site to site VPN issue

zmitya · August 19, 2020, 9:26pm

Hi All,

I have the following site-to-site VPN setup:

10.177.177.0/24 - Mikrotik … Internet … LibreSwan - 192.168.1.0/24

Once the peers connected initially I can NOT send packet from 192.168.1.116 to 10.177.177.1 (from behind Linux to behind Mikrotik)

BUT, after I sent at least one packet from 10.177.177.1 to 192.168.1.116 the other direction starts working as well.

I debugged it and I can see the ESP packet arrives to the Mikrotik, but it does not decapsulate it and does not send the ICMP packet to the destination (10.177.177.1) for some reason.

Here is my relevant ipsec config (pretty simple):
https://i.imgur.com/S7zNTRj.png

Any comments are welcome.

Thanks,
Mitya

Sob · August 19, 2020, 10:52pm

Could be firewall. Make sure you accept ESP packets from peer.

zmitya · August 20, 2020, 9:12am

YESS! I was focused on the forward chain but forgot to accept ESP packets in the input chain…
Thank you !