Tunnel is up and running. Packets from the network behind the Cisco reach the workstation behind the MikroTik, but do not come back.
They die in the MikroTik. Where is the problem?

Cisco conf
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key bla-bla address 178.yy.xx.21
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp nat keepalive 20
crypto ipsec transform-set AES.SHA.HMAC esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
crypto map TO.REMOTE.OFFICE 10 ipsec-isakmp
 set peer 178.yy.xx.21
 set transform-set AES.SHA.HMAC
 set pfs group2
 match address TO.MY.HOME
interface FastEthernet0/0
 ip address PUBLIC_IP
 crypto map TO.REMOTE.OFFICE
!
ip access-list extended TO.PETER.HOME
 permit ip 172.30.0.0 0.0.255.255 172.17.0.0 0.0.0.255
!
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip access-list extended NAT
 deny ip 172.30.0.0 0.0.255.255 172.17.0.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
route-map ISP1 permit 10
 match ip address NAT
!
MikroTik RouterOS 5.24
> system routerboard print
routerboard: yes
model: 2011UAS-2HnD
current-firmware: 3.04
upgrade-firmware: 3.04
> system license print
software-id: bla-bla
upgradable-to: v7.x
nlevel: 5
features:
> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.198.173.97 1
1 ADC 10.198.173.96/27 10.198.173.99 eth1-gw 0
2 ADC 172.17.0.0/24 172.17.0.1 bridge-local 0
> ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 ;;; Tunnel to work
src-address=172.17.0.0/24 src-port=any dst-address=172.30.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=178.yy.xx.21 sa-dst-address=195.xx.yy.242 proposal=strong priority=0
> ip ipsec peer print
Flags: X - disabled
0 ;;; cisco 2811
address=195.xx.yy.242/32 port=500 auth-method=pre-shared-key secret="bla-bla" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
> ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
1 name="strong" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=30m pfs-group=modp1024
FILTER
> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept src-address=172.17.0.0/24 dst-address=172.30.0.0/16
1 chain=forward action=accept src-address=172.30.0.0/16 dst-address=172.17.0.0/24
2 chain=forward action=accept src-address=172.17.0.0/24 dst-address=192.168.111.0/24
3 chain=forward action=accept src-address=192.168.111.0/24 dst-address=172.17.0.0/24
4 ;;; default configuration
chain=input action=accept protocol=icmp
5 ;;; Allow IPSec-esp
chain=input action=accept protocol=ipsec-esp in-interface=eth1-gw
6 ;;; Allow IPSec-esp
chain=output action=accept protocol=ipsec-esp out-interface=eth1-gw
7 ;;; Just for test
chain=output action=accept protocol=ipsec-esp
8 ;;; Allow IPSec-ah
chain=input action=accept protocol=ipsec-ah in-interface=eth1-gw
9 ;;; Allow IKE
chain=input action=accept protocol=udp in-interface=eth1-gw src-port=500 dst-port=500
10 ;;; Allow IKE
chain=output action=accept protocol=udp out-interface=eth1-gw src-port=500 dst-port=500
11 chain=input action=accept protocol=udp in-interface=eth1-gw dst-port=4500
12 chain=output action=accept protocol=udp out-interface=eth1-gw dst-port=4500
13 ;;; default configuration
chain=input action=accept in-interface=eth1-gw
14 ;;; default configuration
chain=input action=accept connection-state=established
FILTER STATS
> ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 forward accept 0 0
1 forward accept 1 200 20
2 forward accept 0 0
3 forward accept 11 816 211
4 ;;; default configuration
input accept 223 001 1 471
5 ;;; Allow IPSec-esp
input accept 26 032 231
6 ;;; Allow IPSec-esp
output accept 0 0
7 ;;; Just for test
output accept 0 0
8 ;;; Allow IPSec-ah
input accept 0 0
9 ;;; Allow IKE
input accept 81 608 653
10 ;;; Allow IKE
output accept 79 632 637
11 ;;; NAT_T
input accept 0 0
12 ;;; NAT_T
output accept 0 0
13 ;;; default configuration
input accept 123 294 460 1 152 275
14 ;;; default configuration
input accept 77 019 498 1 133 129
NAT
> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=srcnat action=log src-address=172.30.0.0/16 log-prefix=""
1 chain=srcnat action=log dst-address=172.30.0.0/16 log-prefix=""
2 chain=srcnat action=accept src-address=172.17.0.0/24 dst-address=172.30.0.0/16
3 chain=dstnat action=accept src-address=172.30.0.0/16 dst-address=172.17.0.0/24
4 chain=srcnat action=accept src-address=172.17.0.0/24 dst-address=192.168.111.0/24
5 chain=dstnat action=accept src-address=192.168.111.0/24 dst-address=172.17.0.0/24
6 X chain=srcnat action=log out-interface=eth1-gw log-prefix=""
7 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=eth1-gw
NAT STATS
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 X srcnat log 0 0
1 srcnat log 0 0
2 srcnat accept 0 0
3 dstnat accept 120 2
4 srcnat accept 0 0
5 dstnat accept 784 14
6 X srcnat log 0 0
7 ;;; default configuration
srcnat masquerade 4 712 039 47 697
8 ;;; www
dstnat dst-nat 128 3
9 ;;; ssh
dstnat dst-nat 241 480 4 020
10 dstnat dst-nat 0 0
11 ;;; ftp
dstnat dst-nat 120 2
12 dstnat dst-nat 0 0
13 ;;; ftp-data
dstnat dst-nat 0 0
14 dstnat dst-nat 800 20