IPSec Site-to-Site VPN Established - No NAT

Hi,

I’m trying to set up an IPSec tunnel between two RB2011L-RM. The tunnel is established, I have a SRCNAT entry in /ip firewall nat (at position 0) but I can’t ping either way.

Unit A

/ip ipsec peer
add address=222.222.222.222/32 port=500 auth-method=pre-shared-key secret="test"

/ip ipsec policy
add src-address=10.13.0.0/24 src-port=any dst-address=192.168.254.0/24 dst-port=any sa-src-address=111.111.111.111 sa-dst-address=222.222.222.222 tunnel=yes action=encrypt proposal=default

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.13.0.0/24 dst-address=192.168.254.0/24

Unit B

/ip ipsec peer
add address=111.111.111.111/32 port=500 auth-method=pre-shared-key secret="test"

/ip ipsec policy
add src-address=192.168.254.0/24 src-port=any dst-address=10.13.0.0/24 dst-port=any sa-src-address=222.222.222.222 sa-dst-address=111.111.111.111 tunnel=yes action=encrypt proposal=default

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.254.0/24 dst-address=10.13.0.0/24

Doing a traceroute from either unit to the subnet on the other side reveals it tries to go through the ISP’s gateway. Not sure if that’s what it should report but it obviously times out right away.

Any help would be greatly appreciated!

Thanks!
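An added check, not part of the thread or of RouterOS, that does the same sanity pass a reader would do on the two configs above: it parses RouterOS-style export text (constructed here to mirror the poster's two units, with the NAT rules in their effective order after place-before=0) and verifies that the policies mirror each other and that LAN-to-remote-LAN traffic hits the accept rule before the usual masquerade, so its source address still matches the IPsec policy. The masquerade rule, interface name and the 198.51.100.1 Internet address are assumptions.

```python
import ipaddress
import re
# Constructed RouterOS-style export mirroring the post's two units; NAT rules listed in effective order.
UNIT_A = """
/ip ipsec policy
add src-address=10.13.0.0/24 dst-address=192.168.254.0/24 sa-src-address=111.111.111.111 sa-dst-address=222.222.222.222 tunnel=yes action=encrypt
/ip firewall nat
add chain=srcnat action=accept src-address=10.13.0.0/24 dst-address=192.168.254.0/24
add chain=srcnat action=masquerade out-interface=ether1
"""
UNIT_B = """
/ip ipsec policy
add src-address=192.168.254.0/24 dst-address=10.13.0.0/24 sa-src-address=222.222.222.222 sa-dst-address=111.111.111.111 tunnel=yes action=encrypt
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.254.0/24 dst-address=10.13.0.0/24
add chain=srcnat action=masquerade out-interface=ether1
"""

def parse_export(text):
    """Map each menu path ('/ip ipsec policy', ...) to its 'add' lines as key=value dicts."""
    menu, result = None, {}
    for line in text.strip().splitlines():
        if line.startswith("/"):
            menu = line.strip()
            result.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            result[menu].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return result

def first_srcnat_action(nat_rules, src_ip, dst_ip):
    """Action of the first srcnat rule matching src->dst; an absent address field matches anything."""
    wanted = {"src-address": ipaddress.ip_address(src_ip), "dst-address": ipaddress.ip_address(dst_ip)}
    for rule in nat_rules:
        if rule.get("chain") == "srcnat" and all(
                ip in ipaddress.ip_network(rule[k]) for k, ip in wanted.items() if k in rule):
            return rule["action"]
    return "none"  # nothing matched: the packet keeps its original source address

def policies_mirror(pol_a, pol_b):
    """True when each side's src/dst and sa-src/sa-dst are the other's, swapped, both in tunnel mode."""
    swapped = [("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")]
    return all(pol_a.get(x) == pol_b.get(y) and pol_a.get(y) == pol_b.get(x) for x, y in swapped) \
        and pol_a.get("tunnel") == pol_b.get("tunnel") == "yes"

def check_site(local, remote):
    """(policies mirror?, NAT action for LAN->remote LAN, NAT action for LAN->Internet)."""
    pol, nat = local["/ip ipsec policy"][0], local["/ip firewall nat"]
    lan, far = (str(next(ipaddress.ip_network(pol[k]).hosts())) for k in ("src-address", "dst-address"))
    return (policies_mirror(pol, remote["/ip ipsec policy"][0]),
            first_srcnat_action(nat, lan, far), first_srcnat_action(nat, lan, "198.51.100.1"))
```

Reversing the NAT list (masquerade first) makes the tunnel traffic come back as "masquerade", which is exactly the case where the IPsec policy never sees the LAN source address.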

Have you tried pinging from clients?
On routers you need to specify the local LAN interface to test the tunnel. Tools - Ping - Interface..

From a quick glance at your setup the IPSEC tunnel should work..

Thanks for your reply huntah!

I was just about to reply and close this thread. I’ve wasted a whole day on this issue and it ended up being a routing issue at one of the ISPs. I realized I couldn’t even ping the WAN IP from either side, even with all IPSEC disabled.

So they’re working on that. Hopefully everything will get back to normal once they figure out the routing problem.

Thanks again!