Hello there,
I’ve established an IPSec tunnel between 2 Mikrotik Routers [A and B] running version 6.44.1.
Clients on both sides are able to ping each other on the other site and I’m able to access resources on the other site: OK.
But the Mikrotik Routers themselves can’t ping each other. Also, the routers themselves can’t access resources on the other site. But “their” clients can…
For example, if I try to ping a server on the site 1 using a client on the site 2, the ping will be OK.
But if I try to ping the same server with the site 2 router, the ping will not pass…
What am I missing here? I am sure it’s some configuration or firewall. But I can’t find it.
If it’s a pure IPSec tunnel, it’s most likely a problem with the policy and the addresses used. If you had e.g. 192.168.0.0/24 on one side and 10.0.0.0/24 on the other (and a policy for these two networks), there’s no problem when any machine other than the router tries to connect to the other subnet (192.168.0.x to 10.0.0.y or the other way around), because the addresses match the defined policy. But if you try to connect to the remote subnet from the router itself, it will not choose its own 10.0.0.x (or 192.168.0.x) as source address. And packets from e.g. 1.2.3.4 to 10.0.0.x won’t match the policy.
For ping, you can set the source address manually. For other stuff, you can either add additional policies covering the addresses used by the routers as source, or a srcnat rule to force connections from the router to have a source address from the local subnet for which the policy exists, e.g.:
/ip firewall nat
add chain=srcnat src-address-type=local dst-address=<remote subnet> action=src-nat to-address=<router's address from local subnet>
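A worked version of the above for router A, added here as an example and not taken from the post. It assumes router A has LAN 192.168.0.0/24 with its own LAN address 192.168.0.1, that site B's LAN is 10.0.0.0/24 with a host 10.0.0.10, and that the 192.168.0.0/24 <-> 10.0.0.0/24 IPsec policy already exists (as it must, since the clients can reach each other).

```routeros
# Added example (not the forum poster's configuration). Router A:
#   LAN 192.168.0.0/24, router's LAN address 192.168.0.1 (assumed)
#   remote LAN 10.0.0.0/24, remote host 10.0.0.10 (assumed)
# The IPsec policy 192.168.0.0/24 <-> 10.0.0.0/24 is assumed to exist.

# 1. Reproduce the symptom: the router sources the packet from its WAN
#    address, so it never matches the policy and leaves the tunnel untouched.
/ping 10.0.0.10 count=3

# 2. Ping-only workaround: pick the LAN address as source so the packet
#    matches the policy and is encrypted.
/ping 10.0.0.10 src-address=192.168.0.1 count=3

# 3. Fix for everything the router itself originates towards site B
#    (DNS, NTP, backups, management sessions): rewrite the source to the
#    LAN address before the packet is compared against the IPsec policy.
#    place-before=0 keeps it ahead of any masquerade rule, which would
#    otherwise terminate the chain first and leave the WAN address in place.
/ip firewall nat
add chain=srcnat src-address-type=local dst-address=10.0.0.0/24 \
    action=src-nat to-addresses=192.168.0.1 place-before=0 \
    comment="router-originated traffic to site B via IPsec"

# 4. Verify: the policy should show ph2-state=established and the
#    installed SA counters should now grow when the router pings site B.
/ip ipsec policy print
/ip ipsec installed-sa print
/ping 10.0.0.10 count=3
```

Router B needs the mirrored rule (dst-address=192.168.0.0/24, to-addresses=its own 10.0.0.x address) for the same reason in the other direction.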