Site to Site IPsec VPN tunnel is up but remote party can't ping me?

Hey all,

I'm hoping this is a simple step that I have overlooked because I've completely hit the wall in trying to figure out where the issue is with my current setup.

The quick and dirty is this: a simple site to site IPsec tunnel between two different locations. My location uses a MikroTik hEX RB750Gr3 and the remote location is using a Fortigate device.

Here are the setup specs:

My location:

Public IP: 173.219.47.45
Netmask: 255.255.255.0
Public IP Gateway: 172.123.12.1
LAN: 192.168.14.0/24
LAN default gateway: 192.168.14.3

The remote client's location that I'm trying to VPN with:

Public IP: 66.18.99.66
LAN: 66.18.106.160/27

I have done all the usual steps including adding the srcnat accept NAT rule and placed it at the top above masquerade. After much back and forth troubleshooting this is where we currently stand:

    • The VPN tunnel shows up and "working" on both of our ends.
    • Everything checks out on both phase 1 and 2.
    • I am able to ping and get a reply back when I ping the addresses in the .160/27 range.
    • I see packets and current bytes traffic increase on my Firewall Mangle rules whenever they ping me.
    • The remote location can ping my router's default gateway (.3) but nothing else on the LAN.
    • The remote location is not getting a response back from me when they ping though, and I see no increase in current bytes on my Firewall NAT rule.

Any ideas? I have never encountered this issue before and I have tried several different methods but none of them seem to work. The remote location of course is telling me that it is definitely not their end so I'm not having much luck there.

Any help would be greatly appreciated. I am new to these forums so if I have messed up this post or need to edit/provide more information just let me know!

Thank you!

When you ping them are you seeing bytes increasing through the tunnel to them? I’d like to verify that you aren’t taking the default route out the Internet to them as that is a public IP range.

It always helps to post the actual configuration. A quick way is to use the “hide-sensitive” and “compact” keywords for export. You may still have to audit it for IP addresses and what not, but it shouldn’t contain any passwords.

At the very least a look at your firewall rules and your NAT table would be handy.

Edit: Solution below.

Finally reached a solution for anyone who may run into this in the future (thanks to a very helpful user on the MikroTik subreddit):

Part 1
Setup IPsec Side 1

Part 2
Setup IPsec Side 2

Part 3
Allow IPsec Filter Ports on both sides
IPsec Rule 1 - Input chain - Allow UDP Protocol - Any Port 500
IPsec Rule 2 - Input chain - Protocol ipsec-esp
IPsec Rule 3 - Forward Chain - Src Address (Side1 LAN) - Dst Address (Side2 LAN) - accept
IPsec Rule 4 - Forward Chain - Src Address (Side2 LAN) - Dst Address (Side1 LAN) - accept

Set this up on each side of the tunnel

Part 4
Masquerade Bypass rule on both sides.

Side1

/ip firewall nat add chain=srcnat action=accept comment="Side1 NAT bypass" dst-address=66.18.106.160/27 src-address=192.168.14.0/24

Side2
/ip firewall nat add chain=srcnat action=accept comment="Side2 NAT bypass" dst-address=192.168.14.0/24 src-address=66.18.106.160/27

I had most of this done except I was missing the parts I bolded above.
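Parts 3 and 4 above, written out as one RouterOS script for Side 1, together with the counter checks the first reply asks for. This is an added example, not the configuration from the original post or from MikroTik; it assumes the LAN and remote ranges given in the thread and that a masquerade rule already exists in the NAT table (the bypass is placed above it).

```routeros
# Added example for Side 1 (the MikroTik end). Addresses come from the thread;
# the presence of an existing masquerade rule at the top of srcnat is an assumption.

/ip firewall filter
# Part 3, rule 1: IKE on UDP/500. UDP/4500 (NAT-T) is not in the original post;
# it is only needed if either side sits behind NAT.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IPsec IKE"
# Part 3, rule 2: the ESP payload itself
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
# Part 3, rules 3 and 4: decrypted tunnel traffic between the two LANs
add chain=forward src-address=192.168.14.0/24 dst-address=66.18.106.160/27 action=accept comment="Side1 LAN to Side2 LAN"
add chain=forward src-address=66.18.106.160/27 dst-address=192.168.14.0/24 action=accept comment="Side2 LAN to Side1 LAN"
# If the input or forward chain already ends in drop rules, move the four rules
# above them; "add" appends at the bottom, where a drop would match first.

/ip firewall nat
# Part 4: the bypass has to be matched before masquerade (place-before=0 puts it
# at index 0). Otherwise LAN replies to the remote site are rewritten to the
# public IP, no longer match the IPsec policy, and leave unencrypted via the
# default route, which is why the remote side never saw a reply.
add chain=srcnat src-address=192.168.14.0/24 dst-address=66.18.106.160/27 action=accept place-before=0 comment="Side1 NAT bypass"

# Verification: ping from the remote LAN and watch these counters. The bypass
# and forward rules should count; the masquerade rule should not move for that traffic.
/ip firewall nat print stats
/ip firewall filter print stats
# Phase 2 state and the SAs actually installed for the tunnel
/ip ipsec policy print
/ip ipsec installed-sa print
```

Side 2 mirrors this with the two address ranges swapped; on the Fortigate end the equivalent is the firewall policy pair plus a route for 192.168.14.0/24 into the tunnel interface.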