IPSEC can't ping anything but router

LdB · August 29, 2022, 6:23am

I have an IPSEC tunnel running between sites with ip ranges 10.0.4.0/24 and 10.0.220.0/24
setup is as per the wiki with the standard src-nats in the top of rules

The site2 has an interface in VLAN220 carrying IP 10.0.220.166/24

From site1 I can ping that interface on site 2 with command and it works
ping 10.0.220.166 src-address=10.0.4.1
SEQ HOST SIZE TTL TIME STATUS
0 10.0.220.166 56 64 42ms
1 10.0.220.166 56 64 41ms
sent=2 received=2 packet-loss=0% min-rtt=41ms avg-rtt=41ms max-rtt=42ms

There is another device 10.0.200.21 which I can ping locally on site 2
ping 10.0.220.21
SEQ HOST SIZE TTL TIME STATUS
0 10.0.220.21 56 64 0ms
1 10.0.220.21 56 64 0ms
2 10.0.220.21 56 64 0ms
sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

However when I try from site 1 it fails
ping 10.0.220.21 src-address=10.0.4.1
SEQ HOST SIZE TTL TIME STATUS
0 10.0.220.21 timeout
1 10.0.220.21 timeout
2 10.0.220.21 timeout
sent=3 received=0 packet-loss=100%

Can anyone think of a reason I can’t ping the other device?

sindy · August 29, 2022, 4:26pm

This is not a useful way of describing the configuration, as you may have made mistakes during adaptation of the tutorial to your environment. Always post a complete export of the configuration and only remove the sensitive information, but in a way that doesn’t break the integrity of the configuration (like membership of addresses in subnets).

First thought is a firewall on that device itself - e.g. Windows firewall by default only accepts ping requests coming from the connected subnet (i.e. the one to which the own IP address assigned to the interface belongs). If it is not the case, firewall rules on one of the Mikrotiks can be the reason.

To check, run /tool sniffer quick ip-protocol=icmp ip-address=10.0.220.21 on Site 2 while pinging from Site 1 the way you did before. If you can see packets leaving towards the 10.0.220.21 via the interface to which that device is connected, the issue is the firewall on the device; if not but you can see them coming in from WAN, the issue is the firewall of the Mikrotik at Site 2; if you can see no packets at all, the issue is already at Site 1.

LdB · August 30, 2022, 4:17am

Cheers for help … the packets are arriving

brid… 96.142 57 → 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1
brid… 97.144 58 → 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1
brid… 98.146 59 → 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1
brid… 99.149 60 → 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1
brid… 100.151 61 → 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1
brid… 101.153 62 → 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1

So am I right in guessing the issue is the gateway
The mikrotik has been inserted into a network but isn’t the gateway
So the device doesn’t know to send 10.0.4.1 to the tik and is instead sending it to the gateway device.

So am I right that if I add a static route 10.0.4.0/24 to 10.0.220.166 on the gateway device is a solution?

LdB · August 30, 2022, 1:08pm

Yes all fixed with that … thanks Sindy