Ipsec not passing traffic

I’m a little stumped by two routers in a lab not passing VPN traffic. The config is really simple, with no firewall or NAT policies; I’m just trying to get them to pass a ping between two PCs. What’s also odd is that the tunnel is able to get phase 2 established, but still no traffic is flowing. I am trying to send a ping from a PC on 10.1.3.0/24 to a PC on 10.0.30.0/24. Here is the config of each:

 export show-sensitive
# 2025-11-22 14:21:46 by RouterOS 7.20.4
# software id = 
#
# model = L009UiGS
# serial number = 
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan3 vlan-id=3
add interface=bridge1 name=vlan4 vlan-id=4
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=verizonprofile1 nat-traversal=no prf-algorithm=sha256
/ip ipsec peer
add address=192.168.100.0/32 exchange-mode=ike2 name=hex profile=verizonprofile1
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm name=verizon pfs-group=ecp256
/ip pool
add name=vlan3-pool ranges=192.168.3.10-192.168.3.20
add name=vlan4-pool ranges=192.168.4.10-192.168.4.20
/ip dhcp-server
add address-pool=vlan3-pool interface=vlan3 lease-time=1m name=vlan3
add address-pool=vlan4-pool interface=vlan4 lease-time=1m name=vlan4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=3
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=4
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=3-4
/ip address
add address=192.168.100.1/31 interface=ether2 network=192.168.100.0
add address=192.168.3.1/24 interface=vlan3 network=192.168.3.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1
/ip ipsec identity
add peer=hex secret=1234
/ip ipsec policy
add dst-address=192.168.30.0/24 peer=hex proposal=verizon src-address=192.168.3.0/24 tunnel=yes
/system routerboard settings
set enter-setup-on=delete-key

 export show-sensitive
# 2025-11-22 10:40:24 by RouterOS 7.20.4
# software id = 
#
# model = E60iUGS
# serial number = 
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan3 vlan-id=3
add interface=bridge1 name=vlan4 vlan-id=4
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=verizon1 nat-traversal=no prf-algorithm=\
    sha256
/ip ipsec peer
add address=192.168.100.1/32 exchange-mode=ike2 name=l009 profile=verizon1
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm name=verizon pfs-group=ecp256
/ip pool
add name=vlan3-pool ranges=192.168.30.10-192.168.30.20
add name=vlan4-pool ranges=192.168.40.10-192.168.40.20
/ip dhcp-server
add address-pool=vlan3-pool interface=vlan3 lease-time=1m name=vlan3
add address-pool=vlan4-pool interface=vlan4 lease-time=1m name=vlan4
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=3
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=4
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=3-4
/ip address
add address=192.168.100.0/31 interface=ether2 network=192.168.100.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan4 network=192.168.40.0
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8 gateway=192.168.40.1
/ip ipsec identity
add peer=l009 secret=1234
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=l009 proposal=verizon src-address=192.168.30.0/24 tunnel=yes

I’m guessing it’s a really simple little issue. If someone drops by and helps me through it, I’d appreciate it.

Two things.

IPsec matches packet headers to traffic selectors configured in IPsec policies as the very last step before sending the packet out via the interface chosen by regular routing. Since there is no route to the destination that matches the dst-address of your IPsec policy, the packets cannot be routed, and therefore also cannot be matched against the policy.

The other thing is that when the router itself sends a packet that is not a response, it first routes it according to its destination address, and only then does it choose the source address for it - typically, it is the primary address assigned to the out-interface chosen by the routing, but it can be overridden by the pref-src parameter of the route used.

So you have to add a route to 192.168.30.0/24 to the L009 and a route to 192.168.3.0/24 to the hEX; no matter how weird it may seem at first glance, it is best to set vlan3 as a gateway of both these routes (on both routers), because that also makes the source address match the policy. There are other methods to achieve that that are more appropriate in more complex scenarios; this is just the simplest and fastest way for your test case.

The source address choice/setting/src-nat is only important for traffic sent by the router itself; transit (forwarded) traffic arrives with a source address already assigned.
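The fix described in the reply above, written out as RouterOS commands together with the checks I would run afterwards (added here, not part of the original posts; interface names and prefixes are taken from the two exports, the comment strings are my own):

```routeros
# On the L009 (LAN 192.168.3.0/24, policy peer "hex"):
/ip route add dst-address=192.168.30.0/24 gateway=vlan3 comment="hEX LAN, matched by IPsec policy before leaving"

# On the hEX (LAN 192.168.30.0/24, policy peer "l009"):
/ip route add dst-address=192.168.3.0/24 gateway=vlan3 comment="L009 LAN, matched by IPsec policy before leaving"

# Checks, shown for the L009 side:
# 1. The route must be present and active; without it the packet is dropped
#    by routing and the policy is never consulted.
/ip route print where dst-address=192.168.30.0/24
# 2. ph2-state=established confirms the SA pair (this was already the case here).
/ip ipsec policy print detail
/ip ipsec installed-sa print
# 3. Router-originated ping: pin the source to the vlan3 address so the packet
#    matches src-address=192.168.3.0/24 of the policy (source is chosen after routing).
/ping 192.168.30.1 src-address=192.168.3.1 count=4
# 4. Transit traffic already carries its source address, so a ping from a PC on
#    192.168.3.0/24 to a PC on 192.168.30.0/24 needs no src-address override.
```

The LAN route only has to give the packet somewhere to go; once the policy matches and the packet is ESP-encapsulated, the ESP packet is routed again, to the peer on 192.168.100.0/31 via ether2.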

Well, thanks for the detailed response, and for explaining the source address situation. Indeed, the vlan3 gateway thing is one of the weirdest things I’ve ever gotten working in one shot :stuck_out_tongue:


Phase 2 comes up but traffic does not flow because there is no route matching the IPsec policy destinations. IPsec policies are checked only after routing, so packets never hit the policy. Add a route to 192.168.30.0/24 on the L009 and a route to 192.168.3.0/24 on the hEX, using vlan3 as the gateway so the source address matches the policy. After that, pings will pass.