IPSec Site-to-Site Tunnel - Cannot ping router other side

Hi guys,

I have set up an IPSec site-to-site tunnel between a Mikrotik RB951G-2HnD and a Ubiquiti EdgeRouter Lite at two sites:

Site 1: EdgeRouter Lite

WAN: 1.1.1.1
LAN: 172.16.1.0/24

Site 2: RB951G

WAN: 2.2.2.2
LAN: 172.17.1.0/24

On the RB951G, I followed the guide on Mikrotik wiki:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel

Basically, on the EdgeRouter Lite, I then mirrored the settings from the RB951G and was able to establish tunnel connectivity between the two sites. NAT bypass and firewall rules have been set up to allow this connectivity.

However, there is a strange behaviour. From Site 1 (EdgeRouter Lite) 172.16.1.0/24, I am unable to ping/connect to the RB951G at 172.17.1.1. But connecting from the same site (Site 1) to any other computer on the 172.17.1.0/24 network (Site 2) works fine.

From Site 2 (RB951G), I can ping/connect to any device in Site 1, including the EdgeRouter Lite at 172.16.1.1, except for the RB951G itself (172.17.1.1).

I keep seeing these lines in the log of the RB951G:

DROP input: in: pppoe-1 out:(none) proto TCP (SYN), 172.16.1.101:58629->172.17.1.1:80, len 48

On the RB951G, I have a firewall rule to permit such communications, but somehow it's not working:

/ip firewall filter
add chain=input comment=IPSec dst-port=500 in-interface=pppoe-1 protocol=udp
add chain=input in-interface=pppoe-1 protocol=ipsec-esp
add chain=input in-interface=pppoe-1 protocol=ipsec-ah
add chain=forward comment="IPSec - UK" dst-address=172.17.0.0/16 in-interface=pppoe-1 src-address=172.16.0.0/16
add chain=input dst-address=172.17.1.1 in-interface=pppoe-1 src-address=172.16.0.0/24

NAT Rules on the RB951G:

/ip firewall nat
add chain=srcnat comment="NAT Bypass - UK" dst-address=172.16.0.0/16 src-address=172.17.0.0/16
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-1

Any help would be greatly appreciated. Many thanks in advance.
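The logged drop can be replayed against the posted input-chain rules to see which field each rule fails on. The script below is an added example, not code from the original post or from MikroTik: it transcribes the four input rules from the post into dicts, parses the quoted log line with a regex that assumes the RouterOS log format shown in the post, and reports the first accepting rule. The protocol-name aliases and the assumption that RouterOS omits `action=accept` from exports are mine. Running it shows that the logged source 172.16.1.101 lies outside the last rule's `src-address=172.16.0.0/24` (which only covers 172.16.0.0-172.16.0.255), so no listed input rule accepts the decrypted packet and it falls through to whatever drop rule produced the log line; the forward rule uses 172.16.0.0/16, which is why hosts behind the RB951G stay reachable while the router itself does not.

```python
"""Replay the RB951G's logged drop against the posted input-chain rules.

Added example, not from the original post or from MikroTik. The rules are
transcribed from the post; the matcher covers only the rule fields that
appear there (chain, in-interface, protocol, dst-port, src/dst address).
"""
import ipaddress
import re

# The input-chain rules from the post, in order. RouterOS omits action=accept
# from exports (assumed here), so each of these is an accept rule.
INPUT_RULES = [
    {"chain": "input", "in_interface": "pppoe-1", "protocol": "udp", "dst_port": 500},
    {"chain": "input", "in_interface": "pppoe-1", "protocol": "ipsec-esp"},
    {"chain": "input", "in_interface": "pppoe-1", "protocol": "ipsec-ah"},
    {"chain": "input", "in_interface": "pppoe-1",
     "src_address": "172.16.0.0/24", "dst_address": "172.17.1.1"},
]

# The log line quoted in the post.
LOG_LINE = ("DROP input: in: pppoe-1 out:(none) proto TCP (SYN), "
            "172.16.1.101:58629->172.17.1.1:80, len 48")

# Assumed shape of RouterOS firewall log lines; it matches the one in the post.
LOG_RE = re.compile(
    r"(?P<prefix>\S+)\s+(?P<chain>\w+):\s+in:\s*(?P<in_if>\S+)\s+"
    r"out:\s*\(?(?P<out_if>[^)\s]+)\)?\s+proto\s+(?P<proto>\w+)"
    r"(?:\s+\([^)]*\))?,\s+(?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+),\s+len\s+(?P<length>\d+)"
)

# Protocol names as spelled in rules vs. in log lines (assumed mapping).
PROTO_ALIASES = {"tcp": "tcp", "udp": "udp", "esp": "ipsec-esp", "ah": "ipsec-ah",
                 "ipsec-esp": "ipsec-esp", "ipsec-ah": "ipsec-ah"}


def parse_log_line(line):
    """Turn one RouterOS firewall log line into a packet dict."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    proto = m.group("proto").lower()
    return {
        "chain": m.group("chain"),
        "in_interface": m.group("in_if"),
        "protocol": PROTO_ALIASES.get(proto, proto),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "src_port": int(m.group("sport")),
        "dst_port": int(m.group("dport")),
    }


def mismatches(rule, pkt):
    """Return the rule fields this packet fails to satisfy (empty list = match).

    An address with no prefix length (dst-address=172.17.1.1) is treated as a
    /32, which is how RouterOS treats it as well.
    """
    failed = []
    for key in ("chain", "in_interface", "protocol"):
        if key in rule and rule[key] != pkt[key]:
            failed.append("%s: %s != %s" % (key, pkt[key], rule[key]))
    if "dst_port" in rule and rule["dst_port"] != pkt["dst_port"]:
        failed.append("dst_port: %d != %d" % (pkt["dst_port"], rule["dst_port"]))
    for key, field in (("src_address", "src"), ("dst_address", "dst")):
        if key in rule:
            net = ipaddress.ip_network(rule[key], strict=False)
            if pkt[field] not in net:
                failed.append("%s: %s not in %s" % (key, pkt[field], net))
    return failed


def first_match(rules, pkt):
    """Index of the first rule that accepts the packet, or None if it falls through."""
    for i, rule in enumerate(rules):
        if not mismatches(rule, pkt):
            return i
    return None


if __name__ == "__main__":
    pkt = parse_log_line(LOG_LINE)
    print("posted rules: first accepting rule =", first_match(INPUT_RULES, pkt))
    for i, rule in enumerate(INPUT_RULES):
        print("  rule %d fails on: %s" % (i, mismatches(rule, pkt)))
    # The same rules with the last src-address widened to cover 172.16.1.0/24.
    widened = [dict(r) for r in INPUT_RULES]
    widened[3]["src_address"] = "172.16.0.0/16"
    print("widened src-address: first accepting rule =", first_match(widened, pkt))
```

The matcher only knows the fields that appear in the posted rules, so any rule using other matchers (connection state, address lists, IPsec policy matching) would need extending before this is reused on a different rule set.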