IPSec site to site - can ping but no other traffic flows

Hello All -

I have followed Greg Sowell’s excellent tutorial and video, and have set up a site to site IPsec tunnel between two RB915G-2HnD routers. Each is running RouterOS 6.34.3.

I can ping routers and inside hosts on the other network from either side, but that is all I can do. For example…

Private Network 1
192.168.88.0/24
GW = .1
Laptop = .254

Private Network 2
192.168.253.0/24
GW = .1
Laptop = .122
Server = .2
.. etc.

From laptop at .253.122 I can ping 88.1 and 88.254. I can also open RDP connection to server at .253.2, so I know the server is listening OK on the RDP port. Can also open a web page on 253.2.

From laptop .88.254 I can ping 253.1, 253.2, 253.122, etc. I cannot open an RDP connection to .253.2 - I get a message back from RDP client saying “An internal error has occurred”. When I try to open the web page on .253.2 the browser reports a timeout. I haven’t tested RDP from the .253.0 network to the .88.0 network as there are no hosts set up to listen on RDP in the .88.0 network.

The fact that pings make it back and forth tells me that the connection is establishing itself and that IPv4 routing is set up correctly (I think …).

The fact that ICMP ping packets make it back & forth but RDP and HTTP do not tells me that I have a firewall configuration problem (I think ..).

Both routers have the “Home AP” default firewall rules in place, with the following additions

NAT bypass required for IPsec is in place on each router, as shown below from the .88.1 router
chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.253.0/24 log=no log-prefix=""

IPsec specific rules are below
;;; IPSec AH
chain=input action=accept protocol=ipsec-ah log=no log-prefix=""
;;; IPSec ESP 1
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
;;; IP Sec ESP 2
chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
;;; IPSec ESP 3
chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""

In order to route private LAN traffic back and forth I have placed a rule at the top of the filter list - on the .88.1 router it looks like this

chain=forward action=accept src-address=192.168.253.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""

There is a similar rule on the .253.1 router with the addresses reversed.

I’ve been banging my head against this for a while but am not making any progress - can anyone tell me what I am missing?

Thanks,
Dave

What if you try

Site1:

chain=forward action=accept src-address=192.168.253.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""

chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.253.0/24 log=no log-prefix=""

Site2:

chain=forward action=accept src-address=192.168.253.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""

chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.253.0/24 log=no log-prefix=""

If still no luck, just for test disable all drop rules for forward chain and then add the proper accept rules
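The point of this reply (accept rules for both directions on both routers, placed above any drop rule) can be illustrated with a small first-match model of a stateful forward chain. This is an added example, not code from the thread or from RouterOS: it assumes a simplified chain (accept established traffic, then the explicit site-to-site accepts, then drop everything else) rather than the full "Home AP" default rule set, and the router names, sample hosts and helper functions are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LAN1 = "192.168.88.0/24"    # Private Network 1 from the thread
LAN2 = "192.168.253.0/24"   # Private Network 2 from the thread


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field means 'match anything' for that criterion."""
    action: str                   # "accept" or "drop"
    src: Optional[str] = None     # source CIDR
    dst: Optional[str] = None     # destination CIDR
    state: Optional[str] = None   # connection-tracking state: "new" or "established"

    def matches(self, src: str, dst: str, state: str) -> bool:
        if self.src and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.state and self.state != state:
            return False
        return True


def verdict(chain: List[Rule], src: str, dst: str, state: str) -> str:
    """First matching rule wins; a chain with no matching rule accepts (RouterOS behaviour)."""
    for rule in chain:
        if rule.matches(src, dst, state):
            return rule.action
    return "accept"


def path_for(src: str) -> List[str]:
    """Order in which the two routers see a packet leaving the given source LAN (assumed)."""
    if ip_address(src) in ip_network(LAN1):
        return ["router .88.1", "router .253.1"]
    return ["router .253.1", "router .88.1"]


def trace_connection(config: Dict[str, List[Rule]], src: str, dst: str) -> Tuple[bool, str]:
    """Simulate one TCP connection such as RDP or HTTP.

    The first packet (state "new") must pass the forward chain of every router on the
    path; the reply ("established") travels back through them in reverse order.
    Returns (allowed, reason) so the caller sees which router dropped the traffic.
    """
    path = path_for(src)
    for name in path:
        if verdict(config[name], src, dst, "new") == "drop":
            return False, f"first packet dropped by {name}"
    for name in reversed(path):
        if verdict(config[name], dst, src, "established") == "drop":
            return False, f"reply dropped by {name}"
    return True, "connection allowed"


ACCEPT_ESTABLISHED = Rule("accept", state="established")
DROP_ALL = Rule("drop")   # stands in for the default drop rules at the end of the chain


def one_way(src_lan: str, dst_lan: str) -> List[Rule]:
    """The original setup: a single accept rule, one direction only, above the drop."""
    return [ACCEPT_ESTABLISHED, Rule("accept", src=src_lan, dst=dst_lan), DROP_ALL]


def two_way() -> List[Rule]:
    """The suggested fix: accept both directions on the same router, above the drop."""
    return [ACCEPT_ESTABLISHED,
            Rule("accept", src=LAN2, dst=LAN1),
            Rule("accept", src=LAN1, dst=LAN2),
            DROP_ALL]


def misordered() -> List[Rule]:
    """Both accepts present but placed after the drop: first match wins, so they never fire."""
    return [ACCEPT_ESTABLISHED, DROP_ALL,
            Rule("accept", src=LAN2, dst=LAN1),
            Rule("accept", src=LAN1, dst=LAN2)]


# Constructed configurations: the thread's original rules, the reply's fix, and a wrong ordering.
ORIGINAL = {"router .88.1": one_way(LAN2, LAN1), "router .253.1": one_way(LAN1, LAN2)}
FIXED = {"router .88.1": two_way(), "router .253.1": two_way()}
MISORDERED = {"router .88.1": misordered(), "router .253.1": misordered()}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(label, "88.254 -> 253.2:", trace_connection(cfg, "192.168.88.254", "192.168.253.2"))
        print(label, "253.122 -> 88.254:", trace_connection(cfg, "192.168.253.122", "192.168.88.254"))
```

Running it shows the first packet of an RDP or HTTP session being dropped by the router nearest the client under the one-direction configuration, both directions succeeding once each router accepts both LAN pairs, and the same rules doing nothing when they sit below the drop rule. The trace names the dropping router, which is the check to do before disabling drop rules wholesale as the reply suggests for testing.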

sigh

Yep, that did it. Now that you pointed it out it seems very obvious..

Thanks(!)