IPsec VPN fails to ping 2 assets out of 5

Good afternoon,

I have a working IPsec VPN with policies between two RB4011s.

My problem is that I fail to ping and get web interface access to 2 out of 5 devices, which is strange.

Headquarters IP 192.168.0.0/24
Branch IP 192.168.5.0/24

I can ping and have web access to the following: 192.168.0.127, 192.168.0.142 and 192.168.0.223, but I fail to access 192.168.0.250 and 192.168.0.30, which are a PBX and an IP printer.
192.168.0.127 is a CCTV system, 192.168.0.142 is an IP phone and 192.168.0.223 a NAS device; all are accessible and working fine.

That said, I feel like my routing is correct and my firewall is allowing all of the 0.0/24 range in.
The assets work fine on the local network if I AnyDesk to a local machine there.

Also, what I have noticed is that if I create an L2TP connection from my mobile phone to the headquarters via LTE, everything is accessible from the phone as it should be.

What a headache.

Any ideas?

Thanks in advance

Without seeing your configuration, no ideas at all. See my automatic signature right below for anonymisation hints.

The only things which come to my mind without seeing the configuration are missing/wrong routes to 192.168.5.0/24 on the two devices (as the IP ranges for the L2TP clients and the IPSec tunnel clients are different), or firewall configuration on those devices themselves.

Is it an L2TP/IPsec tunnel or just an IPsec site-to-site tunnel?
In case it is an IPsec tunnel, under IP > Firewall > NAT on the 192.168.5.0/24 side, have you created a srcnat rule with dst-address 192.168.0.0/24 and action accept, placed at the very top?
The same must be done on the other side, but for the 192.168.5.0/24 subnet…
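To make the ordering point concrete, here is an added Python model of how a srcnat chain is walked top to bottom. It is not RouterOS code and not from this thread: it assumes a constructed branch client 192.168.5.10, uses the branch WAN address 192.168.1.5 and the IPsec policy selectors from the configs posted later in the thread, and models the "first terminating rule wins" evaluation and the fact that the IPsec policy lookup happens after source NAT. With the accept rule above the masquerade, the branch source address survives and the packet still matches the policy selector; with the masquerade first, the source becomes the WAN address and the packet is never picked up by the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of a srcnat chain. Added illustration only;
# it does not reproduce RouterOS internals.

@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str


@dataclass
class Rule:
    action: str                          # "accept" | "masquerade" | "src-nat"
    src_address: Optional[str] = None    # CIDR matcher or None (any)
    dst_address: Optional[str] = None
    out_interface: Optional[str] = None
    to_address: Optional[str] = None     # used by src-nat only
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src_address and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.dst_address and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_address):
            return False
        if self.out_interface and self.out_interface != pkt.out_iface:
            return False
        return True


WAN_IP = "192.168.1.5"   # branch router WAN address from the posted config


def run_srcnat(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; return (resulting source, comment of deciding rule)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "accept":
            return pkt.src, rule.comment            # leave the packet untouched, stop evaluating
        if rule.action == "masquerade":
            return WAN_IP, rule.comment             # rewrite source to the out-interface address
        if rule.action == "src-nat":
            return rule.to_address, rule.comment
    return pkt.src, "no rule matched"


# Branch-side IPsec policy selector from the posted config
IPSEC_POLICY_SRC = ipaddress.ip_network("192.168.5.0/24")
IPSEC_POLICY_DST = ipaddress.ip_network("192.168.0.0/24")


def matches_ipsec_policy(src: str, dst: str) -> bool:
    """Would the packet, after NAT, still match the branch's IPsec policy selector?"""
    return (ipaddress.ip_address(src) in IPSEC_POLICY_SRC
            and ipaddress.ip_address(dst) in IPSEC_POLICY_DST)


accept_rule = Rule("accept", src_address="192.168.5.0/24", dst_address="192.168.0.0/24", comment="vpn01")
masq_rule = Rule("masquerade", src_address="192.168.5.0/24", out_interface="WAN", comment="masquerade")


def check_order(rules: List[Rule], src: str = "192.168.5.10", dst: str = "192.168.0.250"):
    """Return (source after NAT, deciding rule, whether the IPsec policy still matches)."""
    pkt = Packet(src, dst, "WAN")   # tunnelled traffic is routed out via WAN before encryption
    new_src, decided_by = run_srcnat(rules, pkt)
    return new_src, decided_by, matches_ipsec_policy(new_src, dst)


if __name__ == "__main__":
    print(check_order([accept_rule, masq_rule]))   # accept first: source kept, policy matches
    print(check_order([masq_rule, accept_rule]))   # masquerade first: source rewritten, policy misses
```

The same reasoning applies mirrored on the HQ side, where the accept rule must match src-address 192.168.0.0/24 and dst-address 192.168.5.0/24 ahead of the "Masquerade VPN" rule.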

HEADQUARTERS

/interface bridge
add arp=proxy-arp name=bridge1
add name=bridge2
/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/ip hotspot profile
add hotspot-address=192.168.5.1 login-by=http-chap name=hsprof1 use-radius=yes
add hotspot-address=192.168.2.1 login-by=http-chap name=hsprof2 radius-interim-update=10m use-radius=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
add dh-group=modp1024 dpd-interval=1m dpd-maximum-failures=3 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=xx.xx.xxx.xx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s pfs-group=none
add auth-algorithms=sha1,md5 enc-algorithms=aes-128-cbc lifetime=1d name=secure-proposal
/ip pool
add name=dhcp_pool0 ranges=192.168.0.1-192.168.0.253
add name=dhcp_pool1 ranges=192.168.2.1-192.168.2.254
add name=vpnpool ranges=192.168.0.210-192.168.0.215
add name=hs-pool-18 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge2 lease-time=1d name=dhcp2
/ip hotspot
add address-pool=hs-pool-18 interface=bridge2 name=hotspot1 profile=hsprof2
/ppp profile
add bridge=bridge1 dns-server=8.8.8.8 local-address=192.168.0.254 name=profile1 remote-address=vpnpool use-encryption=required
/queue simple
add name=VoIP1 packet-marks=VoIP14 priority=1/1 target=192.168.0.14/32
add name=VoIP2 packet-marks=VoIP15 priority=1/1 target=192.168.0.15/32
add name="Internal Network" priority=3/3 target=bridge1
add max-limit=1M/10M name="Internal Network Retail" target=bridge2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge2 interface=wlan3
add bridge=bridge2 interface=wlan4
add bridge=bridge2 interface=wlan5
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=profile1 keepalive-timeout=disabled max-mru=1460 max-mtu=1460 use-ipsec=required
/interface wireless access-list
add disabled=yes interface=all signal-range=-85..120 vlan-mode=no-tag
add authentication=no disabled=yes forwarding=no interface=all signal-range=-120..86 vlan-mode=no-tag
/ip address
add address=192.168.1.235/24 interface=WAN network=192.168.1.0
add address=192.168.0.254/24 interface=bridge1 network=192.168.0.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=212.205.212.205,195.170.0.1,8.8.8.8 gateway=192.168.0.254 netmask=24
add address=192.168.2.0/24 dns-server=212.205.212.205,195.170.0.1,8.8.8.8 gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-udp-packet-size=8192 servers=212.205.212.205,195.170.0.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=ipsec-ike-natt dst-port=500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=forward comment=vpn01 dst-address=192.168.0.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.5.0/24
add action=accept chain=input comment="Accept SIP and Voice Ports" dst-port=5060-5065,10000-20000,6060-6065 protocol=udp
add action=accept chain=forward comment="Accept SIP and Voice Ports" dst-port=5060-5065,10000-20000,6060-6065 protocol=udp
add action=accept chain=forward comment="CCTV Port Accept" dst-port=37777 protocol=tcp
add action=drop chain=forward comment="Drop Retail - Guest To Offices" dst-address=192.168.2.0/24 src-address=192.168.0.0/24
add action=drop chain=forward comment="Drop Retail - Guest To Offices" dst-address=192.168.0.0/24 src-address=192.168.2.0/24
/ip firewall mangle
add action=mark-packet chain=forward comment="VoIP Packets Mark .14" new-packet-mark=VoIP14 passthrough=yes src-address=192.168.0.14
add action=mark-packet chain=forward comment="VoIP Packets Mark .14" dst-address=192.168.0.14 new-packet-mark=VoIP14 passthrough=yes
add action=mark-packet chain=forward comment="VoIP Packets Mark .15" new-packet-mark=VoIP15 passthrough=yes src-address=192.168.0.15
add action=mark-packet chain=forward comment="VoIP Packets Mark .15" dst-address=192.168.0.15 new-packet-mark=VoIP15 passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=change-mss chain=forward comment="Auto Change MSS" disabled=yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.0.0/24 src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="Masquerade VPN" out-interface=WAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=37777 protocol=tcp to-addresses=192.168.0.127 to-ports=37777
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,5062,5063,5064,5065
/ip hotspot user
add name=admin
/ip ipsec identity
add generate-policy=port-override peer=peer1
/ip ipsec policy
add dst-address=192.168.5.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xx.xx.xxx.xx sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.1
add comment=vpn01 distance=1 dst-address=192.168.5.0/24 gateway=bridge1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8085
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=admin profile=profile1 service=l2tp
/radius
add address=192.168.0.100 disabled=yes service=hotspot timeout=3s
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=xxxxxx
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=193.239.214.226
/system ntp server
set enabled=yes manycast=no
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add disabled=yes interval=1m name=ipsec-peer-update-vpn01 on-event="/system script run ipsec-peer-update-vpn01" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/29/2018 start-time=18:05:48
add disabled=yes interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/29/2018 start-time=18:05:49
add interval=15m name=ping-vpn01 on-event=ping-vpn01 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/27/2015 start-time=12:50:36
/system script
add dont-require-permissions=yes name=ipsec-peer-update-vpn01 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local peerid \"vpn01\"\
    \n:local peerhost \"xxxxxxxxxxx.sn.mynetname.net\"\
    \n:local peerip [:resolve \$peerhost]\
    \n:local peeruid\
    \n:set peeruid [/ip ipsec peer find comment=\"\$peerid\" and address!=\"\$peerip/32\"]\
    \n:local policyuid\
    \n:set policyuid [/ip ipsec policy find comment=\"\$peerid\" and sa-dst-address!=\"\$peerip\"]\
    \n:if (\$peeruid != \"\") do={\
    \n /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
    \n :log info \"Script ipsec-peer-update updated peer '\$peerid' with address '\$peerip'\"\
    \n}\
    \n:if (\$policyuid != \"\") do={\
    \n /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
    \n :log info \"Script ipsec-peer-update updated policy '\$peerid' with address '\$peerip'\"\
    \n}"
add dont-require-permissions=yes name=ping-vpn01 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\
    \n:if ([/ping 192.168.5.1 src-address=192.168.0.254 count=5] = 0) do={ \r\
    \n:log warning \"VPN DOWN\";\r\
    \n/ip ipsec peer disable 0;\r\
    \n/ip ipsec active-peers kill-connections;\r\
    \n/ip ipsec installed-sa flush;\r\
    \n:delay 200;\r\
    \n/ip ipsec peer enable 0;\r\
    \n/ip cloud force-update;\r\
    \n:delay 15;\r\
    \n/ping 192.168.5.1 src-address=192.168.0.254 count=5;\r\
    \n} else={\r\
    \n:log warning \"VPN UP\";\r\
    \n/ip cloud force-update;\r\
    \n}\r\
    \n}\r\
    \n"
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool netwatch
add comment=ipsec-peer-update-vpn01 down-script="/system scheduler enable ipsec-peer-update-vpn01\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.5.1 up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-vpn01"


BRANCH

/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.168.5.1 login-by=http-chap name=hsprof1 radius-interim-update=10m use-radius=yes
/ip ipsec profile
add dh-group=modp1024 dpd-interval=1m dpd-maximum-failures=3 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=xx.xx.xxx.xx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s pfs-group=none
add auth-algorithms=sha1,md5 enc-algorithms=aes-128-cbc lifetime=1d name=secure-proposal
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=dhcp1
/ip hotspot
add address-pool=dhcp_pool0 interface=bridge1 name=hotspot1 profile=hsprof1
/interface bridge port
add bridge=bridge1 interface=ether2
/ip firewall connection tracking
set enabled=yes
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.1.5/24 interface=WAN network=192.168.1.0
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=212.205.212.205,195.170.0.1,8.8.8.8 gateway=192.168.5.1 netmask=24
/ip dns
set cache-size=8192KiB max-udp-packet-size=8192 servers=212.205.212.205,195.170.0.1,8.8.8.8
/ip firewall address-list
add address=192.168.5.1-192.168.5.254 list=allowed_to_router
add address=192.168.0.1-192.168.0.254 list=allowed_to_router
add address=192.168.0.0/16 disabled=yes list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
/ip firewall filter
add action=accept chain=input comment=ipsec-ike-natt dst-port=500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward comment=vpn01 dst-address=192.168.5.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.0.0/24
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=WAN passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=WAN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=192.168.0.0/24 src-address=192.168.5.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.5.0/24
/ip firewall service-port
set sip disabled=yes
/ip hotspot user
add name=admin
/ip ipsec identity
add generate-policy=port-override peer=peer1
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xx.xx.xxx.xx sa-src-address=192.168.1.5 src-address=192.168.5.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.1
add check-gateway=ping comment=vpn01 distance=1 dst-address=192.168.0.0/24 gateway=bridge1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8085
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.5.0/24,192.168.0.0/24
set api-ssl disabled=yes
/radius
add address=192.168.0.4 disabled=yes realm=00:10:00 service=hotspot timeout=5s
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=CHR_Home
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=162.159.200.1
/system ntp server
set enabled=yes manycast=no
/system scheduler
add disabled=yes interval=1m name=ipsec-peer-update-vpn01 on-event="/system script run ipsec-peer-update-vpn01" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/29/2018 start-time=18:05:48
add disabled=yes interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/29/2018 start-time=18:05:49
add interval=15m name=ping-vpn01 on-event=ping-vpn01 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/27/2015 start-time=12:50:36
/system script
add dont-require-permissions=yes name=ipsec-peer-update-vpn01 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local peerid \"vpn01\"\
    \n:local peerhost \"xxxxxxxxxxx.sn.mynetname.net\"\
    \n:local peerip [:resolve \$peerhost]\
    \n:local peeruid\
    \n:set peeruid [/ip ipsec peer find comment=\"\$peerid\" and address!=\"\$peerip/32\"]\
    \n:local policyuid\
    \n:set policyuid [/ip ipsec policy find comment=\"\$peerid\" and sa-dst-address!=\"\$peerip\"]\
    \n:if (\$peeruid != \"\") do={\
    \n /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
    \n :log info \"Script ipsec-peer-update updated peer '\$peerid' with address '\$peerip'\"\
    \n}\
    \n:if (\$policyuid != \"\") do={\
    \n /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
    \n :log info \"Script ipsec-peer-update updated policy '\$peerid' with address '\$peerip'\"\
    \n}"
add dont-require-permissions=yes name=ping-vpn01 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\
    \n:if ([/ping 192.168.0.254 src-address=192.168.5.1 count=5] = 0) do={ \r\
    \n:log warning \"VPN DOWN\";\r\
    \n/ip ipsec peer disable 0;\r\
    \n/ip ipsec active-peers kill-connections;\r\
    \n/ip ipsec installed-sa flush;\r\
    \n:delay 200;\r\
    \n/ip ipsec peer enable 0;\r\
    \n/ip cloud force-update;\r\
    \n:delay 15;\r\
    \n/ping 192.168.0.254 src-address=192.168.5.1 count=5;\r\
    \n} else={\r\
    \n:log warning \"VPN UP\";\r\
    \n/ip cloud force-update;\r\
    \n}\r\
    \n}\r\
    \n"
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool netwatch
add comment=ipsec-peer-update-vpn01 down-script="/system scheduler enable ipsec-peer-update-vpn01\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.0.254 up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-vpn01"

Site to Site

I have the rules mentioned on both sites at the top.

There are some improvements that you could make to your config, but besides that I can't really see a reason why you can't ping or access your PBX and the printer in particular…
Are you sure those 2 devices have 192.168.0.254 correctly configured as their gateway?
Is your PBX accessible from outside your network?

With the same config in my previous house I could access them… in the new house I am in now I can't…
It is really weird.
I have also tried with a different provider besides OTE, just in case this is a firewall or NAT issue; still the same thing happens. I want access to the VoIP PBX to put a SIP phone where I live because of the quarantine.
I will check the gateway properties on these two devices, but I can't do it now as I have no access to a local PC there and it is 50 km away.
Will let you know the results.
Any chance you could point out to me what you think can be improved in my config?

Thanks

Do you have a static IP on your ISPs' routers and then send the traffic to the MikroTiks with DMZ or port forwarding?
As for the improvements, I will start with the most important ones: your firewall is not good at all…

Static IP on one side (headquarters)
Dynamic IP on the other side that changes with a script (see my config above)
I didn't do a DMZ - maybe this is my mistake?

Really?
Yes, I would DMZ both my routers…

DMZing the one I have here.

Will get back to you as to what I have at HQ, as I am not sure.

Waiting for your news…

To overcome the suspected issue of a missing route to 192.168.5.0/24 (or the default route) on the two devices, you can use src-nat rules on the Mikrotik at the HQ:

/ip firewall nat
add chain=srcnat action=src-nat out-interface=bridge1 dst-address=192.168.0.250 src-address=192.168.5.0/24 to-addresses=192.168.0.254
add chain=srcnat action=src-nat out-interface=bridge1 dst-address=192.168.0.30 src-address=192.168.5.0/24 to-addresses=192.168.0.254

These rules will make the traffic from the BO look like locally originating traffic to the two devices.
If this doesn’t help, the issue is not the missing route.

If it does help, you can use it for management access to the devices, but connecting a VoIP phone from the branch network to the PBX may have problems due to the NAT, so it’s just a tool, not a solution.

This gave me access to both devices…thanks for the input.

But why are these two assets failing to come through like the rest without the need of these nat rules?

Actually @sindy, this is a workaround and not a solution, since this problem occurs on specific devices…
Besides, the correct implementation of an IPsec tunnel does not need any routes at all!
I still believe it is a NAT problem…

Because, as both @Zacharias and I have suggested, these devices are either missing a default route (to 0.0.0.0/0), or a specific route to a subnet which includes 192.168.5.0/24 exists on them via some other gateway than 192.168.0.254, or their firewall blocks traffic from 192.168.5.0/24 (or a superset of it).

Off topic: what's the original Greek word you translate as "asset"? I have never seen anyone use this word to describe network devices (or "hosts").
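As an added illustration (Python, not from the thread and not RouterOS code), the following models the host-side routing decision described above: a device can only answer the branch client if longest-prefix match on its own routing table hands the reply to 192.168.0.254, the MikroTik that holds the IPsec policy. The two failing routing tables (no default route; default route via some other LAN gateway) are assumed for illustration, not diagnosed from the thread, and the host-firewall case is not modelled; 192.168.5.20 and 192.168.0.1 are constructed values. The second function shows why the src-nat workaround sidesteps the problem: the request arrives from 192.168.0.254 itself, which is on-link for every host in 192.168.0.0/24, so the reply never needs a gateway.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of a LAN host's routing table and of the src-nat workaround.
# Added illustration only; it is not the thread's or RouterOS's code.

HQ_ROUTER = "192.168.0.254"       # holds the IPsec policy towards 192.168.5.0/24
BRANCH_CLIENT = "192.168.5.20"    # constructed example address in the branch LAN

# A routing table is a list of (prefix, gateway); gateway None means directly connected.
Route = Tuple[str, Optional[str]]


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match. Returns the gateway, "on-link" for a connected
    prefix, or None when no route covers the destination (packet is dropped)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] if best[1] is not None else "on-link"


# Three hypothetical host configurations (constructed, not taken from the devices)
WORKING_HOST = [("192.168.0.0/24", None), ("0.0.0.0/0", HQ_ROUTER)]        # default gw = MikroTik
NO_DEFAULT_GW = [("192.168.0.0/24", None)]                                   # gateway never configured
WRONG_GW = [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]         # default gw = some other box


def reply_reaches_tunnel(host_routes: List[Route], reply_dst: str = BRANCH_CLIENT) -> bool:
    """True if the host's reply to the branch client is handed to the MikroTik."""
    return next_hop(host_routes, reply_dst) == HQ_ROUTER


def reply_reaches_tunnel_with_srcnat(host_routes: List[Route]) -> bool:
    """With the src-nat workaround the request's source is 192.168.0.254, so the
    reply is addressed to the router itself and is delivered on the local subnet
    regardless of the host's default gateway."""
    return next_hop(host_routes, HQ_ROUTER) == "on-link"


if __name__ == "__main__":
    for name, routes in [("working", WORKING_HOST), ("no default gw", NO_DEFAULT_GW), ("wrong gw", WRONG_GW)]:
        print(f"{name:14} plain: {reply_reaches_tunnel(routes)!s:5} "
              f"with src-nat: {reply_reaches_tunnel_with_srcnat(routes)}")
```

The model also makes the caveat visible: the workaround hides the host's source address from the device, which is why it helps management access but not a SIP registration that must see the phone's real address.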

I fully agreed with you already before you wrote that, and here’s the proof:

But this tool (or workaround) gives the OP the chance to analyse the settings of the affected devices while in "quarantine" and identify the root cause.

Also, I missed the routes earlier; they are not needed at all… It is wrong…
In IPsec, all we need is a default route in our routing table so that the packet does not get discarded during the routing decision…
All the rest will happen because of the IPsec policy!!!

Wrong translation of "assets". Pay no attention to it… what I mean is network devices, as you have guessed.

You mean my routes regarding the VPN are not needed in the /ip route section?