Hi,
wondering if anyone can spot what I’ve missed in the following; essentially I have a Draytek router in my home office and I’m setting up a connection to a colocation site, where my server sits behind a MikroTik router on its admin port.
Home net is 192.168.2.0/24
Remote admin net is 192.168.253.0/24
RB450, ether0 is WAN, ether1 is admin network.
I’ve configured the IPsec peer on the MikroTik as:
address=/32:500 auth-method=pre-shared-key secret="<think I'm going to tell you?>"
generate-policy=yes exchange-mode=main send-initial-contact=no
nat-traversal=no proposal-check=obey hash-algorithm=md5
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5
Policy is dynamic and it gets set up fine when the Draytek connects; at this point, the Draytek shows an IPsec connection to the MikroTik is alive.
From a system behind the Draytek at home, I can ping the admin IP address of the MikroTik fine; in this case from 192.168.2.2 → 192.168.253.1.
If I try to ping my server from the box at home and dump the ICMP packets on the interface, I see a ping packet from 192.168.2.2 and a response going back out.
Problem is, from the MikroTik router I can’t ping 192.168.2.2 (or 192.168.2.1, the Draytek), and the packets from the server never make it back to the home LAN.
My firewall NAT rules have:
0 chain=srcnat action=accept src-address=192.168.253.0/24 dst-address=192.168.2.0/24
to prevent srcnat being applied on the outgoing packets, but I suspect that there is something I’ve overlooked.
Before anyone asks, no, I can’t let you log into our production switches to have a look, or supply a full config dump; I am happy to provide a summary of how to set this up for others to use in future - I know there are a lot of Draytek users out there.
Cheers
m
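One check worth running against the NAT chain described in the post above, as an added example that is not from the original post, from the poster's router, or from MikroTik: a small Python model of first-match srcnat evaluation. It assumes a typical masquerade rule on ether0 (not shown in the post), uses constructed addresses and packets, and demonstrates why the accept rule only protects tunnel traffic if it sits above any masquerade rule that would also match it, since in RouterOS the IPsec policy selector is evaluated after srcnat and therefore sees the post-NAT source address.

```python
import ipaddress

# Added example (not the poster's configuration): a tiny first-match model of the
# RouterOS srcnat chain, used to check that a NAT-bypass rule for IPsec traffic
# actually takes effect. Addresses below are constructed for illustration.
ADMIN_NET = "192.168.253.0/24"   # remote admin network from the post
HOME_NET = "192.168.2.0/24"      # home network from the post
WAN_IP = "198.51.100.1"          # constructed documentation address for the WAN side

# Constructed rules in RouterOS style. The poster's rule 0 is the bypass rule;
# the masquerade rule is an assumed typical default for a router with a WAN port.
BYPASS_RULE = {"chain": "srcnat", "action": "accept",
               "src-address": ADMIN_NET, "dst-address": HOME_NET}
MASQ_RULE = {"chain": "srcnat", "action": "masquerade", "out-interface": "ether0"}

# Constructed packets: a server reply heading back over the tunnel, and an
# ordinary internet-bound packet that should still be masqueraded.
VPN_REPLY = {"src": "192.168.253.10", "dst": "192.168.2.2", "out_iface": "ether0"}
INTERNET_PKT = {"src": "192.168.253.10", "dst": "203.0.113.5", "out_iface": "ether0"}


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(rule, pkt):
    """True when every matcher present on the rule matches the packet."""
    if "src-address" in rule and not _in_net(pkt["src"], rule["src-address"]):
        return False
    if "dst-address" in rule and not _in_net(pkt["dst"], rule["dst-address"]):
        return False
    if "out-interface" in rule and rule["out-interface"] != pkt["out_iface"]:
        return False
    return True


def apply_srcnat(rules, pkt, wan_ip=WAN_IP):
    """Walk the srcnat chain top to bottom; the first matching terminating rule wins.

    Returns (source address after NAT, index of the rule that decided it).
    """
    for idx, rule in enumerate(rules):
        if rule["chain"] != "srcnat" or not rule_matches(rule, pkt):
            continue
        if rule["action"] == "accept":
            return pkt["src"], idx        # leave the packet alone, stop processing
        if rule["action"] == "masquerade":
            return wan_ip, idx            # rewrite source to the WAN address
    return pkt["src"], None               # nothing matched: no NAT applied


def ipsec_policy_selects(src_after_nat, dst, src_sel=ADMIN_NET, dst_sel=HOME_NET):
    """The IPsec policy selector is checked after srcnat, so it sees the post-NAT source."""
    return _in_net(src_after_nat, src_sel) and _in_net(dst, dst_sel)


def misordered_rules(rules):
    """Report bypass rules that sit below a masquerade rule matching the same traffic.

    Returns a list of (masquerade index, bypass index) pairs; empty means the order is fine.
    """
    problems = []
    for b_idx, bypass in enumerate(rules):
        if bypass["action"] != "accept" or "src-address" not in bypass:
            continue
        # Probe packet: first usable host of each selector, leaving via the WAN port (assumed ether0).
        probe = {"src": str(ipaddress.ip_network(bypass["src-address"])[1]),
                 "dst": str(ipaddress.ip_network(bypass.get("dst-address", "0.0.0.0/0"))[1]),
                 "out_iface": "ether0"}
        for m_idx in range(b_idx):
            if rules[m_idx]["action"] == "masquerade" and rule_matches(rules[m_idx], probe):
                problems.append((m_idx, b_idx))
    return problems


if __name__ == "__main__":
    for label, rules in (("bypass first", [BYPASS_RULE, MASQ_RULE]),
                         ("masquerade first", [MASQ_RULE, BYPASS_RULE])):
        src, idx = apply_srcnat(rules, VPN_REPLY)
        print(f"{label}: reply leaves with src {src} (rule {idx}), "
              f"matches IPsec policy: {ipsec_policy_selects(src, VPN_REPLY['dst'])}")
    print("misordered pairs:", misordered_rules([MASQ_RULE, BYPASS_RULE]))
```

With the bypass rule first, the server's reply keeps its 192.168.253.x source and falls inside the dynamic policy's selector; with a masquerade rule above it, the reply leaves with the WAN address, no longer matches the policy, and goes out in the clear instead of into the tunnel. On a real router the equivalent check is `/ip firewall nat print` to confirm the accept rule is numbered above any masquerade or src-nat rule for the WAN interface.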
