ipsec fail

Hello,

I have used the guide located here to create a mikrotik to mikrotik tunnel: http://wiki.mikrotik.com/wiki/IPsec#Site_to_Site_IpSec_Tunnel. The tunnel was up and working for a couple of days and then suddenly stopped working without any config change. Here’s my config. I’ve changed public IP and key to mask identity.

Site 1:
routerboard: yes
model: CCR1016-12G
serial-number: 3F68021E4032
current-firmware: 3.03
upgrade-firmware: 3.04

0 address=1.1.1.1/32 port=500 auth-method=pre-shared-key secret="key"
generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=yes
my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

0 src-address=10.33.33.0/24 src-port=any dst-address=192.168.15.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=default priority=0

0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

Site 2:
routerboard: yes
model: 2011UAS-2HnD
serial-number: 402702E4E616
current-firmware: 3.04
upgrade-firmware: 3.08

0 address=2.2.2.2/32 port=500 auth-method=pre-shared-key secret="key"
generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=yes
my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

0 src-address=192.168.15.0/24 src-port=any dst-address=10.33.33.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=default priority=0

0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

Also have NAT exemption on both sides. As noted, the tunnel worked for a period of time and then stopped working. Previously both LANs were able to ping each other. Phase 1 failing. Here's the log from site 1 during a continuous ping from an inside host.

11:36:06 ipsec,debug suitable outbound SP found: 10.33.33.0/24[0] 192.168.15.0/24[0] proto=any dir=out
11:36:06 ipsec,debug suitable inbound SP found: 192.168.15.0/24[0] 10.33.33.0/24[0] proto=any dir=in
11:36:06 ipsec,debug new acquire 10.33.33.0/24[0] 192.168.15.0/24[0] proto=any dir=out
11:36:06 ipsec,debug,packet  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
11:36:06 ipsec,debug,packet   (trns_id=3DES encklen=0 authtype=hmac-sha)
11:36:06 ipsec,debug request for establishing IPsec-SA was queued due to no phase1 found.
11:36:07 ipsec,debug,packet 324 bytes from 2.2.2.2[500] to 1.1.1.1[500]
11:36:07 ipsec,debug,packet sockname 2.2.2.2[500]
11:36:07 ipsec,debug,packet send packet from 2.2.2.2[500]
11:36:07 ipsec,debug,packet send packet to 1.1.1.1[500]
11:36:07 ipsec,debug,packet src4 2.2.2.2[500]
11:36:07 ipsec,debug,packet dst4 1.1.1.1[500]
11:36:07 ipsec,debug,packet 1 times of 324 bytes message will be sent to 1.1.1.1[500]
11:36:07 ipsec,debug,packet resend phase1 packet 47ed3aaec9cdbf94:0000000000000000
11:36:17 ipsec,debug,packet 324 bytes from 2.2.2.2[500] to 1.1.1.1[500]
11:36:17 ipsec,debug,packet sockname 2.2.2.2[500]
11:36:17 ipsec,debug,packet send packet from 2.2.2.2[500]
11:36:17 ipsec,debug,packet send packet to 1.1.1.1[500]
11:36:17 ipsec,debug,packet src4 2.2.2.2[500]
11:36:17 ipsec,debug,packet dst4 1.1.1.1[500]
11:36:17 ipsec,debug,packet 1 times of 324 bytes message will be sent to 1.1.1.1[500]
11:36:17 ipsec,debug,packet resend phase1 packet 47ed3aaec9cdbf94:0000000000000000

Thanks.
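A small checker for the pattern in the log above, added here as an example and not part of the original post: it groups the RouterOS `resend phase1 packet` lines by initiator cookie and flags an exchange whose responder cookie is still all zeros after several retransmits, which means the far side never answered the first main mode message. The sample log lines are constructed to match the format above, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the format of the ipsec,debug log above: one acquire for the
# LAN pair, then the same phase 1 packet retransmitted every 10 s with no answer.
SAMPLE_LOG = """\
11:36:06 ipsec,debug new acquire 10.33.33.0/24[0] 192.168.15.0/24[0] proto=any dir=out
11:36:06 ipsec,debug request for establishing IPsec-SA was queued due to no phase1 found.
11:36:07 ipsec,debug,packet 1 times of 324 bytes message will be sent to 1.1.1.1[500]
11:36:07 ipsec,debug,packet resend phase1 packet 47ed3aaec9cdbf94:0000000000000000
11:36:17 ipsec,debug,packet 1 times of 324 bytes message will be sent to 1.1.1.1[500]
11:36:17 ipsec,debug,packet resend phase1 packet 47ed3aaec9cdbf94:0000000000000000
11:36:27 ipsec,debug,packet 1 times of 324 bytes message will be sent to 1.1.1.1[500]
11:36:27 ipsec,debug,packet resend phase1 packet 47ed3aaec9cdbf94:0000000000000000
"""

# "resend phase1 packet <initiator cookie>:<responder cookie>". The first main mode
# message carries an all-zero responder cookie; it only becomes non-zero once the
# responder's reply has been received.
RESEND = re.compile(
    r"^(\d\d:\d\d:\d\d) ipsec,debug,packet resend phase1 packet "
    r"([0-9a-f]{16}):([0-9a-f]{16})$"
)
SENT_TO = re.compile(r"message will be sent to (\d+\.\d+\.\d+\.\d+\[\d+\])")
ACQUIRE = re.compile(r"new acquire (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=out")
ZERO_COOKIE = "0" * 16


def _clock(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def analyze_phase1(log_text, max_silent_resends=3):
    """Summarise phase 1 attempts in a RouterOS ipsec debug log.

    Returns {"acquires": [(src, dst), ...],
             "exchanges": {initiator_cookie: {...}},
             "findings": [description of each stalled exchange]}.
    """
    acquires, exchanges, peer = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ACQUIRE.search(line)
        if m:                       # policy selector whose traffic triggered IKE
            acquires.append((m.group(1), m.group(2)))
            continue
        m = SENT_TO.search(line)
        if m:                       # destination of the phase 1 packet that follows
            peer = m.group(1)
            continue
        m = RESEND.match(line)
        if not m:
            continue
        ts, icookie, rcookie = m.groups()
        ex = exchanges.setdefault(icookie, {
            "peer": peer, "first": ts, "last": ts,
            "resends": 0, "responder_replied": False,
        })
        ex["resends"] += 1
        ex["last"] = ts
        if rcookie != ZERO_COOKIE:
            ex["responder_replied"] = True

    findings = []
    for icookie, ex in exchanges.items():
        if ex["responder_replied"] or ex["resends"] < max_silent_resends:
            continue
        span = (_clock(ex["last"]) - _clock(ex["first"])).total_seconds()
        findings.append(
            f"phase1 {icookie} to {ex['peer']}: {ex['resends']} retransmits over "
            f"{span:.0f}s with the responder cookie still zero, so the far side never "
            "answered on udp/500 (check reachability, the peer address configured on "
            "the far side, and any input filter dropping udp/500)"
        )
    return {"acquires": acquires, "exchanges": exchanges, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_phase1(SAMPLE_LOG)["findings"]:
        print(finding)
```

Feed it the output of `/log print` filtered to the ipsec topic; an exchange that keeps retransmitting with a zero responder cookie is a reachability or peer-address problem, not a proposal mismatch, which would show a reply followed by a rejection.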

What version of ROS and do you have other peers or policies in the config? Some of the ROS v6 versions had issues with peer matching.

There are no other peers/policies configured. Here are versions.

Site 1:

NAME VERSION SCHEDULED

0 routing 6.0rc11
1 X wireless 6.0rc11
2 system 6.0rc11
3 routeros-tile 6.0rc11
4 advanced-tools 6.0rc11
5 security 6.0rc11
6 hotspot 6.0rc11
7 mpls 6.0rc11
8 X ipv6 6.0rc11
9 dhcp 6.0rc11
10 ppp 6.0rc11

Site 2:

NAME VERSION SCHEDULED

0 system 5.26
1 X ipv6 5.26
2 wireless 5.26
3 dhcp 5.26
4 hotspot 5.26
5 ppp 5.26
6 routerboard 5.26
7 routing 5.26
8 routeros-mipsbe 5.26
9 advanced-tools 5.26
10 mpls 5.26
11 security 5.26

I’d upgrade.

Sent from my SCH-I545 using Tapatalk

Seems like a good idea. I’ll do that and see how it goes.

Let me know. There were a bunch of IPSec issues in the early v6 versions…

There’s an improvement. I’m seeing installed SAs. However, still no ping. Was able to update to 6.6 in site 1. Site 2 is at the maximum version for the hardware I guess. It’s at 5.26 and reports no updates available. In the ipsec log I see successful phase 1 and phase 2, and subsequent DPD. I don’t see anything that looks like a problem, but I don’t know if my eye is sharp enough. Have a look:

15:25:16 ipsec,debug,packet ==========
15:25:16 ipsec,debug,packet 92 bytes message received from 1.1.1.1[500] to 2.2.2.2[500]
15:25:16 ipsec,debug,packet 49b09df1 9bb299b6 c2d3dc6f 69c6e2ab 08100501 d7a4367c 0000005c afed0c13
15:25:16 ipsec,debug,packet 9074f15d 7d0c0f8c a8780383 c97c33f1 4b88bbfc 1a3d6482 3ba31561 a71e7c81
15:25:16 ipsec,debug,packet 39fca5e7 82c9ef11 4406c0e7 5d23e670 8e0524a8 c6659458 2b2771bc
15:25:16 ipsec,debug,packet receive Information.
15:25:16 ipsec,debug,packet compute IV for phase2
15:25:16 ipsec,debug,packet phase1 last IV:
15:25:16 ipsec,debug,packet 03c0e067 429347e7 d7a4367c
15:25:16 ipsec,debug,packet hash(sha1)
15:25:16 ipsec,debug,packet encryption(3des)
15:25:16 ipsec,debug,packet phase2 IV computed:
15:25:16 ipsec,debug,packet a55b301a f3a157d1
15:25:16 ipsec,debug,packet encryption(3des)
15:25:16 ipsec,debug,packet IV was saved for next processing:
15:25:16 ipsec,debug,packet c6659458 2b2771bc
15:25:16 ipsec,debug,packet encryption(3des)
15:25:16 ipsec,debug,packet with key:
15:25:16 ipsec,debug,packet a817f7bd 3aefb56f b50afe22 80c44f19 11e50eaf 7abb1054
15:25:16 ipsec,debug,packet decrypted payload by IV:
15:25:16 ipsec,debug,packet a55b301a f3a157d1
15:25:16 ipsec,debug,packet decrypted payload, but not trimed.
15:25:16 ipsec,debug,packet 0b000018 6b0b1cdd 44139750 230c94c0 ec17bbef c538d173 00000020 00000001
15:25:16 ipsec,debug,packet 01108d29 49b09df1 9bb299b6 c2d3dc6f 69c6e2ab 000001b6 3dac2138 e8587c07
15:25:16 ipsec,debug,packet padding len=8
15:25:16 ipsec,debug,packet skip to trim padding.
15:25:16 ipsec,debug,packet decrypted.
15:25:16 ipsec,debug,packet 49b09df1 9bb299b6 c2d3dc6f 69c6e2ab 08100501 d7a4367c 0000005c 0b000018
15:25:16 ipsec,debug,packet 6b0b1cdd 44139750 230c94c0 ec17bbef c538d173 00000020 00000001 01108d29
15:25:16 ipsec,debug,packet 49b09df1 9bb299b6 c2d3dc6f 69c6e2ab 000001b6 3dac2138 e8587c07
15:25:16 ipsec,debug,packet HASH with:
15:25:16 ipsec,debug,packet d7a4367c 00000020 00000001 01108d29 49b09df1 9bb299b6 c2d3dc6f 69c6e2ab
15:25:16 ipsec,debug,packet 000001b6
15:25:16 ipsec,debug,packet hmac(hmac_sha1)
15:25:16 ipsec,debug,packet HASH computed:
15:25:16 ipsec,debug,packet 6b0b1cdd 44139750 230c94c0 ec17bbef c538d173
15:25:16 ipsec,debug,packet hash validated.
15:25:16 ipsec,debug,packet begin.
15:25:16 ipsec,debug,packet seen nptype=8(hash)
15:25:16 ipsec,debug,packet seen nptype=11(notify)
15:25:16 ipsec,debug,packet succeed.
15:25:16 ipsec,debug,packet DPD R-U-There-Ack received
15:25:16 ipsec,debug,packet received an R-U-THERE-ACK

Post the full export from ipsec on each and I’ll take a look tonight

Sent from my SCH-I545 using Tapatalk

There isn’t much more in the log buffer that I can see. Can I make the buffer larger? I don’t currently have syslog configured on either side.

Tunnel came up fully after sending a ping from Site 1. When sending from Site 2, it wouldn’t work. I don’t understand why. What setting determines which one is the initiator and which is the responder? Both have the same settings as you can see on both sides.

Both sides have this set:
send-initial-contact=yes

It checks only for a new minor version, so if you have 5.xx then it checks for a newer 5.xx (not 6.xx). If you want to upgrade to 6.xx you have to do it manually:

  1. download upgrade package: http://www.mikrotik.com/download
  2. transfer it into /files on your router
  3. reboot router

Remember to do /system routerboard upgrade after RouterOS upgrade - this updates firmware.
It is always better to have identical RouterOS versions on both sites.

Not sure if it matters, but generally only one side has that set… the other is a "responder".

I have upgraded to 6.6 in site 2 and upgraded firmware. Now both are v6.6 with 3.10 firmware. Result is the same. Cannot initiate tunnel from site 2. If I ping from site 1, the tunnel comes up. Both sites should be able to initiate the tunnel, but it would be more important to have site 2 initiate and site 2 respond. Any ideas?

This is making me crazy. My configuration is perfect or else I'm missing something. Recap ...

SITE 1
/system routerboard print
routerboard: yes
model: CCR1016-12G
serial-number: 3F68021E4032
current-firmware: 3.10
upgrade-firmware: 3.10

/system package print
Flags: X - disabled

NAME VERSION SCHEDULED

0 routeros-tile 6.6
1 system 6.6
2 X ipv6 6.6
3 X wireless 6.6
4 hotspot 6.6
5 dhcp 6.6
6 mpls 6.6
7 routing 6.6
8 ppp 6.6
9 security 6.6
10 advanced-tools 6.6

/ip ipsec peer print
Flags: X - disabled
0 address=1.1.1.1/32 passive=no port=500 auth-method=pre-shared-key
secret="key" generate-policy=no exchange-mode=main
send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=10.33.33.0/24 src-port=any dst-address=192.168.15.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=default priority=0

/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept to-addresses=0.0.0.0 src-address=10.33.33.0/24
dst-address=192.168.15.0/24

SITE 2
/system routerboard print
routerboard: yes
model: 2011UAS-2HnD
serial-number: 402702E4E616
current-firmware: 3.10
upgrade-firmware: 3.10

/system package print
Flags: X - disabled

NAME VERSION SCHEDULED

0 routeros-mipsbe 6.6
1 wireless 6.6
2 ppp 6.6
3 system 6.6
4 security 6.6
5 dhcp 6.6
6 mpls 6.6
7 X ipv6 6.6
8 routing 6.6
9 hotspot 6.6
10 advanced-tools 6.6

/ip ipsec peer print
Flags: X - disabled
0 address=2.2.2.2/32 passive=no port=500 auth-method=pre-shared-key
secret="key" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=192.168.15.0/24 src-port=any dst-address=10.33.33.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=default priority=0

/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept to-addresses=0.0.0.0 src-address=192.168.15.0/24
dst-address=10.33.33.0/24

Does anybody know where I can start looking next? Here's a recap of the behavior:

Two installed-sa appear in each site, with two unique SPI. At this point, traffic is not passing between LANs. Ping from site 2 to site 1 yields no result. No returned packets, no change in installed SA.

Site 1
/ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x2E1900C src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="f05471bff7b6406f9c15e05a2dcadf3f3f54cc4d"
enc-key="1694ca79a4eed75614b705d86c1afcda3b25b0995a490d16" add-lifetime=24m/30m

1 E spi=0xA3157A5 src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="2936c666fdf8da95583d5e6a1b18665f5aedefcb"
enc-key="6bc87355fe1dcbfec29aac499d5a5dd1ae25d41c8e20ea67" add-lifetime=24m/30m

Site 2
/ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x2E1900C src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="f05471bff7b6406f9c15e05a2dcadf3f3f54cc4d"
enc-key="1694ca79a4eed75614b705d86c1afcda3b25b0995a490d16"
addtime=nov/19/2013 19:32:02 expires-in=17m24s add-lifetime=24m/30m
current-bytes=5156

1 E spi=0xA3157A5 src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="2936c666fdf8da95583d5e6a1b18665f5aedefcb"
enc-key="6bc87355fe1dcbfec29aac499d5a5dd1ae25d41c8e20ea67" add-lifetime=24m/30m

After a ping from site 1 to site 2, the installed SAs change to this:

Site 1
/ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x2E1900C src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="f05471bff7b6406f9c15e05a2dcadf3f3f54cc4d"
enc-key="1694ca79a4eed75614b705d86c1afcda3b25b0995a490d16"
addtime=nov/19/2013 14:32:02 expires-in=12m47s add-lifetime=24m/30m
current-bytes=828

1 E spi=0xA3157A5 src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="2936c666fdf8da95583d5e6a1b18665f5aedefcb"
enc-key="6bc87355fe1dcbfec29aac499d5a5dd1ae25d41c8e20ea67"
addtime=nov/19/2013 14:32:02 expires-in=12m47s add-lifetime=24m/30m
current-bytes=828

Site 2
/ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x2E1900C src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="f05471bff7b6406f9c15e05a2dcadf3f3f54cc4d"
enc-key="1694ca79a4eed75614b705d86c1afcda3b25b0995a490d16"
addtime=nov/19/2013 19:32:02 expires-in=12m42s add-lifetime=24m/30m
current-bytes=11948

1 E spi=0xA3157A5 src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=sha1
enc-algorithm=3des replay=4 state=mature
auth-key="2936c666fdf8da95583d5e6a1b18665f5aedefcb"
enc-key="6bc87355fe1dcbfec29aac499d5a5dd1ae25d41c8e20ea67"
addtime=nov/19/2013 19:32:02 expires-in=12m42s add-lifetime=24m/30m
current-bytes=1068

You can see some bits changed in spi=0xA3157A5. Addtime was added to the SA. Not sure what that means, other than that it became active at that point. Again, I'm having a really hard time detecting any problem with the configuration. Does anybody know how to root out this problem? Is IPSEC actually working in RouterOS? Thanks for your time.
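A mirror check for the recap above, added as an example that is not part of the thread or of RouterOS: it parses the `print` output of both sites and verifies what a site-to-site tunnel needs to agree on (each peer address against the SA endpoints on both sides, mirrored policy selectors, matching phase 1 and proposal parameters, at least one non-passive peer, and a srcnat accept rule for the LAN pair ordered before masquerade). The sample dumps are the two recaps above trimmed to those sections; `parse_print` and `check_site_to_site` are my own names.

```python
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value tokens, value may be quoted

# Both recaps from the post, trimmed to the sections the check reads.
SITE1 = """\
/ip ipsec peer print
0 address=1.1.1.1/32 passive=no port=500 auth-method=pre-shared-key
secret="key" exchange-mode=main send-initial-contact=no nat-traversal=no
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
/ip ipsec policy print
0 src-address=10.33.33.0/24 src-port=any dst-address=192.168.15.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=default priority=0
/ip ipsec proposal print
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ip firewall nat print
0 chain=srcnat action=accept to-addresses=0.0.0.0 src-address=10.33.33.0/24
dst-address=192.168.15.0/24
"""
SITE2 = """\
/ip ipsec peer print
0 address=2.2.2.2/32 passive=no port=500 auth-method=pre-shared-key
secret="key" exchange-mode=main send-initial-contact=yes nat-traversal=no
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
/ip ipsec policy print
0 src-address=192.168.15.0/24 src-port=any dst-address=10.33.33.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=default priority=0
/ip ipsec proposal print
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ip firewall nat print
0 chain=srcnat action=accept to-addresses=0.0.0.0 src-address=192.168.15.0/24
dst-address=10.33.33.0/24
"""

def parse_print(text):
    """Turn RouterOS 'print' output into {"/ip ipsec peer": [{key: value}, ...], ...}.
    An entry starts with a line whose first token is its index; index-less lines
    that follow are the wrapped remainder of the same entry."""
    sections, entries, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):          # section header such as "/ip ipsec peer print"
            entries = sections.setdefault(line.replace(" print", ""), [])
            entry = None
            continue
        if entries is not None and re.match(r"^\d+\s", line):
            entry = {}
            entries.append(entry)
        if entry is not None:
            for key, value in KV.findall(line):
                entry[key] = value.strip('"')
    return sections

def first(site, section):
    return (site.get(section) or [{}])[0]

def check_site_to_site(a, b):
    """Compare two parsed sites; return the list of mismatches (empty means consistent)."""
    problems = []
    pa, pb = first(a, "/ip ipsec peer"), first(b, "/ip ipsec peer")
    ya, yb = first(a, "/ip ipsec policy"), first(b, "/ip ipsec policy")
    ra, rb = first(a, "/ip ipsec proposal"), first(b, "/ip ipsec proposal")
    # A side's peer address must be its own sa-dst-address and the far side's sa-src-address.
    for name, peer, mine, theirs in (("A", pa, ya, yb), ("B", pb, yb, ya)):
        addr = peer.get("address", "").split("/")[0]
        if addr != mine.get("sa-dst-address") or addr != theirs.get("sa-src-address"):
            problems.append(f"{name}: peer address {addr} does not match the SA endpoints")
    # The policy selectors must be exact mirrors of each other.
    if (ya.get("src-address"), ya.get("dst-address")) != (yb.get("dst-address"), yb.get("src-address")):
        problems.append("policy src/dst selectors are not mirrored")
    # Phase 1 (peer) and phase 2 (proposal) parameters must agree on both sides.
    for key in ("auth-method", "exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group"):
        if pa.get(key) != pb.get(key):
            problems.append(f"peer {key} differs: {pa.get(key)} vs {pb.get(key)}")
    for key in ("auth-algorithms", "enc-algorithms", "pfs-group"):
        if ra.get(key) != rb.get(key):
            problems.append(f"proposal {key} differs: {ra.get(key)} vs {rb.get(key)}")
    # Somebody has to initiate: two passive responders never bring the tunnel up.
    if pa.get("passive") == "yes" and pb.get("passive") == "yes":
        problems.append("both peers are passive=yes; neither side will initiate phase 1")
    # LAN-to-LAN traffic must be exempted from source NAT before any masquerade rule,
    # otherwise the rewritten source address no longer matches the policy selector.
    for name, site, pol in (("A", a, ya), ("B", b, yb)):
        rules = site.get("/ip firewall nat", [])
        accept = [i for i, r in enumerate(rules)
                  if r.get("chain") == "srcnat" and r.get("action") == "accept"
                  and r.get("src-address") == pol.get("src-address")
                  and r.get("dst-address") == pol.get("dst-address")]
        masq = [i for i, r in enumerate(rules) if r.get("action") == "masquerade"]
        if not accept:
            problems.append(f"{name}: no srcnat accept rule for "
                            f"{pol.get('src-address')} -> {pol.get('dst-address')}")
        elif masq and accept[0] > masq[0]:
            problems.append(f"{name}: srcnat accept rule is ordered after masquerade")
    return problems
```

On the recap dumps the check returns no problems, which agrees with the poster's reading that the two sides mirror each other; a non-empty list points at the exact parameter to fix.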

Do you have any routes or anything? Post your full exports.

Masked first two octets for most IPs in the configs with 99.99.

SITE 1
# nov/19/2013 15:19:02 by RouterOS 6.6

software id = CW6P-Y3YN

/interface ethernet
set [ find default-name=ether1 ] name=ether1-inside
set [ find default-name=ether2 ] name=ether2-outside
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=99.99.95.126/27 comment="Firewall Interface IP" interface=
ether2-outside network=99.99.95.96
add address=10.33.33.253/24 interface=ether1-inside network=10.33.33.0
add address=99.99.95.110/32 comment="AS-TERM" interface=
ether2-outside network=99.99.95.110
add address=99.99.95.104/32 comment="AS-WIKI"
interface=ether2-outside network=99.99.95.104
add address=99.99.95.109/32 comment="CFE-WEB "
interface=ether2-outside network=99.99.95.109
add address=99.99.95.108/32 comment="PSS-RDS "
interface=ether2-outside network=99.99.95.108
add address=99.99.95.107/32 comment="AS-GWME " interface=
ether2-outside network=99.99.95.107
add address=99.99.87.181/32 comment=AS-NYEXCH interface=ether2-outside
network=99.99.87.181
add address=99.99.87.183/32 comment=AS-NOCRDS interface=ether2-outside
network=99.99.87.183
add address=99.99.87.190/32 comment=AS-WWW1 interface=ether2-outside network=
99.99.87.190
add address=99.99.87.184/32 comment=DM-PROD03 interface=ether2-outside
network=99.99.87.184
add address=99.99.87.185/32 comment=DM-PROD01 interface=ether2-outside
network=99.99.87.185
add address=99.99.87.186/32 comment=DM-PROD02 interface=ether2-outside
network=99.99.87.186
add address=99.99.87.189/32 comment=DM-dev01 interface=ether2-outside
network=99.99.87.189
add address=99.99.87.187/32 comment=DM-dev02 interface=ether2-outside
network=99.99.87.187
add address=99.99.87.188/32 comment=DM-zimbra interface=ether2-outside
network=99.99.87.188
add address=99.99.95.105/32 comment=AS-MINTZ interface=ether2-outside
network=99.99.95.105
add address=99.99.95.103/32 comment=AS-NESSUS interface=ether2-outside
network=99.99.95.103
add address=99.99.95.111/32 comment=AS-MINTZ2 interface=ether2-outside
network=99.99.95.111
add address=99.99.95.102/32 comment=PSS-WWW interface=ether2-outside network=
99.99.95.102
/ip dns
set allow-remote-requests=yes servers=4.2.2.1,4.2.2.2
/ip firewall address-list
add address=72.89.243.211 list=tftp-allowed
add address=64.95.41.81 list=tftp-allowed
add address=38.96.176.2 list=tftp-allowed
add address=99.99.47.63 comment="Amoeba NY Office" list=tftp-allowed
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections"
connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=
established
add chain=input in-interface=!ether2-outside src-address=10.33.33.0/24
add chain=input src-address=192.168.15.0/24
add action=drop chain=input comment="Drop ICMP" protocol=icmp
add action=drop chain=input comment="Drop Everything Else"
add action=drop chain=forward comment="drop invalid connections"
connection-state=invalid protocol=tcp
add chain=forward comment="allow already established connections"
connection-state=established
add chain=forward comment="allow related connections" connection-state=
related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135
protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=
tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135
protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=
udp
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required"
icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=jump chain=forward dst-address=10.33.33.246 jump-target=as-wiki
add chain=as-wiki comment="as-wiki allow port 80" dst-port=80 protocol=tcp
add chain=as-wiki comment="as-wiki allow port 9091 openfire" dst-port=9091
protocol=tcp
add chain=as-wiki comment="as-wiki allow port 5222 openfire" dst-port=5222
protocol=tcp
add chain=as-wiki comment="as-wiki allow port 2765 openfire" dst-port=2765
protocol=tcp
add chain=as-wiki comment="as-wiki allow port 5269 openfire" dst-port=5269
protocol=tcp
add chain=as-wiki comment="as-wiki allow port 7777 openfire" dst-port=7777
protocol=tcp
add action=jump chain=forward dst-address=10.33.33.21 jump-target=as-term
add chain=as-term comment="as-term allow RDP" dst-port=3389 protocol=tcp
add action=drop chain=as-term comment="as-term Drop other ports"
add action=jump chain=forward dst-address=10.33.33.22 jump-target=cfe-web
add chain=cfe-web comment="cfe-web allow HTTP" dst-port=80 protocol=tcp
add chain=cfe-web comment="cfe-web allow HTTPS" dst-port=443 protocol=tcp
add chain=cfe-web comment="cfe-web allow ssh" dst-port=22 protocol=tcp
add chain=cfe-web comment="cfe-web allow JSPWiki" dst-port=8080 protocol=tcp
add action=drop chain=cfe-web comment="cfe-web Drop other ports"
add action=jump chain=forward dst-address=10.33.33.125 jump-target=pss-rds
add chain=pss-rds comment="pss-rds allow RDP" dst-port=3389 protocol=tcp
add action=drop chain=pss-rds comment="pss-rds Drop other ports"
add action=jump chain=forward dst-address=10.33.33.112 jump-target=as-gwme
add chain=as-gwme comment="as-gwme allow 5667" dst-port=5667 protocol=tcp
add chain=as-gwme comment="as-gwme allow 4913" dst-port=4913 protocol=tcp
add chain=as-gwme comment="as-gwme allow HTTPS" dst-port=443 protocol=tcp
add chain=as-gwme comment="as-gwme allow HTTP" dst-port=80 protocol=tcp
add chain=as-gwme comment="as-gwme allow SSH" dst-port=22 protocol=tcp
add action=drop chain=as-gwme comment="as-gwme Drop other ports"
add chain=as-wiki comment="as-wiki allow 5223" dst-port=5223 protocol=tcp
add chain=as-wiki comment=TFTP dst-port=69 protocol=udp src-address-list=
tftp-allowed
add chain=as-wiki comment="Wiki HTTPS" dst-port=443 protocol=tcp
add action=drop chain=as-wiki comment="as-wiki Drop other ports"
add action=jump chain=forward dst-address=10.33.33.20 jump-target=as-nyexch
add chain=as-nyexch comment="as-nyexch allow smtp" dst-port=25 protocol=tcp
add chain=as-nyexch comment="as-nyexch allow http" dst-port=80 protocol=tcp
add chain=as-nyexch comment="as-nyexch allow https" dst-port=443 protocol=tcp
add action=drop chain=as-nyexch
add action=jump chain=forward dst-address=10.33.33.217 jump-target=as-nocrds
add chain=as-nocrds comment="as-nocrd allow RDP" dst-port=3389 protocol=tcp
add action=drop chain=as-nocrds
add action=jump chain=forward dst-address=10.33.33.101 jump-target=as-www1
add chain=as-www1 comment="as-nocrd allow HTTP" dst-port=80 protocol=tcp
add chain=as-www1 comment="as-nocrd allow HTTPS" dst-port=443 protocol=tcp
add chain=as-www1 comment="as-nocrd allow SSH" dst-port=22 protocol=tcp
add action=drop chain=as-www1
add action=jump chain=forward dst-address=10.33.33.13 jump-target=dm-prod03
add chain=dm-prod03 comment="dm-prod03 allow HTTP" dst-port=80 protocol=tcp
add chain=dm-prod03 comment="dm-prod03 allow SSH" dst-port=2222 protocol=tcp
add action=drop chain=dm-prod03
add action=jump chain=forward dst-address=10.33.33.14 jump-target=dm-prod01
add chain=dm-prod01 comment="dm-prod01 allow HTTP" dst-port=80 protocol=tcp
add chain=dm-prod01 comment="dm-prod01 allow SSH" dst-port=2222 protocol=tcp
add action=drop chain=dm-prod01
add action=jump chain=forward dst-address=10.33.33.15 jump-target=dm-prod02
add chain=dm-prod02 comment="dm-prod02 allow HTTP" dst-port=80 protocol=tcp
add chain=dm-prod02 comment="dm-prod02 allow SSH" dst-port=2222 protocol=tcp
add action=jump chain=forward dst-address=10.33.33.18 jump-target=dm-dev01
add chain=dm-dev01 comment="dm-dev01 allow HTTP" dst-port=80 protocol=tcp
add chain=dm-dev01 comment="dm-dev01 allow SSH" dst-port=2222 protocol=tcp
add action=drop chain=dm-dev01
add action=jump chain=forward dst-address=10.33.33.16 jump-target=dm-dev02
add chain=dm-dev02 comment="dm-dev02 allow HTTP" dst-port=80 protocol=tcp
add chain=dm-dev02 comment="dm-dev02 allow SSH" dst-port=2222 protocol=tcp
add action=drop chain=dm-dev02
add action=jump chain=forward dst-address=10.33.33.17 jump-target=dm-zimbra
add chain=dm-zimbra comment="dm-zimbra allow HTTPS" dst-port=443 protocol=tcp
add chain=dm-zimbra comment="dm-zimbra allow SSH" dst-port=2222 protocol=tcp
add chain=dm-zimbra comment="dm-zimbra allow IMAP4" dst-port=143 protocol=tcp
add chain=dm-zimbra comment="dm-zimbra allow SMTP" dst-port=25 protocol=tcp
add chain=dm-zimbra comment="dm-zimbra allow zimbra" dst-port=7071 protocol=
tcp
add chain=dm-zimbra comment="dm-zimbra allow IMAPS" dst-port=993 protocol=tcp
add action=drop chain=dm-zimbra
add action=jump chain=forward dst-address=10.33.33.225 jump-target=as-mintz
add chain=as-mintz comment="as-mintz allow HTTP" dst-port=80 protocol=tcp
add chain=as-mintz comment="as-mintz allow HTTPS" dst-port=443 protocol=tcp
add chain=as-mintz comment="as-mintz allow SSH" dst-port=22 protocol=tcp
add action=drop chain=as-mintz
add chain=dm-prod02 comment="allow inclusion port" dst-port=3000 protocol=tcp
add action=drop chain=dm-prod02
add action=jump chain=forward dst-address=10.33.33.24 jump-target=as-nessus
add chain=as-nessus comment="as-nessus allow HTTPS" dst-port=8834 protocol=
tcp
add action=drop chain=as-nessus
add action=jump chain=forward dst-address=10.33.33.226 jump-target=as-mintz2
add chain=as-mintz2 comment="as-mintz2 allow HTTP" dst-port=80 protocol=tcp
add chain=as-mintz2 comment="as-mintz2 allow HTTPS" dst-port=443 protocol=tcp
add chain=as-mintz2 comment="as-mintz2 allow SSH" dst-port=22 protocol=tcp
add action=drop chain=as-mintz2
add action=jump chain=forward dst-address=10.33.33.227 jump-target=pss-www
add chain=pss-www comment="pss-www allow HTTP" dst-port=80 protocol=tcp
add chain=pss-www comment="pss-www allow HTTPS" dst-port=443 protocol=tcp
add chain=pss-www comment="pss-www allow SSH" dst-port=22 protocol=tcp
add action=drop chain=pss-www
/ip firewall nat
add chain=srcnat dst-address=192.168.15.0/24 src-address=10.33.33.0/24
to-addresses=0.0.0.0
add action=src-nat chain=srcnat comment="WIKI Inside" src-address=
10.33.33.246 to-addresses=99.99.95.104
add action=dst-nat chain=dstnat comment="WIKI Outside" dst-address=
99.99.95.104 to-addresses=10.33.33.246
add action=src-nat chain=srcnat comment="ASTERM Inside" src-address=
10.33.33.21 to-addresses=99.99.95.110
add action=dst-nat chain=dstnat comment="ASTERM Outside" dst-address=
99.99.95.110 to-addresses=10.33.33.21
add action=src-nat chain=srcnat comment="CFE-WEB Inside" src-address=
10.33.33.22 to-addresses=99.99.95.109
add action=dst-nat chain=dstnat comment="CFE-WEB Outside" dst-address=
99.99.95.109 to-addresses=10.33.33.22
add action=src-nat chain=srcnat comment="PSSRDS Inside" src-address=
10.33.33.125 to-addresses=99.99.95.108
add action=dst-nat chain=dstnat comment="PSSRDS Outside" dst-address=
99.99.95.108 to-addresses=10.33.33.125
add action=src-nat chain=srcnat comment="GWME Inside" src-address=
10.33.33.112 to-addresses=99.99.95.107
add action=dst-nat chain=dstnat comment="GWME Outside" dst-address=
99.99.95.107 to-addresses=10.33.33.112
add action=src-nat chain=srcnat comment="NYEXCH Inside" src-address=
10.33.33.20 to-addresses=99.99.87.181
add action=dst-nat chain=dstnat comment="NYEXCH Outside" dst-address=
99.99.87.181 to-addresses=10.33.33.20
add action=src-nat chain=srcnat comment="NOCRDS Inside" src-address=
10.33.33.217 to-addresses=99.99.87.183
add action=dst-nat chain=dstnat comment="NOCRDS Outside" dst-address=
99.99.87.183 to-addresses=10.33.33.217
add action=src-nat chain=srcnat comment="WWW1 Inside" src-address=
10.33.33.101 to-addresses=99.99.87.190
add action=dst-nat chain=dstnat comment="WWW1 Outside" dst-address=
99.99.87.190 to-addresses=10.33.33.101
add action=src-nat chain=srcnat comment="DM-PROD03 Inside" src-address=
10.33.33.13 to-addresses=99.99.87.184
add action=dst-nat chain=dstnat comment="DM-PROD03 Outside" dst-address=
99.99.87.184 to-addresses=10.33.33.13
add action=src-nat chain=srcnat comment="DM-PROD01 Inside" src-address=
10.33.33.14 to-addresses=99.99.87.185
add action=dst-nat chain=dstnat comment="DM-PROD01 Outside" dst-address=
99.99.87.185 to-addresses=10.33.33.14
add action=src-nat chain=srcnat comment="DM-PROD02 Inside" src-address=
10.33.33.15 to-addresses=99.99.87.186
add action=dst-nat chain=dstnat comment="DM-PROD02 Outside" dst-address=
99.99.87.186 to-addresses=10.33.33.15
add action=src-nat chain=srcnat comment="DM-DEV01 Inside" src-address=
10.33.33.18 to-addresses=99.99.87.189
add action=dst-nat chain=dstnat comment="DM-DEV02 Outside" dst-address=
99.99.87.189 to-addresses=10.33.33.18
add action=src-nat chain=srcnat comment="DM-DEV02 Inside" src-address=
10.33.33.16 to-addresses=99.99.87.187
add action=dst-nat chain=dstnat comment="DM-DEV02 Outside" dst-address=
99.99.87.187 to-addresses=10.33.33.16
add action=src-nat chain=srcnat comment="DM-ZIMBRA Inside" src-address=
10.33.33.17 to-addresses=99.99.87.188
add action=dst-nat chain=dstnat comment="DM-ZIMBRA Outside" dst-address=
99.99.87.188 to-addresses=10.33.33.17
add action=src-nat chain=srcnat comment="Mintz Inside" src-address=
10.33.33.225 to-addresses=99.99.95.105
add action=dst-nat chain=dstnat comment="Mintz Outside" dst-address=
99.99.95.105 to-addresses=10.33.33.225
add action=src-nat chain=srcnat comment="AS-NESSUS Inside" src-address=
10.33.33.24 to-addresses=99.99.87.190
add action=dst-nat chain=dstnat comment="AS-NESSUS Outside" dst-address=
99.99.95.103 to-addresses=10.33.33.24
add action=src-nat chain=srcnat comment="Mintz Stage 2 Inside" src-address=
10.33.33.226 to-addresses=99.99.95.111
add action=dst-nat chain=dstnat comment="Mintz Stage 2 Outside" dst-address=
99.99.95.111 to-addresses=10.33.33.226
add action=src-nat chain=srcnat comment="PSS-WWW Inside" src-address=
10.33.33.227 to-addresses=99.99.95.102
add action=dst-nat chain=dstnat comment="PSS-WWW Outside" dst-address=
99.99.95.102 to-addresses=10.33.33.227
add action=masquerade chain=srcnat comment="DEFAULT DYNAMIC NAT RULE"
out-interface=ether2-outside
/ip ipsec peer
add address=99.99.47.63/32 hash-algorithm=sha1 secret=key
send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.15.0/24 sa-dst-address=99.99.47.63 sa-src-address=
99.99.95.126 src-address=10.33.33.0/24 tunnel=yes
/ip proxy
set parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=99.99.95.97
/ip service
set api disabled=yes
/ip traffic-flow
set cache-entries=4k enabled=yes
/lcd
set time-interval=hour
/lcd interface
set ether1-inside interface=ether1-inside
set ether2-outside interface=ether2-outside
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set ether11 interface=ether11
set ether12 interface=ether12
/system clock
set time-zone-name=America/New_York
/system identity
set name=AmoebaNetworks75Broad
/system logging
add topics=ipsec
/system ntp client
set enabled=yes mode=unicast primary-ntp=129.6.15.28 secondary-ntp=
129.6.15.29
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
/tool e-mail
set address=10.33.33.20 from=<noc@activsupport.com>
/tool graphing interface
add interface=ether2-outside
add interface=ether1-inside
/tool netwatch
add host=10.33.33.253

SITE 2

# nov/19/2013 20:18:14 by RouterOS 6.6

software id = AB47-JEP0

/interface bridge
add admin-mac=D4:CA:6D:99:19:E4 auto-mac=no l2mtu=1598 name=bridge-local
protocol-mode=rstp
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors
ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=AMOEBANET
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=
ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway speed=100Mbps
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=catrabbit
wpa2-pre-shared-key=catrabbit
/ip dhcp-server
add interface=sfp1-gateway name=dhcp1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.15.100-192.168.15.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.15.1/24 comment="default configuration" interface=wlan1
network=192.168.15.0
add address=99.99.47.63/24 interface=ether1-gateway network=99.99.47.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=
sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=
4.2.2.1,4.2.2.2 gateway=192.168.15.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=4.2.2.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input dst-port=80 protocol=tcp
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=
sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=
ether1-gateway
add chain=forward comment="default configuration" connection-state=
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration"
connection-state=invalid
/ip firewall nat
add chain=srcnat dst-address=10.33.33.0/24 src-address=192.168.15.0/24
to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration"
out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway to-addresses=0.0.0.0
/ip ipsec peer
add address=99.99.95.126/32 hash-algorithm=sha1 secret=key
/ip ipsec policy
add dst-address=10.33.33.0/24 sa-dst-address=99.99.95.126 sa-src-address=
99.99.47.63 src-address=192.168.15.0/24 tunnel=yes
/ip route
add distance=1 gateway=99.99.47.1
/ip service
set api disabled=yes
/lcd interface
set sfp1-gateway interface=sfp1-gateway
set ether1-gateway interface=ether1-gateway
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
set wlan1 interface=wlan1
/lcd interface pages
set 0 interfaces="sfp1-gateway,ether1-gateway,ether2,ether3,ether4,ether5,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local"
/system identity
set name=AmoebaNetworks105S5th
/system logging
add topics=ipsec
add topics=debug
/system ntp client
set enabled=yes mode=unicast primary-ntp=129.6.15.28 secondary-ntp=
129.6.15.29
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local

Still reading but you should have your IP assigned to bridge-local… not wlan1.

Found your problem… you need to allow traffic from/to your private ranges on your external interfaces in the input chain… You have a default drop… In MikroTik land IPsec traffic appears to come from the private IP on the in-interface of the external interface…

Make sense?

Specifically here on site 2
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input dst-port=80 protocol=tcp
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=
sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=
ether1-gateway
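To check the point made above without guessing, here is an added example (not from the thread or from MikroTik) that replays the site 2 input chain exactly as posted against the three packet types an IPsec peer sends to the router's WAN port: IKE (udp/500), IKE NAT-T (udp/4500) and ESP (IP protocol 50, `ipsec-esp` in RouterOS). The packets are constructed, the peer address and interface name are taken from the site 2 export, and the evaluator models only the matchers that occur in those rules (protocol, dst-port, connection-state, in-interface, plus src-address for the fix); it is a first-match simulation, not the RouterOS firewall itself.

```python
import shlex

# Constructed copy of the site 2 "/ip firewall filter" rules posted in the thread.
SITE2_FILTER = """\
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input dst-port=80 protocol=tcp
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
"""

# Only the matchers that appear in the posted rules (plus src-address, used by the fix).
MATCHERS = ("protocol", "src-address", "dst-port", "connection-state", "in-interface")


def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts; RouterOS omits action=accept."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def verdict(rules, packet):
    """First-match evaluation of one chain; returns (action, rule index) or ('accept', None)."""
    for index, rule in enumerate(rules):
        if rule["chain"] != packet["chain"]:
            continue
        if all(rule[k] == str(packet.get(k)) for k in MATCHERS if k in rule):
            return rule["action"], index
    return "accept", None  # a RouterOS chain with no matching rule accepts


def ipsec_input_rules(wan_if, peer):
    """Accept rules for IKE (udp/500), IKE NAT-T (udp/4500) and ESP from one peer."""
    return [
        f'add chain=input protocol=udp dst-port=500 src-address={peer} in-interface={wan_if} comment="IKE"',
        f'add chain=input protocol=udp dst-port=4500 src-address={peer} in-interface={wan_if} comment="IKE NAT-T"',
        f'add chain=input protocol=ipsec-esp src-address={peer} in-interface={wan_if} comment="ESP"',
    ]


def with_ipsec_allowed(export, wan_if, peer):
    """Return the rule list with the IPsec accepts placed before the first input drop."""
    rules = parse_rules(export)
    first_drop = next(i for i, r in enumerate(rules)
                      if r["chain"] == "input" and r["action"] == "drop")
    extra = parse_rules("\n".join(ipsec_input_rules(wan_if, peer)))
    return rules[:first_drop] + extra + rules[first_drop:]


# Constructed packets: what site 1 (99.99.95.126 in the export) sends to site 2's WAN
# port when it initiates phase 1, when NAT-T is in use, and when ESP data arrives.
# connection-state is 'new' because site 2 is the responder and has no tracked entry.
PEER, WAN = "99.99.95.126", "ether1-gateway"
PACKETS = {
    "ike":   {"chain": "input", "protocol": "udp", "dst-port": "500", "src-address": PEER,
              "connection-state": "new", "in-interface": WAN},
    "nat-t": {"chain": "input", "protocol": "udp", "dst-port": "4500", "src-address": PEER,
              "connection-state": "new", "in-interface": WAN},
    "esp":   {"chain": "input", "protocol": "ipsec-esp", "src-address": PEER,
              "connection-state": "new", "in-interface": WAN},
}


def audit(rules):
    """Map each packet name to the action the input chain gives it."""
    return {name: verdict(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("as posted:", audit(parse_rules(SITE2_FILTER)))
    print("with fix :", audit(with_ipsec_allowed(SITE2_FILTER, WAN, PEER)))
```

As posted, all three packets fall through to the `in-interface=ether1-gateway` drop; with the three accepts inserted above it they are accepted. Two caveats worth keeping in mind: the `connection-state=established` rule means the drop only bites on packets for which site 2 has no tracked connection yet, so which side initiates IKE (or re-keys first) decides whether it shows up, which is one way a tunnel can work for days and then fail; and the forward chain as posted has no drop other than `invalid`, so decrypted LAN-to-LAN traffic is not affected by this, only traffic to the router itself. On the router, the equivalent is three `/ip firewall filter add` commands with `place-before=` set to the index of the `ether1-gateway` drop rule as shown by `/ip firewall filter print`.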

Ok. I just changed that from wlan1 to bridge-local, which actually makes more sense. I didn’t understand why the Quickset profile wanted to assign it to WLAN1. I flushed the SAs and after a minute the SA came up on its own. Could that have been the problem?

I have not changed anything with the input chain yet. Traffic is being passed through when the tunnel is up, so I’m not so sure that’s a problem.

I guess now that I’ve changed the internal IP in site 2 to use bridge-local, I’ll monitor the VPN for a bit and see if it stays up. Thanks so much for your help!