IPsec site-to-site works in only one direction

Hi,

I’ve recently set up a site-to-site IPsec connection on MikroTik.
Peers are established and policies are ok.
From location A->B it works OK, but from location B->A it doesn’t work.
Any idea what I’ve done wrong? I’m out of ideas.
There is also another site-to-site IPsec tunnel to location C, from A->C and B->C, and it works.


Site A

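# Site A export (LAN 192.168.59.0/24). Secrets, MACs and public addresses are masked.
# The tunnel to Site B is the *-kusocinski peer/profile/proposal/policy set; the
# tunnel to Site C is the *-golkowice set. Review notes are '#' comment lines.
/interface bridge
add admin-mac=xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
# Neither group has a template policy in this export, so generate-policy on an
# identity cannot create a policy from them - see the identity section.
add name=groupgolkowice
add name=groupkusocinski
/ip ipsec profile
# Phase 1: IKEv2 with AES-256 / SHA-256 / DH group 14 (modp2048), one profile per peer.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=faza-1-golkowice
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=faza-1-kusocinski
/ip ipsec peer
add address=xx.xx.xx exchange-mode=ike2 name=peer-kusocinski profile=faza-1-kusocinski
add address=xx.xx.xx exchange-mode=ike2 name=peer-golkowice profile=faza-1-golkowice
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-256 with PFS (modp2048). Only the golkowice proposal
# sets an explicit lifetime (1h); the kusocinski one keeps the RouterOS default.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=faza2-golkowice pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=faza2-kusocinski pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.59.10-192.168.59.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=l2tp-pool ranges=172.16.0.30-172.16.0.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# L2TP clients of this profile are bridged into the LAN (bridge=bridge) and are
# assigned addresses from the 'dhcp' pool; the router side draws from l2tp-pool.
add bridge=bridge change-tcp-mss=yes dns-server=8.8.8.8 local-address=l2tp-pool name=profile-vpn-l2tp-turystyczna remote-address=dhcp use-encryption=yes
# *FFFFFFFE is the export's id for the built-in default-encryption profile.
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.59.1 remote-address=l2tp-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# IPsec is mandatory for L2TP clients and only MS-CHAPv2 is offered.
set authentication=mschap2 default-profile=profile-vpn-l2tp-turystyczna enabled=yes ipsec-secret="*********" use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
# Not enabled in this export (no enabled=yes), yet the input chain below still
# accepts TCP/443 for it.
set default-profile=default-encryption
/ip address
add address=192.168.59.1/24 comment=defconf interface=bridge network=192.168.59.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.59.252 client-id=xx:xx:xx comment=SERWER mac-address=xx:xx:xx server=defconf
add address=192.168.59.243 comment=RDP mac-address=xx:xx:xx
/ip dhcp-server network
add address=192.168.59.0/24 comment=defconf gateway=192.168.59.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.59.1 comment=defconf name=router.lan
/ip firewall filter
# Disabled: would accept any input from the l2tp-pool range to the LAN range.
add action=accept chain=input disabled=yes dst-address=192.168.59.0/24 src-address=172.16.0.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# IKE (UDP/500) and NAT-T (UDP/4500) must be reachable from any peer address.
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input in-interface=bridge protocol=gre
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# No pptp-server section appears in this export and the SSTP server is not
# enabled; if those services are unused, remove these two accepts rather than
# leave router ports open towards the WAN.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# These two must stay above the fasttrack rule: fasttracked packets bypass the
# IPsec policy lookup, so tunnel traffic has to be accepted before it.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Decrypted tunnel traffic arrives with in-interface=ether1 (WAN); it passes only
# because the ipsec-policy=in,ipsec accept above matches first.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
# Fixed: src-address-list / dst-address-list take the NAME of an
# /ip firewall address-list entry, and no address lists exist in this export,
# so the original four rules using them matched nothing. They are replaced by
# one pair of plain address matchers (the exact duplicates are dropped), in the
# same form as the 192.168.0.0/24 pair below.
add action=accept chain=srcnat dst-address=192.168.55.0/24 src-address=192.168.59.0/24
add action=accept chain=srcnat dst-address=192.168.59.0/24 src-address=192.168.55.0/24
add action=accept chain=srcnat dst-address=192.168.59.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.59.0/24
# ipsec-policy=out,none already keeps tunnel traffic out of masquerade, so the
# accept rules above are a second safeguard rather than a requirement.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall raw
# Same address-list fix as in the NAT chain. With no other raw rules these
# accepts change nothing; they are kept as plain address matchers.
add action=accept chain=prerouting dst-address=192.168.59.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.55.0/24 src-address=192.168.59.0/24
/ip ipsec identity
# Pre-shared keys only. generate-policy=port-strict on the kusocinski identity
# points at groupkusocinski, which has no template policy in this export, so no
# policy can be generated from it; the static policy below carries the tunnel.
# The golkowice identity (the tunnel the poster reports as working) does not set
# generate-policy; dropping it here too would make the two identities
# consistent - verify on the live router before changing.
add peer=peer-golkowice policy-template-group=groupgolkowice secret="**************************"
add generate-policy=port-strict peer=peer-kusocinski policy-template-group=groupkusocinski secret=**********************
/ip ipsec policy
# Static tunnel policies. The kusocinski policy mirrors Site B's
# 192.168.55.0/24 -> 192.168.59.0/24 policy exactly, so the traffic selectors are
# symmetric; nothing in this export makes the tunnel one-directional. Whether
# hosts in 192.168.59.0/24 themselves accept connections from 192.168.55.0/24
# (host firewalls) cannot be seen here and is worth checking for the B->A failure.
add dst-address=192.168.0.0/24 peer=peer-golkowice proposal=faza2-golkowice src-address=192.168.59.0/24 tunnel=yes
add dst-address=192.168.55.0/24 peer=peer-kusocinski proposal=faza2-kusocinski src-address=192.168.59.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=172.16.0.0/24 gateway=bridge pref-src=172.16.0.1
/ppp secret
# Passwords are masked in the export. The first account has no service
# restriction and uses the default-encryption profile.
add name=vpn password=********************** profile=default-encryption
add name=turystyczna-l2tp password="*****************" profile=profile-vpn-l2tp-turystyczna service=l2tp
add disabled=yes name=turystyczna-renia password="**************" profile=profile-vpn-l2tp-turystyczna service=l2tp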

Site B

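# Site B export (LAN 192.168.55.0/24). Secrets, MACs and public addresses are masked.
# The tunnel to Site A is the *-turystyczna peer/profile/proposal/policy set; the
# tunnel to Site C is the *-golkowice set. Review notes are '#' comment lines.
/interface bridge
add admin-mac=xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
# None of these groups has a template policy in this export - see the identity section.
add name=groupgolkowice
add name=groupmarusarzowny
add name=grouppomorska
add name=groupturystyczna
/ip ipsec profile
# Phase 1: IKEv2 with AES-256 / SHA-256 / DH group 14 (modp2048), one profile per peer.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=faza1-golkowice
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=faza1-marusarzowny
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=faza1-pomorska
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=faza1-turystyczna
/ip ipsec peer
add address=x.x.x.x. exchange-mode=ike2 name=peer-pomorska profile=faza1-pomorska
add address=x.x.x.x exchange-mode=ike2 name=peer-golkowice profile=faza1-golkowice
add address=x.x.x.x exchange-mode=ike2 name=peer-marusarzowny profile=faza1-marusarzowny
add address=x.x.x.x exchange-mode=ike2 name=peer-turystyczna profile=faza1-turystyczna
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-256 with PFS (modp2048), default lifetime.
# 'faza2-pomorka' is presumably a typo for 'faza2-pomorska'; it is referenced
# consistently in the policy section, so the name is left unchanged.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=faza2-golkowice pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=faza2-marusarzowny pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=faza2-pomorka pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=faza2-turystyczna pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.55.10-192.168.55.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# *FFFFFFFE is the export's id for the built-in default-encryption profile.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# use-ipsec=yes makes IPsec optional for L2TP clients and no ipsec-secret is set
# (compare Site A: use-ipsec=required with a secret). If L2TP/IPsec clients are
# expected here, set a secret and consider use-ipsec=required; if L2TP is not
# used at this site, enabled=no removes the exposure. Verify before changing.
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
# The LAN gateway address sits on ether2, which is also a bridge port, whereas
# Site A (and the DHCP server here, bound to 'bridge') use the bridge itself.
# interface=bridge is the conventional layout; confirm on the live router before
# changing, since this is the LAN gateway address.
add address=192.168.55.1/24 comment=defconf interface=ether2 network=192.168.55.0
add address=192.168.3.150 disabled=yes interface=ether1 network=192.168.3.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.55.254 client-id=1:xx:xxx:xx mac-address=xx:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.55.0/24 comment=defconf gateway=192.168.55.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.55.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# IKE (UDP/500) and NAT-T (UDP/4500) must be reachable from any peer address.
# UDP/1701 was also listed on this rule; the "allow l2tp" rule below already
# accepts it, so the duplicate port was removed (same packets, same verdict).
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# No pptp-server section appears in this export; if PPTP is unused, remove this
# accept rather than leave TCP/1723 open towards the WAN.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# These two must stay above the fasttrack rule: fasttracked packets bypass the
# IPsec policy lookup, so tunnel traffic has to be accepted before it.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Decrypted tunnel traffic arrives with in-interface=ether1 (WAN); it passes only
# because the ipsec-policy=in,ipsec accept above matches first.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall mangle
# Marks decrypted tunnel connections as 'ipsec'. Nothing else in this export
# references connection-mark=ipsec, so the mark is currently unused.
add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall nat
# Fixed: two rules here used src-address-list / dst-address-list, which take the
# NAME of an /ip firewall address-list entry (none exist in this export), and
# one of them also carried the typo 192.168.55.024. Both matched nothing and,
# once corrected, duplicated the two plain address matchers that follow, so
# they were removed.
add action=accept chain=srcnat dst-address=192.168.59.0/24 src-address=192.168.55.0/24
add action=accept chain=srcnat dst-address=192.168.55.0/24 src-address=192.168.59.0/24
# ipsec-policy=out,none already keeps tunnel traffic out of masquerade, so the
# accept rules above are a second safeguard rather than a requirement.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall raw
# Same address-list fix as in the NAT chain. With no other raw rules these
# accepts change nothing; they are kept as plain address matchers.
add action=accept chain=prerouting dst-address=192.168.55.0/24 src-address=192.168.59.0/24
add action=accept chain=prerouting dst-address=192.168.59.0/24 src-address=192.168.55.0/24
/ip ipsec identity
# Pre-shared keys only. Every identity sets generate-policy=port-strict, but the
# named template groups have no template policy in this export (marusarzowny and
# pomorska name no group and so use the default one, whose built-in template is
# not shown in exports). The static policies below carry every tunnel, so
# generate-policy=none would describe the setup more honestly - verify on the
# live router before changing.
add generate-policy=port-strict peer=peer-golkowice policy-template-group=groupgolkowice secret=*********************
add generate-policy=port-strict peer=peer-marusarzowny secret=************************
add generate-policy=port-strict peer=peer-pomorska secret=*********************
add generate-policy=port-strict peer=peer-turystyczna policy-template-group=groupturystyczna secret=***********************
/ip ipsec policy
# Static tunnel policies. Fixed: the marusarzowny policy referenced
# proposal=faza2-golkowice although faza2-marusarzowny is defined with identical
# parameters and was otherwise unused; it now uses its own proposal, which
# leaves the negotiated algorithms unchanged. The turystyczna policy mirrors
# Site A's 192.168.59.0/24 -> 192.168.55.0/24 policy exactly.
add dst-address=192.168.0.0/24 peer=peer-golkowice proposal=faza2-golkowice src-address=192.168.55.0/24 tunnel=yes
add dst-address=192.168.1.0/24 peer=peer-marusarzowny proposal=faza2-marusarzowny src-address=192.168.55.0/24 tunnel=yes
add dst-address=192.168.88.0/24 peer=peer-pomorska proposal=faza2-pomorka src-address=192.168.55.0/24 tunnel=yes
add dst-address=192.168.59.0/24 peer=peer-turystyczna proposal=faza2-turystyczna src-address=192.168.55.0/24 tunnel=yes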