Hello,
I’m trying to get an IPSec tunnel between a Mikrotik 1100AH (running 7.12.1) and a VMWare NSX host. I have the tunnel established, but I can’t ping between the two devices. The other end has a ping going towards me and I have one going towards them but I see on my end that it times out. Below is the config. Please let me know if you need anything else, or have suggestions. I have an address list that contains both the public and private IPs of Company B (the NSX side), among other IPs.
Thank you
# 2023-12-08 08:45:50 by RouterOS 7.12.1
/ip ipsec profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=CompanyB
/ip ipsec peer
add address=Company_B_Pub_IP/32 name=CompanyB passive=yes profile=CompanyB send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name="CompanyB Proposal" pfs-group=modp2048
/ip ipsec identity
add peer=CompanyB
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=CompanyB proposal="CompanyB Proposal" src-address=172.16.0.0/16 tunnel=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Allow IPSec from CompanyB" dst-port=500 in-interface=ether1 log=yes protocol=udp \
src-address-list=AllowedAddresses src-port=500
add action=accept chain=forward dst-address=172.16.0.0/16 log=yes src-address=192.168.2.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=output dst-address=192.168.2.0/24 src-address=172.16.0.0/16
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 log=yes log-prefix=fromWAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\
yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=172.16.0.0/16
add action=accept chain=srcnat dst-address=172.16.0.0/16 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting comment="CompanyA to CompanyB" dst-address=192.168.2.0/24 log=yes src-address=172.16.0.0/16
add action=notrack chain=prerouting comment="CompanyB to CompanyA" dst-address=172.16.0.0/16 log=yes src-address=192.168.2.0/24