Hello,
I'm using IPSec for a few locations. Today I want to add a new location and I'm not able to find what is wrong. Could somebody help me with this?
SITUATION:
IPSec between two locations
IPSec seems to be established, I see installed SAs on both sites
I'm able to connect to the internal network from site A to site B, even to the router on site B
Everything from site A to site B seems to be OK
but
From site B I'm able to use the DNS server on site A (DNS names of servers on site A are resolved to internal addresses)
I'm not able to ping from B to A
I'm not able to reach network A from site B
site A: 192.168.1.0/24
one single MT port
site B: 192.168.5.0/24
bridged ports
Here are the configurations:
NAT
site A
chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24
site B
chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24
FW rules (I even tried to disable the FW)
site A
chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24
chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24
chain=input action=accept protocol=ipsec-esp src-address=89.233.144.232 in-interface=eth01.WAN
chain=input action=accept protocol=udp src-address=89.233.144.232 in-interface=eth01.WAN dst-port=500
chain=output action=accept protocol=ipsec-esp dst-address=89.233.144.232 out-interface=eth01.WAN
chain=output action=accept protocol=udp dst-address=89.233.144.232 out-interface=eth01.WAN dst-port=500
site B
chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24
chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.5.0/24
chain=input action=accept protocol=ipsec-esp src-address=109.107.208.42 in-interface=eth01.WAN
chain=input action=accept protocol=udp src-address=109.107.208.42 in-interface=eth01.WAN dst-port=500
chain=output action=accept protocol=ipsec-esp dst-address=109.107.208.42 out-interface=eth01.WAN
chain=output action=accept protocol=udp dst-address=109.107.208.42 out-interface=eth01.WAN dst-port=500
IPSec policy
site A
src-address=192.168.1.0/24 src-port=any dst-address=192.168.5.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=109.107.208.42 sa-dst-address=89.233.144.232 proposal=SSI - Flora Personalka priority=10
site B
src-address=192.168.5.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=89.233.144.232 sa-dst-address=109.107.208.42 proposal=SSI centrala priority=10
IPSec peer
site A
address=89.233.144.232/32 port=500 auth-method=pre-shared-key secret="" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
site B
address=109.107.208.42/32 port=500 auth-method=pre-shared-key secret="" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
IPSec proposal
site A
name="SSI - Flora Personalka" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024
site B
name="centrala" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024
routes
site A
A S 192.168.5.0/24 eth02.SSI.LAN 1
site B
A S 192.168.1.0/24 bg1.LAN 1
Thank you.
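As an added consistency check (not part of the original post or of RouterOS), the script below parses the policy, peer and proposal lines pasted above and verifies that the two sites are exact mirror images of each other: selectors and SA endpoints reversed, each peer pointing at the address its policy sends ESP to, and identical phase 1 / phase 2 algorithm sets. The strings are copied from the post; on them the check reports no mismatch, so whatever is wrong is not a phase 1 / phase 2 parameter difference.

```python
import re
# Values copied from the post above (this checker is an added example, not the
# poster's own tooling); proposal names with spaces are kept unquoted as printed.
SITE_A = {
    "policy": "src-address=192.168.1.0/24 src-port=any dst-address=192.168.5.0/24 dst-port=any "
              "protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes "
              "sa-src-address=109.107.208.42 sa-dst-address=89.233.144.232 "
              "proposal=SSI - Flora Personalka priority=10",
    "peer": "address=89.233.144.232/32 port=500 exchange-mode=main nat-traversal=no "
            "hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024",
    "proposal": "auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024",
}
SITE_B = {
    "policy": "src-address=192.168.5.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any "
              "protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes "
              "sa-src-address=89.233.144.232 sa-dst-address=109.107.208.42 "
              "proposal=SSI centrala priority=10",
    "peer": "address=109.107.208.42/32 port=500 exchange-mode=main nat-traversal=no "
            "hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024",
    "proposal": "auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024",
}

def parse(line):
    """Turn a RouterOS 'key=value key=value' print line into a dict (values may hold spaces)."""
    return dict(re.findall(r"(\S+?)=(.*?)(?=\s+\S+?=|$)", line))

def check_mirror(a, b):
    """Return a list of mismatches; an empty list means both sides agree."""
    pa, pb = parse(a["policy"]), parse(b["policy"])
    findings = []
    # Selectors and SA endpoints on A must be the reverse of those on B.
    for ours, theirs in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if pa[ours] != pb[theirs] or pa[theirs] != pb[ours]:
            findings.append(f"{ours}/{theirs} on site A do not mirror site B")
    # Each peer entry must point at the address the local policy sends ESP to.
    for name, site, pol in (("A", a, pa), ("B", b, pb)):
        peer = parse(site["peer"])["address"].split("/")[0]
        if peer != pol["sa-dst-address"]:
            findings.append(f"site {name}: peer {peer} != sa-dst-address {pol['sa-dst-address']}")
        if pol.get("tunnel") != "yes":
            findings.append(f"site {name}: policy is not tunnel mode")
    # Phase 1 (peer) and phase 2 (proposal) algorithm sets must agree on both sides.
    for section, keys in (("peer", ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group")),
                          ("proposal", ("auth-algorithms", "enc-algorithms", "pfs-group"))):
        da, db = parse(a[section]), parse(b[section])
        findings += [f"{section} {k}: A={da.get(k)} B={db.get(k)}" for k in keys if da.get(k) != db.get(k)]
    return findings

if __name__ == "__main__":
    print(check_mirror(SITE_A, SITE_B) or "no mismatches between site A and site B")
```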