Help with Site to Site VPN Tunnel.

I am trying to connect a RB951G-2HnD to a CCR1009. It’s a tunnel to my home, over which I am going to be replicating NAS data.
Here are the steps I took.

Layout
HQ - WAN IP: 18.7.1.10
HQ - LAN Addresses: 10.10.7.0/24
HQ - LAN Addresses: 10.10.8.0/24
HQ - LAN Addresses: 10.10.9.0/24
HQ - LAN Addresses: 10.10.10.0/24

Home - WAN IP: 7.7.5.130
Home - LAN Addresses: 192.168.4.0/24

Home > Open Terminal. Ping 18.7.1.10

[admin@MikroTik] > ping 18.7.1.10
SEQ HOST SIZE TTL TIME STATUS
0 18.7.1.10 56 61 23ms
1 18.7.1.10 56 61 23ms
2 18.7.1.10 56 61 19ms
sent=3 received=3 packet-loss=0% min-rtt=19ms avg-rtt=21ms max-rtt=23ms

@Home Open Terminal >

/ip ipsec peer
add address=18.7.1.10 port=500 auth-method=pre-shared-key secret="test"

/ip ipsec policy
add src-address=192.168.4.0/24 src-port=any dst-address=10.10.7.0/24 dst-port=any sa-src-address=7.7.5.130 sa-dst-address=18.7.1.10 tunnel=yes action=encrypt proposal=default

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.4.0/24 dst-address=10.10.7.0/24

@HQ Open Terminal >
/ip ipsec peer
add address=7.7.5.130 port=500 auth-method=pre-shared-key secret="test"

/ip ipsec policy
add src-address=10.10.7.0/24 src-port=any dst-address=192.168.4.0/24 dst-port=any sa-src-address=18.7.1.10 sa-dst-address=7.7.5.130 tunnel=yes action=encrypt proposal=default

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.10.7.0/24 dst-address=192.168.4.0/24

What happens is, I can see the tunnel connect, and it appears to work, however I cannot seem to get any traffic to flow over the connection. I am brand new to MikroTik products, so I am sure I’m just missing something small. It totally appears to be working: I can see the IPsec traffic in the log, the hashing/handshaking etc., but when I ping from either side, same thing, time out! :frowning:

FROM HOME to HQ
[admin@MikroTik] > ping 10.10.7.1
SEQ HOST SIZE TTL TIME STATUS
0 10.10.7.1 timeout
1 10.10.7.1 timeout
2 10.10.7.1 timeout
3 10.10.7.1 timeout
sent=4 received=0 packet-loss=100%

[This is all on MikroTik RouterOS 6.27]

Any help, would be awesome
Thanks!

Heh… I have the same problem :confused:
…anybody?

Is NAT Traversal turned off in Peer?

AFAIK it should be turned off.

When you do that ping test - set the source IP to be the local LAN.
The default behavior is going to be to choose the IP of the interface that points towards the destination, so the ping’s source is going to be the WAN interface address, which is not one of the addresses permitted in the policy selectors.

(or try to ping from a host in the LAN)

Are your routes ok?
Does your Home device know how to reach the 10.10.7.0/24 segment?

Also take care of your firewall filter rules.
If you have any, also make sure you have an allowance for pinging from the tunnel interface.
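The selector point made above (a ping sourced from the WAN address never matches a policy written for the LAN ranges) is easy to see with a small model. The following is an added example, not part of the original thread and not RouterOS code: it models the Home router's egress path as RouterOS applies it, the srcnat chain first and then the IPsec policy lookup, using only the addresses quoted in the first post. The masquerade rule and its position in the chain are assumptions; the thread shows only the accept rule placed at position 0.

```python
"""Model of how an IPsec policy selector interacts with the srcnat chain
on the Home router.  Added example for the thread above; not RouterOS code.
Addresses are the ones from the first post; the masquerade rule is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOME_WAN = ip_address("7.7.5.130")
HOME_LAN = ip_network("192.168.4.0/24")
HQ_LAN = ip_network("10.10.7.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class SrcnatRule:
    src_net: Optional[str]   # None means "any"
    dst_net: Optional[str]   # None means "any"
    action: str              # "accept" (no translation) or "masquerade"


@dataclass(frozen=True)
class Policy:
    src_net: str
    dst_net: str


def run_srcnat(pkt: Packet, rules, out_if_addr) -> Packet:
    """Walk the srcnat chain in order; the first matching rule wins.
    'accept' leaves the packet untouched, 'masquerade' rewrites the source
    to the outgoing interface address (the Home WAN IP in this thread)."""
    for r in rules:
        if r.src_net and ip_address(pkt.src) not in ip_network(r.src_net):
            continue
        if r.dst_net and ip_address(pkt.dst) not in ip_network(r.dst_net):
            continue
        if r.action == "accept":
            return pkt
        if r.action == "masquerade":
            return Packet(str(out_if_addr), pkt.dst)
    return pkt  # nothing matched: no translation


def matching_policy(pkt: Packet, policies) -> Optional[Policy]:
    """First policy whose src AND dst selectors both cover the packet,
    else None.  This is the 'both selectors must match' rule of an SPD lookup."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for p in policies:
        if src in ip_network(p.src_net) and dst in ip_network(p.dst_net):
            return p
    return None


def will_be_encrypted(pkt: Packet, srcnat_rules, policies,
                      out_if_addr=HOME_WAN) -> bool:
    """srcnat is applied before the IPsec policy check on egress, which is
    why the thread's accept rule has to sit in front of any masquerade."""
    return matching_policy(run_srcnat(pkt, srcnat_rules, out_if_addr),
                           policies) is not None


POLICIES = [Policy(str(HOME_LAN), str(HQ_LAN))]            # from the post
BYPASS = SrcnatRule(str(HOME_LAN), str(HQ_LAN), "accept")  # from the post
MASQ = SrcnatRule(None, None, "masquerade")                # assumed default


def scenarios() -> dict:
    """The three cases discussed in the thread."""
    # Ping typed on the router with no src-address: source = WAN IP.
    router_ping = Packet(str(HOME_WAN), "10.10.7.1")
    # Ping from a LAN host, or from the router with a LAN src-address.
    lan_ping = Packet("192.168.4.10", "10.10.7.1")
    return {
        "router_ping_wan_source": will_be_encrypted(router_ping, [BYPASS, MASQ], POLICIES),
        "lan_source_bypass_first": will_be_encrypted(lan_ping, [BYPASS, MASQ], POLICIES),
        "lan_source_masq_first": will_be_encrypted(lan_ping, [MASQ, BYPASS], POLICIES),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'matches policy, encrypted' if ok else 'NO policy match'}")
```

Only the LAN-sourced packet that reaches the policy lookup untranslated is encrypted; the router's own ping (WAN source) and a LAN packet that hit a masquerade rule before the accept rule both miss the selectors and leave in the clear, which is what a timeout with a healthy IKE exchange looks like. On RouterOS the LAN-sourced test is `/ping 10.10.7.1 src-address=192.168.4.1` (the `src-address` parameter of `/ping` is what the reply above is referring to). The same model also shows that the posted policies cover only 10.10.7.0/24; traffic to the other HQ ranges listed in the first post (10.10.8.0/24, 10.10.9.0/24, 10.10.10.0/24) would need their own policy and NAT bypass rule.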

OK, maybe it is a good question :slight_smile:
How do I do that?

The example at http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel has no explanation.

And a second question: when must NAT traversal be on, and when off? I tried both, with no results.

Your HQ router must know how to reach the 192.168.4.0/24 network and vice versa.
As your two WAN IPs are not in the same network, I think you have to create an L2TP tunnel between HQ and home, and route your IPsec traffic through that tunnel.

OK, L2TP is working well..