SSTP tunnel problem

Hi,

I'll try to explain the situation as clearly as possible. I have two MikroTik routers (an RB4011iGS at home and an RB2011UAS-2HnD at a remote location) for which I would like to use an SSTP site-to-site tunnel. The tunnel is up and running, but it seems only possible to ping from one router to the other on the VPN address. I cannot ping or use resources from a remote computer. The same goes for the other site: when I try to ping or connect to a resource on the home LAN, it is not possible; only the remote address of the VPN tunnel can be reached.
The RB4011iGS is connected with a fixed IP on a cable internet connection and has a DDNS hostname that is used by the SSTP client on the remote RB2011UAS router. The RB2011UAS router is connected to a shared internet connection and uses SSTP's ability to traverse NAT to make the connection to the home router (RB4011iGS).
RB4011iGS local LAN : 10.10.10.0/24
RB2011UAS local LAN : 10.20.10.0/24
SSTP tunnel addresses : 10.100.10.1 (RB4011iGS side) & 10.100.10.2 (RB2011UAS side)

10.10.10.1 = local gateway
10.20.10.1 = remote gateway

The routes seem to be OK; I'll list them here:

Routes on the RB4011iGS (home) :

[code]
    DST-ADDRESS        PREF-SRC    GATEWAY                 DISTANCE
 0 X S  0.0.0.0/0                  VPN - Hide.me (NL)      1
 1 X S  0.0.0.0/0                  VPN - Hide.me (...      1
 2 ADS  0.0.0.0/0                  public-ip               1
 3 ADC  10.10.10.0/24  10.10.10.1  LAN-Bridge              0
 4 ADC  10.10.10.2/32  10.10.10.2  MGMT-Bridge             0
 5 ADC  10.10.20.0/24  10.10.20.1  VLAN - WiFi-Open        0
 6 ADC  10.10.100.0/24 10.10.100.1 LAN-Bridge              0
 7 A S  10.20.10.0/24              10.100.10.2             1
 8 ADC  10.100.10.2/32 10.100.10.1                         0
 9 ADC  public-iprange/20 public-ip WAN-Bridge             0
[/code]

Firewall :

I added two allow rules (inbound and outbound) so nothing should be blocked, and even without these rules there was no traffic seen on the LAN-Bridge.


Routes on the RB2011UAS (remote) :

[code]
    DST-ADDRESS        PREF-SRC      GATEWAY                 DISTANCE
 0 ADS  0.0.0.0/0                    192.168.0.1             1
 1 A S  10.10.10.0/24                SSTP-VPN-Site-T...      1
 2 ADC  10.20.10.0/24  10.20.10.1    LAN-Bridge              0
 3 ADC  10.20.10.2/32  10.20.10.2    MGMT-Bridge             0
 4 ADC  10.20.20.0/24  10.20.20.1    VLAN - WiFi-Open        0
 5 ADC  10.100.10.1/32 10.100.10.2   SSTP-VPN-Site-T...      0
 6 ADC  192.168.0.0/24 192.168.0.149 WAN-Bridge              0
[/code]

Firewall :

I added two allow rules (inbound and outbound) so nothing should be blocked, and even without these rules there was no traffic seen on the LAN-Bridge.

If there is any specific information I need to provide, please, by all means, ask!

I've already spent so much time on this and I cannot find the problem. From both MikroTiks I can ping the local tunnel address and the remote tunnel address, and that's it... I cannot ping the default gateway on the other side nor any clients.

Hoping for some help or guidance, or any clue that might lead to the solution :wink:

Kind Regards,

Bart

Post the configurations of both machines as per my automatic signature below. Either copy-paste the text exports into the body of the post, each between [code] and [/code] tags, or attach them as file attachments to the post. At first glance, the routes seem OK, so it is likely that the firewall behaves differently than you expect.

Hi, I tried to obfuscate all sensitive data (mostly replaced by xxxx characters).

On the 2011, there is the following static IPsec policy:
[code]
comment=vpn01 dst-address=10.10.10.0/24 proposal=secure-proposal sa-dst-address=you.forgot.to.substitute.it sa-src-address=0.0.0.0 src-address=10.20.10.0/24 tunnel=yes
[/code]

On the 4011, a complementary policy exists.

Traffic matching a traffic selector of an existing and enabled IPsec policy, no matter whether a security association for that policy is currently available or not, is always intercepted by that policy. So disable both these policies, and the traffic should start running via the SSTP tunnel as per the result of the regular routing.
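The check-and-fix sequence for the interception Sindy describes, written out as an added example (RouterOS terminal commands, not a config from either poster). It assumes the RB2011 side; the policy comment "vpn01" and the LAN/tunnel addresses are the ones quoted in the thread, while the full SSTP interface name (truncated to SSTP-VPN-Site-T... in the route listing) is an assumption. Run the mirror of steps 1 to 4 on the RB4011 with the two LAN prefixes swapped.

```routeros
# Added example, not from the thread. Run on the RB2011UAS (remote side).
# Interface name SSTP-VPN-Site-To-Site is assumed; the thread truncates it.

# 1. Find every enabled policy whose selector covers the LAN-to-LAN traffic.
#    A policy without the X (disabled) flag intercepts matching packets even
#    when no security association exists for it, which is why the traffic
#    never reached the SSTP route although the route itself was correct.
/ip ipsec policy print detail where src-address=10.20.10.0/24 dst-address=10.10.10.0/24

# 2. Disable the policy by its comment rather than by its index number, so
#    the command does not hit the wrong entry if the list is reordered.
/ip ipsec policy disable [find comment="vpn01"]

# 3. Confirm the static route via the tunnel is the one that now applies.
/ip route print where dst-address=10.10.10.0/24

# 4. Test with a LAN source address, not the tunnel address: the tunnel
#    endpoints already answered each other before the fix, so only a ping
#    sourced from the LAN proves that forwarded traffic takes the tunnel.
/ping 10.10.10.1 src-address=10.20.10.1 count=4

# 5. Watch the packets actually enter the SSTP interface (quick sniffer,
#    stop with Ctrl-C).
/tool sniffer quick interface=SSTP-VPN-Site-To-Site ip-address=10.10.10.1
```

If the IPsec policies were meant to carry a separate IPsec tunnel rather than being leftovers, disabling them will of course break that tunnel; in that case the selectors on both routers should be narrowed so they no longer cover the LAN prefixes the SSTP route is responsible for, instead of simply switching them off.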

Gonna try this tomorrow. I would never have thought of that myself!! Thanks, hope this is it!

This was the solution, would never have thought about the policy having that effect.

Nice one, and I'm really grateful that you nailed it so fast.

Big thanks, Sindy!!