IPSec vpn won't work unless subnet routed to local bridge

Hello

I’ve made an IPSec LAN to LAN VPN, following Greg Sowell’s guide here: http://gregsowell.com/?p=787

I found that I can’t reliably ping hosts from other hosts, or even router to router (LAN IPs) without creating a static route for the remote subnet to the local bridge on the router trying to ping the remote host.

What gives - is this expected?

I also seem to have two SAs installed, I don’t think this is normal either?

Cheers.
Jeremy

You only need the route if you want/need the router itself to send traffic through the tunnel (like Netwatch). To be honest it was a surprise to me too, and also to others if you search the forum, but it is just how RouterOS works.

You get an SA for each direction, so two is normal (with swapped src/dst).

OK, thanks for the explanation. I guess I’ll leave the route intact, as I do want to access the router.

Thanks for the tip. I added new routes with the dst. address field set to the subnet of the remote side, and the gateway set to bridge-local or ether2-master-local (if there is no bridge). Apparently no other fields in the route need to be set.

From what I can tell, the routes have to be added to both routers. I initially read the top post to mean a route needed to be added just to the local side if only going in one direction (accessing the remote LAN from the local router, but not the other way around).

EDIT: Thanks - I was editing my post when you replied.


/ip route
add comment="IPSec tunnel" distance=1 dst-address=192.168.1.0/24 gateway=\
    bridge-local

Where 192.168.1.0/24 is the subnet of the remote network.

I don’t know if this is correct, I didn’t find this solution online, I just tinkered around and this is what worked.

One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won’t respond on the webserver, this seems to be an unrelated issue though.
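The reason the route matters, as an added illustration that is not from anyone in this thread: IPsec policies are matched after routing, and router-originated traffic uses the address of the egress interface as its source. Without a route for the remote subnet the ping leaves via the default route with the WAN address as source, which the LAN-to-LAN policy does not cover; the route via the local bridge makes the router pick its LAN address instead. The addresses, interface names and policy below are constructed assumptions, and the lookup is a deliberately simplified model of RouterOS source selection.

```python
import ipaddress

# Constructed topology (assumed, not from the thread): local LAN 192.168.0.0/24
# on bridge-local, WAN on ether1, IPsec policy 192.168.0.0/24 <-> 192.168.1.0/24.
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")

# Routing table entries: (destination, egress interface, router's own address there)
ROUTES_WITHOUT_FIX = [
    ("192.168.0.0/24", "bridge-local", "192.168.0.1"),
    ("0.0.0.0/0", "ether1", "203.0.113.10"),   # default route, WAN side
]
# Same table plus the route from the thread:
#   dst-address=192.168.1.0/24 gateway=bridge-local
ROUTES_WITH_FIX = ROUTES_WITHOUT_FIX + [
    ("192.168.1.0/24", "bridge-local", "192.168.0.1"),
]


def pick_source(routes, dst):
    """Longest-prefix lookup (simplified model). Router-originated traffic
    takes the address of the chosen egress interface as its source."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in ipaddress.ip_network(r[0])]
    best = max(candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], ipaddress.ip_address(best[2])


def policy_matches(src, dst):
    """IPsec policy selector check, applied after routing: both the source
    and destination must fall inside the policy's address ranges."""
    return (ipaddress.ip_address(src) in LOCAL_LAN
            and ipaddress.ip_address(dst) in REMOTE_LAN)


def router_ping_is_encrypted(routes, dst="192.168.1.1"):
    """Would a ping sent by the router itself be caught by the policy?"""
    _iface, src = pick_source(routes, dst)
    return policy_matches(src, dst)


def lan_host_ping_is_encrypted(src="192.168.0.50", dst="192.168.1.1"):
    """Forwarded LAN-to-LAN traffic already carries a LAN source address,
    so it matches the policy with or without the extra route."""
    return policy_matches(src, dst)
```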

I see I have the same problem. I’d like to know a solution, though with SSH working I can port-redirect my way into Winbox or the webserver.

That’s weird. I can ping, SSH and Winbox into the remote router from both the IPSec tunnel or the internet, but can’t pull up its web interface from either. I can if PPTP VPN’d directly in. It’s probably some firewall rule I’ve forgotten about.

Sorry for replying on an old thread, but I have the same problem. Have you guys already found a solution for it? Can’t access the webserver either over the remote VPN, but I can successfully SSH into that same webserver.

Do you have bridge enabled over the ethernet interfaces? And if the answer is yes, please post your configuration here and let’s see if it’s something related with the Packet Flow.

Cheers.

The route fixed the problem on a pair of 5.x routers with IPSEC VPN (both now at the latest 5.26), but adding the route to a pair of 6.x routers (both on 6.11) does not allow pinging the remote side’s LAN IP. I do not have a solution. Both sets of routers are nearly identical in configuration except for the firmware.

I can’t say if other (lower) 6.x firmware versions do work because this is the first I’ve tried it, and I did the VPN programming after I upgraded both routers to 6.11. I can ping the remote side LAN IP if it’s a Cisco Linksys RV042.

Your firewall’s accept rules in srcnat chain are above any other rules?