IPSEC setup issue

I am rather new to Mikrotik but require any help I can get. I have 2 RB3011 with both on firmware 6.49.3.

I created the Site-to-site IPSEC and it is showing established; however, if I ping the opposite side router or network device, I see no reply or traffic.
Below is all the information I have seen requested on other posts, so I hope I've given enough to assist fault finding. If not, let me know and I will update.

Does anyone know what could possibly be wrong with the setup?

The settings are as follows.

Router 1
LAN IP = 192.168.1.0
WAN IP = 41.164.159.176/29

Router 2
LAN IP = 192.168.2.0
WAN IP = 154.117.170.12/30

IPSEC

Router 1

/ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

1 name="profile1" hash-algorithm=sha1 enc-algorithm=aes-256,3des
dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, B - backup,
X - disabled, D - dynamic, I - invalid, A - active, * - default

P TUN SRC-ADDRESS

0 T * ::/0
1 A I yes 192.168.1.0/24

/ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024

1 name="proposal1" auth-algorithms=sha1 enc-algorithms=aes-256-cbc
lifetime=12h pfs-group=modp1024

Router 2

/ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

1 name="profile1" hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024
lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
dpd-maximum-failures=5

/ip ipsec policy print
Flags: T - template, B - backup,
X - disabled, D - dynamic, I - invalid, A - active, * - default

P TUN SRC-ADDRESS

0 T * ::/0
1 A A yes 192.168.2.0/24

/ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024

1 name="proposal1" auth-algorithms=sha1 enc-algorithms=aes-256-cbc
lifetime=12h pfs-group=modp1024

FIREWALL - NAT

Router 1

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24
dst-address=192.168.2.0/24 log=no log-prefix=""

1 chain=srcnat action=accept src-address=41.164.159.176/29
dst-address=154.117.170.12/30 log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=1194
protocol=tcp dst-port=1194

3 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none

Router 2

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.2.0/24
dst-address=192.168.1.0/24 log=no log-prefix=""

1 chain=srcnat action=accept src-address=154.117.170.12/30
dst-address=41.164.159.176/29 log=no log-prefix=""

2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN
ipsec-policy=out,none

If you are in “established” state everything is just fine in terms of IPsec.
What you may have overlooked is the fact that when using the Ping tool on the MT itself, you must provide a source IP address from your local network. Otherwise the MT uses its WAN port address and the ping over the VPN tunnel will of course fail!
So in the Ping tool, click on “Advanced” and set the source address to your local MT LAN address, and as the destination type in the remote MT LAN address.
With that done your VPN should work like a charm! :wink:
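
The source-address point in the reply above, as an added example that is not part of the original posts: a small Python model of how Router 1 treats a ping to the remote LAN depending on the source address. Assumptions: the policy's dst-address (cut off in the posted print-out) is 192.168.2.0/24, and the host addresses 41.164.159.178 and 192.168.2.1 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Selectors of Router 1's IPsec policy. src-address is from the post; the
# dst-address column is cut off in the print-out, so this value is assumed.
POLICY_SRC = ip_network("192.168.1.0/24")
POLICY_DST = ip_network("192.168.2.0/24")    # assumed

# Constructed host addresses for illustration.
ROUTER1_LAN = ip_address("192.168.1.1")
ROUTER1_WAN = ip_address("41.164.159.178")   # assumed host inside the posted /29
REMOTE_LAN_HOST = ip_address("192.168.2.1")  # assumed


def matches_policy(src, dst):
    """True when both addresses fall inside the policy selectors."""
    return src in POLICY_SRC and dst in POLICY_DST


def srcnat(src, dst):
    """Simplified model of Router 1's srcnat chain for traffic leaving via WAN.

    Rule 0 (action=accept, LAN to remote LAN) keeps the source untouched.
    Anything else reaches the defconf masquerade rule, which only applies to
    packets matching no IPsec policy (ipsec-policy=out,none)."""
    if src in POLICY_SRC and dst in POLICY_DST:
        return src
    return ROUTER1_WAN


def fate(src, dst):
    """Return 'ipsec' if the packet is encrypted into the tunnel, else 'plain'."""
    return "ipsec" if matches_policy(srcnat(src, dst), dst) else "plain"


if __name__ == "__main__":
    cases = (("default source (WAN)", ROUTER1_WAN),
             ("source set to LAN", ROUTER1_LAN))
    for label, src in cases:
        result = fate(src, REMOTE_LAN_HOST)
        print(f"{label:22} {src} -> {REMOTE_LAN_HOST}: {result}")
```

A ping sourced from the WAN address never matches the policy selectors, so it leaves unencrypted and gets no reply even though the tunnel shows as established.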