Problem with site-to-site VPN on MikroTik.

I have a client that needs an IPsec tunnel. My side is a MikroTik router and the other side is a pfSense device. The tunnel comes up, but he cannot ping my devices. I've created a NAT exemption rule for our subnets. I'm at a loss; this is my first IPsec config on a MikroTik.

here is the sanitized config.

\

feb/23/2017 20:15:56 by RouterOS 6.37rc34

software id = PDLM-0JM1

# RouterOS 6.37rc34 export as posted. Public addresses are masked as "X" and the
# WPA keys as "XXXXXX"; the IPsec pre-shared key further down is NOT masked.
# Wrapped lines (e.g. "mode=" / "ap-bridge") appear to be one command split by the
# export, so comments are only placed before the start of a command.
/interface bridge
add admin-mac=E4:8D:8C:4F:8B:CB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=auto mode=
ap-bridge ssid="MD Medical Back" wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
supplicant-identity=MikroTik wpa-pre-shared-key=XXXXXX
wpa2-pre-shared-key=XXXXX
# Phase 2 (IPsec SA) proposal. 3DES and MD5 are legacy algorithms; keep them only
# while the pfSense side still requires them. Whatever is set here must match the
# pfSense phase 2 settings exactly.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=8h
# DHCP leases run .100-.200, i.e. past .127 - see the /25 note at /ip firewall nat.
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
# This port entry has no interface=; possibly lost while sanitizing - confirm.
add bridge=bridge comment=defconf
add bridge=bridge interface=wlan1
# LAN is 192.168.1.0/24. ether1 carries a static /29 (the public address) and,
# below, the defconf dhcp-client as well; if the uplink is static, the
# dhcp-client entry is a leftover of the default config.
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=
192.168.1.0
add address=12.218.118.X/29 interface=ether1 network=12.218.118.X
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
# allow-remote-requests=yes makes the router a resolver for the LAN; requests
# arriving on ether1 are caught by the input-chain "drop all from WAN" rule below.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 name=router
# Input chain: IKE (udp/500, udp/4500), AH and ESP are accepted from any
# interface, which the tunnel needs. The winbox rule (tcp/8291) also has no
# in-interface restriction and sits above "drop all from WAN", so winbox is
# reachable from the internet; consider in-interface=!ether1 or a
# src-address-list on it.
/ip firewall filter
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related"
connection-state=established,related
add action=accept chain=input comment="winbox remote" dst-port=8291 protocol=
tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=
ether1
# NOTE(review): fasttracked connections are known to bypass IPsec policy
# processing on RouterOS 6; if the tunnel passes a few packets and then stalls,
# exclude tunnel traffic from this rule (e.g. ipsec-policy=out,none) - confirm
# against the RouterOS docs for this version.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related"
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=
invalid
# Decrypted tunnel traffic enters the forward chain on ether1 and is not
# dst-natted, so this (last) forward rule drops it. An accept rule matching
# ipsec-policy=in,ipsec must sit above it - see the answer below the config.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface=ether1
# NAT exemption for tunnel traffic: the accept rule comes before masquerade,
# which is the right order. Both this rule and the IPsec policy use
# 192.168.1.0/25 (.0-.127) while the LAN is /24 and DHCP hands out .100-.200:
# a host with a lease above .127 matches neither, so its traffic to
# 172.16.254.0/25 is masqueraded out ether1 instead of entering the tunnel.
# If the whole LAN should reach the remote subnet, use /24 here, in the policy,
# and on the pfSense side.
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.254.0/25 src-address=
192.168.1.0/25
# Port-forward: tcp/2222 arriving on ether1 goes to 192.168.1.2:2222; the forward
# chain lets it through via connection-nat-state=dstnat.
add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1 protocol=tcp
to-addresses=192.168.1.2 to-ports=2222
add action=masquerade chain=srcnat out-interface=ether1
# Phase 1 (IKE) peer. The pre-shared key on the next line was posted in clear
# text; treat it as disclosed and replace it on both ends. 3DES/MD5 here must
# match the pfSense phase 1 (same legacy-algorithm caveat as the proposal).
# nat-traversal=no assumes neither end is behind NAT; the policy's
# sa-src-address is ether1's own public /29 address, which is consistent with that.
/ip ipsec peer
add address=68.187.14.X/32 enc-algorithm=3des hash-algorithm=md5
local-address=0.0.0.0 nat-traversal=no secret=mdmed2medtec!
# Tunnel-mode policy 192.168.1.0/25 <-> 172.16.254.0/25 between the two public
# addresses; it matches the NAT exemption rule (see the /25 vs /24 note there).
/ip ipsec policy
add dst-address=172.16.254.0/25 sa-dst-address=68.187.14.X sa-src-address=
12.218.118.X src-address=192.168.1.0/25 tunnel=yes
# No dst-address given, so presumably the default route, via a gateway in the
# ether1 /29.
/ip route
add distance=1 gateway=12.218.118.9
/system clock
set time-zone-name=America/New_York
/system identity
set name=MDMedical
# IPsec logging is already enabled (topics=ipsec); /log print shows the IKE
# negotiation messages when the tunnel is brought up.
/system logging
add topics=ipsec
/system routerboard settings
set protected-routerboot=disabled
# MAC-telnet and MAC-winbox are limited to the bridge (LAN side), not ether1.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
[admin@MDMedical] >

You drop incoming connections from WAN (unless they are dstnatted) with this rule:

/ip firewall filter
# Quoted from the posted config: the last rule in the forward chain, so any
# decrypted tunnel packet that was not accepted earlier ends here.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

But traffic arriving through the IPsec tunnel also appears to come in on the WAN interface (ether1) and is not dst-natted, so you need to allow it explicitly (put this rule before the drop rule):

/ip firewall filter
# ipsec-policy=in,ipsec matches only packets that arrived through an IPsec
# policy (i.e. were decrypted), so plain WAN traffic is still dropped below.
# "add" appends to the end of the chain; move this rule above
# "defconf: drop all from WAN not DSTNATed" (place-before= or drag it in Winbox).
add action=accept chain=forward in-interface=ether1 ipsec-policy=in,ipsec

Also turn on logging for ipsec in case you have other issues or mismatches. That way you can post the log here and get some help with any settings that don’t match up.