I Can't ping the remote network from router RB450g over IPSE

Hi, we have an IPSEC tunnel from a MikroTik to a Stonegate firewall. I can ping from my network to the remote network and vice versa, but I can’t ping from my MikroTik router to the remote network. This is a problem for DNS: the router can’t see the DNS in the remote network.
Can someone help me?

This is my configuration:

[admin@ROUTER RB450] /ip ipsec peer> print 
Flags: X - disabled 
 0   address=81.198.9.98/32 port=500 auth-method=pre-shared-key secret="*********" generate-policy=no 
     exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey 
     hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd 
     dpd-maximum-failures=1 
[admin@ROUTER RB450] /ip ipsec peer> ..
[admin@ROUTER RB450] /ip ipsec> policy
[admin@ROUTER RB450] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=192.168.255.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all 
     action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=18.114.2.111 
     sa-dst-address=81.198.9.98 proposal=default priority=0

I modified the public addresses.
Thanks
Cris

Have you added an IP firewall accept rule…

No, can you explain it to me?
I added a rule with src-address=0.0.0.0/0 chain=input and action=accept, but nothing changed.


Thanks.

In your case you need an "IP FIREWALL NAT" rule like the one below:

/ip firewall nat add chain=srcnat src-address=192.168.255.0/24 dst-address=192.168.1.0/24 action=accept

This rule should be on top of all NAT rules.

Check the example on this wiki link: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Thanks for your reply. I have this rule, and I can ping the remote network from the local network, for example 192.168.255.30 to 192.168.1.51, but I cannot ping the host 192.168.1.51 from the terminal of router RB450.
The problem is that 192.168.1.51 is a DNS server, and the router cannot reach it.

I don’t understand where my error is.
If I configure 192.168.1.51 in the DNS configuration of my client PCs, they can reach the DNS and everything works correctly, but if I insert the IP address into the DNS configuration of the router, the router cannot reach the IP.

;;; VPN office 1
0   chain=srcnat action=accept src-address=192.168.255.0/24 dst-address=192.168.1.0/24 
;;;VPNoffice 2
1   chain=srcnat action=accept src-address=192.168.255.0/24 dst-address=192.168.0.0/24

Thanks
Cris

Nice to see that it works for you… Did you check pinging 192.168.1.51 with src-address? What is the remote device make and model?

Sorry for the necrobump, but I have the same problem here. I still have no clue how to solve it.

Late reply for you.

When trying to ping the remote network from the router, you need to change the interface to your local LAN interface in the ping utility. On my setup, it was defaulting to the 0.0.0.0/24 rule and trying to push it out the ether1 WAN interface. Changing the interface to ether2 (LAN) allowed the ping to go through the IPSEC tunnel.

I guess this is one of the most viewed topics.

Here is the answer:

When you ping/connect to the remote network from the IPsec peer, which in this case is the MikroTik router, the MikroTik must have some IP address that is routable (from both sides) to the ping destination, and this is where things don’t go the way we think, because the router doesn’t have any IP address in that network and the only route to that network is through the interface of the default route, since the IPsec policies that we usually set up between two networks don’t apply to the router. So, to ping the remote network you must have:

  1. Correct Source IP address
  2. Destination route

To correct this issue, there are two ways:

A. Add a route (the better option):

dst-address: [destination network]
Gateway: [interface with router’s source ip]

This will map the router’s IP address to one that is routed, and then the IPsec policies will be applied.

B. Add a netmap rule in the firewall between the “typical” IPsec “accept” rules and the masquerade rule of the gateway:

dst-address: [destination network]
out-interface: [default gateway interface]
action: netmap
to-addresses: [source IP address of the router for the destination network]

P.S. You’re welcome.
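The two fixes from the post above, and the src-address / interface ping check suggested earlier in the thread, written out as RouterOS CLI commands. This is an added example, not commands from the thread or from MikroTik's documentation. It assumes the thread's addressing (local LAN 192.168.255.0/24, remote network 192.168.1.0/24, remote DNS 192.168.1.51) plus a few constructed details: the LAN interface is ether2 with router address 192.168.255.1, the WAN interface is ether1, and there is exactly one masquerade rule in srcnat. Use either option A or option B, not both.

```routeros
# Added example: RouterOS commands for the fixes described in the thread.
# Constructed assumptions: LAN = ether2 (router IP 192.168.255.1), WAN = ether1,
# remote network 192.168.1.0/24, remote DNS server 192.168.1.51, one masquerade rule.

# The IPsec bypass rule from the thread. It must stay above the masquerade rule,
# otherwise LAN-to-remote traffic is NATed to the WAN address and no longer
# matches the policy src-address=192.168.255.0/24.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.255.0/24 dst-address=192.168.1.0/24 \
    place-before=0 comment="VPN office 1 - IPsec bypass"

# Option A (preferred): route the remote network via the LAN interface.
# Router-originated packets then use the LAN address 192.168.255.1 as source,
# so they match the IPsec policy and are encrypted instead of leaving ether1 in the clear.
/ip route add dst-address=192.168.1.0/24 gateway=ether2 \
    comment="remote office reachable through IPsec policy"

# Option B (alternative to A): rewrite the source of router-originated packets bound
# for the remote network to the LAN address, placed before the masquerade rule.
# Assumes a single masquerade rule exists; otherwise reference it by comment.
/ip firewall nat add chain=srcnat action=netmap to-addresses=192.168.255.1 \
    dst-address=192.168.1.0/24 out-interface=ether1 \
    place-before=[find action=masquerade] comment="router to remote office"

# Check 1: ping with an explicit source address inside the policy (the earlier reply's test).
/ping 192.168.1.51 src-address=192.168.255.1 count=4
# Check 2: equivalent test by forcing the LAN interface, as in the ether2 reply.
/ping 192.168.1.51 interface=ether2 count=4
# Check 3: confirm the policy is established and that the SA counters increase
# while pinging; if they do not, the packets are still leaving unencrypted.
/ip ipsec policy print
/ip ipsec installed-sa print

# Once the router itself can reach 192.168.1.51, the original goal works:
/ip dns set servers=192.168.1.51
/ip dns print
```

The `place-before=0` on the bypass rule puts it at the top of srcnat, which is what the earlier reply asked for; if you already have that rule (as the thread's listing shows), skip that line. The `find action=masquerade` lookup errors out if it matches more than one rule, in which case use the rule's comment or number instead.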