Netwatch to an IP address on the other side of an IPSec VPN

Hi!

My question is simple: I don’t know how to make a Netwatch rule that verifies an IP address on the other side of an IPSec VPN.

I have a LAN, 192.168.20.0/24, with a MikroTik, 192.168.20.254, establishing an IPSec VPN with another MikroTik, 192.168.1.254, in the 192.168.1.0/24 LAN. I want to monitor a PBX in the 192.168.1.0/24 network from the 192.168.20.0/24 network.

How do I change the source address (like you can do in a normal ping “ping 192.168.1.2 src-address=192.168.20.254”) of a Netwatch so it doesn’t appear down in its Status? If I can’t change that, is there another way to make a full-time ping to that IP address?

Thanks beforehand for any replies.

Daniel.

Is there at least a script to make a sustained ping through an IPSec tunnel? I just want to keep the tunnel established.

Add a route to 192.168.1.0/24 on your LAN interface

e.g:

/ip route add disabled=no dst-address=192.168.1.0/24 gateway=Lan

that will make Netwatch work

Thanks!!! It worked just fiiine!
:smiley:

It works! But how?
Can anybody explain?

I found this puzzling too. It works because your IPSec tunnel has a policy that applies to traffic destined for that address range, but traffic has to be on the LAN interface to get picked up by the policy. That route gets traffic for that range onto the LAN, where the policy can apply to it.
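
A small Python model of the behaviour discussed in this thread, added here as an illustration and not posted by any participant: a router-originated probe takes its source address from the interface its route points at, and an IPsec policy only picks up packets whose source and destination both fall inside its selectors. The WAN address 203.0.113.2, the interface name Wan and the policy selectors are assumptions constructed for the example; the LAN addresses and the route come from the posts above.

```python
import ipaddress

# Constructed sample state for the router at 192.168.20.254 (assumed values).
INTERFACES = {"Lan": "192.168.20.254", "Wan": "203.0.113.2"}
POLICY = {"src": "192.168.20.0/24", "dst": "192.168.1.0/24"}  # assumed selectors
DEFAULT_ROUTE = {"dst": "0.0.0.0/0", "gateway": "Wan"}
LAN_ROUTE = {"dst": "192.168.1.0/24", "gateway": "Lan"}  # route suggested in the thread


def pick_route(routes, dst):
    """Longest-prefix match over the routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r["dst"])]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen)


def source_for(routes, dst, src=None):
    """Source of a router-originated packet: an explicit src-address if given,
    otherwise the address of the interface the selected route points at."""
    if src is not None:
        return src
    route = pick_route(routes, dst)
    return INTERFACES[route["gateway"]] if route else None


def matches_policy(src, dst, policy=POLICY):
    """True when both addresses fall inside the policy's selectors."""
    if src is None:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(policy["dst"]))


def probe_is_tunnelled(routes, dst, src=None):
    """Would a probe from the router itself be picked up by the IPsec policy?"""
    return matches_policy(source_for(routes, dst, src), dst)


if __name__ == "__main__":
    pbx = "192.168.1.2"
    print("Netwatch, default route only:", probe_is_tunnelled([DEFAULT_ROUTE], pbx))
    print("ping with src-address set:  ",
          probe_is_tunnelled([DEFAULT_ROUTE], pbx, "192.168.20.254"))
    print("Netwatch, with LAN route:   ",
          probe_is_tunnelled([DEFAULT_ROUTE, LAN_ROUTE], pbx))
```

In this model a probe that misses the policy leaves through the default route with the WAN address as its source and never enters the tunnel, which matches Netwatch showing the host as down until the route is added.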