Site-to-site VPN w EdgeRouter - SA Established but no traffic across.

Hello,

I have a model CCR2004-1G-12S+2XS and I am trying to configure my first MikroTik site-to-site IPSEC VPN. One end is the CCR2004 and the other end is an Edgerouter 12. The CCR2004 is RouterOS 6.47.9 and the ER12 is at v2.0.9-hotfix.2.

I basically followed the configuration guide to configure my CCR2004. I have a group of static IPs for my WAN at each endpoint. For the firewall on the MikroTik side I followed this tutorial. I have tested my internet for a while with this simple configuration and everything seems to be functioning well. I followed this Site-to-Site VPN guide. And then created my VPN on the EdgeRouter. After getting all of the settings to match I have on both ends an established SA but I am not able to ping or send data across the VPN successfully. I suspect it has something to do with the firewall but I am not sure where it is happening. If I monitor the ipsec/installed sa pane and ping from either end my current bytes continues to increase.

I have followed the above guide so I have added a few firewall rules to hopefully allow the connection through but it hasn’t fixed the connection:

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=(src-network/16) dst-address=(dst-network/24)

And then because the advanced firewall from what I can tell uses the fasttrack settings I skipped the /ip firewall filter rules and used the raw rules:

/ip firewall raw
add action=notrack chain=prerouting src-address=(src-network/16) dst-address=(dst-network/24)
add action=notrack chain=prerouting src-address=(dst-network/24) dst-address=(src-network/16)

I have rebooted both sides to ensure the connection tracking was cleared after making changes but still no luck. I can provide more configs if you need but didn’t want.

Thank you for reading

Does anyone have some troubleshooting tips for this? I have tried every combination of filter rules and NAT rules that other examples have. I have disabled the firewall and fully reset the Mikrotik and have the same issue.

It’s a user forum of volunteers, not MikroTik’s service one.
You have to be patient and wait for someone’s answer, but you may receive none as no one has had such a problem as yours.

I haven’t had too much experience with site-to-site VPN configurations but the obvious question is: Have you put the relevant NAT rules in on both sides of the tunnel?

[From the docs]

MikroTik router:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.1.202.0/24 dst-address=10.1.101.0/24

EdgeRouter the equivalent of this:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.1.101.0/24 dst-address=10.1.202.0/24

If you want us to take a look through your exact configuration, please post/attach the config from both devices (without the passwords etc.). Export with the commands:

MikroTik router:
/export hide-sensitive file=Site1

EdgeRouter:
I don't know since it's a UniFi device - You might have to do it manually but screenshots would be fine.
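As an added check, not from the thread or from MikroTik: a small Python script that parses a MikroTik `/export` and reports the two things the replies above ask about, whether a srcnat accept rule for the tunnel subnets sits before any masquerade rule (the point of place-before=0) and whether the raw notrack rules exist in both directions. The export text is constructed, the function names are mine, and the subnets are the ones from the docs quote; the address match also accepts a wider rule such as the /16 in the question.

```python
import ipaddress
import shlex

# Constructed sample export (not from the thread): accept rule placed after
# masquerade, and only one direction of the raw notrack pair.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=10.1.202.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.101.0/24 src-address=10.1.202.0/24
"""


def parse_export(text):
    """Map each '/...' section of an export to the list of its 'add' rules (as dicts)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            params = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(dict(params))
    return sections


def covers(rule, key, net):
    """True if the rule's address match (e.g. a /16 as in the question) contains net."""
    return key in rule and ipaddress.ip_network(rule[key]).supernet_of(net)


def check_ipsec_bypass(text, local_net, remote_net):
    """Return findings for the rules the thread calls for; an empty list means all present."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    sec, findings = parse_export(text), []
    nat = sec.get("/ip firewall nat", [])
    accept = [i for i, r in enumerate(nat) if r.get("chain") == "srcnat"
              and r.get("action") == "accept"
              and covers(r, "src-address", local) and covers(r, "dst-address", remote)]
    masq = [i for i, r in enumerate(nat) if r.get("chain") == "srcnat"
            and r.get("action") == "masquerade"]
    if not accept:
        findings.append("no srcnat accept rule for %s -> %s" % (local, remote))
    elif masq and masq[0] < accept[0]:
        # Masquerade first rewrites the source address, so the packet no longer
        # matches the IPsec policy; place-before=0 exists to avoid exactly this.
        findings.append("srcnat accept rule comes after masquerade")
    raw = sec.get("/ip firewall raw", [])
    for src, dst in ((local, remote), (remote, local)):
        if not any(r.get("chain") == "prerouting" and r.get("action") == "notrack"
                   and covers(r, "src-address", src) and covers(r, "dst-address", dst)
                   for r in raw):
            findings.append("no raw notrack rule for %s -> %s" % (src, dst))
    return findings
```

Run it against the file produced by `/export hide-sensitive file=Site1` with the local and remote tunnel subnets as arguments; it only reads the two firewall sections and ignores everything else.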