=!dstnat connection-mark=!ipsec in-interface-list=WAN log=yes
log-prefix=“!NAT”
37 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=“”
38 chain=input action=drop log=no log-prefix=“”
/ip firewall nat print
3 ;;; IPSEC no masquerade
chain=srcnat action=accept dst-address=!10.0.50.0/24 connection-mark=ipsec out-interface=wan log=no log-prefix=“”
9 ;;; defconf masquarade
chain=srcnat action=masquerade out-interface=wan log=no log-prefix=“”
/ip firewall mangle print
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 ;;; mark forwarded outgoing IPSec packets
chain=forward action=mark-connection new-connection-mark=ipsec passthrough=yes ipsec-policy=out,ipsec
4 ;;; mark forwarded incoming IPsec packets
chain=forward action=mark-connection new-connection-mark=ipsec passthrough=yes ipsec-policy=in,ipsec
/ip address print
0 ;;; defconf
10.0.50.1/24 10.0.50.0 bridge
1 192.168.88.1/24 192.168.88.0 bridge wireless
2 ...142/30 ...140 wan
/ip ipsec policy print
0 TX* group=default src-address=0.0.0.0/32 dst-address=0.0.0.0/32 protocol=all proposal=default template=yes
1 A src-address=10.0.50.0/24 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=0.0.0.0 sa-dst-address=46...202 proposal=sophos ph2-count=1