Hi,
I have a greenfield setup where I am trying to establish a site-to-site IPsec VPN tunnel.
I have tried to use this "how to": http://gregsowell.com/?p=787 But it seems this doc is not fully complete; my tunnel has been created, but I cannot ping any device in the LAN network behind the routers. I am wondering what else should be done to achieve my goal.
Hello,
Thank you for reply.
I guess the firewall rules are the defaults; nothing was added by me.
What I did in my configuration is:
created the IPsec config
added a srcnat NAT translation.
I am wondering if something else must be configured. The tunnel is established, so most probably the routing is wrong or the firewall is blocking traffic.
This thread has been here for a bit, but this is my first time reading it.
I just wanted to throw one silly thing in for discussion...
Are your ping tests from the MikroTiks?
If so, your VPN may actually be up, because when you ping from a MikroTik, by default the WAN interface will be the source it uses, and the WAN IP is not in your VPN selectors. Use source-address = 192.168.40.1 to ping 192.168.47.1.
IPSec selectors are quite picky about what gets mapped and what doesn’t.
Hi,
Sorry for the long reply.
Disabling the firewall didn't help.
About routing: indeed, I have no routing for the LAN networks, so the router most probably doesn't know how to send the packets. I am wondering what gateway should be set for a route like 172.18.47.0/24 via ether1-gateway?
About the ping source, I use the ping tool with source ether2 (it's my LAN interface).
P.S.
I got a message from the ping tool like "network not reachable" together with the IP address of my WAN interface. It must definitely be something wrong with routing.
As I asked above, what routing do we need? What should the gateway be for them?
In general, the default GW route (0.0.0.0/0) is more than enough to make site-to-site IPsec work.
Setting the interface in the ping tool is not what I meant.
Leave that blank (it means "send them out this interface").
On the advanced tab there is a source address field. Put the IP address of ether2 in that field instead.
Firewall settings were OK; I disabled the firewall, but it wasn't necessary to achieve my goal.
The routing settings presented on the last screen are sufficient to make it work; there is no need to add a special (static) routing entry for every LAN network.
When we test with the ping tool, we should remember to add a Src. Address in the advanced tab with an IP which belongs to the LAN interface of the router from which we send the ping.
Want to hear something funny? It was always working. If you had tested from a PC on the LAN, this ping would have worked right away...
The reason the src address ping fixed things is that the IPsec rules will only match local LAN <> remote LAN. Local WAN → remote LAN is not one of these rules. The src address in the ping test creates packets which will match the rules.
(Can you tell that I have already spent time trying to fix something when this was the problem?)
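The selector behaviour described in the two replies above, as an added example that is not part of any post in this thread: a small model of an IPsec policy table that decides whether a packet enters the tunnel. The LAN ranges 192.168.40.0/24 and 192.168.47.0/24 come from the thread; the WAN address 198.51.100.1 and the remote policy table are constructed for illustration, and the function names are my own, not RouterOS commands.

```python
"""Model of IPsec policy (traffic selector) matching, added as an illustration.

A policy covers (src network, dst network). A packet enters the tunnel only if
some policy's selectors cover both its source and destination address; anything
else is routed in the clear via the default gateway, which is why a router ping
sourced from the WAN address never reaches the remote LAN through the tunnel.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "encrypt" for a tunnel policy


# Constructed local policy table: a single local-LAN <-> remote-LAN policy,
# exactly like the thread's setup (local WAN -> remote LAN is NOT covered).
LOCAL_POLICIES = [
    Policy(ip_network("192.168.40.0/24"), ip_network("192.168.47.0/24"), "encrypt"),
]

# Constructed mirror table on the remote router, so its replies are covered too.
REMOTE_POLICIES = [
    Policy(ip_network("192.168.47.0/24"), ip_network("192.168.40.0/24"), "encrypt"),
]

WAN_ADDRESS = "198.51.100.1"  # constructed placeholder for the router's WAN IP


def matching_policy(src, dst, policies=LOCAL_POLICIES):
    """Return the first policy whose selectors cover (src, dst), or None."""
    s, d = ip_address(src), ip_address(dst)
    for policy in policies:
        if s in policy.src and d in policy.dst:
            return policy
    return None


def classify_ping(src, dst, policies=LOCAL_POLICIES):
    """'encrypt' if the packet enters the tunnel, 'cleartext' if it is just routed."""
    policy = matching_policy(src, dst, policies)
    return policy.action if policy is not None else "cleartext"


def reply_is_covered(src, dst, remote_policies=REMOTE_POLICIES):
    """True if the remote side has a policy that sends the reply back through the tunnel."""
    return matching_policy(dst, src, remote_policies) is not None


if __name__ == "__main__":
    # Ping from the router with no source address: WAN IP is used, no selector matches.
    print(WAN_ADDRESS, "->", "192.168.47.1", classify_ping(WAN_ADDRESS, "192.168.47.1"))
    # Ping with src-address set to the LAN interface: the policy matches.
    print("192.168.40.1", "->", "192.168.47.1", classify_ping("192.168.40.1", "192.168.47.1"))
    print("reply covered:", reply_is_covered("192.168.40.1", "192.168.47.1"))
```

The last function illustrates the second half of the problem: even when the outbound ping matches a local policy, the reply only comes back through the tunnel if the remote router's selectors cover the reverse direction.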
Yep, most probably my tunnel was up and running, but I tested it the wrong way.
Now I understand how to avoid this mistake in the future... Damn, I spent a couple of hours finding the cause. The funny thing is that the cause was so simple.
One more question: how can we be sure that the tunnel is established properly and there are no problems like wrong encryption, authentication and so on?
I have another environment where my tunnels seem to be up and running. I have no control over the opposite router; I just get the IPsec config for tunnel establishment. The current situation looks like the tunnel is up; all the ping tests I've sent went into the tunnel, but nothing came back to me.
You should see it in "Installed SAs" if the tunnel is up and running properly.
The SAs are the actual list of packets which will get encrypted and where they will be sent.