Dear all,
I’m new to this forum but not new to RouterOS.
Currently I’m running out of ideas regarding an IPSec VPN issue; maybe somebody here will be able to assist…
I’m trying to establish a site-to-site IPSec VPN between a Zyxel NSG50 and a MikroTik CCR-1036.
I’ve already set up both devices, configured Peers, proposals, identities and policies, I’m able to see the connection on Active Peers tab as well as in Installed SAs.
Also I created a SRC-NAT rule on the CCR to make the traffic flow between both private subnets.
On top I configured a raw rule to keep cpu load down via notrack prerouting rules.
But no matter what, PINGs won’t get through… And I’m running out of ideas.
I can even see RX packets in torch but no TX ones???
I’d be really happy and thankful if someone here would enjoy helping me find a solution.
Thanks very much in advance!
Blind
sindy
May 14, 2020, 8:34pm
2
Most of the people here lack the oracle skills, so cannot give any advice without seeing the actual configuration. Follow the hint in my automatic signature just below to post it without revealing critical information.
Dear Sindy,
you’re absolutely right. Please find my anonymized config attached and thanks for your help…
# may/16/2020 02:18:43 by RouterOS 6.46.6
# software id = 595G-RQLS
#
# model = CCR1036-12G-4S
# serial number = 6AA9058B0BD7
/interface ethernet
set [ find default-name=ether1 ] comment="DTAG Company Connect UPLINK" speed=100Mbps
set [ find default-name=ether2 ] comment="Internet-Segment 192.168.150.0/24" speed=100Mbps
set [ find default-name=ether3 ] comment="DTAG VDSL UPLINK" speed=100Mbps
set [ find default-name=ether4 ] comment="Office LAN 192.168.254.0/24" speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] comment="Provider UPLINK" speed=100Mbps
set [ find default-name=ether12 ] comment="Internal Network 172.20.0.0/16" speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name="vpn Guests" split-include=192.168.150.0/24
/ip ipsec policy group
add name="VPN guests"
/ip ipsec profile
add dh-group=ec2n185,modp2048,modp1024 dpd-interval=2s enc-algorithm=aes-256,aes-192,3des name=profile_1
add dh-group=modp1024 enc-algorithm=3des name=profile_2
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=NSG50 nat-traversal=no
/ip ipsec peer
add address=p1nsg50.ddns.net comment=myIPSec exchange-mode=ike2 local-address=public.ip.2 name=NSG50 port=500 profile=NSG50
add disabled=yes local-address=80.154.102.83 name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=l2tp-proposal pfs-group=none
add auth-algorithms=sha256,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h name=NSG50 pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.150.75-192.168.150.95
add name=dchp_pool_254 ranges=192.168.254.200-192.168.254.250
add name=dhcp_pool_Management_location ranges=172.20.10.50-172.20.10.200
add name=dhcp_pool_external_Access_location ranges=172.20.11.50-172.20.11.200
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=ether2 name=dhcp1
add address-pool=dchp_pool_254 authoritative=after-2sec-delay disabled=no interface=ether4 lease-time=8h name=server_254
add address-pool=dhcp_pool_Management_location authoritative=after-2sec-delay disabled=no interface=ether12 lease-time=3h name=\
Management_location_VLAN172
/ppp profile
add change-tcp-mss=yes dns-server=192.168.150.51,192.168.150.30 local-address=192.168.150.254 name=L2TP-Profile remote-address=dhcp_pool1 \
use-encryption=required use-mpls=yes
add change-tcp-mss=yes dns-server=172.20.10.10 local-address=172.20.255.254 name=L2TP-profile2 remote-address=dhcp_pool_Management_location \
use-encryption=required use-mpls=yes
add change-tcp-mss=yes dns-server=172.20.10.10 local-address=172.20.255.254 name=L2TP-profile-External remote-address=\
dhcp_pool_external_Access_location use-encryption=required use-mpls=yes
/queue simple
add max-limit=5M/5M name=queue1Miner1 target=172.20.10.50/32
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall connection tracking
set enabled=yes
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP-Profile enabled=yes max-mru=1460 max-mtu=1460 mrru=1600 use-ipsec=yes
/interface ovpn-server server
set auth=sha1 cipher=aes256 default-profile=OVPN-Server require-client-certificate=yes
/ip address
add address=192.168.150.254/24 interface=ether2 network=192.168.150.0
add address=192.168.254.254/24 interface=ether4 network=192.168.254.0
add address=172.20.255.254/16 interface=ether12 network=172.20.0.0
add address=public.ip.1/28 interface=ether11 network=public.subnet
add address=public.ip.2/28 interface=ether11 network=public.subnet
add address=public.ip.3/28 interface=ether11 network=public.subnet
add address=public.ip.4/28 interface=ether11 network=public.subnet
add address=public.ip.5/28 interface=ether11 network=public.subnet
add address=public.ip.6/28 interface=ether11 network=public.subnet
add address=public.ip.7/28 interface=ether11 network=public.subnet
add address=public.ip.8/28 interface=ether11 network=public.subnet
add address=public.ip.9/28 interface=ether11 network=public.subnet
add address=public.ip.10/28 interface=ether11 network=public.subnet
add address=public.ip.11/28 interface=ether11 network=public.subnet
add address=public.ip.12/28 interface=ether11 network=public.subnet
add address=public.ip.13/28 interface=ether11 network=public.subnet
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=172.20.10.53 mac-address=00:50:56:B5:03:E3 server=Management_location_VLAN172
add address=172.20.10.55 mac-address=00:50:56:B5:10:97 server=Management_location_VLAN172
add address=172.20.10.57 mac-address=00:50:56:B5:54:73 server=Management_location_VLAN172
add address=172.20.10.58 mac-address=00:50:56:B5:6D:CE server=Management_location_VLAN172
add address=172.20.10.59 mac-address=00:50:56:B5:C0:12 server=Management_location_VLAN172
add address=192.168.150.88 mac-address=00:50:56:BD:6F:21 server=dhcp1
add address=172.20.10.250 client-id=1:40:b0:34:72:a6:2c mac-address=40:B0:34:72:A6:2C server=Management_location_VLAN172
add address=172.20.10.86 mac-address=00:50:56:BD:7D:3D server=Management_location_VLAN172
add address=172.20.10.65 client-id=1:0:50:56:bd:2:4f mac-address=00:50:56:BD:02:4F server=Management_location_VLAN172
add address=172.20.10.67 mac-address=00:50:56:BD:52:38 server=Management_location_VLAN172
add address=172.20.10.70 client-id=1:0:50:56:bd:1c:42 mac-address=00:50:56:BD:1C:42 server=Management_location_VLAN172
add address=172.20.10.82 mac-address=00:50:56:BD:E3:63 server=Management_location_VLAN172
add address=172.20.10.87 mac-address=00:50:56:BD:29:CE server=Management_location_VLAN172
add address=172.20.10.50 client-id=ff:bc:9a:4a:2d:0:2:0:0:ab:11:7f:d8:65:bf:16:cc:5c:2d mac-address=00:50:56:BD:57:EE server=\
Management_location_VLAN172
add address=172.20.10.54 client-id=1:0:50:56:bd:90:79 mac-address=00:50:56:BD:90:79 server=Management_location_VLAN172
add address=172.20.10.56 mac-address=00:50:56:BD:72:C7 server=Management_location_VLAN172
add address=192.168.150.86 client-id=1:0:50:56:bd:57:5c mac-address=00:50:56:BD:57:5C server=dhcp1
add address=192.168.150.85 mac-address=00:50:56:BD:83:36 server=dhcp1
add address=192.168.150.84 mac-address=00:50:56:BD:D3:BA server=dhcp1
add address=172.20.10.52 client-id=1:0:50:56:bd:19:56 mac-address=00:50:56:BD:19:56 server=Management_location_VLAN172
/ip dhcp-server network
add address=172.20.0.0/16 boot-file-name=pxelinux.0 dns-server=172.20.10.13,172.20.10.70 domain=company.corp gateway=172.20.255.254 netmask=16 \
next-server=172.20.10.87 wins-server=172.20.10.13
add address=192.168.150.0/24 dns-server=172.20.10.13,194.25.0.60 domain=company.corp gateway=192.168.150.254
add address=192.168.254.0/24 dns-server=172.20.10.13,212.66.1.1 domain=company.corp gateway=192.168.254.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=212.82.225.7,212.66.1.1
/ip firewall address-list
add address=192.168.150.0/24 list=support
add address=172.20.0.0/16 list=internal-nets
add address=192.168.150.0/24 list=internal-nets
add address=192.168.178.0/24 list=internal-nets
add address=192.168.254.0/24 list=internal-nets
/ip firewall filter
add action=drop chain=input comment="Anti-Spoofing INPUT" in-interface=ether1 src-address-list=internal-nets
add action=drop chain=input comment="Anti-Spoofing INPUT Provider" in-interface=ether11 src-address-list=internal-nets
add action=accept chain=forward comment="TEST TEST TEST" disabled=yes log=yes protocol=icmp
add action=drop chain=forward comment="Anti-Spoofing FORWARD" in-interface=ether1 src-address-list=internal-nets
add action=drop chain=forward comment="Anti-Spoofing FORWARD Provider" in-interface=ether11 src-address-list=internal-nets
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment=\
"Limit incoming TCP connections; 20170122 Drop-Rule fehlt" connection-limit=200,32 connection-state=new protocol=tcp
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment=\
"adding DNS-DDoS attackers to blocklist" connection-state="" dst-port=53 in-interface=ether1 limit=200,5:packet protocol=udp
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment=\
"adding DNS-DDoS attackers to blocklist Provider" connection-state="" dst-port=53 in-interface=ether11 limit=200,5:packet protocol=udp
add action=drop chain=input comment="Drop blocklist" dst-port=53 in-interface=ether1 protocol=udp src-address-list=blocked-addr
add action=drop chain=input comment="Drop blocklist Provider" dst-port=53 in-interface=ether11 protocol=udp src-address-list=blocked-addr
add action=accept chain=input comment="Stateful inspection Input" connection-state=established,related
add action=accept chain=forward comment="Stateful inspection Forward" connection-state=established,related
add action=accept chain=input comment="Ping from external Internet" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="Ping from external Internet Provider" in-interface=ether11 protocol=icmp
add action=accept chain=input comment="Accept all from I-Segment (192.168.150.0/24)" in-interface=ether2
add action=accept chain=forward comment="Accept Internet access from I-Segment (192.168.150.0/24)" in-interface=ether2
add action=accept chain=forward comment="Accept Internet access from OfficeMuc(192.168.150.0/24)" src-address=192.168.178.0/24
add action=accept chain=input comment="Accept all from Office-Net (192.168.254.0/24)" in-interface=ether4
add action=accept chain=forward in-interface=ether4
add action=accept chain=input comment="Accept all from Management-Net (172.20.0.0/16)" in-interface=ether12
add action=accept chain=input comment="Accept all from BranchOffice (172.20.0.0/16)" src-address=192.168.178.0/24
add action=accept chain=forward in-interface=ether12
add action=accept chain=forward src-address=192.168.178.0/24
add action=accept chain=input comment="Allow L2TP from external" connection-state=new dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow L2TP from external Provider" connection-state=new dst-port=500,1701,4500 in-interface=ether11 \
protocol=udp
add action=accept chain=input comment="Allow IPSec from External" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec from External Provider" in-interface=ether11 protocol=ipsec-esp
add action=accept chain=forward comment="Accept Network traffic" dst-address=192.168.150.0/24 src-address=172.20.0.0/16
add action=accept chain=forward comment="Accept Network traffic" dst-address=192.168.150.0/24 src-address=192.168.178.0/24
add action=accept chain=forward comment="Accept Network traffic" dst-address=192.168.254.0/24 src-address=192.168.178.0/24
add action=accept chain=forward comment="Accept Network traffic" dst-address=172.20.0.0/16 src-address=192.168.178.0/24
add action=accept chain=forward comment="Accept Network traffic" dst-address=192.168.150.0/24 src-address=172.40.0.0/20
add action=accept chain=forward comment="Accept Network traffic" disabled=yes dst-address=172.40.0.0/20 src-address=172.20.0.0/16
add action=accept chain=forward comment="Accept Network traffic" disabled=yes dst-address=172.40.0.0/20 src-address=192.168.150.0/24
add action=accept chain=forward comment="Accept Network traffic" disabled=yes dst-address=172.20.0.0/16 src-address=172.40.0.0/20
add action=accept chain=input comment="Accept Network traffic" disabled=yes dst-address=172.20.0.0/16 src-address=172.40.0.0/20
add action=accept chain=forward comment="Accept Network traffic" dst-address=192.168.150.0/24 src-address=172.40.0.0/20
add action=accept chain=forward dst-address=172.20.0.0/16 src-address=192.168.150.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.150.0/24 src-address=192.168.254.0/24
add action=accept chain=forward disabled=yes dst-address=172.20.0.0/16 src-address=192.168.254.0/24
add action=accept chain=input disabled=yes dst-address=192.168.150.0/24 src-address=192.168.254.0/24
add action=accept chain=input disabled=yes dst-address=172.20.0.0/16 src-address=192.168.254.0/24
add action=accept chain=forward comment="DNS from I-Segment (192.168.150.0/24)" dst-address=172.20.10.10 dst-port=53 protocol=udp src-address=\
192.168.150.0/24
add action=accept chain=forward comment="Zone-Transfer from ns2.hans.hosteurope.de" dst-address=public.ip.2 dst-port=53 protocol=udp \
src-address=80.237.128.10
add action=accept chain=forward comment="Zone-Transfer from ns2.hans.hosteurope.de" dst-address=public.ip.2 dst-port=53 protocol=tcp \
src-address=80.237.128.10
add action=accept chain=input comment="Zone-Transfer from ns2.hans.hosteurope.de" dst-address=public.ip.2 dst-port=53 protocol=tcp \
src-address=80.237.128.10
add action=accept chain=input comment="Zone-Transfer from ns2.hans.hosteurope.de" dst-address=public.ip.2 dst-port=53 protocol=udp \
src-address=80.237.128.10
add action=accept chain=forward comment="Allow traffic to NSG50" dst-address=192.168.178.0/24 src-address=172.20.0.0/16
add action=accept chain=forward comment="Allow traffic from NSG50" dst-address=172.20.0.0/16 src-address=192.168.178.0/24
add action=accept chain=forward comment="Access Office-Net to Management-Net" in-interface=ether4 out-interface=ether12
add action=accept chain=forward comment="Access Office-Net to Management-Net" in-interface=ether4 out-interface=ether11
add action=accept chain=input comment=Printer disabled=yes dst-address=192.168.254.251 in-interface=ether2
add action=accept chain=forward comment="External VPN ALLOW internal DNS" dst-address=172.20.10.10 dst-port=53 protocol=udp src-address=\
172.20.10.201
add action=accept chain=forward comment="External VPN ALLOW Atlassian.company.corp(Bitbucket)" dst-address=172.20.10.58 dst-port=7990 protocol=\
tcp src-address=172.20.10.201
add action=drop chain=forward comment="Shevelev VPN DROP" dst-address=172.20.0.0/16 src-address=172.20.10.201
add action=accept chain=input comment=SNMP dst-port=123 protocol=udp
add action=accept chain=output dst-port=123 protocol=udp
add action=accept chain=forward dst-port=123 protocol=udp
add action=accept chain=input comment="DNS ns0" dst-port=53 protocol=udp
add action=accept chain=forward dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all"
add action=log chain=forward
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=forward comment="Accept Network traffic" dst-address=172.20.0.0/16 src-address=192.168.178.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=CoCoRouting passthrough=yes src-address=192.168.150.0/24
add action=mark-routing chain=prerouting comment="TEST TEST TEST" disabled=yes dst-address=!172.20.0.0/16 new-routing-mark=DSLUplink \
passthrough=yes src-address=192.168.254.207
add action=mark-routing chain=prerouting disabled=yes dst-address=!172.20.0.0/16 new-routing-mark=Provider passthrough=yes src-address=\
192.168.254.0/24
add action=mark-routing chain=prerouting dst-address=80.154.102.80/29 new-routing-mark=CoCoRouting passthrough=yes
add action=mark-routing chain=prerouting dst-address=194.25.131.80/28 new-routing-mark=CoCoRouting passthrough=yes
add action=mark-routing chain=prerouting dst-address=public.subnet/28 new-routing-mark=Provider passthrough=yes
add action=mark-routing chain=prerouting dst-address=172.40.0.0/20 new-routing-mark=OpenVPN passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="NSG50 IpSec VPN" dst-address=192.168.178.0/24 src-address=172.20.0.0/16
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.150.0/24
add action=src-nat chain=srcnat src-address=192.168.150.44 to-addresses=public.ip.2
add action=src-nat chain=srcnat src-address=192.168.150.86 to-addresses=public.ip.12
add action=src-nat chain=srcnat src-address=172.20.10.37 to-addresses=public.ip.5
add action=src-nat chain=srcnat comment=PLESK src-address=192.168.150.84 to-addresses=public.ip.12
add action=src-nat chain=srcnat comment=ZenoBot src-address=192.168.150.96 to-addresses=public.ip.13
add action=src-nat chain=srcnat src-address=192.168.150.54 to-addresses=public.ip.4
add action=src-nat chain=srcnat src-address=192.168.150.84 to-addresses=public.ip.3
add action=src-nat chain=srcnat src-address=172.20.10.56 to-addresses=public.ip.9
add action=src-nat chain=srcnat src-address=172.20.10.50 to-addresses=public.ip.11
add action=src-nat chain=srcnat src-address=192.168.150.53 to-addresses=public.ip.6
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=25 in-interface=ether11 protocol=tcp to-addresses=192.168.150.44 to-ports=25
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=80 in-interface=ether11 protocol=tcp to-addresses=192.168.150.44 to-ports=80
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=465 protocol=tcp to-addresses=192.168.150.44 to-ports=465
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=113 protocol=tcp to-addresses=192.168.150.44 to-ports=113
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=563 protocol=tcp to-addresses=192.168.150.44 to-ports=563
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=32400 protocol=tcp to-addresses=192.168.150.44 to-ports=32400
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=443 protocol=tcp to-addresses=192.168.150.44 to-ports=443
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=993 protocol=tcp to-addresses=192.168.150.44 to-ports=993
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=53 protocol=udp to-addresses=192.168.150.52 to-ports=53
add action=dst-nat chain=dstnat dst-address=public.ip.4 dst-port=53 protocol=udp to-addresses=192.168.150.54 to-ports=53
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=53 protocol=tcp to-addresses=192.168.150.52 to-ports=53
add action=dst-nat chain=dstnat dst-address=public.ip.4 dst-port=53 protocol=tcp to-addresses=192.168.150.54 to-ports=53
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=465 protocol=tcp to-addresses=192.168.150.44 to-ports=465
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=5269 protocol=tcp to-addresses=192.168.150.44 to-ports=5269
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=5223 protocol=tcp to-addresses=192.168.150.44 to-ports=5223
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=5222 protocol=tcp to-addresses=192.168.150.44 to-ports=5222
add action=dst-nat chain=dstnat dst-address=public.ip.3 dst-port=5223 protocol=tcp to-addresses=192.168.150.84 to-ports=5223
add action=dst-nat chain=dstnat dst-address=public.ip.3 dst-port=80 protocol=tcp to-addresses=192.168.150.84 to-ports=80
add action=dst-nat chain=dstnat dst-address=public.ip.3 dst-port=443 protocol=tcp to-addresses=192.168.150.84 to-ports=443
add action=dst-nat chain=dstnat dst-address=public.ip.3 dst-port=5222 protocol=tcp to-addresses=192.168.150.84 to-ports=5222
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=993 protocol=tcp to-addresses=192.168.150.44 to-ports=993
add action=dst-nat chain=dstnat dst-address=public.ip.2 dst-port=995 protocol=tcp to-addresses=192.168.150.44 to-ports=995
add action=dst-nat chain=dstnat dst-address=public.ip.6 dst-port=53 protocol=udp to-addresses=192.168.150.53 to-ports=53
add action=dst-nat chain=dstnat dst-address=public.ip.6 dst-port=53 protocol=tcp to-addresses=192.168.150.53 to-ports=53
add action=dst-nat chain=dstnat dst-address=public.ip.5 dst-port=21 protocol=tcp src-address=81.169.212.61 to-addresses=172.20.10.37 \
to-ports=21
add action=dst-nat chain=dstnat dst-address=public.ip.7 dst-port=443 protocol=tcp to-addresses=192.168.150.174 to-ports=443
add action=dst-nat chain=dstnat dst-address=public.ip.7 dst-port=80 protocol=tcp to-addresses=192.168.150.174 to-ports=80
add action=dst-nat chain=dstnat dst-address=public.ip.8 dst-port=443 protocol=tcp to-addresses=192.168.150.173 to-ports=443
add action=dst-nat chain=dstnat dst-address=public.ip.8 dst-port=80 protocol=tcp to-addresses=192.168.150.173 to-ports=80
add action=dst-nat chain=dstnat dst-address=public.ip.11 dst-port=1194 protocol=tcp to-addresses=172.20.10.50 to-ports=1194
add action=dst-nat chain=dstnat dst-address=public.ip.11 dst-port=1194 protocol=udp to-addresses=172.20.10.50 to-ports=1194
add action=dst-nat chain=dstnat dst-address=public.ip.11 dst-port=943 protocol=tcp to-addresses=172.20.10.50 to-ports=943
add action=dst-nat chain=dstnat dst-address=public.ip.9 dst-port=443 protocol=tcp to-addresses=172.20.10.56 to-ports=443
add action=dst-nat chain=dstnat dst-address=public.ip.9 dst-port=80 protocol=tcp to-addresses=172.20.10.56 to-ports=80
add action=dst-nat chain=dstnat dst-address=public.ip.11 dst-port=443 protocol=tcp to-addresses=172.20.10.50 to-ports=443
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=443 protocol=tcp to-addresses=192.168.150.84 to-ports=443
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=80 protocol=tcp to-addresses=192.168.150.84 to-ports=80
add action=dst-nat chain=dstnat comment=PLESKZenoBot dst-address=public.ip.13 dst-port=443 protocol=tcp to-addresses=192.168.150.96 to-ports=\
443
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=53 protocol=udp to-addresses=192.168.150.84 to-ports=53
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=53 protocol=tcp to-addresses=192.168.150.84 to-ports=53
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=21 protocol=tcp to-addresses=192.168.150.84 to-ports=21
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=25 protocol=tcp to-addresses=192.168.150.84 to-ports=25
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=8443 protocol=tcp to-addresses=192.168.150.84 to-ports=8443
add action=dst-nat chain=dstnat dst-address=public.ip.10 dst-port=3000 protocol=tcp to-addresses=172.20.10.70 to-ports=3000
add action=dst-nat chain=dstnat dst-address=public.ip.10 dst-port=443 protocol=tcp to-addresses=172.20.10.70 to-ports=443
add action=src-nat chain=srcnat src-address=192.168.150.173 to-addresses=public.ip.8
add action=masquerade chain=srcnat dst-address=192.168.150.0/24 out-interface=ether2 src-address=192.168.150.0/24
add action=masquerade chain=srcnat dst-address=172.20.0.0/16 out-interface=ether2 src-address=192.168.150.0/24
add action=masquerade chain=srcnat dst-address=172.20.0.0/16 out-interface=ether12 src-address=172.20.0.0/16
add action=masquerade chain=srcnat out-interface=ether3 src-address=192.168.254.0/24
add action=masquerade chain=srcnat out-interface=ether11 src-address=192.168.254.0/24
add action=masquerade chain=srcnat src-address=172.20.0.0/16
add action=dst-nat chain=dstnat comment=PLESK dst-address=public.ip.12 dst-port=22 protocol=tcp to-addresses=192.168.150.84 to-ports=22
add action=masquerade chain=srcnat comment="Masquerade traffic" src-address=172.20.0.0/16
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.178.0/24 src-address=172.20.0.0/16
add action=notrack chain=prerouting dst-address=172.20.0.0/16 src-address=192.168.178.0/24
/ip ipsec identity
# address ID must be used in main mode or use my-id=auto!
add generate-policy=port-override my-id=user-fqdn peer=peer1 remote-id=ignore
add mode-config=request-only peer=NSG50 remote-id=fqdn:p1nsg50.ddns.net
/ip ipsec policy
add dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes
add dst-address=192.168.178.0/24 peer=NSG50 proposal=NSG50 sa-dst-address=192.168.1.20 sa-src-address=public.ip.2 src-address=172.20.0.0/16 \
tunnel=yes
/ip route
add distance=1 dst-address=192.168.254.0/24 gateway=ether4 routing-mark=DSLUplink
add distance=1 dst-address=192.168.254.0/24 gateway=ether4 routing-mark=Provider
add distance=5 gateway=gateway.ip pref-src=public.ip.1
add distance=1 dst-address=172.27.224.0/20 gateway=172.20.10.50
add distance=1 dst-address=192.168.178.0/24 gateway=172.20.10.50
/ip service
set telnet disabled=yes
set ftp disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set backlight-timeout=never default-screen=stats time-interval=hour
/ppp profile
add local-address=10.20.10.1 name=OVPN-Server remote-address=*4A
set *FFFFFFFE dns-server=192.168.150.30 local-address=10.200.10.254 remote-address=*44
/ppp secret
add name=user1 profile=L2TP-profile2 service=l2tp
add name=user1 profile=L2TP-profile2 routes="192.168.150.0/24 172.20.255.254 1" service=l2tp
add name=user1-ipad profile=L2TP-profile2 service=l2tp
add name=user2 profile=L2TP-profile2 service=l2tp
add name=user1-ovpn profile=OVPN-Server service=ovpn
/snmp
set enabled=yes location="location, Germany" trap-version=2
/system clock
set time-zone-name=Europe/London
/system leds
set 0 interface=sfp1
set 1 interface=sfp2
set 2 interface=sfp3
set 3 interface=sfp4
/system ntp client
set enabled=yes primary-ntp=129.70.132.36 secondary-ntp=62.116.162.126
/system ntp server
set broadcast=yes enabled=yes
/tool e-mail
set from=<router.cts.loc> user=noreply@cts-sc.net
/tool graphing interface
add allow-address=172.20.0.0/16 interface=ether1
add allow-address=172.20.0.0/16 interface=ether2
add allow-address=172.20.0.0/16 interface=ether4
add allow-address=172.20.0.0/16 interface=ether12
add allow-address=172.20.0.0/16 interface=ether3
/tool graphing resource
add allow-address=172.20.0.0/16
sindy
May 16, 2020, 7:41am
4
The action=notrack rule in chain=prerouting of ip firewall raw excludes the matching packets from being processed by the connection tracking module, which means that they are never assigned any of the connection-state labels (new, established, related, invalid); instead, their connection-state is untracked. But none of the rules in chains input or forward of your /ip firewall filter accepts connection-state=untracked packets. So unless you want to use the firewall to control the traffic between the two subnets in detail, it should be enough to add this state to the connection-state list of the rules currently saying action=accept connection-state=established,related.
As NAT handling depends on connection tracking, exclusion of packets running between the two subnets from connection tracking also means that they cannot be NATed, hence the action=accept rule in chain=srcnat of /ip firewall nat is redundant.
Hi Sindy,
thanks for your answer.
If I understood you right, disabling the raw rules for connection tracking should get my configuration to work.
But sadly it has no effect. I also tried adding the connection state check (untracked) to the ip filter rules but that has no effect either.
I don’t even see any packets counting on the rules…
sindy
May 16, 2020, 1:16pm
6
/ip ipsec policy
add dst-address=192.168.178.0/24 … peer=NSG50 … src-address=172.20.0.0/16 …
So the remote network (on the ZyXEL end) is 192.168.178.0/24.
Among the first rules in both input and forward chains, there are the following ones:
action=drop chain=forward comment="Anti-Spoofing FORWARD Provider" in-interface=ether11 src-address-list=internal-nets
And in /ip firewall address-list , there is
…
add address=192.168.178.0/24 list=internal-nets
…
The local-address of the /ip ipsec peer row representing the ZyXEL is attached to ether11. When using policy-based IPsec routing, no virtual interfaces are created, so the payload packets decrypted and decapsulated from the received IPsec transport ones are still seen by the IP firewall as coming in via the same interface through which the transport ones carrying them have arrived. So the rule above drops packets from the ZyXEL LAN side before they can reach the “accept established,related,untracked” one, as they come in via ether11.
Avoiding such hard-to-find issues is one of the reasons why the “accept established,related,untracked” should be the very first rule in each chain; the other one is that, to spend as little CPU as possible on firewall processing, most packets should be checked by as few rules as possible. So if you place “accept established,related,untracked” at the beginning of each chain, all mid-connection packets are handled by that single rule, and only the initial packet of each connection makes it to the subsequent rules in that chain. If the initial packet of a connection is dropped, no mid-connection packets ever come (in case of UDP, they may keep coming but will still be considered initial ones, so the “accept established” rule will ignore them).
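As an added illustration (not part of the original posts), this Python model reproduces the forward-chain order from the exported config and the effect of the raw notrack rules, and goes one step beyond the thread to show that with connection tracking re-enabled the first packet of a flow is labelled "new" and still hits the anti-spoofing drop. The rule attributes, the sample ping packet and its addresses are constructed for the example.

```python
# Toy model of RouterOS filter-chain evaluation for the case discussed in this thread.
# Constructed example: rule set reduced to the rules that decide the verdict.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# /ip firewall address-list list=internal-nets, as in the exported config
INTERNAL_NETS = [ip_network(n) for n in (
    "172.20.0.0/16", "192.168.150.0/24", "192.168.178.0/24", "192.168.254.0/24")]

# /ip firewall raw: notrack for traffic between the two tunnel subnets
NOTRACK_PAIRS = [
    (ip_network("172.20.0.0/16"), ip_network("192.168.178.0/24")),
    (ip_network("192.168.178.0/24"), ip_network("172.20.0.0/16")),
]


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str   # policy-based IPsec: the interface the ESP packet arrived on
    conn_state: str     # conntrack label, or "untracked" if a raw notrack rule matched


@dataclass
class Rule:
    comment: str
    action: str                                   # "accept" or "drop"
    in_interface: Optional[str] = None
    src_nets: Optional[list] = None
    dst_nets: Optional[list] = None
    conn_states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        def in_any(addr, nets):
            return any(ip_address(addr) in n for n in nets)
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.src_nets is not None and not in_any(pkt.src, self.src_nets):
            return False
        if self.dst_nets is not None and not in_any(pkt.dst, self.dst_nets):
            return False
        if self.conn_states is not None and pkt.conn_state not in self.conn_states:
            return False
        return True


def connection_state(src: str, dst: str, tracked_state: str) -> str:
    """Apply the raw notrack rules: a matching packet never reaches conntrack,
    so it carries connection-state=untracked instead of tracked_state."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in NOTRACK_PAIRS:
        if s in src_net and d in dst_net:
            return "untracked"
    return tracked_state


def evaluate(chain, pkt: Packet):
    """First matching rule wins. The exported forward chain has no terminating
    drop (it ends in action=log), so a packet matching nothing is accepted."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain (no terminating drop)"


ANTI_SPOOF = Rule("Anti-Spoofing FORWARD Provider", "drop",
                  in_interface="ether11", src_nets=INTERNAL_NETS)
STATEFUL_ORIG = Rule("Stateful inspection Forward", "accept",
                     conn_states=frozenset({"established", "related"}))
STATEFUL_FIXED = Rule("Stateful inspection Forward", "accept",
                      conn_states=frozenset({"established", "related", "untracked"}))
ALLOW_NSG50 = Rule("Allow traffic from NSG50", "accept",
                   src_nets=[ip_network("192.168.178.0/24")],
                   dst_nets=[ip_network("172.20.0.0/16")])

# Order as exported: anti-spoofing sits before the stateful accept.
FORWARD_AS_EXPORTED = [ANTI_SPOOF, STATEFUL_ORIG, ALLOW_NSG50]
# Order recommended in the thread: accept established,related,untracked first.
FORWARD_RECOMMENDED = [STATEFUL_FIXED, ANTI_SPOOF, ALLOW_NSG50]


def decrypted_ping(tracked_state: str = "new") -> Packet:
    """Constructed ping from the ZyXEL LAN after ESP decapsulation: the firewall
    still sees it arriving on ether11, where the transport packet came in."""
    src, dst = "192.168.178.10", "172.20.10.10"
    return Packet(src, dst, "ether11", connection_state(src, dst, tracked_state))


def verdict_as_exported():
    return evaluate(FORWARD_AS_EXPORTED, decrypted_ping())


def verdict_recommended():
    return evaluate(FORWARD_RECOMMENDED, decrypted_ping())


def verdict_recommended_without_notrack():
    # Beyond the thread: with the raw notrack rules removed, the first packet of
    # a flow is "new" and the anti-spoofing rule still drops it.
    p = decrypted_ping()
    p.conn_state = "new"
    return evaluate(FORWARD_RECOMMENDED, p)


if __name__ == "__main__":
    print("as exported:            ", verdict_as_exported())
    print("recommended order:      ", verdict_recommended())
    print("recommended, no notrack:", verdict_recommended_without_notrack())
```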