I have created a site-to-site VPN and the PH2 phase is established, and I also see the two installed SAs. My final target is to connect one PC in Router 1's LAN to Router 2's LAN via RDP, but it doesn't work; I can't even ping anyone in LAN 2.
That's what you think you have, but the question is what you really have. Since nobody here knows that, let's try one guess. Did you add an exception from the main srcnat/masquerade rule for traffic going from the local LAN to the remote LAN? Because if not, and the srcnat rule applies to this traffic too, the source gets changed and the IPsec policy no longer matches.
I also guess: probably your firewall masquerades and/or drops packets to/from the tunnel.
Depending on the router model, the default configuration usually contains properly configured firewall rules for IPsec traffic.
The following rules were taken from the default config: the two accepts should happen before the last drop in the forward chain.
Important parts are marked in bold.
/ip firewall filter
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
And replace your masquerade rule with this one; make sure the out-interface is correct, or use Out. Interface List=WAN if one exists.
If this topic is still active, I would add my solution.
I added an accept NAT rule before the masquerade rule, with src of the local subnet and dst of the remote local subnet.
I updated both of my routers to the newest ROS and, in the IPsec profiles, unchecked the NAT traversal option.
Rebooted both routers.
I was able to ping and access resources on the other side of the tunnel.
Hope I helped. Cheers!
Something similar happens to me, only I do have communication between the computers of the local networks. But it is the MikroTik itself that, when pinging from the terminal, gets no response from the computers on the other side.
Doing a traceroute, I observe that the ping from the terminal does not use the tunnel.
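As an added example (not from any poster in this thread), here is the rule order the replies above describe on Router 1, plus a router-side ping check relevant to the last post's symptom. The subnets (192.168.1.0/24 local, 192.168.2.0/24 remote), the LAN address 192.168.1.1 and the interface list name WAN are assumed; mirror the subnets on Router 2.

```routeros
# Added example, not from the thread. Constructed addressing:
#   Router 1 LAN 192.168.1.0/24 (router 192.168.1.1), Router 2 LAN 192.168.2.0/24,
#   WAN interface list named "WAN". Adjust to your own setup.

/ip firewall nat
# Exempt LAN-to-remote-LAN traffic from srcnat. This rule MUST sit above masquerade:
# once the source is rewritten to the WAN address it no longer matches the IPsec
# policy selector and the packet leaves in the clear (or is dropped).
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    comment="bypass NAT for site-to-site IPsec" place-before=[find action=masquerade]
# Masquerade everything else leaving via WAN.
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade"

/ip firewall filter
# Accept decrypted tunnel traffic in both directions ahead of the final forward-chain drop.
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy" \
    place-before=[find chain=forward action=drop]
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy" \
    place-before=[find chain=forward action=drop]

# Checks: confirm order, then watch the counters grow while a LAN host pings the remote LAN.
/ip firewall nat print
/ip firewall filter print stats chain=forward
/ip ipsec policy print

# Router-originated ping: without src-address the router uses its WAN address as source,
# which does not match the policy selector, so the ping bypasses the tunnel (the symptom
# in the last post). Force the LAN address so the traffic matches the policy.
/ping 192.168.2.1 src-address=192.168.1.1 count=4
```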