Hey guys - We have something that's giving us fits and wanted to throw a question out there and see if it's just something silly we're missing.
We currently have 2 sites with 1 IPsec tunnel connecting them. We set it up with 2 policies and one peer. The 172.20.20 traffic is passing fine, but we're unable to get the 192.168.20 traffic (phone system traffic) to pass.
There are 2 other tunnels on site one that are connected and working fine.
Here’s a quick rundown of each site
SITE1
0 src-address=192.168.10.0/24 src-port=any dst-address=192.168.20.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=75.144.xx.xx sa-dst-address=69.199.xx.xx
proposal=default priority=0
1 src-address=172.20.10.0/24 src-port=any dst-address=172.20.30.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=75.144.xx.xx sa-dst-address=74.95.xx.xx
proposal=default priority=0
2 src-address=172.20.10.0/24 src-port=any dst-address=172.20.20.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=75.144.xx.xx sa-dst-address=69.199.xx.xx
proposal=default priority=0
3 src-address=172.20.10.0/24 src-port=any dst-address=10.0.0.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=75.144.xx.xx sa-dst-address=70.89.xx.xx proposal=default
priority=0
NAT RULES
0 chain=srcnat action=accept src-address=172.20.10.0/24
dst-address=192.168.20.0/24
1 chain=srcnat action=accept src-address=192.168.10.0/24
dst-address=172.20.20.0/24
2 ;;; Phone Subnets
chain=srcnat action=accept src-address=192.168.10.0/24
dst-address=192.168.20.0/24
3 ;;; IPSEC
chain=srcnat action=accept src-address=172.20.10.0/24
dst-address=10.0.0.0/24
4 ;;; IPSEC
chain=srcnat action=accept src-address=172.20.10.0/24
dst-address=172.20.20.0/24
5 ;;; IPSEC
chain=srcnat action=accept src-address=172.20.10.0/24
dst-address=172.20.30.0/24
SITE 2
IPSEC POLICIES
0 src-address=192.168.20.0/24 src-port=any dst-address=192.168.10.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=69.199.xx.xx sa-dst-address=75.144.xx.xx
proposal=default priority=0
1 src-address=172.20.20.0/24 src-port=any dst-address=172.20.10.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=69.199.xx.xx sa-dst-address=75.144.xx.xx
proposal=default priority=0
NAT RULES
0 chain=srcnat action=accept src-address=172.20.20.0/24
dst-address=192.168.10.0/24
1 chain=srcnat action=accept src-address=192.168.20.0/24
dst-address=172.20.10.0/24
2 chain=srcnat action=accept src-address=192.168.20.0/24
dst-address=192.168.10.0/24
3 chain=srcnat action=accept src-address=172.20.20.0/24
dst-address=172.20.10.0/24
4 chain=srcnat action=masquerade out-interface=ether1
Please ask all the questions you need! What are we missing? Do we add a static route since it's technically a VLAN?
Thanks!
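An added example, not the poster's configuration, showing how the one-peer / two-policy layout above is normally written out on the Site 1 router together with the checks that tell you which stage the phone policy is failing at. It follows the older RouterOS 6 policy syntax the post's output uses (sa-src-address / sa-dst-address; newer releases reference the policy to a named peer instead). The public addresses are RFC 5737 placeholders standing in for the xx'd ones, and the interface name ether1, the VLAN name, the comment strings, the filter chain layout and the availability of the ipsec-policy firewall matcher on the running version are all assumptions.

```routeros
# Added example, not the original post's config. Site 1 side; Site 2 mirrors it
# with src/dst and sa-src/sa-dst swapped. 203.0.113.1 = Site 1 WAN, 198.51.100.1 =
# Site 2 WAN (placeholders). Assumed: WAN is ether1, phone VLAN is vlan20-phones.

# --- Peer: one entry, shared by both policies ----------------------------------
/ip ipsec peer
add address=198.51.100.1/32 local-address=203.0.113.1 exchange-mode=main \
    auth-method=pre-shared-key secret="CHANGE-ME-use-a-long-random-string" \
    proposal-check=obey nat-traversal=no

# --- Policies: one per subnet pair, same SA endpoints ---------------------------
# Each policy negotiates its own phase 2 SA, so the LAN policy can be fully up
# while the phone policy has none. Selectors must match the far side exactly.
# level=require: traffic that matches a policy with no SA is dropped, never
# forwarded in clear text.
/ip ipsec policy
add src-address=172.20.10.0/24 dst-address=172.20.20.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=default
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=default

# --- NAT: bypass rules ABOVE the masquerade -------------------------------------
# If masquerade wins first, the phone packets leave with 203.0.113.1 as source,
# no longer match the 192.168.10.0/24 selector, and go out unencrypted/dropped.
/ip firewall nat
add chain=srcnat action=accept src-address=172.20.10.0/24 \
    dst-address=172.20.20.0/24 place-before=0 comment="IPSEC bypass LAN"
add chain=srcnat action=accept src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 place-before=0 comment="IPSEC bypass phones"
# Variant that needs no per-subnet bypass, where the ipsec-policy matcher is
# available: only masquerade what no outgoing IPsec policy is going to encrypt.
add chain=srcnat action=masquerade out-interface=ether1 ipsec-policy=out,none

# --- Input filter: IKE, NAT-T and ESP from the peer must be allowed -------------
# (assumed chain layout; fit these into the existing input chain)
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=198.51.100.1 place-before=0 comment="IKE/NAT-T from site 2"
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.1 \
    place-before=0 comment="ESP from site 2"

# --- Checks, in the order the packet flow fails ---------------------------------
# 1. Does the router see the phone traffic at all? A policy-based tunnel needs no
#    static route for the remote subnet, but the phone VLAN must route through
#    this router and the VLAN interface must carry an address in 192.168.10.0/24.
/ip address print where interface=vlan20-phones
/ip route print where dst-address~"192.168"
# 2. Is the bypass rule matching? Its counters should climb while a phone pings.
/ip firewall nat print stats where comment="IPSEC bypass phones"
# 3. Is there a phase 2 SA for the phone policy, not only the LAN one?
#    Flag A = active; ph2-state should read established on BOTH policies.
/ip ipsec policy print detail
/ip ipsec installed-sa print
/ip ipsec remote-peers print
# 4. Is ESP actually leaving toward the peer while a phone-to-phone ping runs?
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
# 5. Watch the negotiation itself for a selector or proposal mismatch.
/system logging add topics=ipsec,!packet action=memory
/log print follow-only where topics~"ipsec"
```

If step 3 shows the LAN policy with an SA and the phone policy without one, the two sides disagree on the phone selectors or proposal and the log from step 5 names the mismatch; if the SA exists but the counters in step 2 never move, the phone VLAN traffic is not reaching the router as 192.168.10.0/24 in the first place, which is a routing or VLAN question rather than an IPsec one.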