Help! Problems with IPSec VPN between Mikrotik and ASA

Hi,

My company just purchased another company that had used Mikrotik routers at their smaller sites, and we are now trying to link them up using an ASA at the central site. The central site uses 10.23.0.0/16, and the remote site uses 192.168.2.0/24. The old central site was 192.168.0.0/24. The remote site device sits behind a PPPoE client. I configured the tunnel on both sides, and the tunnel comes up, but I'm only getting one-way traffic from ASA -> Mikrotik router. I can ping the inside LAN interface on the Mikrotik router, but nothing past it.

I've been using Torch to try to sniff the packets, and it appears that the remote server (behind the Mikrotik) is responding, but the Mikrotik isn't grabbing that traffic and putting it back into the tunnel. I'm totally stumped on this one. Any help you could offer would be greatly appreciated!

Here's some relevant info from the Mikrotik:

[admmy@myRB002] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-WAN1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=4074 mac-address=D4:CA:6D:65:FF:BD
fast-path=yes last-link-up-time=jul/21/2016 17:15:47 link-downs=0

1 name="ether2-WAN2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=4074 mac-address=D4:CA:6D:65:FF:BE
fast-path=yes link-downs=0

2 R name="ether3-master-local" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=4074 mac-address=D4:CA:6D:65:FF:BF
fast-path=yes last-link-up-time=jul/21/2016 17:15:47 link-downs=0

3 S name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=4074 mac-address=D4:CA:6D:65:FF:C0
fast-path=yes link-downs=0

4 S name="ether5-slave-local" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=4074 mac-address=D4:CA:6D:65:FF:C1
fast-path=yes link-downs=0

5 name="pptp-in1" type="pptp-in" link-downs=0


[admmy@myRB002] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.2.1/24 network=192.168.2.0 interface=ether3-master-local actual-interface=ether3-ma

1 address=192.168.1.2/24 network=192.168.1.0 interface=ether1-WAN1 actual-interface=ether1-WAN1


/ip firewall nat
add chain=srcnat comment="NAT LAN to BCN ASA" dst-address=10.23.0.0/16 src-address=192.168.2.0/24
add chain=srcnat comment="NAT LAN BCN" disabled=yes dst-address=192.168.0.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NAT LAN1" out-interface=ether1-WAN1
add action=dst-nat chain=dstnat comment=LotusNotesServer dst-port=1352 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.16
add action=dst-nat chain=dstnat comment=FTPServer dst-port=5021 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.2.2 t
add action=dst-nat chain=dstnat comment=IMAP dst-port=143 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.2.2 to-port
add action=dst-nat chain=dstnat comment=SSH dst-port=5022 in-interface=ether1-WAN1 log=yes protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat comment=SMTP dst-port=25 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.2.2 to-ports
add action=dst-nat chain=dstnat comment="Notes HTTP Traveler" dst-port=5090 in-interface=ether1-WAN1 log=yes protocol=tcp to-add
to-ports=5081


/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-256-cbc
add auth-algorithms=md5,sha1 enc-algorithms=3des,aes-256-cbc name=my_proposal
add auth-algorithms=md5,sha1,sha256,sha512 enc-algorithms=aes-256-cbc,aes-256-ctr name=mynew_Proposals pfs-group=modp1536
/ip ipsec peer
add address=80.28.45.139/32 comment="Pre-Migration Peer for Mikrotik router" dh-group=modp768 disabled=yes enc-algorithm=aes-256 local-address=0.0.0.0
secret=******** send-initial-contact=no
add address=80.28.45.139/32 comment="Barcelona ASA" dh-group=modp1536 enc-algorithm=aes-256 secret=***********
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=192.168.0.0/24 proposal=my_proposal sa-dst-address=80.28.45.139 sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes
add dst-address=10.23.0.0/16 proposal=mynew_Proposals sa-dst-address=80.28.45.139 sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes


[admmy@myRB002] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP
0 E spi=0x6C59767 src-address=80.28.45.139:4500 dst-address=192.168.1.2:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
auth-key="3f13a98e65f986c7a312f3dc2c1700c6c0301ac9" enc-key="ba0cadf52acc82f4f099ce00272ed18e0a5f319d210756f5c972697e0e0acd16"
addtime=sep/03/2016 22:48:58 expires-in=7h22m36s add-lifetime=6h24m/8h current-bytes=1478222 replay=128

1 E spi=0x294B77D2 src-address=192.168.1.2:4500 dst-address=80.28.45.139:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc
auth-key="77d5483722b699f94c44076e621fc005088eb35d" enc-key="69337b6ff8e1da2dcdce12f7da4d2bdfdbcd5564719d9ad71a7798edbcb77cef"
addtime=sep/03/2016 22:48:58 expires-in=7h22m36s add-lifetime=6h24m/8h current-bytes=2557579 replay=128


[admmy@myRB002] > /ip ipsec remote-peers print detail
0 local-address=192.168.1.2 port=4500 remote-address=80.28.45.139 port=4500 state=established side=responder established=37m52s

At first sight it looks like you're missing a NAT accept rule for the other direction of the tunnel traffic:

/ip firewall nat
add chain=srcnat comment="NAT LAN to BCN ASA" dst-address=10.23.0.0/16 src-address=192.168.2.0/24
## add this line:
add chain=srcnat comment="NAT BCN ASA to LAN" dst-address=192.168.2.0/24 src-address=10.23.0.0/16

-Chris

Thanks, Chris. As it turns out, we were given incomplete information from the person at the remote site. Computers at the site were using a different default gateway and were configured with a static route for the VPN subnets that pointed to the VPN device. Once we added in routes for the new subnet, we were able to reach the machines.

So at this moment, things appear to be working. Can you clarify, however, why there needs to be an additional NAT accept rule for the reverse traffic? Shouldn't that traffic already be presented in its original form once it comes out of the tunnel?
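The reason the accept rule matters (for Chris's suggestion above and for the question about the reverse direction) is rule order in the srcnat chain: RouterOS evaluates srcnat after the routing decision and before the IPsec policy lookup, and the first matching rule wins. If the masquerade rule fires first, the packet leaves with the WAN address as source and no longer matches the policy selector 192.168.2.0/24 -> 10.23.0.0/16, so it is never encrypted. The following Python model is an added illustration, not code from this thread or from RouterOS: it replays the posted srcnat rules (accept rule, masquerade on ether1-WAN1) and the active policy against constructed packets. The routing table, the "broad masquerade" rule without an out-interface, and the packet addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface addresses from the thread
WAN_IP = "192.168.1.2"            # ether1-WAN1
LAN_IP = "192.168.2.1"            # ether3-master-local
IFACE_ADDR = {"ether1-WAN1": WAN_IP, "ether3-master-local": LAN_IP}

# Constructed routing table: LAN is directly connected, everything else leaves via WAN
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "ether3-master-local"),
    (ipaddress.ip_network("0.0.0.0/0"), "ether1-WAN1"),
]

# Selector of the active IPsec policy from the thread (encryption itself is abstracted)
POLICY_SRC = ipaddress.ip_network("192.168.2.0/24")
POLICY_DST = ipaddress.ip_network("10.23.0.0/16")


@dataclass
class NatRule:
    comment: str
    action: str = "accept"         # RouterOS default when no action= is given
    src: Optional[str] = None
    dst: Optional[str] = None
    out_iface: Optional[str] = None

    def matches(self, src: str, dst: str, out_iface: str) -> bool:
        if self.src and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.out_iface and self.out_iface != out_iface:
            return False
        return True


# srcnat chain as posted in the thread (the disabled rule is omitted)
RULES_AS_POSTED = [
    NatRule("NAT LAN to BCN ASA", src="192.168.2.0/24", dst="10.23.0.0/16"),
    NatRule("NAT LAN1", action="masquerade", out_iface="ether1-WAN1"),
]

# Chris's suggested reverse-direction accept rule
REVERSE_ACCEPT = NatRule("NAT BCN ASA to LAN", src="10.23.0.0/16", dst="192.168.2.0/24")

# Hypothetical broader masquerade (no out-interface restriction), to show when
# the reverse accept rule actually changes the outcome
BROAD_MASQ = NatRule("masquerade everything", action="masquerade")


def route(dst: str) -> str:
    """Longest-match is not needed here: routes are listed most specific first."""
    addr = ipaddress.ip_address(dst)
    for net, iface in ROUTES:
        if addr in net:
            return iface
    raise ValueError(f"no route to {dst}")


def apply_srcnat(rules, src, dst, out_iface):
    """Walk the srcnat chain; the first matching rule terminates evaluation."""
    for rule in rules:
        if rule.matches(src, dst, out_iface):
            if rule.action == "masquerade":
                return IFACE_ADDR[out_iface], rule.comment
            return src, rule.comment   # accept: stop here, source left untouched
    return src, "(no match)"


def forward(rules, src, dst):
    """Route, then srcnat, then IPsec policy lookup on the post-NAT packet."""
    out_iface = route(dst)
    nat_src, hit = apply_srcnat(rules, src, dst, out_iface)
    encrypted = (ipaddress.ip_address(nat_src) in POLICY_SRC
                 and ipaddress.ip_address(dst) in POLICY_DST)
    return {"out_iface": out_iface, "src": nat_src, "rule": hit, "encrypted": encrypted}


if __name__ == "__main__":
    # LAN -> ASA with and without the accept rule
    print("with accept:   ", forward(RULES_AS_POSTED, "192.168.2.2", "10.23.1.10"))
    print("without accept:", forward(RULES_AS_POSTED[1:], "192.168.2.2", "10.23.1.10"))
    # ASA -> LAN (already decrypted on arrival) under the posted rules and a broad masquerade
    print("reverse, posted rules:", forward(RULES_AS_POSTED, "10.23.1.10", "192.168.2.2"))
    print("reverse, broad masq:  ", forward([BROAD_MASQ], "10.23.1.10", "192.168.2.2"))
    print("reverse, accept first:", forward([REVERSE_ACCEPT, BROAD_MASQ], "10.23.1.10", "192.168.2.2"))
```

Running it shows that with the posted masquerade restricted to out-interface=ether1-WAN1, decrypted ASA -> LAN traffic leaves on ether3 untouched whether or not the reverse accept rule exists; the reverse rule only changes anything if a masquerade rule can match traffic heading into the LAN. The forward direction is the critical one: without the accept rule the source becomes 192.168.1.2, the policy selector no longer matches, and the packet never enters the tunnel.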