IPsec not passing traffic

Hello, I've set up an IPsec tunnel between a MikroTik and a Checkpoint firewall.
I managed to establish phase 2, but I see no traffic on the tunnel. I went through some existing posts here on the forum, but none of the solutions actually worked for me.
My PH2 Total shows 1, and the state shows "established".
The downside of this application is that I can't debug the Checkpoint router, so I have only the MikroTik to play with.

Can someone help me figure out whether I need to create additional firewall rules or NAT rules?

Thanks!!

Here is my code:

# dec/04/2023 10:37:57 by RouterOS 6.49.8

/interface bridge
add comment=defconf name=bridge-LAN1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Wan name=pppoe-out1 use-peer-dns=yes user=Wxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=xxxxxxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add dh-group=modp768 enc-algorithm=3des hash-algorithm=md5 name=Castelvetro
/ip ipsec peer
add address=88.xx.xx.xxx/32 name=Castelvetro profile=Castelvetro
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des lifetime=1h name=PhCastelvetro pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.228.2-192.168.228.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-LAN1 name=dhcp1
/interface bridge port
add bridge=bridge-LAN1 comment=defconf interface=ether2
add bridge=bridge-LAN1 comment=defconf interface=ether3
add bridge=bridge-LAN1 comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-LAN1 list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
/ip address
add address=10.248.0.1/29 interface=ether5 network=10.248.0.0
add address=192.168.228.1/24 interface=bridge-LAN1 network=192.168.228.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-Wan
/ip dhcp-server network
add address=192.168.228.0/24 gateway=192.168.228.1
/ip firewall address-list
add address=83.xxx.xxx.74 list=DatabaseIpList
add address=192.168.1.0/24 list=DatabaseIpList
add address=10.30.146.128/25 list=DatabaseIpList
add address=83.xxx.xxx.64/27 list=SnmpIpList
add address=77.xxx.xxx.231 disabled=yes list=SnmpIpList
/ip firewall filter
add action=accept chain=input in-interface-list=WAN log=yes protocol=ipsec-esp
add action=drop chain=input dst-port=161 protocol=udp src-address-list=!SnmpIpList
add action=drop chain=input dst-port=50080,2222,18291 protocol=tcp src-address-list=!DatabaseIpList
add action=drop chain=input dst-port=53 in-interface-list=WAN log-prefix=DNS-WAN protocol=udp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.55.0/24 src-address=192.168.228.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
/ip ipsec identity
add peer=Castelvetro
/ip ipsec policy
add dst-address=192.168.55.0/24 peer=Castelvetro proposal=PhCastelvetro src-address=192.168.228.0/24 tunnel=yes
/snmp
set contact=database enabled=yes location=Ixxxxxx
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Ixxxxx
/system note
set note=Ixxxxxx
/system ntp client
set enabled=yes primary-ntp=193.204.114.105
/system scheduler
add disabled=yes interval=1s name=reboot-mt-on-demand on-event="/system scheduler disable reboot-mt-on-demand;\r\n/system reboot;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I would switch to the "Installed SAs" tab in the IPsec window and start pinging something in 192.168.55.0/24, specifying 192.168.228.1 as the source address for the ping. If the packet counter in the SA from your MikroTik to the Checkpoint increases once per second, i.e. per each ping request, but the SA for the opposite direction doesn't, the issue is most likely at the Checkpoint side (or the pinged device only responds to pings that come from the local subnet, which is the default setting of the Windows firewall). If the MikroTik->Checkpoint SA counts packets even if you don't run the ping, there is some "natural" traffic. And if it does not count even while you ping, there is an issue at the MikroTik side, but I cannot see anything in your configuration export that would explain that.

Your firewall is basically nonexistent (the default handling is accept, so only the three drop rules have an effect), and you did properly exempt the connections from 192.168.228.0/24 to 192.168.55.0/24 from src-nating, so the policy can match them.
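The counter check described in the reply, written as a RouterOS script so it can be repeated from a terminal instead of watching the Winbox tab. This is an added example and not code from the original post or the reply. It takes the peer address from the existing peer entry named Castelvetro in the export, and assumes the installed-sa entries expose a current-bytes counter and that 192.168.55.10 is a host behind the Checkpoint that answers pings from other subnets (REMOTE_HOST is a constructed value, replace it with a real one):

```routeros
# Added diagnostic script, not part of the original post. It sums the byte
# counters of the installed IPsec SAs in each direction, pings through the
# tunnel with the LAN address as source, sums again and reports which
# direction actually moved. Assumptions: peer entry "Castelvetro" exists
# (from the export), installed-sa has a current-bytes field, and
# 192.168.55.10 is a pingable host on the remote side (constructed value).
:local peerNet [/ip ipsec peer get [find name="Castelvetro"] address]
:local remoteHost 192.168.55.10
:local localSrc 192.168.228.1
:local pingCount 5

# Sum current-bytes over every SA in one direction. Outbound SAs carry the
# peer as dst-address, inbound SAs carry it as src-address.
:local saBytes do={
    :local total 0
    :foreach sa in=[/ip ipsec installed-sa find] do={
        :local addr [/ip ipsec installed-sa get $sa dst-address]
        :if ($dir = "in") do={ :set addr [/ip ipsec installed-sa get $sa src-address] }
        :if ($addr in $net) do={
            :set total ($total + [/ip ipsec installed-sa get $sa current-bytes])
        }
    }
    :return $total
}

:local outBefore [$saBytes dir="out" net=$peerNet]
:local inBefore  [$saBytes dir="in"  net=$peerNet]

# Ping from the LAN-side address so the request matches the policy
# 192.168.228.0/24 -> 192.168.55.0/24; /ping returns the number of replies.
:local replies [/ping $remoteHost src-address=$localSrc count=$pingCount interval=1s]

:local outDelta ([$saBytes dir="out" net=$peerNet] - $outBefore)
:local inDelta  ([$saBytes dir="in"  net=$peerNet] - $inBefore)

:put ("pings sent: $pingCount, replies received: $replies")
:put ("outbound SA bytes: +$outDelta, inbound SA bytes: +$inDelta")
:if ($outDelta = 0) do={
    :put "nothing was encrypted towards the peer: the policy did not match or the SA is unused, look at the MikroTik side"
} else={
    :if ($inDelta = 0) do={
        :put "requests left through the tunnel but nothing came back: look at the Checkpoint side or at the pinged host's own firewall"
    } else={
        :put "both SAs carry traffic: the tunnel itself works"
    }
}
```

Run it while no other hosts are talking through the tunnel, otherwise the "natural" traffic mentioned in the reply will inflate the outbound delta and hide a one-way problem; running it twice, once without the ping, separates the two cases.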
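As an added example of what the reply calls a firewall that is "basically nonexistent" versus one that actually filters, here is an input chain that keeps the IPsec peer reachable while closing everything else from the WAN. This is not configuration from the original post or the reply; PEER_PUBLIC_IP is a placeholder for the address obfuscated as 88.xx.xx.xxx in the export, and the LAN and WAN interface lists are the ones the export already defines:

```routeros
# Added example, not part of the original post or the reply. Explicit accepts
# followed by a final drop on the WAN, instead of the implicit accept that the
# export above relies on. PEER_PUBLIC_IP is a placeholder for the peer address.
# Apply from a Safe Mode session so a mistake does not lock you out over the WAN.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep established sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="management from the LAN"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500 src-address=PEER_PUBLIC_IP comment="IKE and NAT-T only from the IPsec peer"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp src-address=PEER_PUBLIC_IP comment="ESP only from the IPsec peer"
add chain=input action=accept protocol=icmp comment="ping for the tunnel diagnostics"
add chain=input action=drop in-interface-list=WAN comment="everything else from the WAN"
```

Rule order matters: the accepts for udp/500, udp/4500 and ESP must sit above the final WAN drop, or the peer can no longer negotiate and phase 2 never comes up. The forward chain is left at the implicit accept, exactly as in the export, so the tunnel traffic between 192.168.228.0/24 and 192.168.55.0/24 needs no extra forward rule; only the srcnat exemption already present in the export is required for the policy to match.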