Site-to-Site VPN

Hi!

I have been fighting with getting a BASIC VPN setup on my Mikrotik routers. I can establish the connection (Installed SAs show up as they should) but I cannot ping or pass traffic!

Any help would be Greatly Appreciated.

Server:
WAN - 185.69.225.50
LAN - 192.168.10.0/24

Client:
WAN - 172.52.113.34
LAN - 192.168.30.0/24

The IPsec policy and peer must be correct if it authenticates and installs the SAs.

I am more wondering whether I need to add anything to the Filter/Route/NAT rules.

I already have a NAT rule at position 0 as follows.

On the server:
/ip firewall nat add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24

On the client:
/ip firewall nat add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.10.0/24

I don't know if I need any coded routes or mangles or anything else to pass traffic from 10.0 to 30.0 and vice versa.

If you need a print out of anything let me know.

Hi,

Have you tried to use something like an SSTP tunnel?

No, I have not. I only needed to create the VPN. I don't need any other networking features other than to bridge the two (actually four) subnets together.

10.0/24
20.0/24
30.0/24
40.0/24

All four locations are behind 750Gs, all new, all with the most current and matching RouterOS versions.

Did you set it up according to the manual?
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel

You can try to add firewall rules to the Filter section similar to the ones you already have for NAT.

Would you mind pasting your policy export?

You can try and do this,

Choose one location to be the main server.

Then connect the remaining three via an SSTP tunnel.

Do some routing, and devices on the four different subnets should be able to ping each other.

You will have to excuse me; how do I output just the policy? I know how to export the entire configuration, just not the part you are asking for.

/ip ipsec policy export

add comment=BMEM dst-address=192.168.10.0/24 sa-dst-address=184.68.325.50 sa-src-address=162.245.313.158 src-address=192.168.30.0/24 tunnel=yes

add comment=BMES dst-address=192.168.30.0/24 sa-dst-address=162.245.313.158 sa-src-address=184.68.325.50 src-address=192.168.10.0/24 tunnel=yes

Can you please send supout.rif files from both your routers to support@mikrotik.com? You can create a supout file with the "/system sup-output file=filename" command.

Sent

I have exactly the same issue.

LAN1: 192.168.1.0/24
WAN1: 89.42.xx.xx

LAN2: 10.0.0.0/16
WAN2: 86.122.xx.xx

Policy 1 is:
src-address=192.168.1.0/24 src-port=any dst-address=10.0.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=89.42.xx.xx sa-dst-address=86.122.xx.xx proposal=default priority=0

Policy 2 is:
src-address=10.0.0.0/16 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=86.122.xx.xx sa-dst-address=89.42.xx.xx proposal=default priority=0

Once the tunnel is activated I get 2 installed SAs.

I can ping from any host in 192.168.1.0/24 to 10.0.1.1 (LAN IP 2).
And I can ping from any host in 10.0.0.0/16 to 192.168.1.1 (LAN IP 1).

But I cannot ping from any host in 192.168.1.0/24 to any 10.0.0.0/16 host (other than 10.0.1.1).
And I cannot ping from any host in 10.0.0.0/16 to any 192.168.1.0/24 host (other than 192.168.1.1).

Any solutions?

Make sure you have proper firewall rules set up.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_and_Fasttrack_Bypass
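The NAT-bypass rule the first poster already has, plus the filter-side bypass the replies keep pointing at, written out for both ends as one added example. This is not configuration from the thread or from MikroTik; it uses the first poster's addresses (192.168.10.0/24 behind 185.69.225.50 and 192.168.30.0/24 behind 172.52.113.34) and assumes the pre-6.45 RouterOS peer syntax (secret on the peer; from 6.45 on it moves to /ip ipsec identity), an uplink named ether1, a default-style firewall whose first filter rule is fasttrack-connection and whose srcnat chain ends in masquerade, and a placeholder pre-shared key. The ordering matters more than the exact rules: the srcnat accept must sit above masquerade so packets keep their LAN source address and still match the policy, and the forward accept rules must sit above fasttrack-connection so the connection is not fasttracked around IPsec, which is exactly the "I can reach the far router but not the hosts behind it" symptom described above.

```routeros
# ===== Router A: LAN 192.168.10.0/24, WAN 185.69.225.50 =====

# Let IKE and ESP from the peer reach the router (only needed if the input chain drops by default).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=172.52.113.34 in-interface=ether1 comment="IPsec IKE/NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp src-address=172.52.113.34 in-interface=ether1 comment="IPsec ESP from peer"

# Fasttrack bypass: rules at position 0 land above the default fasttrack-connection rule.
# ipsec-policy=out,ipsec matches traffic that a policy will encrypt; in,ipsec matches decrypted traffic.
add chain=forward action=accept ipsec-policy=out,ipsec place-before=0 comment="IPsec: do not fasttrack outbound"
add chain=forward action=accept ipsec-policy=in,ipsec place-before=0 comment="IPsec: do not fasttrack inbound"

# NAT bypass: accept at position 0 so site-to-site traffic is never masqueraded.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24 place-before=0 comment="IPsec NAT bypass"

# Peer and policy (pre-6.45 syntax; the secret is a placeholder, assumed for this example).
/ip ipsec peer
add address=172.52.113.34/32 exchange-mode=main secret="CHANGE-ME-long-random-psk" comment="Router B"
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.30.0/24 protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=185.69.225.50 sa-dst-address=172.52.113.34 proposal=default

# ===== Router B: LAN 192.168.30.0/24, WAN 172.52.113.34 (mirror image of A) =====
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=185.69.225.50 in-interface=ether1 comment="IPsec IKE/NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp src-address=185.69.225.50 in-interface=ether1 comment="IPsec ESP from peer"
add chain=forward action=accept ipsec-policy=out,ipsec place-before=0 comment="IPsec: do not fasttrack outbound"
add chain=forward action=accept ipsec-policy=in,ipsec place-before=0 comment="IPsec: do not fasttrack inbound"
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.10.0/24 place-before=0 comment="IPsec NAT bypass"
/ip ipsec peer
add address=185.69.225.50/32 exchange-mode=main secret="CHANGE-ME-long-random-psk" comment="Router A"
/ip ipsec policy
add src-address=192.168.30.0/24 dst-address=192.168.10.0/24 protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=172.52.113.34 sa-dst-address=185.69.225.50 proposal=default

# ===== Checks, run on Router A =====
# 1. Both SAs present (one per direction), as the thread already reports:
/ip ipsec installed-sa print
# 2. Ping a far-side HOST with a LAN source address; pinging the far router alone proves nothing,
#    because router-originated packets skip forward/fasttrack and srcnat.
/ping 192.168.30.10 src-address=192.168.10.1 count=4
# 3. The bypass rule counters should climb while step 2 runs; if they stay at zero,
#    the rule is below masquerade or the policy selectors do not match.
/ip firewall nat print stats where comment="IPsec NAT bypass"
/ip firewall filter print stats where comment~"do not fasttrack"
```

The policy selectors, the NAT-bypass selectors and the filter-bypass matchers all have to describe the same pair of subnets; the second poster's /16 on one side and /24 on the other is fine as long as every rule on both routers uses those same two prefixes. If a site uses a broader source than the policy covers, the packets miss the policy, get masqueraded and leave in the clear, which is the quiet failure mode worth checking with the counters rather than assuming from a successful ping to the far router's LAN address.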

Awesome

It worked,

Thanks!