Sorry for the double post, but in the Beginner Basics section there was no reaction:
I created a VPN tunnel with IPsec and IKEv2 between Windows 10 (1703) and a MikroTik RB3011UiAS-RM (v6.39rc79).
The configuration was made as in
https://wiki.mikrotik.com/wiki/Manual:I ... rver_Setup.
Certificates are created and imported on the Windows client. The client connects and gets an IP from the MikroTik router:
Router: 192.168.83.1/24
VPN-Client: 192.168.83.110
Client behind Router: 192.168.83.30
Ping from the VPN client to the VPN router works.
I can't ping from the VPN client to the clients behind the router.
What's wrong with my configuration?
Thank you!!
[admin@router] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.83.1/24 192.168.83.0 ether2-master
1 xxx.xxx.xxx.xxx/30 xxx.xxx.xxx.xxx WAN
[admin@router] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
6 ;;; VPN
chain=input action=accept connection-state=new protocol=udp dst-port=500 log=no
7 chain=input action=accept protocol=udp dst-port=1701 log=no
8 chain=input action=accept protocol=udp dst-port=4500 log=no
9 chain=input action=accept protocol=ipsec-esp log=no
10 chain=input action=accept protocol=ipsec-ah log=no
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
12 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=WAN log=no log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""
[admin@router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.83.104/29 dst-address=192.168.83.16/28 log=no
[admin@router] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 DA src-address=0.0.0.0/0 src-port=any dst-address=192.168.83.110/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=[WAN-SRC-IP] sa-dst-address=[WAN-DST-IP] proposal=default
priority=0 ph2-count=1
[admin@router] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 213.211.236.93 1
1 ADC 192.168.83.0/24 192.168.83.1 bridge 0
2 ADC [WAN-DST-Subnet]/30 [WAN-DST-IP] WAN 0
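Added example (not from the post, the MikroTik wiki or RouterOS itself): a small evaluator for the forward chain of the firewall filter rules quoted above, so you can see which rule a given packet would hit before changing anything on the router. The rule list is transcribed from the `/ip firewall filter print` output; the two packets are constructed. It assumes that RouterOS passes a packet decrypted by an IPsec policy through the forward chain with `in-interface` set to the interface the ESP packet arrived on (here `WAN`) and no dst-nat state, which is why the `ipsec-policy=in,ipsec` matcher exists in RouterOS; the `ipsec-in` accept rule is a hypothetical addition, not something the post contains.

```python
# Tiny model of the RouterOS forward chain quoted in the post.
# Only the matchers that appear in the print are modelled; a rule
# without a matcher key matches any packet.

TERMINAL = {"accept", "drop", "reject"}

# Forward-chain rules in print order (ids as printed by the router).
FORWARD_RULES = [
    {"id": 0, "action": "passthrough"},
    {"id": 11, "action": "fasttrack-connection",
     "connection-state": {"established", "related"}},
    {"id": 13, "action": "accept",
     "connection-state": {"established", "related"}},
    {"id": 14, "action": "drop", "connection-state": {"invalid"}},
    {"id": 15, "action": "drop", "connection-state": {"new"},
     "connection-nat-state": "!dstnat", "in-interface": "WAN"},
]

# Hypothetical rule, NOT in the post: accept forwarded traffic that was
# decrypted by an IPsec policy (RouterOS matcher ipsec-policy=in,ipsec).
IPSEC_IN_ACCEPT = {"id": "ipsec-in", "action": "accept",
                   "ipsec-policy": ("in", "ipsec")}


def matches(rule, pkt):
    """True when every matcher in `rule` agrees with the packet fields."""
    for key, want in rule.items():
        if key in ("id", "action"):
            continue
        have = pkt.get(key)
        if key == "connection-state":          # set of allowed states
            if have not in want:
                return False
        elif isinstance(want, str) and want.startswith("!"):  # negated
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True


def evaluate(rules, pkt):
    """Walk the chain in order and return (verdict, rule id) of the first
    terminating rule, or ("accept", None) for the chain's default policy."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] in TERMINAL:
            return rule["action"], rule["id"]
        # passthrough only counts; fasttrack-connection is simplified here
        # as marking the connection and falling through to the next rule.
    return "accept", None


def with_rule_before(rules, new_rule, before_id):
    """Return a copy of `rules` with `new_rule` inserted before `before_id`."""
    idx = next(i for i, r in enumerate(rules) if r["id"] == before_id)
    return rules[:idx] + [new_rule] + rules[idx:]


# Constructed packets for the post's addresses (assumption: decrypted
# IPsec packets enter the forward chain with in-interface=WAN).
VPN_TO_LAN_FIRST = {"src": "192.168.83.110", "dst": "192.168.83.30",
                    "in-interface": "WAN", "connection-state": "new",
                    "connection-nat-state": None,
                    "ipsec-policy": ("in", "ipsec")}
LAN_REPLY = {"src": "192.168.83.30", "dst": "192.168.83.110",
             "in-interface": "ether2-master",
             "connection-state": "established",
             "connection-nat-state": None, "ipsec-policy": None}


def first_packet_verdict():
    return evaluate(FORWARD_RULES, VPN_TO_LAN_FIRST)


def first_packet_verdict_with_ipsec_rule():
    rules = with_rule_before(FORWARD_RULES, IPSEC_IN_ACCEPT, 15)
    return evaluate(rules, VPN_TO_LAN_FIRST)


def reply_verdict():
    return evaluate(FORWARD_RULES, LAN_REPLY)


if __name__ == "__main__":
    print("VPN client -> LAN, first packet:", first_packet_verdict())
    print("same, with ipsec-in rule before 15:",
          first_packet_verdict_with_ipsec_rule())
    print("LAN -> VPN client reply:", reply_verdict())
```

Under that assumption the first packet of a new connection from 192.168.83.110 lands on rule 15 ("drop all from WAN not DSTNATed") because nothing earlier in the forward chain accepts new IPsec-decrypted traffic, while the LAN reply is accepted by rule 13. The model deliberately does not cover two things worth checking separately on the router: fasttracked connections bypass IPsec policies unless the fasttrack rule excludes them (RouterOS supports `ipsec-policy=out,none` / `in,none` on that rule), and because the client address 192.168.83.110 lies inside the LAN's own 192.168.83.0/24, hosts on ether2-master will ARP for it directly, so the router has to answer on their behalf (proxy-arp on the LAN interface) for the reply to reach the tunnel at all.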