IPsec VPN tunnel established but no communication

Hi guys,

I’m having an issue with IPsec site-to-site between two MikroTiks running versions 6.49.7 and 6.48.6.
Mikrotik-1 - does not have a fixed public IP address
Mikrotik-2 - has a pool of public IP addresses.

Mikrotik-1:
[admin@MikroTik] /ip ipsec active-peers> print
Flags: R - responder, N - natt-peer

ID STATE UPTIME PH2-TOTAL

0 established 3h22m52s 1
1

Mikrotik-2:
[admin@MikroTik] > ip ipsec active-peers print
Flags: R - responder, N - natt-peer

ID STATE UPTIME PH2-TOTAL

0 RN established 3h23m44s 1

Connection is established but I cannot ping the remote devices.

Below are my configurations.
Mikrotik-1:

[admin@MikroTik] > ip ipsec policy print detail 

 2   A  peer=Jupiter-Mikro tunnel=yes src-address=192.168.55.0/24 src-port=any 
        dst-address=172.29.20.0/24 dst-port=any protocol=all action=encrypt 
        level=unique ipsec-protocols=esp sa-src-address=192.168.100.10 
        sa-dst-address=92.92.92.92 proposal=default ph2-count=2 

[admin@MikroTik] > ip ipsec proposal print detail 

 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m 
      pfs-group=modp1024 


 [admin@MikroTik] > ip ipsec peer print detail 

 1     name="RemoteSite-Mikro" address=92.92.92.92/32 profile=default exchange-mode=main 
       send-initial-contact=yes 


[admin@MikroTik] > ip ipsec identity print detail 

 1    peer=RemoteSite-Mikro auth-method=pre-shared-key 
      secret="mysecretrsa" generate-policy=port-override 


[admin@MikroTik] > ip ipsec profile print detail 

 2   name="Profile-2" hash-algorithm=sha1 enc-algorithm=aes-128 
     dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=no 
     dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] > ip ipsec active-peers print detail 
Flags: R - responder, N - natt-peer 
 0    local-address=192.168.100.10 port=4500 remote-address=92.92.92.92 port=4500 
      state=established side=initiator uptime=4h6m49s last-seen=19s ph2-total=1 
      spii="71702b78fcf9b2e4" spir="c531e0454ac262f9" 

[admin@MikroTik] > ip ipsec installed-sa print detail 
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0xE7E8CF8 src-address=92.92.92.92:4500 dst-address=192.168.100.10:4500 
      state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="blabla" 
      enc-key="blabla" 
      add-lifetime=24m/30m replay=128 

 1  E spi=0xC24A900 src-address=192.168.100.10:4500 dst-address=92.92.92.92:4500 
      state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="blabla" 
      enc-key="blabla" 
      add-lifetime=24m/30m replay=128 

[admin@MikroTik] > ip address print 
                                        
 1   192.168.55.1/24    192.168.55.0    ether4-slave-local                               
 2   192.168.100.10/24  192.168.100.0   ether1-gateway                                   
 3 D 192.168.100.2/24   192.168.100.0   ether1-gateway   


[admin@MikroTik] > ip route print detail 


 1 ADS  dst-address=0.0.0.0/0 gateway=192.168.100.1 
        gateway-status=192.168.100.1 reachable via  ether1-gateway distance=1 scope=30 
        target-scope=10 vrf-interface=ether1-gateway 

 2   S  dst-address=0.0.0.0/0 gateway=192.168.100.1 
        gateway-status=192.168.100.1 reachable via  ether1-gateway distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=192.168.55.0/24 pref-src=192.168.55.1 gateway=ether4-slave-local 
        gateway-status=ether4-slave-local reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.100.0/24 pref-src=192.168.100.10 gateway=ether1-gateway 
        gateway-status=ether1-gateway reachable distance=0 scope=10 

[admin@MikroTik] > ip firewall filter print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; vpn
      chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix="" 

 1    chain=input action=accept protocol=gre log=no log-prefix="" 

 2    chain=input action=accept protocol=udp in-interface=ether1-gateway dst-port=500 
      log=no log-prefix="" 

 3    chain=input action=accept protocol=udp in-interface=ether1-gateway dst-port=4500 
      log=no log-prefix="" 

 4    chain=forward action=accept src-address=172.29.20.0/24 dst-address=192.168.55.0/24 
      log=no log-prefix="" 

 5    chain=input action=accept src-address=192.168.55.0/24 dst-address=172.29.20.0/24 
      log=yes log-prefix="" 

 6    chain=forward action=drop layer7-protocol=Facebook&youtube protocol=tcp 
      in-interface=ether4-slave-local out-interface=ether1-gateway dst-port=80,443 
      log=no log-prefix="" 

 7    ;;; default configuration
      chain=input action=accept protocol=icmp log-prefix="" 

 8    ;;; default configuration
      chain=input action=accept connection-state=established log-prefix="" 

 9    ;;; default configuration
      chain=input action=accept connection-state=related log-prefix="" 

10    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

11    ;;; default configuration
      chain=forward action=accept connection-state=established log-prefix="" 

12    ;;; default configuration
      chain=forward action=accept connection-state=related log-prefix="" 

13    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 


[admin@MikroTik] > ip firewall nat print detail 

 1    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log-prefix="" 

 2    chain=srcnat action=accept src-address=192.168.55.0 dst-address=172.29.20.0/24 log=no log-prefix=""

Mikrotik-2:

[admin@MikroTik] > ip ipsec policy print detail 

 1  DA  peer=Office tunnel=yes src-address=172.29.20.0/24 src-port=any 
       dst-address=192.168.55.0/24 dst-port=any protocol=all action=encrypt 
       level=unique ipsec-protocols=esp sa-src-address=92.92.92.92 
       sa-dst-address=12.119.186.238 proposal=default ph2-count=1 

[admin@MikroTik] > ip ipsec proposal print detail  
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m 
      pfs-group=modp1024

[admin@MikroTik] > ip ipsec peer print detail    
Flags: X - disabled, D - dynamic, R - responder 
 0   R name="Office" passive=yes profile=default exchange-mode=main 
       send-initial-contact=no 


[admin@MikroTik] > ip ipsec identity print detail 
Flags: D - dynamic, X - disabled 
 0    peer=CEC auth-method=pre-shared-key secret="mysecretrsa" 
      generate-policy=port-override 


[admin@MikroTik] > ip ipsec profile print detail  
Flags: * - default 
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128 
     dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey 
     nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5  

[admin@MikroTik] > ip ipsec active-peers print detail 
Flags: R - responder, N - natt-peer 
 0 RN local-address=92.92.92.92 port=4500 remote-address=102.119.186.238 
      port=21278 state=established side=responder uptime=4h27m16s last-seen=43s 
      ph2-total=2 


[admin@MikroTik] > ip ipsec installed-sa print detail 
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0xC24A900 src-address=12.119.186.238:21278 dst-address=92.92.92.92:450>
      state=dying auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="blabla" 
      enc-key="blabla" 
      add-lifetime=24m/30m replay=128 

 1  E spi=0xE7E8CF8 src-address=92.92.92.92:4500 dst-address=12.119.186.238:2127>
      state=dying auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="blabla" 
      enc-key="blabla" 
      add-lifetime=24m/30m replay=128 

 2  E spi=0x772AC35 src-address=12.119.186.238:21278 dst-address=92.92.92.92:450>
      state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="blabla" 
      enc-key="blabla" 
      add-lifetime=24m/30m replay=128 

 3  E spi=0x9D2CADC src-address=92.92.92.92:4500 dst-address=12.119.186.238:2127>
      state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="blabla" 
      enc-key="blabla" 
      add-lifetime=24m/30m replay=128 


[admin@MikroTik] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   15.11.15.21/26 15.11.15.12 ether1                                   
 1   172.29.20.1/24     172.29.20.0     ether2                                   
 2   92.92.92.92/28      92.92.92.91      ether3                                   
 3   172.16.0.1/32      172.16.0.1      Loopback
                                        
[admin@MikroTik] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=135.181.165.193 
        gateway-status=15.11.15.13 reachable via  ether1 distance=1 
        scope=30 target-scope=10 

 1 ADC  dst-address=92.92.92.91/28 pref-src=92.92.92.92 gateway=ether3 
        gateway-status=ether3 reachable distance=0 scope=10 

 2 ADC  dst-address=15.11.15.12/26 pref-src=15.11.15.21 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 3 ADC  dst-address=172.16.0.1/32 pref-src=172.16.0.1 gateway=Loopback 
        gateway-status=Loopback reachable distance=0 scope=10 

 4 ADC  dst-address=172.29.20.0/24 pref-src=172.29.20.1 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10 


[admin@MikroTik] > ip firewall filter print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Mikrotik Access rule
      chain=input action=accept src-address-list=CountryIPBlocks log=no 
      log-prefix="" 

 3    chain=forward action=accept connection-state=established,related,untracked 
      log=no log-prefix=""  

18    ;;; Mikrotik
      chain=forward action=accept dst-address=92.92.92.92 in-interface=ether1 
      log=yes log-prefix="" 

19    ;;; Block-All-TCP
      chain=forward action=drop protocol=tcp dst-address=92.92.92.92/28 
      in-interface=ether1 log=yes log-prefix="" 
 

22    ;;; Deny ALL rule
      chain=input action=reject reject-with=icmp-host-prohibited log=yes 
      log-prefix="" 


[admin@MikroTik] > ip firewall nat print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade src-address=172.29.20.0/24 
      out-interface=ether1 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=172.16.0.1 out-interface=ether1 
      log=no log-prefix=""

Thanks for the help.

Order of rules matters. On Mikrotik-1 swap your two srcnat rules. On Mikrotik-2 add something similar (the one with action=accept). Or you can get rid of them and add ipsec-policy=out,none to masquerade rules.

Hi Sob, thanks for the reply.

Mikrotik-1:

[admin@MikroTik] > ip firewall nat print detail 
Flags: X - disabled, I - invalid, D - dynamic 

 1    chain=srcnat action=accept src-address=192.168.55.0 dst-address=172.29.20.0/24 
      log=no log-prefix="" 

 2    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log-prefix="" 
[admin@MikroTik] >

Mikrotik-2:

[admin@MikroTik] > ip firewall nat print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=172.29.20.0/24 dst-address=192.168.55.0 
      log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=172.29.20.0/24 out-interface=ether1 
      log=no log-prefix="" 

 2    chain=srcnat action=masquerade src-address=172.16.0.1 out-interface=ether1 log=no 
      log-prefix=""

Not sure if this is what you are trying to say, and it did not work. Can you explain better or, if possible, post the config?

I made a traceroute and it drops after my internet router.

This problem is well documented in the already available resources.

You need to clear the conntrack table after making this type of change.

It’s almost right, only I missed one important detail:

192.168.55.0 = 192.168.55.0/32 = single address (you have this now)
192.168.55.0/24 = whole subnet (you want to have this)

Or the other way, where those rules wouldn’t be needed at all, would be changing existing masquerade:

/ip firewall nat
chain=srcnat action=masquerade out-interface=ether1-gateway ipsec-policy=out,none

And similar on second router.

Hi Sob & Smyers. Thanks guys.

It worked. This is how it is, in case someone faces such a problem.
Mikrotik-1:

0    chain=forward action=accept connection-state=established,related 
      src-address=172.29.20.0/24 dst-address=192.168.55.0/24 log=no log-prefix="" 

 1    chain=forward action=accept connection-state=established,related 
      src-address=192.168.55.0/24 dst-address=172.29.20.0/24 log=yes log-prefix=""



  0    chain=srcnat action=accept src-address=192.168.55.0/24 dst-address=172.29.20.0/24 
      log=no log-prefix=""

Mikrotik-2:

  1    chain=forward action=accept connection-state=established,related 
      src-address=172.29.20.0/24 dst-address=192.168.55.0/24 log=no log-prefix=""



0    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 
      ipsec-policy=out,none



 1    chain=srcnat action=accept src-address=172.29.20.0/24 dst-address=192.168.55.0/24 
      log=no log-prefix=""