VPN between 2 Mikrotiks, Can't ping client unless...

Hello all

I have this little problem I’ve been unable to resolve: I have this scenario where two Mikrotiks are connected using an L2TP + IPSec VPN, everything is working fine but one thing:

From the “server” side of the VPN (be it the LAN of the server or the SERVER Mikrotik itself) I’m unable to ping the LAN side of the client unless at least one packet travels first from the LAN side of the client to the server; after that everything works just fine.

The problem is that the equipment behind the client only serves web pages and is unable to connect by itself or send packets to the SERVER side. Also, there’s no way I can get a public IP address on the client side, so I need a VPN between the CLIENT and the SERVER in order to access the devices on the CLIENT side from the SERVER side.

I hope you can understand my point here, thank you very much

I’d suggest using GRE.

Ok, I may try that, but in the meantime I’ve noticed that the client doesn’t install any SAs until one packet travels from client to server.

The reason I suggest GRE is that it is very easy to debug and keep alive.

One question about GRE: the client side has a dynamic private IP address and nothing can be done about that (the ISP doesn’t provide a public IP address for that end). Can I still use GRE?

I’m pretty sure you can, although I’ve never been in this situation. It just means you have the dynamic one initiating the connections.

As far as I could see GRE cannot be used since it requires both ends to have public IP addresses, remember one of my sides has a Private+Dynamic IP address.

I’m gonna try a manual SA, as it seems the problem is there; will be back if it works.

This is expected and the only possible behavior. I suggest you ping periodically something on the server side from the client side. If the “equipment behind the client” is not capable of periodically sending ping packets, you can try to do it from the VPN endpoint itself; just make sure the right source IP address is used (i.e. an address that is covered by your IPsec policy).

I’ve had an issue with a similar setup to the one you mention, but I’ve solved it with:
A scheduled ping.
Site1) Winbox → Schedule
Name: Keep Alive
Start date: enter today's date
Start time: enter the actual time
Interval: 00:00:30
On Event:
ping 10.208.80.1 src-address=10.208.81.1

Finally press apply. Note: 10.208.80.1 is my site2 and 10.208.81.1 is my local site (site1).

Repeat the same procedure mentioned above on site2, just switch the IP addresses so site2 pings site1 and vice versa.

Good luck!

Thank you very much, Andriys, that did the trick. Just to explain a little further in case someone else has my problem, I had the following setup:

On the server side I had the following network on the LAN side: 192.168.203.0/24
On the client side I had this network on the LAN side: 192.168.88.0/24

So to fix the problem I put the following script on the Client Mikrotik:

/system script add name="PingServerSide" source={
   # wait for the 3G data card to come up before the first ping
   :delay 30
   # source address must be the client LAN address covered by the IPsec policy
   /ping 192.168.203.1 src-address=192.168.88.1 count=5
}
# "on-event" is a scheduler parameter, not a script one; this entry runs the script once at boot
/system scheduler add name="PingServerSide" start-time=startup interval=0 on-event="PingServerSide"

This script was scheduled to start at boot and gives a 30-second delay before it starts pinging, since the client Mikrotik connects using a 3G data card and it takes a little while to get connected. To keep the connection alive, the server has the “keepalive” parameter set to 15 secs.

Again thank you very much guys
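For anyone adapting the keepalive described above (Andriys' advice to ping from the client VPN endpoint with a source address inside the IPsec policy, and the boot-time script in the last post), here is an added example of a recurring keepalive for the client router; it is not from this thread or from MikroTik. It assumes the client L2TP interface is named l2tp-out1, the client LAN address 192.168.88.1 is covered by the IPsec policy, and 192.168.203.1 is the server LAN gateway; the interface check and the log line are additions so that a dead tunnel shows up in /log instead of failing silently.

```routeros
# Added example, not the thread's own configuration. Assumed names and addresses:
#   l2tp-out1      - the L2TP client interface on the client Mikrotik
#   192.168.88.1   - client LAN gateway, must be inside the IPsec policy
#   192.168.203.1  - server LAN gateway
/system script add name="ipsec-keepalive" source={
    :local srcAddr "192.168.88.1"
    :local dstAddr "192.168.203.1"
    # only send traffic when the L2TP session is actually up
    :if ([/interface get [find name="l2tp-out1"] running]) do={
        # /ping returns the number of replies received
        :local replies [/ping $dstAddr src-address=$srcAddr count=3]
        :if ($replies = 0) do={
            :log warning ("ipsec-keepalive: no reply from " . $dstAddr . " via " . $srcAddr)
        }
    } else={
        :log info "ipsec-keepalive: l2tp-out1 not running, skipping"
    }
}
# run 3 seconds after boot and then every 30 seconds, so the SAs are
# re-established from the client side before the server needs them
/system scheduler add name="ipsec-keepalive" start-time=startup interval=30s on-event="ipsec-keepalive"
```

Check /log after the tunnel comes up: a warning every 30 seconds means the ping never leaves with the right source address, which usually points at the policy, not the link.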