Tools needed for trouble in point to point VPN tunnel

Experts,

I have two 3011 MT in a point-to-point VPN tunnel. From HQ I can ping whatever is in 192.168.100.0/24 but not 192.168.100.1, the other MT side. From the HQ side I have: admin prohibited …

It is dropped by the firewall.

Hmm, I have this:

add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1-WAN-Fiber src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=ether2-WAN-Cable src-address-list=NotPublic

add action=drop chain=input in-interface=ether1-WAN-Fiber
add action=drop chain=input in-interface=ether2-WAN-Cable

add action=accept chain=forward comment="IPSec VPN" dst-address=192.168.100.0/24 src-address=192.168.168.0/24

add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN-Fiber
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether2-WAN-Cable
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1-WAN-Fiber src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether2-WAN-Cable src-address-list=NotPublic
add action=drop chain=forward comment="Please keep this rule disabled for traffic between VLANS !!!" disabled=yes dst-address-list=NotPublic in-interface=bridge1-lan
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=bridge1-lan src-address=!192.168.0.0/16

This should do the trick:
add action=accept chain=forward comment="IPSec VPN" dst-address=192.168.100.0/24 src-address=192.168.168.0/24

192.168.168.0/24 = HQ
192.168.100.0/24 = remote location
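
An added example, not part of the original thread and not MikroTik code: an offline first-match evaluator for three of the rules posted above, showing that a packet addressed to the router's own IP is checked in the input chain, where a forward accept rule is never consulted. It assumes the remote router carries these same rules and sees decrypted tunnel traffic on its WAN interface; the host addresses 192.168.168.10 and 192.168.100.20 are constructed.

```python
import ipaddress
import shlex

# Constructed sample: three of the rules posted above, restricted to matchers
# this sketch understands (address lists and connection state are left out).
RULES = '''
add action=drop chain=input in-interface=ether1-WAN-Fiber
add action=drop chain=input in-interface=ether2-WAN-Cable
add action=accept chain=forward comment="IPSec VPN" dst-address=192.168.100.0/24 src-address=192.168.168.0/24
'''
SUPPORTED = {"action", "chain", "comment", "disabled", "in-interface", "src-address", "dst-address"}

def parse_rules(text):
    """Turn 'add key=value ...' export lines into a list of dicts."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        unknown = set(rule) - SUPPORTED
        if unknown:
            raise ValueError(f"unsupported matcher(s): {sorted(unknown)}")
        rules.append(rule)
    return rules

def addr_matches(spec, addr):
    """Match an address against 'a.b.c.d/n', honouring a leading '!' negation."""
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate

def verdict(rules, src, dst, in_interface, router_ips):
    """Return (chain, action) for the first enabled rule that matches the packet."""
    # Traffic addressed to the router itself is filtered in input, the rest in forward.
    chain = "input" if dst in router_ips else "forward"
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes":
            continue
        if rule.get("in-interface", in_interface) != in_interface:
            continue
        if not addr_matches(rule.get("src-address", "0.0.0.0/0"), src):
            continue
        if not addr_matches(rule.get("dst-address", "0.0.0.0/0"), dst):
            continue
        return chain, rule["action"]
    return chain, "accept"  # no rule matched: the packet passes

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for dst in ("192.168.100.20", "192.168.100.1"):
        print(dst, verdict(rules, "192.168.168.10", dst, "ether1-WAN-Fiber", {"192.168.100.1"}))
```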