ipsec tunnel

rilliam · May 19, 2017, 11:51pm

I am trying to connect two sites so that I can access a VNC terminal on the lan of one of the sites from the other.

I have following the directions here: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel

I see that the tunnel is established, however I cannot ping across the tunnel.

Do I need to make a route?

Revelation · May 20, 2017, 2:38am

Without seeing your config, taking a guess…

Ensure you have FW permit statements for each of the networks. (if this applies in your case)
Ensure you have routes on both routers pointing to the distant network via the tunnel.
Ensure your “interesting” traffic is permitted via IPSEC policy.

rilliam · May 20, 2017, 4:08am

I followed all the stuff in that article. I thought it was routing as well but I am not sure what to set. Can you point me at an example of the routing for a site to site ipsec tunnel?

Revelation · May 20, 2017, 12:58pm

Open a terminal window and type: ip route print

Post the output of that command. (I recommend that you change the public IP address info)

rilliam · May 21, 2017, 6:15pm

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 xxx.xxx.xxx.70 1
1 ADC xxx.xxx.xxx.64/29 xxx.xxx.xxx.65 ether1-gateway 0
2 ADC 192.168.56.0/24 192.168.56.1 bridge-local 0

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 xxx.xxx.xxx.1 1
1 ADC xxx.xxx.xxx.0/24 xxx.xxx.xxx.23 ether1-gateway 0
2 ADC 192.168.88.0/24 192.168.88.1 bridge-local 0

Revelation · May 21, 2017, 6:26pm

I don’t see any routing for networks / IPs through a tunnel.

rilliam · May 21, 2017, 7:10pm

I have done a little more research and my understanding is that ipsec isn’t routing. That its based on policy, it doesn’t create virtual interfaces that are added to a route table.

https://www.manitonetworks.com/mikrotik/2016/3/5/ipsec-tunnels

Revelation · May 22, 2017, 1:19am

Since you never posted configs as I asked, I have no clue how you have things setup. Enjoy…

rilliam · May 22, 2017, 4:09am

I fixed this by ensuring the gateway ip was set correctly on the trouble node inside the rb750. Without the gateway the packets have no way of knowing where to go.