Hi all.
I don't know which subject is right for this topic, because the problem is a little bit strange.
I configured an IPsec tunnel between my MikroTik RB1100 and one Fortinet firewall (I don't know the exact model).
Local = MikroTik
Remote = Fortinet
The IPsec communication goes up and always stays up, so IPsec works well between the 2 devices.
At the first configuration time we had some communication problems from the remote subnet to the local one; I searched for the problem … everything is right (I think) .. but it doesn't work.
For testing I tried a PING from a local subnet machine to a remote subnet machine, and my ping works well … after this action the communication from remote to local works too.
OK, I thought all was resolved and that "the remote part" did something that I don't know about, marked the problem as solved and closed the case.
But … the day after, remote to local doesn't work .. the IPsec tunnel is up, but the remote machines can't reach the local machines. I try to make a ping from local to remote … the ping responds fine … after this, remote reaches local too.
This happens always .. it is systematic.
Simplified: after some time (not sure how long, but in the past days I can say after about 15 minutes), if the local network doesn't try to reach the remote network … the remote network can't reach the local network. It is like my side needs to start the communication … but the IPsec tunnel is always UP.
Has anyone run into this?
The only thing I can add is that, for testing purposes, on one occasion I did not start the communication by making a ping from local to remote, but instead I tried disabling ALL my firewall rules in my RB1100 … and in this way the remote network reaches the local network … after enabling all the rules again, all works well .. and after some time it stops again.
I think about the "accept forward established traffic" rule … but why … I just put the "accept forward remote network address" rule on top of it.
# IPsec policy: local subnet (xxx) <-> remote subnet (yyy), tunnel mode
/ip ipsec policy
add dst-address=yyy.yyy.yyy.yyy/23 peer=yyyy proposal=yyyy-ph2 sa-dst-address=zz.zz.zz.zz sa-src-address=qq.qq.qq.qq src-address=xxx.xxx.xxx.xxx/23 tunnel=yes
# Forward chain, evaluated top to bottom, first terminating match wins
/ip firewall filter
add action=accept chain=forward comment="forward allow traffic from LAN to ALL" in-interface=ether2
add action=accept chain=forward comment="forward Accept From yyyy VPN" src-address=yyy.yyy.yyy.yyy/23
add action=accept chain=forward comment="forward accept established connection packets" connection-state=established
add action=log chain=forward comment="log rule" log-prefix=Forward:
add action=drop chain=forward comment="forward drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="forward drop everything else"
# Exclude local<->remote traffic from source NAT so it matches the IPsec policy
/ip firewall nat
add action=accept chain=srcnat dst-address=yyy.yyy.yyy.yyy/23 src-address=xxx.xxx.xxx.xxx/23
Thanks all for the support.
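To check the rule-ordering question raised in the post, here is an added example (not the poster's code, and not RouterOS itself) that walks the posted forward chain with first-match semantics for a few constructed packets. It assumes placeholder subnets for the masked xxx/yyy ranges, assumes the WAN interface is ether1, and models only the filter matchers shown in the post (no raw/mangle, fasttrack or ipsec-policy matching).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple

# Constructed placeholders for the masked subnets in the post.
LOCAL_NET = ipaddress.ip_network("10.10.0.0/23")   # xxx.xxx.xxx.xxx/23
REMOTE_NET = ipaddress.ip_network("10.20.0.0/23")  # yyy.yyy.yyy.yyy/23


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str
    in_interface: Optional[str] = None
    src_net: Optional[ipaddress.IPv4Network] = None
    conn_state: Optional[FrozenSet[str]] = None

    def matches(self, pkt: dict) -> bool:
        # Every matcher set on the rule must match; unset matchers match anything.
        if self.in_interface and pkt["in_interface"] != self.in_interface:
            return False
        if self.src_net and ipaddress.ip_address(pkt["src"]) not in self.src_net:
            return False
        if self.conn_state and pkt["state"] not in self.conn_state:
            return False
        return True


# The poster's forward chain in the order it was exported.
FORWARD_CHAIN = [
    Rule("accept", "LAN to ALL", in_interface="ether2"),
    Rule("accept", "Accept From VPN", src_net=REMOTE_NET),
    Rule("accept", "established", conn_state=frozenset({"established"})),
    Rule("log", "log rule"),
    Rule("drop", "drop invalid", conn_state=frozenset({"invalid"})),
    Rule("drop", "drop everything else"),
]


def evaluate(chain, pkt: dict) -> Tuple[str, str]:
    """Return (action, comment) of the first terminating rule.

    action=log is non-terminating in RouterOS, so evaluation continues past it.
    A chain with no match falls through to the default accept.
    """
    for rule in chain:
        if rule.matches(pkt):
            if rule.action == "log":
                continue
            return rule.action, rule.comment
    return "accept", "chain default"


def remote_to_local_new() -> Tuple[str, str]:
    # Decrypted packet from the remote subnet, a brand-new connection (ether1 = assumed WAN).
    return evaluate(FORWARD_CHAIN, {"in_interface": "ether1", "src": "10.20.0.5", "state": "new"})
```

Running `remote_to_local_new()` shows that a new remote-to-local flow is accepted by the "Accept From VPN" rule before the established rule is ever consulted, so the posted filter order alone does not explain the one-way behaviour.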