IPSec Site2Site VPN not NATting

Good morning from Wisconsin,

I have set up an IPSec site-to-site VPN between two RB750Gr2 units both behind static IP addresses where the Comcast SMCD3G modems are in bridge mode. The “Installed SA” tab shows both directions are fully established and the packet counters are incrementing with constant ping streams going from both sides to test. However, no response is actually received to those pings from any device on either side of the LAN. The devices in question are a copier, AP, and two workstations with all software firewalls disabled, and they all can be pinged successfully from inside their respective LANs.

Also, no static routes have been configured, nor has proxy ARP been configured on the interfaces, as this is IPSec, so they're not needed.

I am convinced that the issue is with the firewall rules, but we have this same working config elsewhere, so I’m not sure where else to look.

I have literally spent hours scouring this forum for answers, and have found at least one other individual with the same problem, and no response: http://forum.mikrotik.com/t/another-help-me-with-l2tp-ipsec-proxy-arp/87593/1 .

Here are the configs. Let me know if you need anything else, and thank you in advance!


Pier (50.249.107.XXX):
/ip firewall filter
add chain=input in-interface=ether1 protocol=ipsec-ah
add chain=input in-interface=ether1 protocol=ipsec-esp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=forward dst-address=192.168.101.0/24 src-address=192.168.100.0/24
add chain=input protocol=icmp src-address=96.93.251.XXX
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward out-interface=!ether1

/ip firewall nat
add chain=srcnat dst-address=192.168.101.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1

Monarch (96.93.251.XXX):

/ip firewall filter
add chain=input protocol=ipsec-esp
add chain=input protocol=ipsec-ah
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=forward dst-address=192.168.101.0/24 src-address=192.168.100.0/24
add chain=input port=500 protocol=udp
add chain=input protocol=icmp src-address=50.249.107.XXX
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward out-interface=!ether1

/ip firewall nat
add chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.101.0/24
add action=masquerade chain=srcnat out-interface=ether1
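In the two rule sets above, each router accepts new connections across the tunnel in one direction only (Pier accepts 192.168.100.0/24 to 192.168.101.0/24; Monarch accepts that same direction, i.e. only connections arriving from Pier), and the final forward rule drops any other new connection whose out-interface is not ether1, which includes decrypted packets headed into the LAN. For comparison, here is a symmetric rule set for the Pier side. It is an added example, not configuration from the original post or any reply. It assumes the Pier LAN is 192.168.100.0/24 on an interface named bridge, the WAN is ether1, and the peer address is the placeholder 96.93.251.XXX from the thread; Monarch mirrors it with the subnets and peer address swapped. The ipsec-policy matcher it relies on is available in RouterOS 6.x.

```routeros
# Added example (not from the original post): Pier-side firewall/NAT rules for a
# policy-based IPsec site-to-site tunnel.
# Assumptions: LAN 192.168.100.0/24 on "bridge", WAN ether1, peer 96.93.251.XXX
# (placeholder as in the thread). Monarch mirrors this with subnets/peer swapped.

/ip firewall filter
# Control plane: tracked traffic first, then IKE, NAT-T and ESP from the peer
# only, then drop everything else that arrives on the WAN for the router itself.
add chain=input connection-state=established,related action=accept
add chain=input src-address=96.93.251.XXX protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=96.93.251.XXX protocol=ipsec-esp action=accept
add chain=input in-interface=ether1 action=drop

# Data plane: accept tracked traffic before any drop rule so replies never hit it.
add chain=forward connection-state=established,related action=accept
# New connections across the tunnel in BOTH directions. ipsec-policy=in,ipsec
# only matches packets that were actually decrypted by a policy, so a cleartext
# packet on ether1 with a spoofed 192.168.101.0/24 source does not match.
add chain=forward ipsec-policy=in,ipsec src-address=192.168.101.0/24 dst-address=192.168.100.0/24 action=accept
add chain=forward ipsec-policy=out,ipsec src-address=192.168.100.0/24 dst-address=192.168.101.0/24 action=accept
# LAN to Internet.
add chain=forward in-interface=bridge out-interface=ether1 action=accept
add chain=forward action=drop

/ip firewall nat
# Exempt tunnel traffic from masquerade. This rule must sit ABOVE the masquerade
# rule: srcnat runs before the outbound IPsec policy lookup, so a packet that has
# already been rewritten to 50.249.107.XXX never matches the policy selector and
# leaves ether1 in the clear.
add chain=srcnat ipsec-policy=out,ipsec action=accept
add chain=srcnat out-interface=ether1 action=masquerade
```

While a ping runs, watch `/ip firewall filter print stats` and `/ip firewall nat print stats`: if the masquerade counter climbs on traffic meant for the remote subnet, the bypass rule is below it or not matching, and the far side's policy will never see those packets because they arrive unencrypted with the public address as source.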

I have the same problem.

I copied Greg Sowell's example from https://www.youtube.com/watch?v=oR4G6SZ3LcM but can't ping any addresses other than the routers.

I did see a YouTube example that looked to be the same as Greg's, but the guy did ping PCs on each end of the tunnel from a PC at the other, so it can be done. Now I can't find that video; going to start looking again.

https://www.youtube.com/watch?v=oR4G6SZ3LcM

This looks like it should work, have not tried it yet.

The beginner basics forum has posts about this too, you might find a solution there.

Often it is easier to understand IPsec (and get it working) when, instead of setting up a direct IPsec tunnel between the routers, you use an IP tunnel or GRE tunnel with IPsec protection and route the traffic over that.
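A route-based version of the same site-to-site link, as an added example (not the poster's configuration nor the one from the video): a GRE tunnel between the two public addresses, protected in transport mode by RouterOS's built-in ipsec-secret option on the GRE interface, with ordinary routes for the remote subnet. It assumes the same layout as the thread (Pier LAN 192.168.100.0/24 on bridge, WAN ether1 at 50.249.107.XXX, peer 96.93.251.XXX), tunnel addresses 10.255.255.1/30 on Pier and 10.255.255.2/30 on Monarch, and a placeholder shared secret; Monarch mirrors it with addresses swapped. Syntax is RouterOS 6.x.

```routeros
# Added example (not from the original post): Pier side of GRE-over-IPsec.
# Assumptions: LAN 192.168.100.0/24 on "bridge", WAN ether1 at 50.249.107.XXX,
# peer 96.93.251.XXX, tunnel 10.255.255.1/30 (Pier) and 10.255.255.2/30 (Monarch),
# placeholder secret. Monarch mirrors this with addresses swapped.

/interface gre
# ipsec-secret makes RouterOS create the IKE peer, proposal and transport-mode
# policy for the GRE traffic itself; no manual /ip ipsec policy is needed.
add name=gre-monarch local-address=50.249.107.XXX remote-address=96.93.251.XXX ipsec-secret=CHANGE-ME-LONG-RANDOM

/ip address
add address=10.255.255.1/30 interface=gre-monarch

/ip route
# Plain routing replaces the policy selector: one route per remote subnet,
# pointing at the far end of the tunnel.
add dst-address=192.168.101.0/24 gateway=10.255.255.2

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=96.93.251.XXX protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=96.93.251.XXX protocol=ipsec-esp action=accept
# Decrypted GRE packets are delivered to the router itself, so GRE must be
# accepted in input too. ipsec-policy=in,ipsec accepts only GRE that arrived
# inside ESP, never bare GRE from the Internet.
add chain=input src-address=96.93.251.XXX protocol=gre ipsec-policy=in,ipsec action=accept
add chain=input in-interface=ether1 action=drop

add chain=forward connection-state=established,related action=accept
# Tunnel traffic is identified by interface, so no subnet pairs are needed here.
add chain=forward in-interface=bridge out-interface=gre-monarch action=accept
add chain=forward in-interface=gre-monarch out-interface=bridge action=accept
add chain=forward in-interface=bridge out-interface=ether1 action=accept
add chain=forward action=drop

/ip firewall nat
# Masquerade only matches packets leaving ether1. Packets routed into the tunnel
# leave via gre-monarch, so no NAT bypass rule is needed at all.
add chain=srcnat out-interface=ether1 action=masquerade
```

Note that a forward rule of the form `drop out-interface=!ether1`, as in the configs earlier in the thread, would also drop packets routed into the tunnel interface, so the forward chain has to name the tunnel interface explicitly. `/interface gre print` shows the R (running) flag once the peer answers, and `/ip ipsec installed-sa print` should list the transport-mode SAs between the two public addresses.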

I tried an IPIP tunnel without any luck; will dive into EoIP and see what happens.