IPSEC tunnel established, but no traffic flowing

Hi there,

I have successfully set up an IPsec tunnel over the Internet, and the PH2 state is established, but no traffic is flowing over the tunnel.

If I ping one of the IPs that should be reachable over the tunnel I get a timeout.

myIP = my Internet IP
theirIP = their Internet IP
myLocalNet = my LAN network
myTargetNet = the network I gain access to over the tunnel

/ip ipsec peer
add address=theirIP enc-algorithm=aes-256 exchange-mode=aggressive \
    generate-policy=port-override local-address=myIP my-id=\
    address:myIP secret=redacted
/ip ipsec policy
add dst-address=myTargetNet proposal=isp sa-dst-address=\
    theirIP sa-src-address=myIP src-address=myLocalNet tunnel=\
    yes
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-256-ctr lifetime=1h name=isp \
    pfs-group=none

Under installed SAs the current bytes remain at 0.

I’ve tried adding a route to myTargetNet using the gateway theirIP but it immediately says unreachable.

Any help would be appreciated!

Hi there,

Try adding a src nat allow rule to allow your local lan subnet to the dst network address.

/ip > firewall > nat > src addr /local subnet/ dst */remote network allow


Hope that helps.

Thanks for the advice. I already have that, but I failed to quote it :)

add action=masquerade chain=srcnat comment=\
    "Masquerade traffic going over the Internet" dst-address=!myLocalNet

and then I’ve tried with the following enabled and disabled (sourced from several examples):

add action=accept chain=srcnat comment=\
    "bypass ipsec nat" dst-address=myTargetNet
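One way to apply the NAT-bypass advice from this thread, written here as an added example rather than taken from any of the posts above: the accept rule only works if it sits above the masquerade rule in the srcnat chain, because RouterOS evaluates the chain top-down and a packet already rewritten to myIP no longer matches the policy's src-address=myLocalNet. The names myIP, theirIP, myLocalNet, myTargetNet and the interface name ether1-wan are placeholders, not real values.

```routeros
# Added example (not from the thread). Placeholder names: myLocalNet, myTargetNet,
# myIP, theirIP, ether1-wan.
/ip firewall nat
# place-before=0 puts the bypass at the top of the chain. If it is appended after
# the masquerade rule it never matches: LAN -> remote packets are masqueraded
# first, and the IPsec policy (src-address=myLocalNet) then ignores them.
add chain=srcnat action=accept src-address=myLocalNet dst-address=myTargetNet \
    comment="bypass NAT for traffic selected by the IPsec policy" place-before=0
# Existing masquerade rule from the question, unchanged; it is now evaluated second.
add chain=srcnat action=masquerade dst-address=!myLocalNet \
    comment="Masquerade traffic going over the Internet"

# Alternative to the two-rule ordering: let the masquerade rule itself skip any
# packet that an outbound IPsec policy will handle. Same effect, one rule.
# add chain=srcnat action=masquerade ipsec-policy=out,none out-interface=ether1-wan

# Checks. The bypass rule should be at index 0 and its packet counter should
# climb while you ping a host in myTargetNet; then the installed SA byte
# counter should leave 0.
/ip firewall nat print stats
/ip ipsec installed-sa print
# No static route to myTargetNet via theirIP is needed (or wanted): the policy
# intercepts matching packets on their normal path out the default route.
```

If the bypass counter rises but the SA bytes stay at 0, the policy selectors (src-address/dst-address, tunnel=yes, sa-src/dst) are the next thing to compare against the remote side's configuration.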