Another IPsec topic

Hello!
I need some help with an IPsec tunnel between two RB951G-2HND devices.
RouterOS mipsbe 6.40.4

Schematics:
(PC1)192.168.44.10 ----- 192.168.44.1 (Mikrotik) 10.1.1.20-----10.1.1.10 (Mikrotik) 192.168.22.1 ----- 192.168.22.10 (PC2)

Problem:
Tunnel successfully established, but no traffic coming through it. Counters=0

What did I miss?

10.1.1.10 CFG

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=des name=proposal1 pfs-group=none

/ip address
add address=10.1.1.10/24 interface=ether1 network=10.1.1.0
add address=192.168.22.1/24 interface=ether2 network=192.168.22.0

/ip firewall filter
add action=accept chain=input comment="Allow IKE" dst-address=192.168.44.0/24 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" dst-address=192.168.44.0/24 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" dst-address=192.168.44.0/24 in-interface=ether1 protocol=ipsec-ah

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.44.0/24 src-address=192.168.22.0/24
add action=masquerade chain=srcnat disabled=yes

/ip ipsec peer
add address=10.1.1.20/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256 hash-algorithm=md5 lifetime=8h nat-traversal=no secret=mega2015

/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.44.0/24 proposal=proposal1 protocol=ipsec-esp sa-dst-address=10.1.1.20 sa-src-address=10.1.1.10 src-address=192.168.22.0/24 tunnel=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow

/system logging
add topics=ipsec

10.1.1.20 CFG

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=des name=proposal1 pfs-group=none

/ip address
add address=10.1.1.20/24 interface=ether1 network=10.1.1.0
add address=192.168.44.1/24 interface=ether2 network=192.168.44.0

/ip firewall filter
add action=accept chain=input comment="Allow IKE" dst-address=192.168.22.0/24 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" dst-address=192.168.22.0/24 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" dst-address=192.168.22.0/24 in-interface=ether1 protocol=ipsec-ah

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.22.0/24 src-address=192.168.44.0/24
add action=masquerade chain=srcnat disabled=yes

/ip ipsec peer
add address=10.1.1.10/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256,aes-128 hash-algorithm=md5 lifetime=8h nat-traversal=no secret=mega2015

/ip ipsec policy
add dst-address=192.168.22.0/24 proposal=proposal1 protocol=ipsec-esp sa-dst-address=10.1.1.10 sa-src-address=10.1.1.20 src-address=192.168.44.0/24 tunnel=yes
set 1 disabled=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow

/system logging
add topics=ipsec

On Router1
Here dst-address must be 10.1.1.20:

/ip firewall filter
add action=accept chain=input comment="Allow IKE" dst-address=192.168.44.0/24 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" dst-address=192.168.44.0/24 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" dst-address=192.168.44.0/24 in-interface=ether1 protocol=ipsec-ah

And you forgot UDP 4500.

Here the addresses must be the other way around:

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.44.0/24 src-address=192.168.22.0/24

Here src and dst addresses must be the other way around:

/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.44.0/24 proposal=proposal1 protocol=ipsec-esp sa-dst-address=10.1.1.20 sa-src-address=10.1.1.10 src-address=192.168.22.0/24 tunnel=yes

On router2 similarly.

Thank you, but I've screwed up the schematics in the first post (now corrected).

In the filter and NAT rules you need the outer address of the Tik, 10.1.1.20 and 10.1.1.10. The router itself is trying to establish IPsec, not the LAN.

OK, changed the IP in the filter rules & NAT, re-established the tunnel, still nothing.

Enable masquerade on the outbound interface of the routers, but as a lower rule than the srcnat accept for the LAN networks. And post here the config export of both routers.

When all else fails on a VPN, I add a route.
Try this and see.

10.1.1.20
/ip route
add check-gateway=arp comment="VPN to ?" distance=2 dst-address=192.168.22.0/24 gateway=ether2

10.1.1.10
/ip route
add check-gateway=arp comment="VPN to ?" distance=2 dst-address=192.168.44.0/24 gateway=ether2

There is no other private network behind ether2 interface. How would this work?

Aboiles, I don't understand this route in my setup, but I've tried it. No result.

Under ip route in winbox, is the route flagged green?
And you still can't ping the other router's LAN IP address from your local router?

This is my normal setting if I need to work router to router on a site-to-site VPN.

Did you enable masq? Post your config export of both routers.

I looked at your firewall and did not see 2 important rules:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

These rules must be the first 2 rules in your forward chain.

Good day, let's continue. Added the routes recommended by Mozerd & Aboiles.
Tunnel established but no data going through.
PC1 pings PC2 & vice versa.
For example, traceroute to 44.10 from 22.10:
22.10 - 22.1 - 44.10

Adding config output

10.1.1.10

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=des name=proposal1
/ip address
add address=10.1.1.10/24 interface=ether1 network=10.1.1.0
add address=192.168.22.1/24 interface=ether2 network=192.168.22.0
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow IKE" dst-address=10.1.1.20 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" dst-address=10.1.1.20 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" dst-address=10.1.1.20 in-interface=ether1 protocol=ipsec-ah
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.44.0/24 src-address=192.168.22.0/24
add action=masquerade chain=srcnat
/ip ipsec peer
add address=10.1.1.20/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256 hash-algorithm=md5 lifetime=8h local-address=10.1.1.10 secret=mega2015
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.44.0/24 dst-port=500 proposal=proposal1 protocol=ipsec-esp sa-dst-address=10.1.1.20 sa-src-address=10.1.1.10 src-address=192.168.22.0/24 src-port=500 tunnel=yes
/ip route
add check-gateway=arp comment="VPN to " distance=2 dst-address=192.168.44.0/24 gateway=ether2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system logging
add topics=ipsec

10.1.1.20

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=des name=proposal1
/ip address
add address=10.1.1.20/24 interface=ether1 network=10.1.1.0
add address=192.168.44.1/24 interface=ether2 network=192.168.44.0
/ip firewall filter
add action=accept chain=forward comment="Accept in IPSEC policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out IPSEC policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow IKE" dst-address=192.168.22.0/24 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" dst-address=192.168.22.0/24 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" dst-address=192.168.22.0/24 in-interface=ether1 protocol=ipsec-ah
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.22.0/24 src-address=192.168.44.0/24
add action=masquerade chain=srcnat disabled=yes
/ip ipsec peer
add address=10.1.1.10/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256,aes-128 hash-algorithm=md5 lifetime=8h local-address=10.1.1.20 secret=mega2015
/ip ipsec policy
add dst-address=192.168.22.0/24 dst-port=500 proposal=proposal1 protocol=ipsec-esp sa-dst-address=10.1.1.10 sa-src-address=10.1.1.20 src-address=192.168.44.0/24 src-port=500 tunnel=yes
set 1 disabled=yes
/ip route
add check-gateway=arp comment="VPN to " distance=2 dst-address=192.168.22.0/24 gateway=ether2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system logging
add topics=ipsec

add action=masquerade chain=srcnat
Point it at the outer interface, like out-interface=ether1.

In the firewall you need to match on src-address, not dst-address. Fix it like:
ip fire fil
add action=accept chain=input comment="Allow IKE" src-address=10.1.1.20 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" src-address=10.1.1.20 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" src-address=10.1.1.20 in-interface=ether1 protocol=ipsec-ah

On 10.1.1.20:
enable masq pointing at the outer interface
fix the firewall filter:
add action=accept chain=input comment="Allow IKE" src-address=10.1.1.10 dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" src-address=10.1.1.10 in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" src-address=10.1.1.10 in-interface=ether1 protocol=ipsec-ah

And delete the routes, they are useless.
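The checks the replies above ask for (mirrored policy selectors and SA addresses, input rules keyed on the peer's outer address for UDP 500, UDP 4500 and ESP, the srcnat accept ahead of masquerade, and the two forward-chain ipsec-policy rules enabled), as an added Python checker that is not from this thread. It parses exports in the format posted here; the sample is constructed from the 10.1.1.10 config posted above, one rule per line, and the policy port check is an added caveat (a LAN-to-LAN policy normally carries no src-port/dst-port).

```python
import re

def parse_export(text):
    """Parse a RouterOS export ('/section' headers, 'add k=v ...' rules) into dicts."""
    rules, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            kv = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            rules.setdefault(section, []).append({k: v.strip('"') for k, v in kv})
    return rules

def check_router(cfg, lan, rlan, wan, peer):
    """Findings for one router: lan/wan are its own, rlan/peer belong to the other side."""
    f, on = [], lambda r: r.get("disabled", "no") != "yes"
    pol = [p for p in cfg.get("/ip ipsec policy", []) if on(p) and p.get("tunnel") == "yes"]
    if not any(p.get("src-address") == lan and p.get("dst-address") == rlan and
               p.get("sa-src-address") == wan and p.get("sa-dst-address") == peer for p in pol):
        f.append("policy: need src=%s dst=%s sa-src=%s sa-dst=%s" % (lan, rlan, wan, peer))
    for p in pol:  # a LAN-to-LAN policy should match all ports, not only 500
        if "src-port" in p or "dst-port" in p:
            f.append("policy: src-port/dst-port restrict which LAN traffic enters the tunnel")
    flt = [r for r in cfg.get("/ip firewall filter", []) if on(r) and r.get("action") == "accept"]
    inp = {(r.get("protocol"), r.get("dst-port")) for r in flt
           if r.get("chain") == "input" and r.get("src-address") in (None, peer)}
    f += ["input: no accept for %s %s from %s" % (p, d or "", peer)
          for p, d in [("udp", "500"), ("udp", "4500"), ("ipsec-esp", None)] if (p, d) not in inp]
    fwd = {r.get("ipsec-policy") for r in flt if r.get("chain") == "forward"}
    f += ["forward: no enabled accept ipsec-policy=%s" % w for w in ("in,ipsec", "out,ipsec") if w not in fwd]
    nat = [r for r in cfg.get("/ip firewall nat", []) if on(r) and r.get("chain") == "srcnat"]
    acc = [i for i, r in enumerate(nat) if r.get("action") == "accept"
           and r.get("src-address") == lan and r.get("dst-address") == rlan]
    msq = [i for i, r in enumerate(nat) if r.get("action") == "masquerade"]
    if msq and (not acc or acc[0] > msq[0]):
        f.append("nat: masquerade must come after srcnat accept %s -> %s" % (lan, rlan))
    return f

# Constructed sample in the thread's format: router 10.1.1.10 as posted above, one rule per line.
R10 = """/ip firewall filter
add action=accept chain=forward disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp src-address=10.1.1.20
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp src-address=10.1.1.20
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.44.0/24 out-interface=ether1 src-address=192.168.22.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add dst-address=192.168.44.0/24 dst-port=500 proposal=proposal1 sa-dst-address=10.1.1.20 sa-src-address=10.1.1.10 src-address=192.168.22.0/24 src-port=500 tunnel=yes"""

def findings_r10():
    return check_router(parse_export(R10), "192.168.22.0/24", "192.168.44.0/24", "10.1.1.10", "10.1.1.20")
```

Run the same check on the other router with the LAN and outer addresses swapped; an empty list means every rule the replies ask for is present and ordered.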

Well, still no effect.

1.10

/ip address
add address=10.1.1.10/24 interface=ether1 network=10.1.1.0
add address=192.168.22.1/24 interface=ether2 network=192.168.22.0

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow IKE" dst-port=500 in-interface=ether1 protocol=udp src-address=10.1.1.20
add action=accept chain=input comment="Allow IPSec-esp" in-interface=ether1 protocol=ipsec-esp src-address=10.1.1.20
add action=accept chain=input comment="Allow IPSec-ah" in-interface=ether1 protocol=ipsec-ah src-address=10.1.1.20

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.44.0/24 out-interface=ether1 src-address=192.168.22.0/24
add action=masquerade chain=srcnat out-interface=ether1

/ip ipsec peer
add address=10.1.1.20/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256 hash-algorithm=md5 lifetime=8h local-address=10.1.1.10 nat-traversal=no secret=mega2015

/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.44.0/24 dst-port=500 proposal=proposal1 sa-dst-address=10.1.1.20 sa-src-address=10.1.1.10 src-address=192.168.22.0/24 src-port=500 tunnel=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow

/system logging
add topics=ipsec

1.20

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=des name=proposal1

/ip address
add address=10.1.1.20/24 interface=ether1 network=10.1.1.0
add address=192.168.44.1/24 interface=ether2 network=192.168.44.0

/ip firewall filter
add action=accept chain=forward comment="Accept in IPSEC policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out IPSEC policy" disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow IKE" dst-port=500 in-interface=ether1 protocol=udp src-address=10.1.1.10
add action=accept chain=input comment="Allow IPSec-esp" in-interface=ether1 protocol=ipsec-esp src-address=10.1.1.10
add action=accept chain=input comment="Allow IPSec-ah" in-interface=ether1 protocol=ipsec-ah src-address=10.1.1.10

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.22.0/24 out-interface=ether1 src-address=192.168.44.0/24
add action=masquerade chain=srcnat out-interface=ether1

/ip ipsec peer
add address=10.1.1.10/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256,aes-128 hash-algorithm=md5 lifetime=8h local-address=10.1.1.20 nat-traversal=no secret=mega2015

/ip ipsec policy
add dst-address=192.168.22.0/24 dst-port=500 proposal=proposal1 sa-dst-address=10.1.1.10 sa-src-address=10.1.1.20 src-address=192.168.44.0/24 src-port=500 tunnel=yes
set 1 disabled=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow

/system logging
add topics=ipsec

From what you have posted, this configuration should work.
But please verify the info is correct for your 10.1.1.10 router.
Reverse the info for the other router.
Though it looks like you have your wireless enabled, are you running in master/slave or bridge mode on your ports?
If you are running in bridge mode, change all ether2 to whatever you have named your bridge.


/ip firewall address-list
add address=192.168.44.0/24 list=IpSec
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=des name=proposal1
add enc-algorithms=3des lifetime=8h name=Ontario
/ip ipsec peer
add address=10.1.1.20/32 dh-group=modp1024 dpd-interval=5s enc-algorithm=aes-256 hash-algorithm=md5 lifetime=8h local-address=10.1.1.10 secret=mega2015
/ip ipsec policy
add dst-address=192.168.44.0/24 proposal=proposal1 protocol=ipsec-esp sa-dst-address=10.1.1.20 sa-src-address=10.1.1.10 src-address=192.168.22.0/24 tunnel=yes
/ip route
add check-gateway=arp comment="VPN to " distance=2 dst-address=192.168.44.0/24 gateway=ether2
/ip firewall filter
add action=accept chain=input comment="Allow any packets from our trusted IPSec partners" src-address-list=IpSec
add action=accept chain=input comment="Allow access to LAN from our trusted IPSec partners" dst-address=192.168.22.0/24 src-address-list=IpSec
/ip firewall mangle
(not required - only the MSS change, for performance)
add action=change-mss chain=forward comment=mss_change dst-address=192.168.44.0/24 log-prefix=mss_change new-mss=clamp-to-pmtu passthrough=yes protocol=tcp src-address=192.168.22.0/24 tcp-flags=syn
add action=mark-connection chain=forward comment="Mark IPsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="VPN to " dst-address=192.168.44.0/24 src-address=192.168.22.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.22.0/24 src-address=192.168.44.0/24
add action=notrack chain=prerouting dst-address=192.168.44.0/24 src-address=192.168.22.0/24

I'll try this config, thank you.
I didn't use wireless, bridges or master port.

No result.
Btw, why ether2? It's the internal LAN.
/ip route
add check-gateway=arp comment="VPN to " distance=2 dst-address=192.168.44.0/24 gateway=ether2

So traffic is missing the tunnel completely.

Check out post http://forum.mikrotik.com/t/ipsec-site-to-site-again/113559/1
near the bottom.

I didn't use wireless, bridges or master port.
You said a VPN between two RB951G-2HND.
How are interfaces 2-5 configured, and is there anything plugged in to those ports?
And can you please use winbox and let us know if the route is flagged green or not.