IPsec VPN site to site

Sorry if I am posting twice. I sent a post 3 days ago and didn’t get a confirmation and can’t see it listed on my posts so maybe it got lost.

I have configured an IPsec VPN, site to site, with an RB941 on either side.
The local side has a LAN of 192.168.2.0/24, the remote side has a LAN of 192.168.100.0/24.

The IPsec tunnel is established but I can't seem to ping from either side to the other side.
I read somewhere that it is not hitting the NAT rule. I have the src-nat rule set up on both routers, at position 0 above the standard masquerade rule.
I can't ping the remote router (192.168.100.1) from the local router (192.168.2.150) or any machine on the remote LAN.
I also can't ping the local router (192.168.2.150) or any machine on the local LAN from the remote LAN.

Any ideas here? I had an issue on the local LAN that 192.168.100.0/24 was routing via the internet, and I even changed the remote LAN to 172.16.16.0/24, but I still couldn't route traffic over the tunnel.
Any ideas please? I have been stuck on this one for a while.

Not enough details. There might be just some mistake in the config, but it's hard to tell when we don't see it.

Please see both configs below, let me know if you require any further info

ROUTER LOCAL
[admin@MikroTik] > export compact hide-sensitive

# apr/03/2018 02:20:46 by RouterOS 6.39.2

/interface bridge
add disabled=yes name=Capman protocol-mode=none
add admin-mac= auto-mac=no fast-forward=no mtu=1500 name=
bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=
ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=
security1
add configuration=cfg1 disabled=yes mac-address=64:D1:54:4D:84:D0
master-interface=none name=cap1 radio-mac=64:D1:54:4D:84:D0 security=
security1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=""
mode=dynamic-keys
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=
tkip,aes-ccm mode=dynamic-keys name=wpa2-profile unicast-ciphers=
tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] ampdu-priorities=0,1 band=2ghz-b/g/n
channel-width=20/40mhz-Ce country="south africa" disabled=no
disconnect-timeout=15s distance=indoors mode=ap-bridge security-profile=
wpa2-profile ssid=kha-mk wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-nstreme=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=192.168.2.100-192.168.2.130
add name=dhcp_pool2 ranges=192.168.2.50-192.168.2.100
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay
interface=bridge-local lease-time=8h name=dhcp-wan
/ppp profile
/queue interface
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
add memory-lines=100 name=firewall target=memory
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge nat
add action=accept chain=srcnat disabled=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=Capman disabled=yes interface=cap1
/ip address
add address=192.168.2.150/24 comment="default configuration" interface=
ether2-master-local network=192.168.2.0
add address=192.168.2.240/24 disabled=yes interface=ether1-gateway network=
192.168.2.0
add address=172.16.16.150/24 disabled=yes interface=ether2-master-local
network=172.16.16.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no
interface=ether1-gateway
/ip dhcp-relay
add dhcp-server=192.168.2.152 disabled=no interface=bridge-local name=relay1
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.100.2,192.168.100.3 domain=
gateway=192.168.2.150 netmask=24 wins-server=
192.168.100.11
/ip dns
set allow-remote-requests=yes servers=169.1.1.1,169.1.1.2
/ip dns static
/ip firewall address-list
add address=192.168.2.0/24 list=LAN
add list=Any
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=
established,related
add action=drop chain=input comment="default configuration" in-interface=
ether1-gateway
add action=accept chain=forward comment="default configuration"
connection-state=established
add action=accept chain=forward comment="default configuration"
connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=
invalid disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes
protocol=icmp
add action=accept chain=output comment="default configuration"
connection-state=established disabled=yes
add action=accept chain=input comment="default configuration" connection-state=
related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes
in-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add action=accept chain=output
add action=accept chain=forward disabled=yes log=yes src-address-list=LAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 log=yes log-prefix=
WK src-address=192.168.2.0/24
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat disabled=yes protocol=tcp to-addresses=
192.168.2.20 to-ports=61331
add action=dst-nat chain=dstnat disabled=yes log=yes log-prefix=torrent-trans
protocol=tcp src-address=196.25.195.205 to-addresses=192.168.2.20 to-ports=
9091
add action=dst-nat chain=dstnat dst-port=61331 in-interface=ether1-gateway
protocol=tcp src-address=0.0.0.0 to-addresses=192.168.2.20 to-ports=61331
add action=masquerade chain=srcnat disabled=yes out-interface=*15
add action=dst-nat chain=dstnat dst-port=10127 protocol=tcp to-addresses=
192.168.2.101 to-ports=10127
add action=dst-nat chain=dstnat dst-port=10127 protocol=udp to-addresses=
192.168.2.101 to-ports=10127
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec peer
add address=xx.xx.xx.xx/32 dpd-interval=10s dpd-maximum-failures=2
hash-algorithm=md5 nat-traversal=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.100.0/24 sa-dst-address=xx.xx.xx.xx sa-src-address=
xx.xx.xx.xx src-address=192.168.2.0/24 tunnel=yes
/ip proxy
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip route
add comment=www.wineofthemonth.co.za disabled=yes distance=1 dst-address=
xx.xx.xx.xx/32 gateway=MSpring-MK-VPN
add comment="DISABLED FOR IPSEC" disabled=yes distance=1 dst-address=
192.168.100.0/24 gateway=MSpring-MK-VPN
/ip service
set telnet disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.2.0/24,196.25.102.0/24 port=81
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24
set api-ssl address=192.168.2.0/24 certificate=cert_1 disabled=yes
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.2.250 version=5
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/ppp secret
add local-address=10.10.11.1 name=wkpptpd remote-address=10.10.11.2 service=
pptp
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
/system leds
set 0 interface=wlan1
/system logging
set 3 action=memory
add action=disk topics=firewall
add disabled=yes prefix=IPSECWK topics=ipsec
/system ntp client
set enabled=yes primary-ntp=196.25.1.1 secondary-ntp=196.4.160.4
/system scheduler
add interval=15m name=DyndnsUpdate on-event=DynDNS policy=
reboot,read,write,policy,test,password,sniff,sensitive start-date=
sep/21/2014 start-time=00:00:00
/system script
add name=DynDNS owner=admin policy=
reboot,read,write,policy,test,password,sniff,sensitive source="# Set needed
variables
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool sniffer
set streaming-server=192.168.2.28


ROUTER REMOTE

[mindspring@MikroTik] > export compact hide-sensitive
# apr/03/2018 02:39:48 by RouterOS 6.41.3
# model = 2011iL

/interface l2tp-server
add name="Dialup L2TP Pramod" user=pramod
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp comment=
"LAN Private IPs (192.168.100.0)" name=
"ether 2 -LAN" speed=1Gbps
set [ find default-name=ether5 ] comment="ether5 - Comtel (xx.xx.xx.xx)"
mac-address= name="ether 5 - WAN" rx-flow-control=auto
tx-flow-control=auto
set [ find default-name=ether1 ] disabled=yes mac-address=
set [ find default-name=ether3 ] disabled=yes mac-address=
set [ find default-name=ether4 ] disabled=yes full-duplex=no mac-address=
6 rx-flow-control=auto tx-flow-control=auto
/interface pptp-server
add name="Dialup PPTP " user=
add name=HomeVPN user=
add disabled=yes name=HomeVPN2 user=
/interface ethernet switch port
set 5 !egress-rate !ingress-rate
set 6 !egress-rate !ingress-rate
set 7 !egress-rate !ingress-rate
set 8 !egress-rate !ingress-rate
set 9 !egress-rate !ingress-rate
set 11 !egress-rate !ingress-rate
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|ente
rtane|demonoid|eztv|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|
bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganov
a|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name="Deny Facebook" regexp="^.+(facebook.com).*$\r\n^.+(eztv.ag).*$\r\n"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=
aes-256-cbc,aes-128-cbc,3des
/ip pool
add name=PrivateIPLan ranges=192.168.100.149
add name=LAN_Pool ranges=192.168.100.129-192.168.100.179
add name=“PPTP IP Pool” ranges=10.10.20.2-10.10.20.254
add name=“PPTP Pool” ranges=192.168.100.210-192.168.100.219
/ip dhcp-server
add add-arp=yes address-pool=LAN_Pool authoritative=after-2sec-delay disabled=
no interface="ether 2 -LAN" lease-time=30m name="LAN Private IP"
/ppp profile
set *0 change-tcp-mss=default use-compression=yes
add local-address="PPTP Pool" name="PPTP IP Pool" remote-address="PPTP Pool"
add dns-server=192.168.100.2,192.168.100.3 local-address=10.10.20.1 name=
"L2TP Profile" remote-address="PPTP IP Pool" use-encryption=required
wins-server=192.168.100.11
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=“L2TP Profile” enabled=yes
use-ipsec=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.100.14/24 comment="Private IP Block" interface=
"ether 2 -LAN" network=192.168.100.0
add address=10.10.10.1/30 disabled=yes interface=ether4 network=10.10.10.0
add address=publicip comment="Comtel Public Ip Range 50Mb Fibre"
disabled=yes interface="ether 5 - WAN" network=
add address=PublicIP interface="ether 5 - WAN" network=
add address=PublicIP interface="ether 5 - WAN" network=
add address=PublicIP disabled=yes interface="ether 5 - WAN" network=
255.255.255.248
add address=41.xx.xx.54 disabled=yes interface="ether 5 - WAN" network=
255.255.255.248
add address=xx.xx.xx.50/29 interface="ether 5 - WAN" network=xx.xx.xx.48
add address=10.10.11.2 disabled=yes interface=WaleedHomeVPN network=10.10.11.1
add address=192.168.100.1/24 interface="ether 2 -LAN" network=192.168.100.0
/ip dhcp-server lease
"LAN Private IP"
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.2,192.168.100.3 gateway=
192.168.100.1
/ip dns
set servers=192.168.100.2,192.168.100.3
/ip firewall address-list
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=accept chain=input comment="Accept all packets from Local Network"
connection-nat-state="" in-interface="ether 2 -LAN"
add action=accept chain=input comment=
"Accept INPUT established and related packets" connection-state=
established,related
add action=accept chain=forward comment=
"Accept FORWARDED established and related packets" connection-state=
established,related
add action=accept chain=input comment="Allow PPTP to Mikrotik" dst-port=1723
protocol=tcp src-address-list=""
add action=accept chain=input comment="Allow GRE for PPTP to Mikrotik"
protocol=gre
add action=accept chain=input comment="Allow L2TP to Mikrotik (IKEv1)"
dst-port=500 protocol=udp src-port=""
add action=accept chain=input comment="Allow L2TP to Mikrotik (IKEv1)"
dst-port=4500 protocol=udp
add action=accept chain=input comment="Allow ESP for IPSEC to Mikrotik"
protocol=ipsec-ah
add action=accept chain=input comment="Allow ESP for IPSEC to Mikrotik"
protocol=ipsec-esp
add action=accept chain=input comment="Allow Port 1701 for L2TP to Mikrotik"
dst-port=1701 protocol=udp
add action=accept chain=forward comment=
"Allow Packets to Pramod's Home Network via VPN" dst-address=192.168.7.0/24
in-interface="ether 2 -LAN" out-interface=PramodHomeVPN
add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=udp
add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=tcp
add action=drop chain=input comment=
"Drop all packets which are not destined to routes IP address"
dst-address-type=!local
add action=drop chain=input comment=
"Drop all packets which does not have unicast source IP address"
src-address-type=!unicast
add action=drop chain=input comment="Drop invalid packets" connection-state=
invalid
add action=drop chain=input comment="Drop all packets from public internet which
_should not exist in public network" in-interface="ether 5 - WAN"
src-address-list=NotPublic
add action=drop chain=forward comment="Drop invalid packets" connection-state=
invalid
add action=drop chain=forward comment=
"Drop new connections from internet which are not dst-natted"
connection-nat-state=!dstnat connection-state=new in-interface=
"ether 5 - WAN"
add action=drop chain=forward comment="Drop all packets from public internet whi
ch should not exist in public network" in-interface="ether 5 - WAN"
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to in
ternet which should not exist in public network" dst-address-list=NotPublic
in-interface="ether 2 -LAN"
add action=drop chain=forward comment="Drop all packets in local network which d
oes not have local network address" in-interface="ether 2 -LAN"
src-address=!192.168.100.0/24
add action=drop chain=forward comment=
"Drop new connections from internet which are not dst-natted"
connection-nat-state=!dstnat connection-state=new in-interface=
"ether 5 - WAN"
add action=drop chain=input comment="Drop any other packets from the Internet"
in-interface="ether 5 - WAN"

p2p matcher is obsolete please use layer7 matcher instead

add action=drop chain=forward comment="Torrent Sites: ALL P2P Traffic" p2p=
all-p2p src-address-list=""
add action=drop chain=forward comment="Torrent Sites: Block Websites"
layer7-protocol=torrentsites src-address=192.168.100.0/24 src-address-list=
""
add action=drop chain=forward comment="Torrent Sites: Drop DNS" dst-port=53
layer7-protocol=torrentsites protocol=udp src-address=192.168.100.0/24
add action=drop chain=forward comment="Torrent Sites: Keyword_Drop" content=
torrent src-address=192.168.100.0/24
add action=drop chain=forward comment="Torrent Sites: Keyword Tracker" content=
tracker src-address=192.168.100.0/24
add action=drop chain=forward comment="Torrent Sites: Get Peers Drop" content=
getpeers src-address=192.168.100.0/24
add action=drop chain=forward comment="Torrent Sites: info_hash_drop" content=
info_hash src-address=192.168.100.0/24
add action=drop chain=forward comment="Torrent Sites:announce_peers_drop"
content=announce_peers src-address=192.168.100.0/24
add action=accept chain=forward comment="Staff Waleed IPSEC: LAN to LAN 1"
dst-address=192.168.100.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment="Staff Waleed IPSEC: LAN to LAN 2"
dst-address=192.168.2.0/24 src-address=192.168.100.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
"Mark HTTP to redirect browsing via ADSL" disabled=yes dst-address=
!192.168.100.0/24 dst-port=80 new-routing-mark=HTTP passthrough=yes
protocol=tcp
add action=mark-routing chain=prerouting comment=
"Mark HTTPS to redirect browsing via ADSL" disabled=yes dst-address=
!192.168.100.0/24 dst-port=443 new-routing-mark=HTTPS passthrough=yes
protocol=tcp
add action=mark-routing chain=prerouting comment="Standard Bank Mark" disabled=
yes dst-address=196.8.0.0/16 log=yes log-prefix="SB Mark" new-routing-mark=
SBank passthrough=yes src-address=192.168.100.0/24
/ip firewall nat
add action=accept chain=srcnat comment="Staff: IPSec VPN Waleed NAT"
dst-address=192.168.2.0/24 src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="Elm Openvpn" disabled=yes dst-port=
1194 in-interface="ether 5 - WAN" protocol=tcp to-addresses=192.168.100.51
to-ports=1194
add action=dst-nat chain=dstnat comment="Port 80"
dst-address=xx.xx.xx.xx dst-port=80 in-interface="ether 5 - WAN" protocol=
tcp to-addresses=192.168.100.21 to-ports=80
add action=dst-nat chain=dstnat comment="port 443"
dst-address=xx.xx.xx.xx dst-port=443 in-interface="ether 5 - WAN" protocol=
tcp to-addresses=192.168.100.21 to-ports=443
add action=dst-nat chain=dstnat comment="" dst-port=
8181 in-interface="ether 5 - WAN" protocol=tcp to-addresses=192.168.100.20
to-ports=8181
add action=dst-nat chain=dstnat comment=
"RSYNC TCP, Limited to Offshore Servers"
dst-port=873 in-interface="ether 5 - WAN" protocol=tcp src-address-list=
OffshoreServer to-addresses=192.168.100.33 to-ports=873
add action=dst-nat chain=dstnat comment="SMTP"
dst-address=publicip dst-port=25 in-interface="ether 5 - WAN" protocol=
tcp to-addresses=192.168.100.33
add action=dst-nat chain=dstnat comment="IMAP"
dst-port=143 in-interface="ether 5 - WAN" protocol=tcp to-addresses=
192.168.100.33 to-ports=143
add action=dst-nat chain=dstnat comment="IMAPS"
dst-port=993 in-interface="ether 5 - WAN" protocol=tcp to-addresses=
192.168.100.33 to-ports=993
add action=dst-nat chain=dstnat comment="SMTPAUTH"
dst-port=587 in-interface="ether 5 - WAN" protocol=tcp to-addresses=
192.168.100.33 to-ports=587
add action=dst-nat chain=dstnat comment="SMTPAUTH"
dst-port=465 in-interface="ether 5 - WAN" protocol=tcp to-addresses=
192.168.100.33 to-ports=465
add action=dst-nat chain=dstnat comment="RSYNC UDP In
coming, Limited to Offshore Servers" dst-port=873 in-interface=
"ether 5 - WAN" protocol=udp src-address-list=OffshoreServer to-addresses=
192.168.100.33 to-ports=873
add action=dst-nat chain=dstnat comment=
"Geode FTP Incoming, Limited to Offshore Servers" dst-address=publicip
dst-port=20 in-interface="ether 5 - WAN" protocol=tcp src-address-list=
OffshoreServer to-addresses=192.168.100.23
add action=dst-nat chain=dstnat comment="port forward"
dst-address=publicip dst-port=2910 in-interface="ether 5 - WAN"
protocol=tcp to-addresses=192.168.100.19 to-ports=2910
add action=dst-nat chain=dstnat comment=
"Geode FTP Incoming, Limited to Offshore Servers" dst-address=publicip
dst-port=21 in-interface="ether 5 - WAN" protocol=tcp src-address-list=
OffshoreServer to-addresses=192.168.100.23
add action=dst-nat chain=dstnat comment=
"Geode FTP Incoming, UDP 20, Limited to Offshore Servers" dst-address=
publicip dst-port=20 in-interface="ether 5 - WAN" protocol=udp
src-address-list=OffshoreServer to-addresses=192.168.100.23
add action=dst-nat chain=dstnat comment=
"Geode Dst-nat Port 21 UDP Incoming, Limited to Offshore Servers"
dst-address=publicip dst-port=21 in-interface="ether 5 - WAN" protocol=
udp src-address-list=OffshoreServer to-addresses=192.168.100.23
add action=dst-nat chain=dstnat comment="SSH/SFTP/Rsync over SSh to Geode"
dst-address=publicip dst-port=22 in-interface="ether 5 - WAN" protocol=
tcp src-address-list=OffshoreServer to-addresses=192.168.100.23
add action=dst-nat chain=dstnat comment=
"Agate - Incoming TCP DNS queries from Internet" dst-address-type=""
dst-port=53 in-interface="ether 5 - WAN" protocol=tcp to-addresses=
192.168.100.3
add action=dst-nat chain=dstnat comment=
"Agate - Incoming UDP DNS queries from Internet" dst-port=53 in-interface=
"ether 5 - WAN" protocol=udp to-addresses=192.168.100.3
add action=masquerade chain=srcnat comment=
"Masquerade all private IP traffic from LAN, outgoing" src-address=
192.168.100.0/24
add action=dst-nat chain=dstnat comment="Crystal: Incoming SMTP from Internet"
dst-address=publicip dst-port=25 in-interface="ether 5 - WAN" protocol=
tcp to-addresses=192.168.100.17
add action=dst-nat chain=dstnat comment="Crystal Web Interface" dst-address=
pub2 dst-port=80 in-interface="ether 5 - WAN" protocol=tcp
to-addresses=192.168.100.17
add action=dst-nat chain=dstnat comment="Silver Incoming port 80"
dst-address=pub2 dst-port=80 protocol=tcp to-addresses=
192.168.100.32
add action=dst-nat chain=dstnat comment="Silver Incoming Port 21 FTP"
dst-address=pub2 dst-port=21 log=yes protocol=tcp to-addresses=
192.168.100.32 to-ports=21
add action=dst-nat chain=dstnat comment="Silver Incoming Port 20 FTP"
dst-address=pub2 dst-port=20 log=yes protocol=tcp to-addresses=
192.168.100.32 to-ports=20
add action=dst-nat chain=dstnat comment=
"NagiosXI Incoming Port 443 for Passive Monitoring" dst-address=pub2
dst-port=443 protocol=tcp to-addresses=192.168.100.78 to-ports=443
/ip firewall service-port
set sip disabled=yes
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 generate-policy=port-override
add address=165.0.10.96/32 dh-group=modp1024 dpd-interval=10s
dpd-maximum-failures=2 enc-algorithm=3des hash-algorithm=md5 nat-traversal=
no
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=locallan sa-src-address=
publicip src-address=192.168.100.0/24 tunnel=yes
/ip proxy
set cache-administrator="" parent-proxy=0.0.0.0
/ip route
add check-gateway=ping comment="Route HTTP Traffic for Comtel Link Failure"
disabled=yes distance=1 gateway=192.168.100.4 routing-mark=HTTP
add check-gateway=ping comment="HTTPS Routing For Comtel link failure"
disabled=yes distance=1 gateway=192.168.100.4 routing-mark=HTTPS
add check-gateway=ping comment=Primary distance=1 gateway=8.8.8.8
add comment=Secondary distance=2 gateway=192.168.100.4
add check-gateway=ping comment="Comtel Fibre Route" disabled=yes distance=1
gateway=xx.xx.xx.xx
add check-gateway=ping comment="ADSL 2" disabled=yes distance=2 gateway=
192.168.100.4
add check-gateway=ping comment="Validate if Primary Route (Fibre) is up"
distance=1 dst-address=8.8.8.8/32 gateway=x.xx.xx.xx scope=10
add check-gateway=ping comment="Comtel /29 Subnet onto LAN" distance=1
dst-address=xx.xx.xx.xx gateway="ether 2 -LAN"
add comment="Staff: Waleed Home Mikrotik" disabled=yes distance=1 dst-address=
192.168.2.0/24 gateway=10.10.11.1 pref-src=10.10.11.2
add comment="Staff: Pramod Home Mikrotik" distance=1 dst-address=192.168.7.0/24
gateway=10.10.10.1 pref-src=10.10.10.2
/ip service
set telnet address=192.168.0.0/16
set ftp address=192.168.0.0/16
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set www-ssl address=192.168.0.0/16 disabled=no port=81
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16
/ip traffic-flow
set enabled=yes interfaces="ether 2 -LAN"
/ip traffic-flow target
add dst-address=192.168.100.70 port=3000
add dst-address=192.168.100.129 version=1
/ppp l2tp-secret
add
/ppp secret
add local-address=10.10.10.2 name=pdpptp remote-address=10.10.10.1
add name=pramodPPTP profile=“PPTP IP Pool”
add local-address=10.10.11.2 name=wkpptpd remote-address=10.10.11.1
/snmp
set enabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system clock manual
set time-zone=+02:00
/system logging
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes mode=broadcast primary-ntp=196.21.187.2 secondary-ntp=
196.84.150.123
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/tool graphing interface
add interface="ether 5 - WAN"
add interface=PramodHomeVPN
add interface="ether 2 -LAN"
/tool graphing resource
add
/tool traffic-monitor
add interface="ether 5 - WAN" name=tmon1 threshold=0

On remote router, you have this (and not just once, twice the same rule):

/ip firewall filter
add action=drop chain=forward comment= "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface= "ether 5 - WAN"

And it’s before (the order matters):

/ip firewall filter
add action=accept chain=forward comment="Staff Waleed IPSEC: LAN to LAN 1" dst-address=192.168.100.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment="Staff Waleed IPSEC: LAN to LAN 2" dst-address=192.168.2.0/24 src-address=192.168.100.0/24

So you can’t connect from .2 network to .100 network, because traffic from IPSec tunnel looks like it comes from WAN, and so the first rule will block it.

Also those two accept rules are currently useless, because they are last, so anything they accept would be accepted by default anyway.

I don't see anything clearly wrong for the other direction. Start by fixing the above. If you want to specifically allow traffic from the IPsec tunnel, you can use the "ipsec-policy" matcher (ipsec-policy=in,ipsec for incoming and ipsec-policy=out,ipsec for outgoing) and put it before that blocking rule. Also, when testing directly from either router, make sure you set the local address as source, because the router won't pick it by default and then the policy won't match.

Edit: One more, when testing devices in LAN, also make sure that ping is not blocked by remote device’s firewall, some only allow requests from local subnet.
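Added example, not from Sob's reply or the posted exports: the remote router's forward and srcnat rules rewritten around the ipsec-policy matcher described above, so the tunnel traffic is identified by the fact that it was just decrypted (or is about to be encrypted) rather than by rule position alone. It assumes the rule comments and the two LAN ranges from the posted export; the `:pick`/`place-before` idiom is one way to insert above an existing rule by its comment, which matters here because the drop rule appears twice.

```routeros
# Added example (not the thread's own config). Remote router, RouterOS 6.41.
# Decrypted IPsec packets still show in-interface="ether 5 - WAN", so any
# in-interface=WAN drop placed above the LAN-to-LAN accepts eats them.
# ipsec-policy=in,ipsec matches packets that an inbound policy just decrypted;
# ipsec-policy=out,ipsec matches packets an outbound policy will encrypt.

/ip firewall filter
# Inbound: 192.168.2.0/24 -> 192.168.100.0/24, only if it came out of the tunnel.
add chain=forward action=accept comment="IPsec: decrypted traffic from local site" \
    ipsec-policy=in,ipsec src-address=192.168.2.0/24 dst-address=192.168.100.0/24 \
    place-before=[:pick [find comment="Drop new connections from internet which are not dst-natted"] 0]
# Outbound: 192.168.100.0/24 -> 192.168.2.0/24, only if a policy will encrypt it.
add chain=forward action=accept comment="IPsec: traffic to be encrypted for local site" \
    ipsec-policy=out,ipsec src-address=192.168.100.0/24 dst-address=192.168.2.0/24 \
    place-before=[:pick [find comment="Drop new connections from internet which are not dst-natted"] 0]
# The two "Staff Waleed IPSEC: LAN to LAN" rules at the end of the chain are now
# redundant (and were never reached before the drop anyway).
remove [find comment~"Staff Waleed IPSEC"]

/ip firewall nat
# Exempt tunnel traffic from masquerade by policy instead of by address pair,
# so a later change of LAN ranges cannot silently re-enable NAT on the tunnel.
add chain=srcnat action=accept comment="IPsec: do not NAT tunnel traffic" \
    ipsec-policy=out,ipsec \
    place-before=[:pick [find chain=srcnat action=masquerade] 0]
remove [find comment="Staff: IPSec VPN Waleed NAT"]
```

The same pattern applies on the local router, where the posted srcnat accept rule sits above the masquerade by position only. Verify with `/ip firewall filter print stats` while pinging across: the packet counters on the two new accepts should rise, and the counter on the "not dst-natted" drop should not.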

Many thanks Sob

I moved the filter rules I had to the top of the rule set and I think that resolved the issue! I didn't need to disable those forward dst-nat drop rules you mentioned.

I can now connect from the LAN on one site to the LAN on the other site. A related question is how I now route traffic from the local LAN (192.168.2.0/24) to a public IP which is only accessible from a public IP that is behind the remote LAN range (192.168.100.0/24).
I used to be able to use routes with the GW pointing to the VPN connection, which was PPTP in the past, but now there is no gateway for the IPsec VPN.

I tried a gateway of 192.168.100.1, which is the remote router, but that didn't work. When I traceroute it goes through the default gateway instead of the VPN/remote gateway of 192.168.100.1.

Thanks again

I didn't say anything about disabling, just that the order of rules matters. They are processed from first to last until a match is found. When that happens, processing stops and further rules are not checked. So allowing something after you block it is pointless, because it will never happen. Changing the rule order is the right solution.

Routing over IPsec is tricky. You can't just add routes with a remote gateway, because it's not directly reachable. Pure IPsec tunnels are strange magic, where traffic looks like it's coming from/to the internet like everything else, but if it matches a defined IPsec policy, the router takes it before actually sending it out and encrypts it (and decrypts incoming). So everything that needs to use the IPsec tunnel must have a policy defined for it. In this case it would be for 192.168.2.0/24 ↔ .

An alternative is to abandon tunnel-mode IPsec and only use transport mode between the routers to secure an IPIP/GRE/EoIP tunnel. That would give you regular interfaces to work with, and then you could set up standard routing as usual.
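Added example, not Sob's or the poster's configuration, of the alternative just described: a GRE tunnel between the two routers carried inside transport-mode IPsec, with ordinary routes pointing at the tunnel interface. LOCAL_WAN and REMOTE_WAN are placeholders for the two redacted public addresses, 10.10.11.0/30 is an assumed point-to-point subnet, and the example assumes that RouterOS 6 derives the transport-mode peer and policy from `ipsec-secret` on the GRE interface and uses the default proposal for it, which is why the proposal is tightened first. The existing tunnel-mode peer and policy from the posted exports are disabled so they do not compete with the dynamic ones.

```routeros
# Added example (not the thread's own config): GRE inside transport-mode IPsec.
# Placeholders: LOCAL_WAN, REMOTE_WAN (redacted public addresses),
# ReplaceWithLongRandomSecret (the PSK). Assumption: ipsec-secret on the GRE
# interface makes RouterOS 6 create the IPsec peer and a transport-mode policy
# for protocol 47 (GRE) automatically, using the default proposal.

# ===== LOCAL router (192.168.2.0/24 side, WAN = ether1-gateway) =====
/ip ipsec proposal
# posted default is 3des with md5/sha1; drop both, keep aes-128/sha1 only
# because the remote's default proposal is shared with its L2TP/IPsec clients
set [find default=yes] enc-algorithms=aes-256-cbc,aes-128-cbc auth-algorithms=sha256,sha1
/ip ipsec peer
disable [find address=REMOTE_WAN/32]
/ip ipsec policy
disable [find dst-address=192.168.100.0/24]
/interface gre
add name=gre-remote local-address=LOCAL_WAN remote-address=REMOTE_WAN \
    ipsec-secret=ReplaceWithLongRandomSecret allow-fast-path=no mtu=1400
/ip address
add address=10.10.11.1/30 interface=gre-remote
/ip route
add dst-address=192.168.100.0/24 gateway=gre-remote comment="remote LAN via GRE"
/ip firewall filter
# IKE, ESP and GRE from the peer only, inserted above the first input drop
# (the posted "drop input in-interface=ether1-gateway" rule)
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=REMOTE_WAN \
    comment="IKE from remote site" place-before=[:pick [find chain=input action=drop] 0]
add chain=input action=accept protocol=ipsec-esp src-address=REMOTE_WAN \
    comment="ESP from remote site" place-before=[:pick [find chain=input action=drop] 0]
add chain=input action=accept protocol=gre src-address=REMOTE_WAN \
    comment="GRE from remote site" place-before=[:pick [find chain=input action=drop] 0]
/ip firewall nat
# the posted masquerade has no out-interface, so it would also rewrite the
# source of packets entering the tunnel; pin it to the uplink
set [find chain=srcnat action=masquerade disabled=no] out-interface=ether1-gateway

# ===== REMOTE router (192.168.100.0/24 side, WAN = "ether 5 - WAN") =====
/ip ipsec proposal
set [find default=yes] enc-algorithms=aes-256-cbc,aes-128-cbc auth-algorithms=sha256,sha1
/ip ipsec peer
disable [find address=LOCAL_WAN/32]
/ip ipsec policy
disable [find dst-address=192.168.2.0/24]
/interface gre
add name=gre-local local-address=REMOTE_WAN remote-address=LOCAL_WAN \
    ipsec-secret=ReplaceWithLongRandomSecret allow-fast-path=no mtu=1400
/ip address
add address=10.10.11.2/30 interface=gre-local
/ip route
add dst-address=192.168.2.0/24 gateway=gre-local comment="Staff: local LAN via GRE"
/ip firewall filter
# the posted input chain already accepts udp/500, udp/4500, ESP and GRE;
# make LAN<->tunnel forwarding explicit, above the first forward drop
add chain=forward action=accept in-interface=gre-local out-interface="ether 2 -LAN" \
    comment="Staff: GRE -> LAN" place-before=[:pick [find chain=forward action=drop] 0]
add chain=forward action=accept in-interface="ether 2 -LAN" out-interface=gre-local \
    comment="Staff: LAN -> GRE" place-before=[:pick [find chain=forward action=drop] 0]
```

After applying both halves, `/ip ipsec installed-sa print` should show a pair of SAs between the two WAN addresses and `/interface gre print` should show the tunnel as running; `mtu=1400` leaves room for the GRE and ESP overhead on a 1500-byte uplink. Restricting the IKE/ESP/GRE accepts to `src-address=REMOTE_WAN` keeps the routers from answering IKE from arbitrary hosts, which the posted remote config (udp/500 accepted from anywhere) does not do.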

Thanks Sob.

I changed to a GRE tunnel with IPsec. My connection has been established and I now have a route for the remote network to go via the GRE tunnel. This method seems not to need the src-nat localnet/remotenet accept rule.

I seem to be faced with the same issue, in that I can't route to the public IP via the tunnel.

My traceroute from a local workstation is as follows:

Tracing route to remote [197.xx.xx.xx]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.150
  2    24 ms    24 ms    24 ms  10.10.11.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.

So it gets as far as the remote side's VPN IP but not to the remote LAN IP and then on to the public IP.
My route is established on the local side to route via GRE for the public IP.
On the remote side I have a route to my local LAN.

Any ideas?

Check what happens with packets along the way. It can be some firewall filter, NAT (or lack of NAT), etc. If I understand it correctly, you want to route traffic to some address by tunneling it to another site and going through its WAN. Remote router might not allow routing from tunnel to WAN, or it can have srcnat only for its own LAN range, which would mean that target address would receive source address from your local LAN and wouldn’t know what to do with it, … there are many possibilities.

You’re very good at this.

Adding a source NAT masquerade rule with src 10.10.11.0/24 did the trick.
Thank you, it’s working well now.
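Added example, not from the posts, of the fix the thread ends on, spelled out for both routers: a host route on the local side steers one public destination into the tunnel, and the remote side translates what arrives over the tunnel before it leaves the WAN. It assumes GRE interfaces named gre-remote (local side, 10.10.11.1) and gre-local (remote side, 10.10.11.2) on a 10.10.11.0/30 point-to-point subnet; TARGET_IP is a placeholder for the public host the poster did not disclose.

```routeros
# Added example (not the thread's own config). Placeholders: TARGET_IP,
# gre-remote / gre-local (assumed tunnel interface names).

# ===== LOCAL router =====
/ip route
# a host route is enough; everything else keeps using the default gateway
add dst-address=TARGET_IP/32 gateway=gre-remote comment="reach via remote site WAN"

# ===== REMOTE router =====
/ip firewall filter
# tunnel -> WAN hairpin. The posted forward chain only drops new connections
# with in-interface="ether 5 - WAN", so this is explicit rather than required.
add chain=forward action=accept in-interface=gre-local out-interface="ether 5 - WAN" \
    comment="Staff: GRE -> WAN" place-before=[:pick [find chain=forward action=drop] 0]
/ip firewall nat
# The posted masquerade matches src-address=192.168.100.0/24 only, so packets
# from the tunnel left the WAN with a private source and replies never came back.
# Cover the local LAN and the tunnel subnet (the latter is what arrives while the
# local router's unrestricted masquerade still rewrites into the tunnel).
add chain=srcnat action=masquerade src-address=192.168.2.0/24 \
    out-interface="ether 5 - WAN" comment="Staff: local LAN out via WAN"
add chain=srcnat action=masquerade src-address=10.10.11.0/30 \
    out-interface="ether 5 - WAN" comment="Staff: GRE p-t-p out via WAN"
```

This is why the poster's 10.10.11.0/24 masquerade worked: the local export's `action=masquerade chain=srcnat` rule has no `out-interface`, so traffic entering the GRE tunnel already carries 10.10.11.1 as its source, and only that address needed translating on the remote WAN. Once the local masquerade is pinned to the uplink, the tunnel carries real 192.168.2.x sources and the first of the two rules takes over; checking `/ip firewall nat print stats` shows which one is counting.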