Can't access Mikrotik Configuration over IPSEC tunnel.

I finally got my IPSEC tunnels working and everything works awesome; I can access and ping everything on both sides just fine. The only thing is I can’t access the routers via Webfig or Winbox. I can’t access site 1’s MK from site and vice versa, but I can access the local Mikrotik on the corresponding interface. Any ideas? Everything else works but this.

Could you share /ip service print detail and /ip firewall export?



/ip service print detail

Flags: X - disabled, I - invalid 
 0   name="telnet" port=23 address="" 
 1   name="ftp" port=21 address="" 
 2   name="www" port=80 address="" 
 3   name="ssh" port=22 address="" 
 4 X name="www-ssl" port=443 address="" certificate=none 
 5 X name="api" port=8728 address="" 
 6   name="winbox" port=8291 address=""



/ip firewall export

# feb/16/2012 23:13:25 by RouterOS 5.13
# software id = AC6L-1CI9
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Allow SSTP traffic" disabled=no \
    dst-port=444 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Prevent Inter-Subnet Communication" \
    disabled=no dst-address=10.0.0.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Prevent Inter-Subnet Communication" \
    disabled=no dst-address=192.168.1.0/24 src-address=10.0.0.0/24
add action=accept chain=input comment="Allow WAN ICMP" disabled=no protocol=\
    icmp
add action=accept chain=input comment="Allow Established Connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="Allow Related Connections" \
    connection-state=related disabled=no
add action=drop chain=input comment="Drop Everything Else" disabled=no \
    in-interface=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Main NAT" disabled=no \
    out-interface=WAN
add action=dst-nat chain=dstnat comment="Allow HTTPS/SSL to Server" disabled=\
    no dst-port=443 in-interface=WAN protocol=tcp to-addresses=192.168.1.60 \
    to-ports=443
add action=dst-nat chain=dstnat comment="Allow HTTP to Server" disabled=no \
    dst-port=80 in-interface=WAN protocol=tcp to-addresses=192.168.1.60 \
    to-ports=80
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no



/ip firewall filter export

# feb/16/2012 23:14:11 by RouterOS 5.13
# software id = AC6L-1CI9
#
/ip firewall filter
add action=accept chain=input comment="Allow SSTP traffic" disabled=no \
    dst-port=444 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Prevent Inter-Subnet Communication" \
    disabled=no dst-address=10.0.0.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="Prevent Inter-Subnet Communication" \
    disabled=no dst-address=192.168.1.0/24 src-address=10.0.0.0/24
add action=accept chain=input comment="Allow WAN ICMP" disabled=no protocol=\
    icmp
add action=accept chain=input comment="Allow Established Connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="Allow Related Connections" \
    connection-state=related disabled=no
add action=drop chain=input comment="Drop Everything Else" disabled=no \
    in-interface=WAN

I resolved this this morning. I added a rule to the filter to allow TCP port 80 from the 192.168.1.0/24 subnet to 192.168.2.1, and it seems to be working fine.

Correct. Your firewall was blocking you.

Hello !

I'm bumping this thread as I have exactly the same problem. I am using a MikroTik RB951 router. The tunnel works excellently. I can ping the remote MikroTik router, in this case 10.100.9.1, but I cannot access it. All other IPSEC traffic works fine and I can access all other clients in the remote subnet.

I am new to MikroTik, so I am currently learning. As proposed, I have to create a new filter rule for this.
I am not sure exactly how to do this, so I wonder if anyone could help me a little bit with that.
I have tried to add a filter rule with Winbox and the following parameters:

FORWARD:
src 192.168.1.0/24
dest 10.100.9.1
protocol tcp
accept.

No luck with this one. I suppose that this is normally an RTFM question, but as I am on the learning curve, maybe someone could help me solve this problem.

Thanks in advance and best regards
Toby
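The behaviour the thread describes (ping through the tunnel works, Webfig and Winbox to the remote router do not) follows directly from the exported input chain: ICMP is accepted by a dedicated rule, while a new TCP connection to the router that arrives through the tunnel on the WAN interface falls through to the final in-interface=WAN drop. Traffic addressed to the router itself is always evaluated in the input chain, so a forward-chain rule, whatever its addresses, never sees it. The following Python model is an added example, not MikroTik code or anything posted in the thread. It replays the page's input rules first-match against constructed packets and then inserts the accept rule described in the resolution post before the final drop. It assumes the remote router's LAN address is 192.168.2.1 (taken from the resolution post) and that decrypted IPsec packets keep in-interface=WAN, as RouterOS policy-based IPsec does; the rule comment "Allow Webfig from site 1" and the packet addresses are made up for the example.

```python
"""
Constructed first-match model of the input chain exported in this thread.
Added example (not RouterOS code). Assumptions: the site-2 router's LAN
address is 192.168.2.1, decrypted IPsec packets arrive with in-interface=WAN,
and no rule matching means the chain's default accept applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTER_ADDRS = {"192.168.2.1"}   # assumed: address of the router being managed


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]
    in_iface: str
    state: str                 # "new", "established" or "related"


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every set matcher must match, exactly like a RouterOS filter rule."""
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.in_iface is None or self.in_iface == p.in_iface)
                and (self.state is None or self.state == p.state))


# The input chain exactly as exported on the page, in rule order.
INPUT_RULES = [
    Rule("input", "accept", "Allow SSTP traffic", proto="tcp", dport=444, in_iface="WAN"),
    Rule("input", "drop", "Prevent Inter-Subnet Communication", src="192.168.1.0/24", dst="10.0.0.0/24"),
    Rule("input", "drop", "Prevent Inter-Subnet Communication", src="10.0.0.0/24", dst="192.168.1.0/24"),
    Rule("input", "accept", "Allow WAN ICMP", proto="icmp"),
    Rule("input", "accept", "Allow Established Connections", state="established"),
    Rule("input", "accept", "Allow Related Connections", state="related"),
    Rule("input", "drop", "Drop Everything Else", in_iface="WAN"),
]

# A forward-chain accept like the one tried in the last post. The forward chain
# is consulted only for packets the router passes between interfaces, so it
# has no effect on connections to the router's own addresses.
FORWARD_RULES = [
    Rule("forward", "accept", "remote management (wrong chain)",
         src="192.168.1.0/24", dst="192.168.2.1", proto="tcp"),
]

# The accept described in the resolution post. Equivalent RouterOS command
# (constructed; comment text is made up):
#   /ip firewall filter add chain=input action=accept protocol=tcp \
#       src-address=192.168.1.0/24 dst-address=192.168.2.1 dst-port=80 \
#       comment="Allow Webfig from site 1" \
#       place-before=[find comment="Drop Everything Else"]
MGMT_FIX = Rule("input", "accept", "Allow Webfig from site 1",
                src="192.168.1.0/24", dst="192.168.2.1", proto="tcp", dport=80)


def evaluate(p: Packet, rules: list) -> tuple:
    """Chain selection by destination (router itself -> input, else forward),
    then first matching rule wins; no match falls back to accept."""
    chain = "input" if p.dst in ROUTER_ADDRS else "forward"
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.action, r.comment
    return "accept", "no matching rule (chain default)"


def with_fix(rules: list) -> list:
    """Place the management accept before the final WAN drop; order matters."""
    idx = next(i for i, r in enumerate(rules) if r.comment == "Drop Everything Else")
    return rules[:idx] + [MGMT_FIX] + rules[idx:]


# Constructed packets from a site-1 host to the site-2 router through the tunnel.
PING = Packet("192.168.1.10", "192.168.2.1", "icmp", None, "WAN", "new")
WEBFIG = Packet("192.168.1.10", "192.168.2.1", "tcp", 80, "WAN", "new")
WINBOX = Packet("192.168.1.10", "192.168.2.1", "tcp", 8291, "WAN", "new")

if __name__ == "__main__":
    base = INPUT_RULES + FORWARD_RULES
    for name, pkt in (("ping", PING), ("webfig", WEBFIG), ("winbox", WINBOX)):
        print(f"{name:7} before: {evaluate(pkt, base)}  after: {evaluate(pkt, with_fix(base))}")
```

Running it shows ping accepted by "Allow WAN ICMP" both before and after, Webfig dropped by "Drop Everything Else" until the fix is in place, and Winbox on TCP 8291 still dropped after the fix because the resolution post's rule only covers port 80. A second accept for dst-port=8291 (or a single rule with dst-port=80,8291), placed before the final drop and still restricted to the trusted remote subnet and the router's own address, is the narrowest way to allow Winbox without reopening management to the WAN.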