You’re silent regarding the tunnel between the Cisco and the Mikrotik 1, and also regarding the exact type of tunnel between the two Mikrotiks (i.e. bare IPsec with policies or some IPsec-encrypted tunnel like GRE or IPIP).
So if you are using IPsec policies, you have to add 192.168.1.0/24<->192.168.3.0/24 policies to both tunnels (i.e. M1-M2 and M1-C). If you are using some IPsec-encrypted tunnel, you have to add routes.
Or, if all three routers have a public IP, you can create a direct tunnel M2-C.
Thank you for the response. Everything is unfortunately more complicated and I want to simplify it to get the logic.
Mikrotik1 is a virtual CHR on a host with 2 interfaces. It’s not the only gateway in its network, and it has a connection to Cisco1 via a fiber trunk through another router, Cisco2.
Mikrotik2 is hardware and distant. All the routers have their own public static IP addresses. Technically, in the future Mikrotik1 might be an IPsec gateway for many other Mikrotik routers: Mikrotik2, Mikrotik3 .. Mikrotikn. All I want is to understand how to make the proper routing between the Cisco1 network and the Mikrotik2 network, where Mikrotik1 is the gateway.
I got from the logs that Mikrotik1 is forwarding packets from Cisco1 to Mikrotik2, but there is no ping because Mikrotik2 doesn’t respond.
OK, so there is no kind of tunnel between Cisco 1 and Mikrotik. But you still haven’t explicitly stated whether the tunnel between Mikrotik 2 and Mikrotik 1 is a bare IPsec one, using traffic selectors of policies to elect packets for tunneling, or whether it is the “some-other-tunnel-over-IPsec” case.
In any case, what you describe may be an issue of:
- firewall rules at Mikrotik 2 - if so, it receives the traffic from the Cisco subnets but drops it
- missing IPsec policies or routes at Mikrotik 2 - if so, Mikrotik 2 receives the traffic and would like to respond to it, but there is either no route towards the source of that traffic, so it cannot send the response at all, or there is a route (the default one) but the policy that should intercept the response and redirect it to the bare IPsec tunnel is missing, so the response goes to the internet rather than back to Mikrotik 1
- missing routes/policies at Mikrotik 1 - you say the log shows it forwards the traffic towards Mikrotik 2, but I cannot remember any log that indicates a packet has been sent via an IPsec SA
If the above tips still don’t help resolve it, post the exports of both Mikrotik 1’s and Mikrotik 2’s configurations, following my automatic signature below.
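To make the second failure mode above concrete, here is an added Python check, not code from the thread or from RouterOS, that models the policy traffic selectors (src-address, dst-address) on both Mikrotiks and reports any selector whose reversed counterpart is missing on the peer. The subnets (Cisco 1 LAN 192.168.1.0/24, Mikrotik 1 LAN 192.168.2.0/24, Mikrotik 2 LAN 192.168.3.0/24) and the policy lists are constructed assumptions.

```python
import ipaddress

# Constructed example (assumed, not from the thread): the Cisco 1 LAN selector was
# added on Mikrotik 1 but its mirror image was never added on Mikrotik 2.
POLICIES = {
    "M1": [("192.168.2.0/24", "192.168.3.0/24"),
           ("192.168.1.0/24", "192.168.3.0/24")],   # Cisco 1 LAN -> M2 LAN
    "M2": [("192.168.3.0/24", "192.168.2.0/24")],   # no M2 LAN -> Cisco 1 LAN selector
}


def matching_selector(policies, router, src, dst):
    """First selector on `router` whose src/dst networks contain the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for psrc, pdst in policies[router]:
        if s in ipaddress.ip_network(psrc) and d in ipaddress.ip_network(pdst):
            return (psrc, pdst)
    return None


def missing_mirrors(policies, a, b):
    """Selectors on `a` with no reversed (dst, src) counterpart on `b`.
    Replies to such traffic match no policy on `b` and follow the ordinary
    routing table instead of being encrypted back through the tunnel."""
    reversed_on_b = {(d, s) for s, d in policies[b]}
    return [sel for sel in policies[a] if sel not in reversed_on_b]


def trace_echo(policies, src, dst, near="M1", far="M2"):
    """Classify what happens to an ICMP echo src->dst and its reply."""
    request = matching_selector(policies, near, src, dst)
    reply = matching_selector(policies, far, dst, src)
    if request is None:
        return "request not tunnelled by %s (no policy)" % near
    if reply is None:
        return "request tunnelled, reply from %s leaves via default route (no policy)" % far
    return "request and reply both tunnelled"


if __name__ == "__main__":
    print("missing on M2:", missing_mirrors(POLICIES, "M1", "M2"))
    print(trace_echo(POLICIES, "192.168.1.10", "192.168.3.10"))
```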
Yes, it’s a bare IPsec tunnel between Mikrotik1 and Mikrotik2. I think I’ve already tried everything in the last four days and found no problem in routes, firewall or policies, but it still doesn’t work as it should. I’d rather try another solution from another manufacturer.
This kind of network is very difficult to get right using bare IPsec tunnels. A mixed manufacturer situation potentially makes it even more difficult.
If you used GRE/IPsec or IPIP/IPsec it would be easy, even with more sites.
However, there appear to be lots of masochistic people in the IPsec tunnel world… (there is another thread running at this time with the same topic)
Since there is no IPsec interworking between manufacturers, it must be something easy yet hard to spot. Post the actual configurations of both Mikrotiks and the actual subnets of the two Ciscos for a review. See my automatic signature below regarding obfuscation that doesn’t break consistency. And as @pe1chl says, bare IPsec may hit you many ways, so since the idea is to connect routers, not end devices, to Mikrotik 1, you should also consider IPIP or GRE over IPsec.