Hello everyone.
I'm attempting to create an IPsec tunnel between an RB2011UiAS-2HnD-IN and a Cisco ASA 5508.
The problem is that after I create the tunnel, I can ping the desired hosts, so ICMP goes through the tunnel just fine, but everything else (HTTPS, SSH, etc.) doesn't.
I'm quite new to MikroTik, so I believe I have a configuration issue on the MikroTik side. The ASA config is fine; there are no errors there.
Could you please check my MikroTik config and tell me what I am doing wrong?
I'm connecting 172.30.14.0/24 (the local subnet on the MikroTik LAN) with 172.18.0.0/16 on the ASA side.
Internet access is fine, and the only traffic that is supposed to go through the tunnel is traffic with 172.18.0.0/16 as its destination.
Thank you in advance for checking these config lines.
With Regards
Miroslav Okrina
mar/28/2017 19:55:02 by RouterOS 6.29.1
software id = PMI2-4FC0
# RouterOS export of the MikroTik side of a site-to-site IPsec tunnel:
# LAN 172.30.14.0/24 (bridge-local) <-> 172.18.0.0/16 behind a Cisco ASA at 194.228.247.234.
# The WAN address 192.168.1.111/24 is private, so this router sits behind an upstream
# NAT device (192.168.1.1); see the peer/policy notes below.
/interface bridge
# MTU on the LAN bridge and the WAN port is lowered to 1300 (default is 1500).
# NOTE(review): with IPsec overhead on top of this, large TCP segments may need
# MSS clamping on the tunnel path; small ICMP echoes are not affected, which is
# consistent with "ping works, TCP does not" - confirm with a large ping (df-bit set).
add admin-mac=E4:8D:8C:33:AC:9E auto-mac=no mtu=1300 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] mtu=1300 name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/interface wireless
# The AP is bridged straight onto the LAN (see /interface bridge port). The
# security-profile is not shown in this export, so wireless encryption cannot be
# assessed from here - confirm it is not the open default profile.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290 mode=ap-bridge ssid=MikroTik-33ACA7 wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/ip ipsec proposal
# Phase 2 (ESP) proposal: 3DES + MD5. Both are legacy algorithms; they are kept
# here because they must match what the ASA offers. If the ASA side can be
# changed, prefer AES with SHA-family integrity on both peers at the same time.
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=172.30.14.30-172.30.14.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/ppp profile
# No-op lines produced by the export (profiles renamed to their own names).
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.1.111/24 interface=ether1-gateway network=192.168.1.0
add address=172.30.14.1/24 interface=bridge-local network=172.30.14.0
/ip dhcp-client
# A DHCP client on ether1-gateway coexists with the static 192.168.1.111/24 above;
# if the upstream lease ever hands out a different address, sa-src-address in the
# IPsec policy (static 192.168.1.111) would no longer match - worth checking.
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=172.30.14.0/24 comment="default configuration" gateway=172.30.14.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN; exposure to
# the WAN is prevented only by the input-chain drop on ether1-gateway below.
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# Rules are evaluated in order; the default action when none is given is accept.
# Accept ESP from the ASA on the input chain. Listing every connection-state
# (established,related,new) makes that matcher a no-op. IKE (UDP/500, and
# UDP/4500 if NAT-T were enabled) is not explicitly accepted here; inbound IKE
# from the ASA would only pass as "established,related" of a session this router
# initiated, so the tunnel presumably depends on the MikroTik being the initiator.
add chain=input connection-state=established,related,new protocol=ipsec-esp src-address=194.228.247.234
# Accepts only already-established TCP from the ASA subnet toward the LAN. This
# is fully covered by the generic established,related forward rule further down,
# so it has no effect; NEW connections initiated from 172.18.0.0/16 are still
# dropped by the last forward rule (connection-nat-state=!dstnat). If sessions
# initiated from the ASA side are expected, an explicit accept for
# src-address=172.18.0.0/16 dst-address=172.30.14.0/24 connection-state=new is needed.
add chain=forward connection-state=established,related dst-address=172.30.14.0/24 in-interface=ether1-gateway out-interface=bridge-local protocol=tcp src-address=172.18.0.0/16
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway log=yes
# LIKELY CAUSE OF "ICMP works, TCP/SSH/HTTPS do not": fasttracked connections
# skip IPsec policy processing, so once a TCP session is established its packets
# leave ether1-gateway unencrypted (and masqueraded) instead of via the tunnel.
# Exclude tunnel traffic before this rule, e.g. add ABOVE it:
#   add chain=forward src-address=172.30.14.0/24 dst-address=172.18.0.0/16 comment="bypass fasttrack for IPsec"
#   add chain=forward src-address=172.18.0.0/16 dst-address=172.30.14.0/24 comment="bypass fasttrack for IPsec"
# (plain accept rules), or - if this release supports the ipsec-policy matcher -
# add ipsec-policy=out,none to the fasttrack rule itself. Verify with
# /ip ipsec installed-sa or /ip ipsec policy statistics (packets should count up).
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid log=yes
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway log=yes
/ip firewall nat
# NAT bypass for tunnel traffic: no action means accept, which stops the masquerade
# rule below from rewriting LAN->172.18.0.0/16 packets. Must stay above masquerade.
add chain=srcnat dst-address=172.18.0.0/16 out-interface=ether1-gateway src-address=172.30.14.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer
# Phase 1 with the ASA, IKEv1 PSK, 3DES/MD5 (legacy - see proposal note).
# The pre-shared key is stored in cleartext in this export and has now been
# posted publicly; rotate it on both peers and strip it before sharing exports.
# mode-config=request-only asks the peer for a mode-config address, which is a
# road-warrior client setting - probably unneeded for a site-to-site tunnel; confirm.
# nat-traversal=no although this router's WAN address is private (192.168.1.111):
# ESP must then be forwarded intact by the upstream NAT device. Ping working
# suggests it is, but NAT-T (UDP/4500) is the usual setting behind NAT.
add address=194.228.247.234/32 enc-algorithm=3des hash-algorithm=md5 mode-config=request-only nat-traversal=no secret=warrior101
/ip ipsec policy
# Selector 172.30.14.0/24 <-> 172.18.0.0/16 in tunnel mode; must mirror the ASA
# crypto ACL exactly (including the /16 vs /24 masks). sa-src-address is the
# private WAN address, so the SA is negotiated through the upstream NAT.
add dst-address=172.18.0.0/16 level=unique sa-dst-address=194.228.247.234 sa-src-address=192.168.1.111 src-address=172.30.14.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.1
/lcd interface pages
set 0 interfaces=sfp1,ether1-gateway,ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local
/system clock
set time-zone-name=Europe/Prague
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
# MAC-level telnet/winbox access enabled on every LAN port and on wlan1 (default
# config). Anyone on the LAN or the WLAN can reach the management plane this way;
# restrict to a management port if the WLAN is not fully trusted.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool romon port
# RoMON enabled on all ports (layer-2 management discovery/access); disable if unused.
add disabled=no