IPSec tunnel between Mikrotik and Kerio Control

Greetings everybody.
My task is to set up a site-to-site IPsec tunnel between a RouterBoard RB2011 UAS-2HnD-IN and Kerio Control 8.0.1.

Schema:

192.168.4.0/24 → (192.168.4.200-Mikrotik-89.184.8.149) == (85.233.85.158-Kerio-192.168.3.200) ← 192.168.3.0/24

Mikrotik config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128 pfs-group=none
/ip address
add address=192.168.4.200/24 interface=bridge1 network=192.168.4.0
/ip firewall nat
add chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.4.0/24
add action=masquerade chain=srcnat src-address=192.168.4.0/24
/ip ipsec peer
add address=85.233.85.158/32 dh-group=modp1536 exchange-mode=main-l2tp \
    hash-algorithm=sha1 secret=test
/ip ipsec policy
add dst-address=172.23.216.0/24 priority=2 sa-dst-address=85.233.85.158 \
    sa-src-address=89.184.8.149 src-address=192.168.4.0/24 tunnel=yes
add dst-address=192.168.3.0/24 priority=2 sa-dst-address=85.233.85.158 \
    sa-src-address=89.184.8.149 src-address=192.168.4.0/24 tunnel=yes

With this configuration the tunnel establishes successfully, but I cannot ping anyone from anyone.
But when I ping 192.168.4.200 (Mikrotik) from 192.168.3.200 (Kerio), I see an incoming connection “src:192.168.3.200 dst:192.168.4.200” on the Mikrotik router, although Kerio does not receive any answer.
“traceroute 192.168.3.200” from the Mikrotik goes to the default route (to the ISP’s gateway), not into the tunnel.
Thereby, Kerio can find a route to the Mikrotik, but the Mikrotik cannot find one to Kerio.

I have searched the forum, so I am familiar with the “ipsec interface” problem, and I know that it is impossible to create a route to the remote subnet manually in this configuration. Kerio supports only IPSec VPN (and its own Kerio VPN).

So what is a solution in my case? Does anyone have experience?
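
An added example (not part of the original post, and not RouterOS code): because policy-based IPsec has no interface or route, what decides whether a packet enters the tunnel is its source and destination after srcnat, compared against the policy selectors. The sketch below runs the post's NAT rules and policies over a few constructed flows. Assumptions: a simplified model in which srcnat is first-match and is applied before the IPsec policy lookup, a hypothetical LAN host 192.168.4.10, and a router-originated packet that uses the WAN address.

```python
"""Simplified model: srcnat first-match, then IPsec policy selector lookup."""
from ipaddress import ip_address, ip_network

# Rules transcribed from the post's /ip firewall nat section (order matters).
# The first rule has no action= because accept is the default action.
SRCNAT = [
    {"src": "192.168.4.0/24", "dst": "192.168.3.0/24", "action": "accept"},
    {"src": "192.168.4.0/24", "dst": "0.0.0.0/0", "action": "masquerade"},
]
# Selectors transcribed from the post's /ip ipsec policy section.
POLICIES = [
    {"src": "192.168.4.0/24", "dst": "172.23.216.0/24"},
    {"src": "192.168.4.0/24", "dst": "192.168.3.0/24"},
]
WAN_ADDR = "89.184.8.149"  # sa-src-address from the post


def _hit(rule, src, dst):
    """True when src and dst both fall inside the rule's networks."""
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"]))


def classify(src, dst):
    """Return (nat_action, final_src, 'tunnel' or 'clear') for one outbound packet."""
    action = next((r["action"] for r in SRCNAT if _hit(r, src, dst)), "none")
    # Masquerade rewrites the source to the WAN address before the
    # IPsec policy lookup sees the packet (assumption of this model).
    final_src = WAN_ADDR if action == "masquerade" else src
    path = "tunnel" if any(_hit(p, final_src, dst) for p in POLICIES) else "clear"
    return action, final_src, path


if __name__ == "__main__":
    # Constructed sample flows; 192.168.4.10 is a hypothetical LAN host.
    for src, dst in [
        ("192.168.4.10", "192.168.3.200"),   # LAN host to remote LAN
        ("192.168.4.200", "192.168.3.200"),  # router's LAN address to Kerio
        (WAN_ADDR, "192.168.3.200"),         # router using its WAN address
        ("192.168.4.10", "8.8.8.8"),         # LAN host to the internet
    ]:
        print(f"{src:>15} -> {dst:<15} {classify(src, dst)}")
```

In this model a packet sourced from 89.184.8.149 matches no selector and leaves in the clear via the default route, while the same destination reached from a 192.168.4.0/24 source address is selected for the tunnel.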

With this configuration I cannot establish a tunnel from Mikrotik to Kerio, but I can establish a tunnel from Kerio to Mikrotik.
Can you show your settings on the Kerio side?