IPSEC just cant make it work

Sko · December 19, 2018, 8:09pm

Hello in the few days i am traing to make a tunnel between Google cloud and my home mikrotik.
Router model is 2011UiAS-2HnD with RouterOS v6.43.4 (stable)
Here is what i have so far.

Local LAN network is 192.168.88.0/24
GCP network is 10.132.0.0/20
GCP Tunnel address xxx.xxx.xxx.xxx
Mikrotik local address 192.168.88.1
Mikrotik public address yyy.yyy.yyy.yyy

/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des \
    hash-algorithm=sha512
/ip ipsec proposal
add lifetime=3h name=google
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 exchange-mode=ike2 secret=\
    supersecret
/ip ipsec policy
add dst-address=10.132.0.0/20 proposal=google sa-dst-address=xxx.xxx.xxx.xxx \
    sa-src-address=yyy.yyy.yyy.yyy src-address=192.168.88.0/24 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=10.132.0.0/20 src-address=\
    192.168.88.0/24
add action=masquerade chain=srcnat src-address=192.168.88.0/24

With that configuration the tunnel is up and running.
I can ping 10.132.0.0/20 addresses from Local LAN. But i cant reach local lan from google (10.132.0.0/20). On other side i can ping Mikrotik local address 192.168.88.1 from there . So i suspect that something is wrong with NAT.
I tried to to sniff the traffic and i can see ICMP packets from 10.132.0.0/20 reach the Mikrotik but are not forwarded inside local network.

Sko · December 19, 2018, 8:30pm

Ok i found the answer in another post here

The point is that in RouterOS, IPsec policies do their job after all routing and even firewalling has been done, just before the packet is about to be sent out via the physical interface. See this diagram and especially the Routing Diagram details (points IJKL) below.

So basically i had to add firewall rule for that and now everything works like a charm

/ip firewall filter
add action=accept chain=forward src-address=10.132.0.0/20