Hello all,
I have trouble passing traffic through an IPSec tunnel between two sites.
Both sides are running the latest RouterOS 6.38.5.
Site A:
- RB333
- behind several NATs
- initiator of IPSec communication
- 192.168.40.0/24 internal IP range
Site B:
- RB2011UiAS-2HnD
- behind 1:1 NAT
- responder of IPSec communication
- 192.168.89.0/24 internal IP range
- successfully running a few (2) other IPSec tunnels
The tunnel was successfully established after some configuration tuning.
In the configuration I can see that the tunnel is established and there are 2 SAs on both sides.
Both sides have srcnat and firewall rules allowing communication between the subnets.
Unfortunately pings (or other communication) from Site A are not passing into the Site B subnet and vice versa. The number of bytes on the SA is increasing on the site running the ping, but the other SA, and the other side of the IPSec tunnel, stays at 0.
Could you please suggest what could be the problem?
Thank you!
I’d verify the firewall rules and NAT exclusions on the side that isn’t showing the bytes increasing.
In the firewall there are only accept rules, no drops.
The NAT exclusions are as follows on one side and the opposite on the other:
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.89.0/24 dst-address=192.168.40.0/24 log=no log-prefix=""
1 ;;; masquerade
chain=srcnat action=masquerade out-interface=ether1-LBCFree log=no
You might try checking that “NAT Traversal” is enabled.
nat-traversal (yes | no; Default: no) Use Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers in between IPsec peers. This can only be used with ESP protocol (AH is not supported by design, as it signs the complete packet, including IP header, which is changed by NAT, rendering AH signature invalid). The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT.
Tunnel was working well only without NAT-T, when it’s enabled the tunnel is not even established.
I was suspecting bad connectivity and packet drops.
Unfortunately, after the upgrade the line is solidly stable and SSH or OpenVPN run like a charm, but the IPsec tunnel stopped working.
It says “Established” on both ends, but any traffic passed into the tunnel is lost and the counter increases only on the transmitting side.
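One way to turn the counter observation in this thread into a repeatable check, as an added example that is not part of the forum thread or of RouterOS: it parses `/ip ipsec installed-sa print` output captured on both routers (the sample lines are constructed; the `spi=` and `current-bytes=` field names are assumed from RouterOS 6.x output) and reports, per SA, whether ESP is leaving one peer but never being decrypted by the other, which is the pattern described above.

```python
import re

# A RouterOS "/ip ipsec installed-sa print" line carries many fields; this check only
# needs each SA's SPI and its current-bytes counter (field names assumed from 6.x output).
_SPI_RE = re.compile(r"\bspi=(0x[0-9A-Fa-f]+)")
_BYTES_RE = re.compile(r"\bcurrent-bytes=(\d+)")

# Constructed sample output from both routers, modelled on the thread's symptom: Site A's
# outbound SA counts bytes, every other counter stays at 0. SPIs and addresses are made up.
SITE_A_SAS = """\
 0  E spi=0xA1B2C3 src-address=192.168.1.2 dst-address=203.0.113.9 state=mature current-bytes=4200
 1  E spi=0xD4E5F6 src-address=203.0.113.9 dst-address=192.168.1.2 state=mature current-bytes=0
"""
SITE_B_SAS = """\
 0  E spi=0xA1B2C3 src-address=198.51.100.7 dst-address=192.168.0.1 state=mature current-bytes=0
 1  E spi=0xD4E5F6 src-address=192.168.0.1 dst-address=198.51.100.7 state=mature current-bytes=0
"""

def parse_sa_bytes(output):
    """Map each SPI (lower-cased) to its current-bytes counter on one router."""
    counters = {}
    for line in output.splitlines():
        spi, nbytes = _SPI_RE.search(line), _BYTES_RE.search(line)
        if spi and nbytes:
            counters[spi.group(1).lower()] = int(nbytes.group(1))
    return counters

def diagnose(a_name, a_out, b_name, b_out):
    """Compare per-SPI counters captured on both peers; returns spi -> (status, explanation)."""
    a, b = parse_sa_bytes(a_out), parse_sa_bytes(b_out)
    result = {}
    for spi in sorted(set(a) | set(b)):
        ca, cb = a.get(spi), b.get(spi)
        if ca is None or cb is None:
            result[spi] = ("missing", f"SA installed only on {a_name if cb is None else b_name}; "
                                      "the peers' SA databases are out of sync")
        elif ca == cb == 0:
            result[spi] = ("idle", "no traffic in either direction on this SA")
        else:
            # An SA carries one direction only: the encrypting peer counts what it sends, the
            # decrypting peer counts only what arrived intact, so sender >= receiver always holds.
            snd, sent, rcv, got = (a_name, ca, b_name, cb) if ca >= cb else (b_name, cb, a_name, ca)
            if got == 0:
                result[spi] = ("lost", f"{snd} encrypted {sent} bytes, {rcv} decrypted none: ESP is dropped "
                                       "or altered between the peers (NAT or a filter on the path)")
            elif got < sent:   # small gaps are expected when the two captures are not simultaneous
                result[spi] = ("partial", f"{snd} sent {sent} bytes, {rcv} received only {got}")
            else:
                result[spi] = ("ok", f"{snd} -> {rcv} carrying {sent} bytes")
    return result
```

Run it with `diagnose("Site A", SITE_A_SAS, "Site B", SITE_B_SAS)`: the sample yields "lost" for the SPI Site A encrypts under and "idle" for the return SA, i.e. Site B never gets anything to decrypt, so it never has anything to answer.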