IPSec connection established but network is not reachable

Hello,

I have set up an IPsec tunnel between my MikroTik router and another device (I don't even know what kind of device it is).
The connection is established, but my internal network cannot reach the LAN behind the other device.

Actually, I have seen that there is no route for that network. Is this normal?
Any suggestions on how to troubleshoot this issue?

Thank you,

IPsec does not automatically configure routes or NAT rules. You will need to add a static route on each end with the LAN interface as the gateway. You will also need to add a NAT rule on each end to accept the routed subnet so that it is not processed by your masquerade rule.

When you say "on each end", I guess you mean on each of the two devices (my MikroTik and the router at the other side). Now, I don't have access to the other router, but I can ask the owner to do that.

In the meantime I can configure my device. Could you please tell me what commands I should use for the static route and the NAT, assuming that my LAN subnet is 192.168.217.0/24 and the remote subnet is 172.20.14.0/24?

Many thanks, Dave

/ip firewall nat
add action=accept chain=srcnat comment="VPN" dst-address=172.20.14.0/24 src-address=192.168.217.0/24

/ip route
add check-gateway=arp comment="VPN" distance=2 dst-address=172.20.14.0/24 gateway=bridge
(replace "bridge" with the name of your LAN interface)

If it’s configured correctly on the other end, it should work.
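For reference, here is a complete MikroTik-side configuration for the two subnets in this thread, as an added example (it is not code posted in the thread). It assumes RouterOS 6.45 or later syntax, IKEv2 with a pre-shared key, a remote peer at 203.0.113.10 (a documentation address standing in for the real 5.135.XX.XX), the LAN on an interface named bridge and the WAN on ether1; every one of those values is an assumption to replace with your own, and the phase 1/phase 2 algorithms must match whatever the other side offers.

```routeros
# Added example, not from the thread. RouterOS 6.45+ / v7 syntax.
# Assumed values: remote peer 203.0.113.10 (stands in for 5.135.XX.XX), IKEv2 with PSK,
# LAN on interface "bridge", WAN on ether1. Replace to match your setup.

# Phase 1 (IKE) parameters; must match what the other side proposes.
/ip ipsec profile
add name=vpn-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=1d

# Phase 2 (ESP) parameters; must match the other side as well.
/ip ipsec proposal
add name=vpn-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=1h

/ip ipsec peer
add name=vpn-peer address=203.0.113.10/32 exchange-mode=ike2 profile=vpn-profile

/ip ipsec identity
add peer=vpn-peer auth-method=pre-shared-key secret="replace-with-a-long-random-psk"

# The policy selectors decide which traffic enters the tunnel. A route towards the
# LAN bridge is not what forwards the packets; the policy match is.
/ip ipsec policy
add peer=vpn-peer tunnel=yes src-address=192.168.217.0/24 dst-address=172.20.14.0/24 \
    proposal=vpn-proposal action=encrypt comment="VPN"

# NAT bypass. It must sit above the masquerade rule: if masquerade runs first, the
# source becomes the WAN address and the policy's src selector no longer matches.
# place-before=0 puts the rule at the top of the srcnat chain.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.217.0/24 dst-address=172.20.14.0/24 \
    comment="VPN bypass" place-before=0

# Let IKE and ESP from the peer reach the router, and let tunnel traffic through forward.
# These must be above any drop rules in their chains.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.10 comment="IKE from peer"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 comment="ESP from peer"
add chain=forward action=accept ipsec-policy=in,ipsec comment="decrypted VPN traffic in"
add chain=forward action=accept ipsec-policy=out,ipsec comment="LAN traffic about to be encrypted"
```

If the firewall already has a fasttrack rule for established/related connections, it also has to be kept away from this traffic (see the fasttrack exclusion discussed later in the thread), because fasttracked packets skip the IPsec policy lookup entirely.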

I added both settings, but nothing changes.

Can you post the output of:

/ip ipsec remote-peer print

/ip route check xxx.xxx.xxx.xxx (valid IP of a system on the destination LAN)

80.78.XX.XX = my public IP address
5.135.XX.XX = remote IP address

Output is:
[admin@MikroTik] /ip> ipsec remote-peer print
0 local-address=80.78.XX.XX remote-address=5.135.XX.XX state=established
side=responder established=3h57m

80.78.YY.Y = gateway of my router
[admin@MikroTik] > ip route check 172.20.14.1
status: ok
interface: ether1
nexthop: 80.78.YY.Y

Nexthop should have been 172.20.14.1, not your gateway.
Please post both sides of the VPN if possible.

I don't have access to the other side. For sure the other side is not using MikroTik.

Any other idea?

The gateway of the route does not matter; it does not even matter whether you have a specific route, typically the default route is enough. IPsec doesn't use that information to forward packets.
Check the installed SAs to see if phase 2 is established correctly, and also make sure that the accept NAT rule is at the top.

I see that the connection is established. Under installed SAs I see 2 installed SAs, sometimes 4...
As I remember (right now I cannot access the router), only one SA shows bytes; on the other it is always zero.
I remember that the accept NAT rule is also at the top.

Can you please tell me what commands to run and what the results should be.

Many thanks

You can see the 2 screenshots attached.

Installed SAs are 4, and the NAT rules:
installedSA.png
NAT.png

Since you have not posted at least your config, it makes it hard to help you.

It could be that your issues are firewall related; try these and see if they help.

/ip firewall address-list
add address=172.20.14.0/24 list=ipsec
/ip firewall filter
add action=fasttrack-connection chain=forward comment="FastTrack, excluding IPsec-marked connections" connection-mark=!ipsec connection-state=established,related
add action=accept chain=input comment="ipsec" connection-state=new disabled=no src-address-list=ipsec
/ip firewall mangle
add action=mark-connection chain=forward comment="mark outbound IPsec traffic" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark inbound IPsec traffic" ipsec-policy=in,ipsec new-connection-mark=ipsec

source:
https://schemen.me/mikrotik-fast-track-that-excludes-ipsec/
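Since the thread asks which commands to run and what the results should look like, here is a verification sequence for the MikroTik side, added as an example and not taken from the thread. It assumes RouterOS 6.43 or later (where remote-peers was renamed active-peers), that 192.168.217.1 is the router's own LAN address and that 172.20.14.1 is a live host on the remote LAN; adjust those addresses to your network.

```routeros
# Added example: verification steps for the MikroTik side, with what a working tunnel shows.
# Assumed: RouterOS 6.43+, router LAN address 192.168.217.1, reachable remote host 172.20.14.1.

# 1. Phase 1: one entry for the peer with state=established.
#    (On RouterOS older than 6.43 the menu is /ip ipsec remote-peer print.)
/ip ipsec active-peers print

# 2. Phase 2: the policy must show active=yes and ph2-state=established.
#    ph2-state=no-phase2 means the selectors or the proposal do not match the other end.
/ip ipsec policy print detail where dst-address=172.20.14.0/24

# 3. One policy yields two SAs, one per direction. While traffic flows, current-bytes
#    must grow on both. Only the inbound SA growing means the far side encrypts but
#    our side never sends, typically because NAT or fasttrack handled the packet before
#    the policy saw it. Only the outbound SA growing points at the far side.
/ip ipsec installed-sa print

# 4. Generate traffic from an address inside the policy's src selector, then re-check 3.
/ping 172.20.14.1 src-address=192.168.217.1 count=5

# 5. The accept (bypass) rule's packet counter must increase during the ping. If the
#    masquerade rule's counter increases instead, the accept rule is below it.
/ip firewall nat print stats

# 6. Fasttracked connections skip the IPsec policy lookup. A growing fasttrack counter
#    while the tunnel stays silent points at the fasttrack rule.
/ip firewall filter print stats where action=fasttrack-connection

# 7. ESP must leave on the WAN interface towards the peer and come back from it.
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
```

Run step 4 in a second terminal while watching steps 3, 5 and 7; the first counter that stays at zero tells you which stage (policy match, NAT order, fasttrack, or the remote side) is dropping the traffic.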