S2S IPSEC VPN Established, not passing traffic

First time setting up VPN with MikroTik. Session is established, phase 2 completes and states session established. I cannot pass traffic from either side.
Hardware: both sides hAp Mini
Default config is WISP AP
Went through the MikroTik wiki on how to set up IPsec VPN. Session established on first try.

Here are the configs from each side:
Router 1:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc pfs-group=modp4096
/ip ipsec peer
add address=1.1.1.1/32 comment="IPSec VPN " dh-group=modp1024 \
    dpd-interval=disable-dpd enc-algorithm=3des nat-traversal=no secret=\
    mysecret
/ip ipsec policy
add comment="IPSec VPN" dst-address=192.168.88.0/24 sa-dst-address=\
    1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.89.0/24 \
    tunnel=yes
Router 2:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc pfs-group=modp4096
/ip ipsec peer
add address=2.2.2.2 comment="IPSec VPN " dh-group=modp1024 \
    dpd-interval=disable-dpd enc-algorithm=3des nat-traversal=no secret=\
    mysecret
/ip ipsec policy
add comment="IPSec VPN ToLovington" dst-address=192.168.89.0/24 sa-dst-address=\
    2.2.2.2 sa-src-address=1.1.1.1 src-address=192.168.88.0/24 \
    tunnel=yes

Routes:

Router 1:
/ip route
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.89.1


Router 2:
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.88.1

Firewall:
Router 1:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward dst-port=8291 protocol=tcp src-address=\
    3.3.3.3/27
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN ToLovington" dst-address=\
    192.168.89.0/24 dst-address-list=192.168.89.0/24 src-address=\
    192.168.88.0/24 src-address-list=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1

Router 2:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    3.3.3.3/27
add action=accept chain=input src-address=2.2.2.2
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN" \
    dst-address=192.168.88.0/24 src-address=192.168.89.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=443 \
    protocol=tcp to-addresses=192.168.98.20 to-ports=443
add action=masquerade chain=srcnat dst-address=192.168.89.20 dst-port=443 \
    out-interface=bridge protocol=tcp src-address=192.168.89.0/24

I have read many forum posts and have tried everything I can think of. I am not sure what I am missing on this. If someone can help point me in the right direction it would be greatly appreciated!!

Try disabling the FastTrack forward rule, see if it resolves the issue. If it does, you need to accept tunnel traffic before the FastTrack rule.

Can you ping between the routers' local addresses using the src-address parameter? E.g. /ping 192.168.88.1 src-address=192.168.89.1

So, yes, I can ping by using src-address. Does that mean it's up and I've been beating my head against the wall for nothing?

Not necessarily. It means that the tunnel is up and running. You should in fact test the connectivity from a real local LAN to real remote LAN devices. The ping example above is 'output' traffic; if there is no connectivity between two real devices, you can definitely say that packets are dropped in the 'forward' chain.

/ip route
add distance=1 dst-address=192.168.89.0/24 gateway=192.168.89.1

That (and its counterpart on the other router) doesn’t look right to me. Your router already knows how to get to 192.168.89.0/24. It is directly connected already. I’d be surprised if that route is active.

If you have a default route, then that will probably send your traffic down the appropriate path. Try disabling the above route (on each router).
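The rule-ordering point from the FastTrack reply earlier in the thread can be checked offline against an export. The following is an added example, not part of any post: `parse_rules` and `unprotected_fasttrack` are hypothetical helper names, the rule lines are the forward-chain rules from the two filter listings above, and the check assumes the mangle rules set `connection-mark=ipsec` as posted.

```python
import shlex

# Forward-chain rules copied from the thread's two filter exports,
# with the wrapped continuation lines rejoined and quotes straightened.
ROUTER1 = '''
add action=accept chain=forward dst-port=8291 protocol=tcp src-address=3.3.3.3/27
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
'''
ROUTER2 = '''
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
'''

def parse_rules(export):
    """Parse 'add key=value ...' lines into dicts, preserving rule order."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)  # keeps quoted comments as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def unprotected_fasttrack(rules, chain="forward"):
    """Indexes of fasttrack rules that tunnel traffic can still reach."""
    accepted, hits = set(), []
    for i, r in enumerate(rules):
        if r.get("chain") != chain:
            continue
        policy = r.get("ipsec-policy", "")
        # Only an accept with no other matchers catches all tunnel traffic.
        plain = set(r) <= {"action", "chain", "comment", "ipsec-policy"}
        if r.get("action") == "accept" and plain and policy.endswith(",ipsec"):
            accepted.add(policy.split(",")[0])  # direction "in" or "out"
        elif r.get("action") == "fasttrack-connection":
            # Assumption: mangle rules set connection-mark=ipsec, as posted.
            excluded = r.get("connection-mark") == "!ipsec"
            if not excluded and accepted != {"in", "out"}:
                hits.append(i)
    return hits

if __name__ == "__main__":
    for name, export in (("Router 1", ROUTER1), ("Router 2", ROUTER2)):
        print(name, unprotected_fasttrack(parse_rules(export)))
```

A flagged index is a FastTrack rule that sits ahead of any unconditional IPsec accept and carries no `connection-mark=!ipsec` exclusion, so a later, correctly excluded FastTrack rule never gets the chance to matter.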