LaRP
just joined
Topic Author
Posts: 24
Joined: Thu Mar 26, 2015 3:30 pm

IPSEC Site-to-site

Mon Dec 28, 2015 4:50 pm

Hello

I have 2 RB2011 routers set up with an IPSec Site-to-site, no problems with connecting.

The problem is that I can ping back and forth from both sides, but when I try to access other data across the tunnel, for example the web interface of a VoIP phone, nothing really happens; Wireshark shows that I don't get any data.

Chrome error message is ERR_EMPTY_RESPONSE

Sometimes, but very rarely, do I get a reply, but it only works for a few seconds. Seems like this occurs when the IPSEC "re-authenticates", but I'm not sure.
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSEC Site-to-site

Tue Dec 29, 2015 10:23 am

Welcome to the club, there are a number of us with the same problem.

I finally was able to ping a PC at the far end of the tunnel and use VNC to control it, but it quit working after I rebooted the PC after windows update.

All the YouTube and wiki articles seem to only ping from one router LAN IP to the far side, never to anything on the LAN. They all have static IPs on the WAN; mine are DHCP but don't change very often.

I've disabled the default route in DHCP client on the WAN and added the same route as a static one but that didn't work.

I've tried IPsec tunnel and IPsec with IPIP tunnel.
I'm going to put Wireshark on a PC to see if it is getting the ping request from the far side; if it is, then it must be a routing issue in the near end router.
 
nickmitec
just joined
Posts: 1
Joined: Wed Dec 30, 2015 12:39 am

Re: IPSEC Site-to-site

Wed Dec 30, 2015 12:41 am

Do you have NAT rules set to allow the traffic on both sides?
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSEC Site-to-site

Thu Dec 31, 2015 12:15 pm

site 1 - router is 192.168.90.1

/ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.90.0/24
dst-address=192.168.91.0/24 log=yes log-prefix="SRC-NAT"

1 ;;; default configuration
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""

site 2 - 192.168.91.1

/ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.91.0/24
dst-address=192.168.90.0/24 log=yes log-prefix="srcnat"

1 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=WAN
log=no log-prefix=""
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: IPSEC Site-to-site

Thu Dec 31, 2015 5:21 pm

What about your IPSec policies or firewall rules? Both of those could be the source of the issue. I have a couple of pure IPSec site to site tunnels and they work fine.
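The two things the thread has raised so far are the srcnat listings jaytcsd posted (the accept rule for LAN-to-LAN traffic has to sit above the masquerade rule on both routers, or the tunnel traffic leaves with the WAN address and never matches the policy) and Feklar's question about whether the IPsec policies actually cover the same subnets. The checker below is an added example, not code from the thread or from MikroTik: it parses RouterOS `print` output and flags a missing or mis-ordered bypass rule and a missing tunnel-mode encrypt policy. The NAT listings are copies of the ones posted above; the two policy listings and the broken NAT variant are constructed, and the 203.0.113.1 / 198.51.100.1 WAN addresses in them are placeholders, since nobody in the thread posted policy output.

```python
import re
import shlex
from typing import Dict, List

# Copies of the two NAT listings posted in the thread (site 1 = 192.168.90.0/24,
# site 2 = 192.168.91.0/24), embedded here as sample input.
SITE1_NAT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=192.168.90.0/24
     dst-address=192.168.91.0/24 log=yes log-prefix="SRC-NAT"

 1   ;;; default configuration
     chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
"""

SITE2_NAT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=192.168.91.0/24
     dst-address=192.168.90.0/24 log=yes log-prefix="srcnat"

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=WAN
     log=no log-prefix=""
"""

# CONSTRUCTED: the thread never posted /ip ipsec policy output. These two listings
# show what a matching pair looks like; the sa-*-address values are placeholders.
SITE1_POLICY = """\
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 A  src-address=192.168.90.0/24 src-port=any dst-address=192.168.91.0/24 dst-port=any
      protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
      sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=default
"""

SITE2_POLICY = """\
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 A  src-address=192.168.91.0/24 src-port=any dst-address=192.168.90.0/24 dst-port=any
      protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
      sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 proposal=default
"""

# CONSTRUCTED: a broken variant of site 1 with the masquerade rule ordered first.
SITE1_NAT_BROKEN = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=WAN
 1   chain=srcnat action=accept src-address=192.168.90.0/24 dst-address=192.168.91.0/24
"""

FLAG_TOKEN = re.compile(r"^[XIDTA*]+$")   # single-letter flags printed before the first key=value


def parse_print(text: str) -> List[Dict[str, str]]:
    """Parse the multi-line output of a RouterOS 'print' command into one dict per entry."""
    rules: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        start = re.match(r"^(\d+)\s+(.*)$", line)
        if start:                          # a new numbered entry begins on this line
            current = {"index": start.group(1), "flags": ""}
            rules.append(current)
            line = start.group(2)
        if current is None:
            continue
        if line.startswith(";;;"):         # RouterOS comment line
            current["comment"] = line[3:].strip()
            continue
        for tok in shlex.split(line):      # shlex strips the quotes around log-prefix values
            if "=" in tok:
                key, value = tok.split("=", 1)
                current[key] = value
            elif FLAG_TOKEN.match(tok):
                current["flags"] += tok
    return rules


def check_site(nat_text: str, policy_text: str, local: str, remote: str) -> List[str]:
    """Findings for one router: LAN-to-LAN traffic must bypass srcnat and have an encrypt policy."""
    findings: List[str] = []
    srcnat = [r for r in parse_print(nat_text)
              if r.get("chain") == "srcnat" and "X" not in r["flags"]]
    bypass = [i for i, r in enumerate(srcnat)
              if r.get("action") == "accept"
              and r.get("src-address") == local and r.get("dst-address") == remote]
    translating = [i for i, r in enumerate(srcnat)
                   if r.get("action") in ("masquerade", "src-nat")]
    if not bypass:
        findings.append(f"no srcnat accept rule for {local} -> {remote}; tunnel traffic gets masqueraded")
    elif translating and min(translating) < bypass[0]:
        findings.append(f"masquerade rule #{srcnat[min(translating)]['index']} is ordered before the tunnel accept rule")
    policies = [p for p in parse_print(policy_text) if "X" not in p["flags"]]
    if not any(p.get("src-address") == local and p.get("dst-address") == remote
               and p.get("action") == "encrypt" and p.get("tunnel") == "yes"
               for p in policies):
        findings.append(f"no active tunnel-mode encrypt policy for {local} -> {remote}")
    return findings


def audit(site1: Dict[str, str], site2: Dict[str, str]) -> Dict[str, List[str]]:
    """Check both ends of the tunnel; each site dict carries its NAT text, policy text and LAN."""
    return {
        "site1": check_site(site1["nat"], site1["policy"], site1["lan"], site2["lan"]),
        "site2": check_site(site2["nat"], site2["policy"], site2["lan"], site1["lan"]),
    }


if __name__ == "__main__":
    result = audit({"nat": SITE1_NAT, "policy": SITE1_POLICY, "lan": "192.168.90.0/24"},
                   {"nat": SITE2_NAT, "policy": SITE2_POLICY, "lan": "192.168.91.0/24"})
    for site, findings in result.items():
        print(site, "OK" if not findings else findings)
```

Paste the real output of `/ip firewall nat print` and `/ip ipsec policy print` from each router in place of the embedded strings; the parser only relies on the numbered-entry layout, so disabled rules (flag X) and comment lines are handled. An empty findings list on both sides means the two points raised in the thread are not the cause and the search moves on to filter rules and the SAs themselves.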
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSEC Site-to-site

Thu Dec 31, 2015 11:45 pm

I have IPsec SAs coming out my ASS in both routers; both can ping the opposite site's LAN.
A laptop on site 2 at 192.168.91.25 can VNC into a site 1 laptop at 192.168.90.25, so I have one way working, still trying to figure out why I can't get both sides working.

Last week the PC at 90.25 could VNC into 91.25 but not the other way, they have switched roles. The IP gods must be laughing at me every day.

I'm running Wireshark on the 90.25 PC and see ARP requests from the router and the NIC. I thought once the router knows where 90.25 is those would stop, but I'm not an expert at that level of packet stuff.
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSEC Site-to-site

Sat Jan 02, 2016 5:33 am

@ LaRP - what version are you running?
It dawned on me earlier today that the examples I've been looking at are version 5 or earlier, Greg's video is 3.29.