IPSec site to site VPN problems

Hi guys,

I’m having an odd problem. I’ve set up 2 site-to-site VPNs, my mtik to a draytek and another from my mtik to an edgerouter (if it were my choice I’d have mtik everywhere!), which are both working fine from both ends. If I try to ping either of the remote networks (router IPs) from the mtik directly, it times out, yet if I do it from my LAN network it works fine! I seem to be able to ping the mtik LAN IP from the remote routers too. Everything is set up properly as I think it should be, including the NAT rule accepting traffic to the remote range. Likewise I’ve tried disabling all my drop rules in my firewall and it seems to make no difference. I’ve remotely PPTPd in to my mtik today and it seems it won’t let me access either of the IPSec’d networks through the PPTP, which is rather annoying. I’ve tried adding routes, but seeing as there is no interface for the IPSec, I’m a bit at a loss.

Does anyone have any suggestions for what I should add/change/check to make this work?

Thanks in advance :slight_smile:

Chris

If you have a simple policy with local and remote LAN subnets, then when pinging from the router itself you need to specify src-address=<router’s LAN address>; otherwise it will choose the wrong source address and IPSec won’t take it.

The same happens for VPN clients if they use addresses other than from the LAN range. You can either add more policies to cover all required address ranges, or you can create an IPIP/EoIP/GRE tunnel between routers and secure it with transport mode IPSec instead of the current tunnel mode. The tunnel will then be a normal interface able to transport any address.
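To make the advice above concrete, here is an added RouterOS configuration example (not taken from the thread or from either poster). It assumes a v6-style CLI, a local LAN of 192.168.1.0/24 with the MikroTik at 192.168.1.1, a remote LAN of 192.168.2.0/24 behind the EdgeRouter, public addresses 203.0.113.1 (MikroTik) and 198.51.100.1 (EdgeRouter), a PPTP pool of 192.168.89.0/24, and an existing, working /ip ipsec peer entry for 198.51.100.1. All of these addresses and names are placeholders.

```routeros
# 1. Ping from the router itself with a LAN source address so the
#    packet matches the existing policy selector (the default source
#    would be the WAN address, which no policy covers).
/ping 192.168.2.1 src-address=192.168.1.1

# Confirm the policy is actually installed and has a phase-2 SA.
/ip ipsec policy print
/ip ipsec installed-sa print

# 2a. Option A: extra tunnel-mode policy so PPTP clients (assumed pool
#     192.168.89.0/24) are also carried to the remote LAN. The remote
#     router needs the mirror-image policy (src 192.168.2.0/24,
#     dst 192.168.89.0/24) or these packets are dropped on arrival.
/ip ipsec policy add src-address=192.168.89.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt proposal=default

# The PPTP pool must also bypass masquerade, like the LAN range already
# does; the accept rule has to sit above the masquerade rule.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.89.0/24 dst-address=192.168.2.0/24 place-before=0

# 2b. Option B: a GRE interface protected by transport-mode IPsec. Any
#     address can then be routed over it, so no per-subnet policies are
#     needed (the EdgeRouter needs the matching GRE + transport-mode
#     configuration on its side).
/interface gre add name=gre-edge local-address=203.0.113.1 \
    remote-address=198.51.100.1
/ip address add address=10.255.0.1/30 interface=gre-edge

# Transport-mode policy that covers only the GRE traffic between the two
# public addresses (replaces the old tunnel-mode LAN-to-LAN policy).
/ip ipsec policy add src-address=203.0.113.1/32 dst-address=198.51.100.1/32 \
    protocol=gre tunnel=no action=encrypt proposal=default

# Ordinary routes over the GRE interface now carry LAN, PPTP and
# router-originated traffic alike.
/ip route add dst-address=192.168.2.0/24 gateway=gre-edge
```

Pick one of the two options, not both: with Option B the GRE interface is the route to the remote LAN, so the tunnel-mode policies from the original setup should be removed, otherwise the kernel will match the LAN-to-LAN policy before the packet ever reaches the GRE interface. With Option A, every new client address range needs a policy on both ends and a corresponding srcnat accept rule, which is exactly the maintenance burden the GRE approach avoids.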