Site-to-Site VPN between SRX and Mikrotik

RouterOS General
1

PROBLEM: pc in SRX site can’t ping pc in Mikrotik site and vice versa
Error message: No route to host
Questions:

  1. what am I missing

HW INFO:
SRX210
Mikrotik 951ui-2hnd
06-Nov 19.55.56.jpg
SRX:
version 12.1X44-D40.2;
system {
root-authentication {
encrypted-password “$1$wC0UZD2C$pnhZvVdU5Ux1Bmr2wD81y.”; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
domain-name poc.local;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
192.168.88.1;
}
pool 192.168.88.0/24 {
address-range low 192.168.88.101 high 192.168.88.200;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.0.102/24;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
st0 {
unit 0 {
family inet;
}
}
vlan {
unit 0 {
family inet {
address 192.168.88.1/24;
}
}
}
}
routing-options {
static {
route 192.168.77.0/24 next-hop st0.0;
}
}
protocols {
stp;
}
security {
ike {
policy ike-policy-cfgr {
mode main;
proposal-set compatible;
pre-shared-key ascii-text “$9$Q4Th3Cp0OREcl.P1hSlLX7-V”; ## SECRET-DATA
}
gateway ike-gate-cfgr {
ike-policy ike-policy-cfgr;
address 10.0.0.101;
external-interface ge-0/0/0;
version v1-only;
}
}
ipsec {
proposal ipsec-proposal-cfgr {
protocol esp;
}
policy ipsec-policy-cfgr {
proposals ipsec-proposal-cfgr;
}
vpn ipsec-vpn-cfgr {
bind-interface st0.0;
ike {
gateway ike-gate-cfgr;
ipsec-policy ipsec-policy-cfgr;
}
establish-tunnels immediately;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone vpn {
policy trust-vpn-cfgr {
match {
source-address net-cfgr_192-168-88-0–24;
destination-address net-cfgr_192-168-77-0–24;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-trust-cfgr {
match {
source-address net-cfgr_192-168-77-0–24;
destination-address net-cfgr_192-168-88-0–24;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address net-cfgr_192-168-88-0–24 192.168.88.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
security-zone untrust {
address-book {
}
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
ping;
}
}
}
}
}
security-zone vpn {
address-book {
address net-cfgr_192-168-77-0–24 192.168.77.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}
poe {
interface all;
}
vlans {
default;
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}


Mikrotik:
[admin@MikroTik] > export
/interface bridge
add admin-mac=D4:CA:6D:62:1A:8B auto-mac=no name=bridge-local
/interface lte
set [ find ] mac-address=1C:4B:D6:B5:17:A2 name=lte1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors hide-ssid=yes l2mtu=2290 mode=ap-bridge preamble-mode=long
ssid=mikrotik
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys wpa2-pre-shared-key=password
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=juniper
/ip pool
add name=default-dhcp ranges=192.168.77.101-192.168.77.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/system logging action
set 2 remember=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.77.1/24 comment=“default configuration” interface=bridge-local network=192.168.77.0
add address=10.0.0.101/24 interface=ether1-gateway network=10.0.0.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.77.0/24 comment=“default configuration” dns-server=192.168.77.1 gateway=192.168.77.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.77.1 name=router
/ip firewall filter
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add action=drop chain=input comment=“default configuration” in-interface=ether1-gateway
add chain=forward comment=“default configuration” connection-state=established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration” connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration” out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
/ip ipsec peer
add address=10.0.0.102/32 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no secret=Rahasia
/ip ipsec policy
add dst-address=192.168.88.0/24 sa-dst-address=10.0.0.102 sa-src-address=10.0.0.101 src-address=192.168.77.0/24 tunnel=yes
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.0.0.102
/ip upnp
set allow-disable-external-interface=no
/snmp
set trap-community=public
/system leds
set 5 interface=wlan1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
add interface=lte1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
add interface=lte1