I’ve set up an EoIP tunnel with OSPF and IPSec; everything looks good, but I cannot ping past the MikroTik on either side. There has gotta be something simple I am missing.
Both sides are behind a Cisco ASA which is forwarding GRE, ESP and UDP 500 to the internal IP. Yes, the default gateway on either side has a route pointing to the MikroTik and can ping the respective remote site MikroTik.
Any help would be greatly appreciated, thanks in advance.
Site A:
External IP: xxx.xxx.xxx.230
Internal IP: 192.168.10.10
/interface bridge add name="Bridge Loopback"
/ip address add interface="Bridge Loopback" address=192.168.250.1/32
/interface eoip add name="eoip to SITE B" mtu=1500 tunnel-id=1 remote-address=xxx.xxx.xxx.112
/ip address add interface="eoip to SITE B" address=192.168.240.13/30
/routing ospf instance set [ find default=yes ] router-id=192.168.250.1 redistribute-connected=as-type-1 redistribute-static=as-type-1
/routing ospf network add network=192.168.240.12/30 area=backbone
/routing ospf interface add interface="eoip to SITE B"
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc
/ip ipsec peer add address=xxx.xxx.xxx.112 secret=<PASSWORD> enc-algorithm=aes-256
/ip ipsec policy add src-address=192.168.10.10 dst-address=xxx.xxx.xxx.112
Here is Site A’s routing table; as you can see, it looks like everything is functioning:

Site B:
External IP: xxx.xxx.xxx.112
Internal IP: 192.168.200.5
/interface bridge add name="Bridge Loopback"
/ip address add interface="Bridge Loopback" address=192.168.250.5/32
/interface eoip add name="eoip to SITE A" mtu=1500 tunnel-id=1 remote-address=xxx.xxx.xxx.230
/ip address add interface="eoip to SITE A" address=192.168.240.14/30
/routing ospf instance set [ find default=yes ] router-id=192.168.250.5 redistribute-connected=as-type-1 redistribute-static=as-type-1
/routing ospf network add network=192.168.240.12/30 area=backbone
/routing ospf interface add interface="eoip to SITE A"
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc
/ip ipsec peer add address=xxx.xxx.xxx.230 secret=<PASSWORD> enc-algorithm=aes-256
/ip ipsec policy add src-address=192.168.200.5 dst-address=xxx.xxx.xxx.230
Here is Site B’s routing table; as you can see, it looks like everything is functioning:
