Hello!
Thank you in advance!!!
I have a problem with a VPN, I made all congigurations in this site https://blog.pessoft.com/2016/05/29/mikrotik-ipsec-tunnel-with-ddns-and-nat/
, but cant establish connection between routers (ping), I leave the routers configuration, in case you see something wrongly configured that I have not seen
****************************** Router Site: RB2011UiAS-2HnD ****************************************
/interface bridge
add comment=“Bridge Madero LAN - WLAN” fast-forward=no name=bridge_vlan10
/interface ethernet
set [ find default-name=ether2 ] comment=Ether2 name=LAN speed=100Mbps
set [ find default-name=ether1 ] comment=Ether1 name=WAN speed=100Mbps
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512
name=secure-profile
/ip ipsec peer
add address=200.XXX.XXX.XXX/32 comment=vpn01 exchange-mode=ike2 name=vpn01
profile=secure-profile
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal
pfs-group=modp4096
/ip pool
add comment=“Pool DHCP LAN” name=dhcp_pool_LAN ranges=10.10.1.20-10.10.1.253
/ip dhcp-server
add address-pool=dhcp_pool_LAN authoritative=after-2sec-delay disabled=no
interface=bridge_vlan10 name=dhcp_Server_LAN
/interface bridge port
add bridge=bridge_vlan10 comment=“BRIDGE LAN” hw=no interface=LAN
/ip address
add address=10.10.1.254/24 comment=“Listado de direcciones LAN” interface=LAN
network=10.10.1.0
/ip dhcp-client
add comment=“WAN ip por DHCP” dhcp-options=hostname,clientid disabled=no
interface=WAN
/ip dhcp-server network
add address=10.10.1.0/24 comment=“Direcciones DHCP LAN” gateway=10.10.1.254
/ip dns
set allow-remote-requests=yes cache-size=12288KiB servers=
176.103.130.130,176.103.130.131
/ip firewall filter
add chain=forward comment=vpn01 dst-address=10.10.1.0/24 in-interface=WAN
ipsec-policy=in,ipsec src-address=10.10.2.0/24
add action=accept chain=input comment=ipsec-ike-natt dst-port=4500
in-interface=WAN protocol=udp
add action=accept chain=input in-interface=WAN protocol=icmp
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=10.10.2.0/24
src-address=10.10.1.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=10.10.1.0/24
src-address=10.10.2.0/24
add action=dst-nat chain=dstnat dst-port=4500 in-interface=WAN protocol=udp
to-addresses=10.10.1.254 to-ports=4500
add action=masquerade chain=srcnat comment=“NAT Internet Clientes” fragment=
no out-interface=WAN
/ip ipsec identity
add comment=vpn01 peer=vpn01 secret=XXXXXXX
/ip ipsec policy
add comment=vpn01 dst-address=10.10.2.0/24 proposal=secure-proposal
sa-dst-address=200.XXX.XXX.XXX sa-src-address=187.XXX.XXX.XXX src-address=
10.10.1.0/24 tunnel=yes
****** This script if for dyndns service, in case to someone is heplful *************
/system script
add dont-require-permissions=no name=DYNDNS owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=“:
global ddnsuser "DYNDNS USERNAME"\r
\n:global ddnspass "DYNDNS PASSWORD"\r
\n:global ddnshost "example.dyndns.org"\r
\n\r
\n:log info "DynDNS: Sending UPDATE!"\r
\n:local str "/nic/update?hostname=$ddnshost&wildcard=NOCHG&mx=NOCHG&ba
ckmx=NOCHG"\r
\n/tool fetch address=members.dyndns.org src-path=$str mode=http user=$d
dnsuser password=$ddnspass dst-path=("/DynDNS.".$ddnshost)”
********************** Router Remote: RB951G-2HnD *****************************
/interface bridge
add comment=“Bridge PS LAN - WLAN” fast-forward=no name=bridge_vlan20
/interface ethernet
set [ find default-name=ether2 ] comment=Ether2 name=LAN speed=100Mbps
set [ find default-name=ether1 ] comment=Ether1 name=WAN speed=100Mbps
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512
name=secure-profile
/ip ipsec peer
add address=187.XXX.XXX.XXX/32 comment=vpn01 exchange-mode=ike2 name=vpn01
profile=secure-profile
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=secure-proposal
pfs-group=modp4096
/ip pool
add comment=“Pool DHCP LAN” name=dhcp_pool_LAN ranges=10.10.2.20-10.10.2.253
/ip dhcp-server
add address-pool=dhcp_pool_LAN authoritative=after-2sec-delay disabled=no
interface=bridge_vlan20 name=dhcp_Server_LAN
/interface bridge port
add bridge=bridge_vlan20 comment=“BRIDGE LAN” hw=no interface=LAN
/ip address
add address=10.10.2.254/24 interface=LAN network=10.10.2.0
/ip dhcp-client
add comment=“WAN ip por DHCP” dhcp-options=hostname,clientid disabled=no
interface=WAN
/ip dhcp-server network
add address=10.10.2.0/24 comment=“Direcciones DHCP LAN” gateway=10.10.2.254
/ip dns
set allow-remote-requests=yes cache-size=2288KiB servers=
176.103.130.130,176.103.130.131
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input in-interface=WAN protocol=icmp
add chain=input comment=ipsec-ike-natt dst-port=4500 in-interface=WAN
protocol=udp
add chain=forward comment=vpn01 dst-address=10.10.2.0/24 in-interface=WAN
ipsec-policy=in,ipsec src-address=10.10.1.0/24
/ip firewall nat
add action=accept chain=srcnat comment=vpn01 dst-address=10.10.1.0/24
src-address=10.10.2.0/24
add action=accept chain=dstnat comment=vpn01 dst-address=10.10.2.0/24
src-address=10.10.1.0/24
add action=dst-nat chain=dstnat dst-port=4500 in-interface=WAN protocol=udp
to-addresses=10.10.2.254 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=WAN protocol=udp
to-addresses=10.10.2.254 to-ports=500
add action=masquerade chain=srcnat comment=“NAT Internet Clientes”
out-interface=WAN
/ip ipsec identity
add comment=vpn01 peer=vpn01 secret=XXXXXX
/ip ipsec policy
add comment=vpn01 dst-address=10.10.1.0/24 proposal=secure-proposal
sa-dst-address=187.XXX.XXX.XXX sa-src-address=200.XXX.XXX.XXX src-address=
10.10.2.0/24 tunnel=yes