IPSec: need to ping before send traffic

albantax · June 16, 2021, 2:25pm

Hello everyone, this is my first post, i have setup a IPSec site to site VPN with. The problem is that i have to ping from router RTR3 to RTR1 when tunnel is established, only then i can send traffic trougth tunnel.

I have setup “accept” rules before masq rules and by-pass fasttrack rules too on both sides…

I have 2 tunnels, the problem is with RTR3 (.19)

From RTR1

[admin@RTR1] /ip ipsec> active-peers print
Flags: R - responder, N - natt-peer
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS
 0                         established        18h40m43s               1 xxx.xxx.xxx.19
 1 R                       established        18h10m3s                2 xxx.xxx.xxx.35

I Can not ping to RTR3

[admin@RTR1] > ping 192.168.3.100 interface=ether2
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.3.100                                           timeout
    1 192.168.3.100                                           timeout
    sent=2 received=0 packet-loss=100%

Then i ping from RTR3 to RTR1

[admin@RTR3] > ping 192.168.1.100 interface=ether2
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.1.100                              56  64 2ms
    1 192.168.1.100                              56  64 1ms
    sent=2 received=2 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=2ms

Then RTR1 start receiving ping responses and tunnels works fine.

[admin@RTR1] > ping 192.168.3.100 interface=ether2
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.3.100                                           timeout
    1 192.168.3.100                                           timeout
    2 192.168.3.100                                           timeout
    3 192.168.3.100                                           timeout
    4 192.168.3.100                                           timeout
    5 192.168.3.100                                           timeout
    6 192.168.3.100                                           timeout
    7 192.168.3.100                                           timeout
    8 192.168.3.100                                           timeout
    9 192.168.3.100                                           timeout
   10 192.168.3.100                                           timeout
   11 192.168.3.100                                           timeout
   12 192.168.3.100                                           timeout
   13 192.168.3.100                                           timeout
   14 192.168.3.100                                           timeout
   15 192.168.3.100                              56  64 1ms
   16 192.168.3.100                              56  64 1ms
   17 192.168.3.100                              56  64 1ms
   18 192.168.3.100                              56  64 1ms
   19 192.168.3.100                              56  64 1ms
    sent=20 received=5 packet-loss=75% min-rtt=1ms avg-rtt=1ms max-rtt=1ms

Any suggestions? Thanks in advance!!

sindy · June 20, 2021, 6:40pm

Always post complete exports, anonymized as per my automatic signature below.

Without seeing the exports I can only speculate that both RTR1 and RTR3 have public IPs directly on themselves, and hence they use ESP as transport protocol. And if this is the case, you have to add an action=accept rule into chain input of /ip firewall filter of both RTR1 and RTR3, for protocol=ipsec-esp and possibly restricted by some src-address-list, otherwise the firewall drops the ESP packets carrying the ping requests. Once you ping from each router, a pinhole (tracked connection) is created in its firewall by the first ESP packet it sends, but until then, the ESP packets coming from the remote side are dropped.