Hello all,
I have an IPsec site-to-site VPN between two RBs.
I upgraded them to 7.20.7. The VPN is still working, but I can't ping from one router to the other.
Site A (was version 6.x, now 7.20.7):
/ip ipsec profile
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN-Phase1
/ip ipsec peer
add address=x.x.x.x/32 exchange-mode=ike2 local-address=y.y.y.y name=SITEB profile=VPN-Phase1
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN-Phase2 pfs-group=modp2048
/routing table
add fib name=VPN
/ip address
add address=y.y.y.y interface=ether1
add address=10.78.3.155/22 interface=ether2
/ip firewall address-list
add address=10.78.8.0/24 comment="Site B LAN" list=VPN-IPSEC
/ip firewall mangle
add action=mark-routing chain=prerouting comment="VPN Internet" new-routing-mark=VPN src-address-list=VPN-IPSEC
/ip firewall nat
add action=accept chain=srcnat dst-address-list=VPN-IPSEC src-address=10.78.0.0/22
/ip ipsec identity
add peer=SITEB
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.78.8.0/24 peer=SITEB proposal=VPN-Phase2 src-address=0.0.0.0/0 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.78.0.7 routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.78.0.0/22 gateway=ether2 routing-table=VPN suppress-hw-offload=no
Site B (was 7.x, now 7.20.7):
/ip ipsec profile
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN-Phase1
/ip ipsec peer
add address=y.y.y.y exchange-mode=ike2 local-address=x.x.x.x name=SITEA profile=VPN-Phase1
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN-Phase2 pfs-group=modp2048
/ip address
add address=10.78.8.1/24 interface=bridge1-AP network=10.78.8.0
/ip firewall mangle
add action=change-mss chain=forward new-mss=1350 protocol=tcp src-address=10.78.8.0/24 tcp-flags=syn tcp-mss=!0-1349
/ip firewall nat
add action=accept chain=srcnat src-address=10.78.8.0/24 src-address-list=!NOVPN
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=10.78.8.0/24
/ip ipsec identity
add peer=SITEA
/ip ipsec policy
set 0 disabled=yes
add action=none comment="Permit LAN Communication" dst-address=10.78.8.0/24 src-address=10.78.8.0/24
add comment="VPN Internet" dst-address=0.0.0.0/0 peer=SITEA proposal=VPN-Phase2 src-address=10.78.8.0/24 tunnel=yes
Could it be something about the routing-mark on Site A? Do you have any suggestion? I can't ping from 10.78.3.155 to 10.78.8.1 and vice versa.
Thank you
At first glance, it doesn't look like you have the NOVPN address list defined on the Site B router. That's potentially going to cause traffic from Site B to be subject to the masquerade rule.
rplant
February 11, 2026, 2:53am
Hi,
There were some routing changes early in v7.
Route tables with routing-table=VPN have first and top priority for packets route-marked with VPN.
Packets marked that way will, in this case, always leave via ether2 (even if the destination address is the router itself).
A few options:
Be more careful in your route marking.
Maybe add some more routes with routing-table=VPN (e.g. routes to local interfaces).
You can force packets to go via routing rules first if you wish them to route to local subnets when the destination address is a local subnet. You would commonly do this by marking them with a mark, say RULE-VPN, and having some routing rules that route local routes via main first, and then a RULE-VPN rule that forces use of the VPN table.
Something like:
/routing rule
add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main
add action=lookup table=VPN routing-mark=RULE-VPN
(maybe action=lookup-only-in-table)
On the "Site A" router, you'll need to modify the mangle rule, and add to it the condition: dst-address-type=!local. You need this because of the default order of the routing rule processing.
Also, when pinging from the "Site B" router, from 10.78.8.1 to 10.78.3.155 you might need to specify src-address=10.78.8.1 on the :ping command.
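Putting the two suggestions above together for Site A, as an added example (not configuration posted by anyone in the thread): the mangle rule is changed to skip destinations that are local to the router, and two routing rules make the main table answer for connected and static routes before the VPN table is consulted. The mark name RULE-VPN is the one proposed in the reply above; the address list, interface and gateway names are taken from the Site A export in the first post, and the assumption is that the tunnel default route in the VPN table stays as it is.

```routeros
# Site A, added example. Goal: traffic from the Site B LAN (address list
# VPN-IPSEC) is routed through the VPN table, but anything addressed to the
# router itself or to a local subnet is resolved through the main table first.

# 1. Mangle: replace the existing "VPN Internet" mark-routing rule with one
#    that never marks packets whose destination is one of the router's own
#    addresses (dst-address-type=!local), and that uses the RULE-VPN mark.
/ip firewall mangle
remove [find comment="VPN Internet"]
add action=mark-routing chain=prerouting comment="VPN Internet" \
    dst-address-type=!local new-routing-mark=RULE-VPN src-address-list=VPN-IPSEC

# 2. Routing rules are evaluated top to bottom. The first looks up the main
#    table but ignores its default route (min-prefix=0), so connected routes
#    such as 10.78.0.0/22 on ether2 win. Only when main has no specific route
#    does the second rule send RULE-VPN packets to the VPN table, and
#    lookup-only-in-table stops them from falling back to main's default route.
/routing rule
add action=lookup comment="main, all routes except 0.0.0.0/0" min-prefix=0 table=main
add action=lookup-only-in-table comment="Site B LAN via tunnel" routing-mark=RULE-VPN table=VPN

# 3. The VPN table keeps only the default route towards the tunnel gateway;
#    this is the route that already exists in the Site A export, repeated here
#    so the example is complete.
/ip route
add dst-address=0.0.0.0/0 gateway=10.78.0.7 routing-table=VPN
```

After applying this, `/routing rule print` should list the main lookup above the RULE-VPN rule, and a ping from 10.78.8.1 to 10.78.3.155 is matched by the main table's connected route rather than being pushed out ether2 by the VPN table.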
Hello all,
thank you for your suggestions. Actually it was a problem of routing mark (mangle) with the new version.
I solved it by adding a specific rule for ICMP (I just needed that).
/ip firewall mangle
add action=accept chain=prerouting comment="Temporary rule for ping vpn" dst-address=10.78.3.155 icmp-options=0:0 protocol=icmp src-address-list=VPN
Now that I have upgraded all the sites I have a more problematic issue: the IPsec tunnels are flapping even though the public IPs are correctly reachable.
2026-02-12 13:53:45 ipsec,error peer address change is not allowed at this moment
2026-02-12 13:53:45 ipsec,info killing ike2 SA: SITEA x.x.x.x[4500]-y.y.y.y[4500] cda68c1f5fe652f1:b6fb4b4b44cfc32b
2026-02-12 13:53:45 ipsec,info new ike2 SA (R): SITEA x.x.x.x[4500]-y.y.y.y[4500] 8b86a45e5fc349af:0cefbe54ac717401
2026-02-12 13:53:45 ipsec,info,account peer authorized: SITEA x.x.x.x[4500]-y.y.y.y[4500] 8b86a45e5fc349af:0cefbe54ac717401
2026-02-12 13:53:46 ipsec,info new ike2 SA (I): SITEA x.x.x.x[4500]-y.y.y.y[4500] bcfdb3aaefdabd03:fc00d90af641e420
2026-02-12 13:53:46 ipsec,info killing ike2 SA: SITEA x.x.x.x[4500]-y.y.y.y[4500] 8b86a45e5fc349af:0cefbe54ac717401
2026-02-12 13:53:46 ipsec,info,account peer authorized: SITEA x.x.x.x[4500]-y.y.y.y[4500] bcfdb3aaefdabd03:fc00d90af641e420
What does this error message mean? The addresses are static and do not change.
Thank you