I’m trying to set up the simplest site-to-site IPsec (with shared key, without NAT).
Office 1 is a Mikrotik 6.43.4 connected to the provider via PPPoE (public IP, default MTU/MSS).
Office 2 is a Cisco 1841 connected to the provider via PPP (public IP, mtu 1400, ip tcp adjust-mss 1300).
IPsec status is Established on both ends.
1500-byte pings over IPsec to private addresses are OK in both directions.
Outgoing TCP connections (from Mikrotik to Cisco) to the same private addresses don’t work.
Incoming TCP connections (from Cisco to the Mikrotik’s private address, ports 22 and 80) are OK.
I have exactly the same situation with a Cisco 881 and a Mtik 752 running 6.44.5. I checked the situation more deeply when host A on the Mtik side sends an SSH packet to host B on the Cisco side. Host B on the Cisco side receives the SYN packet from the Mtik, a SYN-ACK is returned, and the Cisco input ACL sees the returned SYN-ACK, but on the Mtik side host A does not receive the SYN-ACK.
Updating the firmware on the Mtik to 6.45.5 will not resolve this; the situation is even worse, because after restarting the Mtik or the Cisco the IPsec tunnel is not connecting anymore!
Testing other protocols (HTTP, Telnet) shows that they all work correctly. What is the cause of SSH not even starting?
Detailed work with SSH shows that the SYN-ACK packet goes through the input ACL but misses the IPsec ACL (the ACL that defines which traffic to encrypt) on the remote Cisco router?
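As an added illustration of the check implied by that last question (example code, not configuration from either poster), the script below parses a constructed Cisco crypto ACL and a constructed MikroTik `/ip ipsec policy` line, tests whether a SYN from host A and the SYN-ACK back from host B would each be selected for encryption, and reports selectors that are not mirror images of each other. All addresses, and the deliberately narrower Cisco wildcard, are assumptions for the demonstration.

```python
import ipaddress

def _wildcard_to_net(addr, wildcard):
    """Cisco wildcard: set bits mean 'don't care'. Invert it into a netmask (contiguous masks only)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _cisco_addr(tokens, i):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_net(tokens[i], tokens[i + 1]), i + 2

def parse_cisco_crypto_acl(text):
    """Parse 'permit ip SRC DST' lines of a Cisco crypto ACL into (src_net, dst_net) selectors."""
    sels = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[:2] == ["permit", "ip"]:
            src, i = _cisco_addr(t, 2)
            sels.append((src, _cisco_addr(t, i)[0]))
    return sels

def parse_mikrotik_policies(text):
    """Parse '/ip ipsec policy print' style lines (src-address=... dst-address=...) into selectors."""
    sels = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "src-address" in kv and "dst-address" in kv:
            sels.append((ipaddress.ip_network(kv["src-address"]), ipaddress.ip_network(kv["dst-address"])))
    return sels

def selected(sels, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip would be selected for encryption by any selector."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in sels)

def mirror_mismatch(a, b):
    """Selectors on each side whose mirror image (dst, src) is missing on the other side."""
    sa, sb = set(a), set(b)
    return {x for x in sa if (x[1], x[0]) not in sb}, {x for x in sb if (x[1], x[0]) not in sa}

# Constructed sample: MikroTik LAN 192.168.10.0/24, Cisco LAN 192.168.20.0/24. The Cisco entry was
# deliberately written with a /25 wildcard, so hosts above .127 on the MikroTik LAN are not covered.
MIKROTIK_POLICY = "0  A  src-address=192.168.10.0/24 src-port=any dst-address=192.168.20.0/24 dst-port=any action=encrypt"
CISCO_CRYPTO_ACL = "permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.127"

def diagnose(host_a="192.168.10.200", host_b="192.168.20.5"):
    """For a TCP SYN host_a -> host_b: is the SYN encrypted on MikroTik, and the SYN-ACK on Cisco?"""
    mt, cs = parse_mikrotik_policies(MIKROTIK_POLICY), parse_cisco_crypto_acl(CISCO_CRYPTO_ACL)
    return {"syn_encrypted": selected(mt, host_a, host_b), "synack_encrypted": selected(cs, host_b, host_a),
            "not_mirrored": mirror_mismatch(mt, cs)}
```

A `syn_encrypted` of True with `synack_encrypted` of False reproduces the one-way symptom described above: the SYN-ACK is not selected by the remote crypto ACL, so it leaves the Cisco in the clear instead of through the tunnel.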