hellou
we have a couple of pfSense routers with IPsec tunnels connecting to the concentrator (main pfSense router)
i wanted to replace the pfSense routers that connect to the concentrator with MikroTik RouterOS (virtual router).
well, i was able to set up a lot of things, but i've come to IPsec and hit a problem.
the IPsec tunnel is connected (P1 and P2), but i can't ping from the "client" (MikroTik) to the concentrator - BUT
from the IPsec concentrator (pfSense) i can ping the MikroTik
here is the config from when it was connected; i used `export hide-sensitive`
there are basically no firewall rules, as i simply wanted to rule out firewall issues,
BUT i think routes should be added dynamically when the IPsec tunnel comes up? or something?
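# RouterOS export (hide-sensitive) of router01: VRRP-backed WAN/LAN addressing, DHCP,
# a single IKEv2 policy-based tunnel to the pfSense concentrator and a masquerade rule.
# The forum-rendered curly quotes on the proposal and NAT lines have been replaced with
# straight quotes; as pasted, those two lines would not import.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=net0_101_WAN
set [ find default-name=ether2 ] disable-running-check=no name=net1_1_LAN
set [ find default-name=ether3 ] disable-running-check=no name=net2_2_AMR
set [ find default-name=ether4 ] disable-running-check=no name=net3_3_OPR
set [ find default-name=ether5 ] disable-running-check=no name=net4_4_CAM
set [ find default-name=ether6 ] disable-running-check=no name=net5_5_PIC
set [ find default-name=ether7 ] disable-running-check=no name=net6_6_DMZ
# NOTE(review): authentication=simple carries the VRRP password in clear text on every
# segment, including the WAN; authentication=ah is the stronger VRRPv2 option if the
# partner router supports it. VRRP_LAN has no explicit vrid (defaults to 1) - confirm
# that is intended alongside the explicit vrids on the other interfaces.
/interface vrrp
add authentication=simple interface=net2_2_AMR name=VRRP_AMR priority=1 version=2 vrid=2
add authentication=simple interface=net4_4_CAM name=VRRP_CAM priority=1 version=2 vrid=4
add authentication=simple interface=net6_6_DMZ name=VRRP_DMZ priority=1 version=2 vrid=6
add authentication=simple interface=net1_1_LAN name=VRRP_LAN priority=1 version=2
add authentication=simple interface=net3_3_OPR name=VRRP_OPR priority=1 version=2 vrid=3
add authentication=simple interface=net5_5_PIC name=VRRP_PIC priority=1 version=2 vrid=5
add authentication=simple interface=net0_101_WAN name=VRRP_WAN priority=1 version=2 vrid=101
/interface list
add name=WAN
add name=LAN
# IKE (phase 1) profile. NOTE(review): lifebytes=1 looks unintended - confirm; 0 (the
# default) means no byte-based limit.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 lifebytes=1 name=eu_us_profile
# NOTE(review): the identity below announces my-id=address:10.90.1.200 (the VRRP WAN
# address) but the peer sets no local-address, so IKE may be sourced from the
# interface address 10.90.1.251 instead. Consider local-address=10.90.1.200 on this
# peer so the identity and the tunnel source agree and survive a VRRP failover.
/ip ipsec peer
add address=X.X.X.X/32 exchange-mode=ike2 name=eu_primary profile=eu_us_profile
# Phase 2 proposal. auth-algorithms="" is correct for chacha20poly1305: it is an AEAD
# cipher, so integrity is built in and no separate auth algorithm applies.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms="" enc-algorithms=chacha20poly1305 name=eu_us_proposal pfs-group=modp2048
# NOTE(review): PIC_POOL and DMZ_POOL are defined but no DHCP server below uses them.
/ip pool
add name=LAN_POOL ranges=10.80.1.220-10.80.1.240
add name=AMR_POOL ranges=10.80.2.150-10.80.2.240
add name=OPR_POOL ranges=10.80.3.100-10.80.3.240
add name=CAM_POOL ranges=10.80.4.220-10.80.4.240
add name=PIC_POOL ranges=10.80.5.220-10.80.5.240
add name=DMZ_POOL ranges=10.80.6.220-10.80.6.240
/ipv6 settings
set disable-ipv6=yes disable-link-local-address=yes forward=no
/interface list member
add interface=net0_101_WAN list=WAN
add interface=net1_1_LAN list=LAN
add interface=net2_2_AMR list=LAN
add interface=net3_3_OPR list=LAN
add interface=net4_4_CAM list=LAN
add interface=net5_5_PIC list=LAN
add interface=net6_6_DMZ list=LAN
add interface=VRRP_WAN list=WAN
add interface=VRRP_LAN list=LAN
add interface=VRRP_AMR list=LAN
add interface=VRRP_OPR list=LAN
add interface=VRRP_CAM list=LAN
add interface=VRRP_PIC list=LAN
add interface=VRRP_DMZ list=LAN
# Physical addresses end in .251; the shared VRRP addresses end in .254 (LAN side) and
# .200 (WAN side). The DHCP gateway/DNS below and the IPsec identity use the VRRP ones.
/ip address
add address=10.90.1.251/24 interface=net0_101_WAN network=10.90.1.0
add address=10.80.1.251/24 interface=net1_1_LAN network=10.80.1.0
add address=10.80.2.251/24 interface=net2_2_AMR network=10.80.2.0
add address=10.80.3.251/24 interface=net3_3_OPR network=10.80.3.0
add address=10.80.4.251/24 interface=net4_4_CAM network=10.80.4.0
add address=10.80.5.251/24 interface=net5_5_PIC network=10.80.5.0
add address=10.80.6.251/24 interface=net6_6_DMZ network=10.80.6.0
add address=10.90.1.200/24 interface=VRRP_WAN network=10.90.1.0
add address=10.80.1.254/24 interface=VRRP_LAN network=10.80.1.0
add address=10.80.2.254/24 interface=VRRP_AMR network=10.80.2.0
add address=10.80.3.254/24 interface=VRRP_OPR network=10.80.3.0
add address=10.80.4.254/24 interface=VRRP_CAM network=10.80.4.0
add address=10.80.5.254/24 interface=VRRP_PIC network=10.80.5.0
add address=10.80.6.254/24 interface=VRRP_DMZ network=10.80.6.0
/ip dhcp-server
add address-pool=LAN_POOL interface=net1_1_LAN name=LAN
add address-pool=AMR_POOL interface=net2_2_AMR name=AMR
add address-pool=OPR_POOL interface=net3_3_OPR name=OPR
add address-pool=CAM_POOL interface=net4_4_CAM name=CAM
/ip dhcp-server network
add address=10.80.1.0/24 comment=LAN dns-server=10.80.1.254 gateway=10.80.1.254 netmask=24
add address=10.80.2.0/24 comment=AMR dns-server=10.80.2.254 gateway=10.80.2.254 netmask=24
add address=10.80.3.0/24 comment=OPR dns-server=10.80.3.254 gateway=10.80.3.254 netmask=24
add address=10.80.4.0/24 comment=CAM dns-server=10.80.4.254 gateway=10.80.4.254 netmask=24
# NOTE(review): DHCP hands clients 10.80.x.254 as their DNS server, but this export
# shows no allow-remote-requests=yes, so the router will presumably not answer client
# queries - confirm. If it is enabled, pair it with an input filter so the resolver is
# not reachable from the WAN side.
/ip dns
set servers=8.8.8.8
/ip ipsec identity
add my-id=address:10.90.1.200 peer=eu_primary remote-id=address:10.156.0.15
# Policy-based IPsec: RouterOS does not install a route for 10.88.65.0/24; outgoing
# packets are matched against this policy instead, so /ip route print is expected to
# show nothing for the tunnel. Only 10.80.1.0/24 -> 10.88.65.0/24 is covered. A ping
# issued on the router itself is sourced from the egress (WAN) address and therefore
# does not match the policy; test from a LAN host, or from the router with
#   /ping <host in 10.88.65.0/24> src-address=10.80.1.254
# Pings from the concentrator work because they already arrive as 10.88.65.x -> 10.80.1.x.
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.88.65.0/24 peer=eu_primary proposal=eu_us_proposal src-address=10.80.1.0/24 tunnel=yes
/ip route
add dst-address=0.0.0.0/0 gateway=10.90.1.254
/system identity
set name=router01
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# ipsec-policy=out,none excludes IPsec-bound traffic from masquerade, which the policy
# above relies on: without it the 10.80.1.x source would be rewritten to the WAN address
# and never match the policy.
# NOTE(review): there is no /ip firewall filter in this export, so the router and every
# 10.80.x.0/24 subnet are reachable unfiltered from the WAN side while troubleshooting;
# restore input and forward filters once the tunnel is working.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN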
[admin@router01] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
0 As+ 0.0.0.0/0 10.90.1.254 1
DAc+ 10.80.1.0/24 net1_1_LAN 0
DAc+ 10.80.1.0/24 VRRP_LAN 0
DAc+ 10.80.2.0/24 net2_2_AMR 0
DAc+ 10.80.2.0/24 VRRP_AMR 0
DAc+ 10.80.3.0/24 net3_3_OPR 0
DAc+ 10.80.3.0/24 VRRP_OPR 0
DAc+ 10.80.4.0/24 net4_4_CAM 0
DAc+ 10.80.4.0/24 VRRP_CAM 0
DAc+ 10.80.5.0/24 net5_5_PIC 0
DAc+ 10.80.5.0/24 VRRP_PIC 0
DAc+ 10.80.6.0/24 net6_6_DMZ 0
DAc+ 10.80.6.0/24 VRRP_DMZ 0
DAc+ 10.90.1.0/24 net0_101_WAN 0
DAc+ 10.90.1.0/24 VRRP_WAN 0
[admin@router01] >
[admin@router01] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
[admin@router01] >