IPsec tunnel is only established in one direction.

I’m having issues setting up an IPsec VPN between two mikrotik 6.7 devices. The tunnel only works when Router 2 initiates the connection. I’d like the opposite, so I set router 2 as passive and checked the tick box for “send initial contact” on router 1. Once this is done, router two becomes the responder and the tunnel is established, but no SAs are ever generated and no traffic flows in either direction.

If I set both routers to “passive=no” then router two is always the initiator, and as long as router two generates interesting traffic first, both sides can communicate. Otherwise router one cannot reach router two.

I hope someone is able to help.

Thanks

Router 1

0 chain=srcnat action=accept src-address=172.20.24.0/24
dst-address=10.0.0.0/24
0 src-address=172.20.24.0/24 src-port=any dst-address=10.0.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1
sa-dst-address=2.2.2.2 proposal=default priority=0
Flags: X - disabled
0 ;;; Unsafe configuration, suggestion to use certificates
address=2.2.2.2/32 passive=no port=500
auth-method=pre-shared-key secret="password" generate-policy=no
exchange-mode=aggressive send-initial-contact=yes nat-traversal=no
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

Router 2

0 chain=srcnat action=accept src-address=172.20.24.0/24
dst-address=10.0.0.0/24
0 src-address=10.0.0.0/24 src-port=any dst-address=172.20.24.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2
sa-dst-address=1.1.1.1 proposal=default priority=0
Flags: X - disabled
0 ;;; Unsafe configuration, suggestion to use certificates
address=1.1.1.1/32 passive=yes port=500 auth-method=pre-shared-key
secret="password" generate-policy=no exchange-mode=aggressive
send-initial-contact=no nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Anyone?

You have the same NAT bypass on both routers:
0 chain=srcnat action=accept src-address=172.20.24.0/24 dst-address=10.0.0.0/24

On router 2 it should be the other way around.

Sorry, that was a typo. It’s programmed correctly on router 2.

0 chain=srcnat action=accept src-address=10.0.0.0/24
dst-address=172.20.24.0/24

Any other ideas?

bump

Anyone?

Still haven’t been able to resolve this. Any thoughts?

I personally have more than one VPN connected to the same CCR and I’ve had this issue. The best way to solve it is to place some log actions following the packet flow and find where the missing rule is.

In firewall filter rules allow UDP on port 500 and protocol 50 (ipsec-esp).
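As an added example (not posted by anyone in this thread), this is how the logging-and-allow approach from the reply above looks as RouterOS v6 commands for Router 1, using the addresses from the thread; the log prefixes and comments are my own names, and on Router 2 the peer and subnet addresses are swapped.

```routeros
# Added example, not from the thread. Run on Router 1 (1.1.1.1, LAN 172.20.24.0/24),
# peer is Router 2 (2.2.2.2, LAN 10.0.0.0/24). Swap the addresses for Router 2.

# 1. Input chain: IKE (UDP 500) and ESP (protocol 50) must be accepted for the
#    router itself, above any drop rule. If these are missing on the responder
#    only, phase 1 can still succeed from the other side but no SA is ever used.
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=2.2.2.2 action=accept \
    comment="IKE from peer"
add chain=input protocol=ipsec-esp src-address=2.2.2.2 action=accept \
    comment="ESP from peer"

# 2. Log rules that follow the packet flow. Each hit shows up in /log with its
#    prefix, so the first prefix that never appears marks the missing rule.
#    Order matters: place each log rule before the accept/drop it should observe.
add chain=input protocol=udp dst-port=500 action=log log-prefix="IKE-IN:" \
    comment="debug: IKE arriving at this router"
add chain=input protocol=ipsec-esp action=log log-prefix="ESP-IN:" \
    comment="debug: ESP arriving at this router"
add chain=forward src-address=172.20.24.0/24 dst-address=10.0.0.0/24 \
    action=log log-prefix="LAN-TO-TUNNEL:" \
    comment="debug: interesting traffic leaving our LAN"
add chain=forward src-address=10.0.0.0/24 dst-address=172.20.24.0/24 \
    action=log log-prefix="TUNNEL-TO-LAN:" \
    comment="debug: decrypted traffic from the remote LAN"

# 3. NAT bypass, as already in the thread: it must sit above the masquerade rule,
#    otherwise the packet is rewritten before the policy selector can match it.
/ip firewall nat
add chain=srcnat src-address=172.20.24.0/24 dst-address=10.0.0.0/24 \
    action=accept comment="bypass NAT for IPsec traffic" place-before=0

# 4. Turn on IPsec logging and check what was negotiated, then generate traffic
#    from the Router 1 side (a ping from 172.20.24.0/24 to 10.0.0.0/24).
/system logging add topics=ipsec action=memory
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/log print where message~"IKE-IN:|ESP-IN:|TUNNEL"
```

An IKE-IN: entry with no ESP-IN: entry afterwards points at phase 2 or the ESP accept rule; LAN-TO-TUNNEL: with no ESP leaving usually means the policy selector or NAT bypass does not match. Remove the debug log rules once done, since they log every matching packet.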