IPsec tunnel established but no traffic

Hello everybody, I'm trying to test IPsec in GNS3 but I cannot get traffic passing through the tunnel.
I've made this simple test environment


and set the two routers as follows,
but although the IPsec tunnel is up, no traffic passes inside.

I've read a lot on various forums but I cannot figure out what is wrong.
Could someone please help me?

Thanks

For Site A

/interface bridge
add name=bridge1Lan
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no name=ether8Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=1.1.1.2/32 name=SiteB
/ip pool
add name=dhcp_pool0 ranges=192.168.18.1-192.168.18.253
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1Lan name=dhcp1
/interface bridge port
add bridge=bridge1Lan interface=ether4
add bridge=bridge1Lan interface=ether5
add bridge=bridge1Lan interface=ether6
add bridge=bridge1Lan interface=ether7
/ip address
add address=1.1.1.1/30 interface=ether8Wan network=1.1.1.0
add address=192.168.18.254/24 interface=bridge1Lan network=192.168.18.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.18.0/24 dns-server=8.8.8.8 gateway=192.168.18.254
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 log=yes src-address=192.168.18.0/24
/ip ipsec identity
add peer=Castelvetro
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=SiteB src-address=192.168.18.0/24 tunnel=yes
/system identity
set name=SiteA

For Site B

# nov/29/2023 10:56:17 by RouterOS 6.49.6
# software id =

/interface bridge
add name=bridge1Lan
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no name=ether8Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=1.1.1.1/32 name=SiteA
/ip pool
add name=dhcp_pool0 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1Lan name=dhcp1
/interface bridge port
add bridge=bridge1Lan interface=ether4
add bridge=bridge1Lan interface=ether5
add bridge=bridge1Lan interface=ether6
/ip address
add address=1.1.1.2/30 interface=ether8Wan network=1.1.1.0
add address=192.168.2.1/24 interface=bridge1Lan network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.18.0/24 log=yes src-address=192.168.2.0/24
/ip ipsec identity
add peer=Messina
/ip ipsec policy
add dst-address=192.168.18.0/24 peer=SiteA src-address=192.168.2.0/24 tunnel=yes
/system identity
set name=SiteB

Hi,

What position is that src NAT rule in? Do you have fasttrack?

To help you, can you show us the following command?


/export hide-sensitive

As Sindy always indicates: between [ code ] and [ /code ] tags, after removing any additional sensitive information not suppressed by hide-sensitive (public addresses, serial numbers, usernames, secrets, private keys).

Regards,
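
The two things asked about in this reply (where the srcnat accept rule sits, and whether fasttrack is enabled) can be checked mechanically from an export. The script below is an added example, not part of the thread and not MikroTik tooling; the first excerpt is constructed from Site A's posted values, and the second, with a masquerade rule and fasttrack, is a hypothetical variant.

```python
import re
# Constructed excerpt modelled on Site A's posted configuration.
SITE_A_AS_POSTED = """\
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 log=yes \\
    src-address=192.168.18.0/24
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=SiteB src-address=192.168.18.0/24 tunnel=yes
"""
# Hypothetical variant: masquerade placed first and fasttrack enabled.
SITE_A_BROKEN = """\
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8Wan
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.18.0/24
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=SiteB src-address=192.168.18.0/24 tunnel=yes
"""

def parse_export(text):
    """Map each menu path to the ordered list of its 'add' lines as dicts."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def first(rules, pred):  # index of the first rule satisfying pred, or None
    return next((i for i, r in enumerate(rules) if pred(r)), None)

def audit(text):
    """Return findings about NAT ordering and fasttrack for each IPsec policy."""
    cfg, findings = parse_export(text), []
    nat = [r for r in cfg.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    flt = [r for r in cfg.get("/ip firewall filter", []) if r.get("chain") == "forward"]
    translate = first(nat, lambda r: r.get("action") in ("masquerade", "src-nat"))
    for pol in cfg.get("/ip ipsec policy", []):
        sel = (pol.get("src-address"), pol.get("dst-address"))
        bypass = first(nat, lambda r: r.get("action") == "accept"
                       and (r.get("src-address"), r.get("dst-address")) == sel)
        if translate is not None and (bypass is None or bypass > translate):
            findings.append(f"srcnat rewrites {sel[0]}->{sel[1]} before any accept rule")
    ft = first(flt, lambda r: r.get("action") == "fasttrack-connection")
    exempt = first(flt, lambda r: "ipsec-policy" in r)
    if ft is not None and (exempt is None or exempt > ft):
        findings.append("fasttrack precedes any ipsec-policy exemption in forward chain")
    return findings
```

An empty result for the as-posted excerpt means NAT ordering and fasttrack are not the cause in that configuration; the check does not look at disabled rules or at the raw table.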

First, thanks for your answer.
In my previous post you can see the complete configuration that was set.
There are no IP firewall rules of any kind except this for one site
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 log=yes src-address=192.168.18.0/24

and this for the other side
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.18.0/24 log=yes src-address=192.168.2.0/24

Hello, I figured out what was wrong.
The issue wasn't the configuration but how I set up the environment.
Here is the correct setup for the environment:
TestIpSec2.jpg
In the configuration I just changed the remote IP.

Thanks to all for any help and sorry for my bad English