Site to Site.. Established but no traffic?

tomsanders · July 8, 2019, 1:39pm

Currently have a Site to Site VPN setup between a Cloud Core 1016 and RB2011iL. The site to site is live and established and NAT rule to allow the subnet has been inserted. Please see config below;

Remote Site

IPSEC
set [ find default=yes ] dh-group=modp1024 dpd-interval=10s enc-algorithm=3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip ipsec peer
add address=217...10/32 secret=**********
/ip ipsec policy
add dst-address=172.16.11.0/24 sa-dst-address=...10 sa-src-address=213..***.234 src-address=192.168.240.0/24 tunnel=yes

Firewall

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=1701 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
/ip firewall nat
add action=accept chain=srcnat comment=“SITE TO SITE” disabled=yes dst-address=192.168.240.0/24 src-address=172.16.11.0/24
add action=accept chain=srcnat comment=“SITE TO SITE” dst-address=172.16.11.0/24 src-address=192.168.240.0/24

Main Site
IPSEC

/ip ipsec peer profile
add dh-group=modp1024 dpd-interval=10s enc-algorithm=3des name=JACK
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=JACK
/ip ipsec peer
add address=46...26/32 comment=MBS secret=*********
add address=213...234/32 comment=JACK profile=JACK secret=********
/ip ipsec policy
add comment=“JACK SITE TO SITE VPN” dst-address=192.168.240.0/24 proposal=JACK sa-dst-address=
213...234 sa-src-address=217...10 src-address=172.16.11.0/24 tunnel=yes

Firewall

/ip firewall nat
add action=accept chain=srcnat comment="JACK SITE TO SITE " dst-address=192.168.240.0/24 log=yes src-address=172.16.11.0/24
add action=accept chain=srcnat comment="JACK SITE TO SITE " dst-address=172.16.11.0/24 src-address=192.168.240.0/24

/ip firewall filter
add action=accept chain=input dst-port=1701 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp

Help would be great. I have tried most things, we have multiple site to site VPN’s on the main router going to Drayteks and these work great.

Thanks

sindy · July 8, 2019, 7:27pm

By

you mean that you can see remote-peers at both sides to be active, and a pair of installed-sa is up at both ends?

If so, two issues are typical - an omission to permit the traffic between the sites’ subnets in “/ip firewall filter”, or absence of a route towards the remote site’s subnet - a default route is enough.

When you need assistance with unexpected behaviour, it is rarely helpful to post just excerpts from the configuration, as the issue may be in the part which you suppose to be irrelevant. So post the complete configurations anonymized according to the hint in my automatic signature below.

Also, place the configs between the [****code] and [/****code] tags for better readability.

tomsanders · July 12, 2019, 9:19am

Just a update.. the config was correct but the BT Meraki was not allowing the traffic through… the solution was remove the meraki and go direct into the BT NTE.

We now have traffic flowing

Thanks

sindy · July 12, 2019, 9:30am

How does this play with Drayteks working well in the same environment?