Hi everybody,
I’m trying to set up IPsec between two RB941 routers. The RouterOS version is 6.38.5 and I’m following this guide - https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel
Both routers have the default configuration loaded.
My scenario is: office 1, subnet 1 - 192.168.1.0/24 → WAN1 IP xxx.xxx.xxx.xxx - yyy.yyy.yyy.yyy WAN2 IP ← 192.168.12.0/24, subnet 2
I CAN’T ping hosts between the subnets! Please help. From the subnets I only get ping replies from the routers themselves (192.168.1.1 and 192.168.12.1).
The IPsec tunnel is established.
Fasttrack is enabled.
If anyone has any idea, please help me.
office 1 config:
# Office 1 (RouterOS 6.38.5) firewall / IPsec export as pasted into the forum.
# Several lines are wrapped or cut off by the paste (e.g. "in-interface=et",
# "connection-state=i", "out-interface=e", "192.168.12.0/2"), so this text is not
# importable as-is; the truncated values are presumably "ether1", "invalid",
# "ether1" and "192.168.12.0/24" -- confirm against the live config.
# NOTE(review): the symptom (remote router address reachable, hosts behind it not)
# points at the forward path or the end hosts rather than the input chain -- the
# hosts' own firewalls commonly reject ICMP from a non-local subnet; verify there too.
/ip firewall filter
# Inter-subnet traffic accepted first, ahead of fasttrack, so tunnel flows are
# never handed to fasttrack (which would skip IPsec policy processing).
add action=accept chain=forward dst-address=192.168.12.0/24 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.12.0/24
# IKE (UDP/500) and ESP are accepted only from the remote peer's WAN address.
# nat-traversal=no is set below, so UDP/4500 is intentionally not opened.
add action=accept chain=input dst-address=xxx.xxx.xxx.xxx dst-port=500 protocol=udp
src-address=yyy.yyy.yyy.yyy
add action=accept chain=input dst-address=xxx.xxx.xxx.xxx protocol=ipsec-esp
src-address=yyy.yyy.yyy.yyy
# Accepts GRE from any source on any interface. Nothing in this export uses GRE
# and office 2 has no such rule; if it is not needed, it only widens the WAN
# attack surface and should be removed or restricted by src-address.
add action=accept chain=input protocol=gre
# Forwarded traffic arriving on ether1 that was decrypted by an IPsec policy.
add action=accept chain=forward in-interface=ether1 ipsec-policy=in,ipsec
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept establieshed,related”
connection-state=established,related
# Winbox (8291/tcp) is accepted with no in-interface or src-address restriction
# and sits before "drop all from WAN", so management is reachable from the
# Internet. Restrict it, e.g. in-interface=!ether1 or a trusted src-address list.
add action=accept chain=input dst-port=8291 protocol=tcp
# Truncated in the paste; presumably in-interface=ether1.
add action=drop chain=input comment=“defconf: drop all from WAN” in-interface=et
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related”
connection-state=established,related
# Truncated in the paste; presumably connection-state=invalid.
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=i
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
# Intended to exempt tunnel traffic from masquerade, but it matches
# out-interface=bridge. Traffic from 192.168.1.0/24 to 192.168.12.0/24 leaves via
# the WAN interface, so as written this rule does not match and the masquerade
# rule below would rewrite the source to the WAN address -- which no longer
# matches the IPsec policy's src-address. Only if the raw notrack rules below
# take these flows out of connection tracking is NAT skipped anyway (untracked
# packets are not NATed). The office 2 counterpart has no out-interface; drop
# it here as well (log=yes log-prefix=88 is debug logging for this rule).
add action=accept chain=srcnat dst-address=192.168.12.0/24 log=yes log-prefix=88
out-interface=bridge src-address=192.168.1.0/24
# Truncated in the paste; presumably out-interface=ether1.
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=e
/ip firewall raw
# notrack keeps tunnel flows out of connection tracking, and therefore out of
# fasttrack and NAT, so the IPsec policy is always consulted. Note the
# established,related forward rules then never match these flows; the explicit
# forward accepts at the top of the filter list are what admits them.
add action=notrack chain=prerouting dst-address=192.168.12.0/24 src-address=
192.168.1.0/24
# "192.168.12.0/2" is cut off in the paste; presumably /24 -- verify, since a
# wrong prefix here silently changes which traffic is untracked.
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=
192.168.12.0/2
/ip ipsec peer
# Phase 1: enc-algorithm=3des is a legacy cipher; prefer aes-128/aes-256 on both
# peers (they must match). dpd-interval=disable-dpd turns dead-peer detection
# off, so a dropped tunnel is not detected until SA lifetime expiry.
# nat-traversal=no assumes both WAN addresses are public with no NAT in between.
# The pre-shared key appears here in clear text; treat any pasted value as
# compromised and rotate it.
add address=yyy.yyy.yyy.yyy/32 dpd-interval=disable-dpd enc-algorithm=3des
local-address=xxx.xxx.xxx.xxx nat-traversal=no secret=mypassword
/ip ipsec policy
# Tunnel-mode policy between the two LANs; phase 2 uses the default proposal,
# which is not shown in this export.
add dst-address=192.168.12.0/24 sa-dst-address=yyy.yyy.yyy.yyy sa-src-address=
xxx.xxx.xxx.xxx src-address=192.168.1.0/24 tunnel=yes
office 2 config:
# Office 2 (RouterOS 6.38.5) firewall / IPsec export as pasted into the forum.
# Lines are wrapped by the paste (a value may continue on the next line), so the
# text is not importable as-is. This side is the mirror of office 1 except that
# it has no GRE input rule and its srcnat bypass rule has no out-interface.
/ip firewall filter
# Inter-subnet traffic accepted first, ahead of fasttrack, so tunnel flows are
# never handed to fasttrack (which would skip IPsec policy processing).
add action=accept chain=forward dst-address=192.168.12.0/24 src-address=
192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=
192.168.12.0/24
# IKE (UDP/500) and ESP are accepted only from the remote peer's WAN address.
# nat-traversal=no is set below, so UDP/4500 is intentionally not opened.
add action=accept chain=input dst-address=yyy.yyy.yyy.yyy dst-port=500 protocol=
udp src-address=xxx.xxx.xxx.xxx
add action=accept chain=input dst-address=yyy.yyy.yyy.yyy protocol=ipsec-esp
src-address=xxx.xxx.xxx.xxx
# Forwarded traffic arriving on ether1 that was decrypted by an IPsec policy.
add action=accept chain=forward in-interface=ether1 ipsec-policy=in,ipsec
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept establieshed,related”
connection-state=established,related
# Winbox (8291/tcp) is accepted with no in-interface or src-address restriction
# and sits before "drop all from WAN", so management is reachable from the
# Internet. Restrict it, e.g. in-interface=!ether1 or a trusted src-address list.
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment=“defconf: drop all from WAN” in-interface=
ether1
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related”
connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface=ether1
/ip firewall nat
# Exempts tunnel traffic from masquerade so the source stays 192.168.12.0/24 and
# keeps matching the IPsec policy; log=yes log-prefix=8888 is debug logging.
# Unlike office 1 this rule has no out-interface, which is the form the
# referenced wiki guide uses.
add action=accept chain=srcnat dst-address=192.168.1.0/24 log=yes log-prefix=
8888 src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=
ether1
/ip firewall raw
# notrack keeps tunnel flows out of connection tracking, and therefore out of
# fasttrack and NAT, so the IPsec policy is always consulted. The
# established,related forward rules then never match these flows; the explicit
# forward accepts at the top of the filter list are what admits them.
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=
192.168.12.0/24
add action=notrack chain=prerouting dst-address=192.168.12.0/24 src-address=
192.168.1.0/24
/ip ipsec peer
# Phase 1: enc-algorithm=3des is a legacy cipher; prefer aes-128/aes-256 on both
# peers (they must match). dpd-interval=disable-dpd turns dead-peer detection
# off. nat-traversal=no assumes both WAN addresses are public with no NAT in
# between. The pre-shared key appears here in clear text; treat any pasted
# value as compromised and rotate it.
add address=xxx.xxx.xxx.xxx/32 dpd-interval=disable-dpd enc-algorithm=3des
local-address=yyy.yyy.yyy.yyy nat-traversal=no secret=mypassword
/ip ipsec policy
# Tunnel-mode policy between the two LANs; phase 2 uses the default proposal,
# which is not shown in this export.
add dst-address=192.168.1.0/24 sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=
yyy.yyy.yyy.yyy src-address=192.168.12.0/24 tunnel=yes