Thanks guys,
I have the IPSec tunnel established using the default proposal (I've made it this far before....) and added what I think are the right firewall rules but still no ping across the WAN.
Office 1 - LAN 192.168.0.0/24
Policy
[...@trk-mtk-04] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A src-address=192.168.0.0/24 src-port=any dst-address=192.168.3.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<Office 1 WAN IP> sa-dst-address=<Office 2 WAN IP> proposal=default ph2-count=2
Peers
[...@trk-mtk-04] /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 address=<Office 2 WAN IP> auth-method=pre-shared-key secret="*************" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Firewall Filter
[...@trk-mtk-04] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
3 ;;; allow udp/500
chain=input action=accept protocol=udp src-address=<Office 2 WAN IP> src-port=500 log=no log-prefix=""
4 ;;; allow ESP packets
chain=input action=accept src-address=<Office 2 WAN IP> log=no log-prefix="" ipsec-policy=in,ipsec
5 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
8 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
9 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
Firewall NAT
[...@trk-mtk-04] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.3.0/24 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
Firewall Raw
[RogerPhilAndDave@trk-mtk-04] /ip firewall raw> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 ;;; bypass connection tracking
chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=192.168.3.0/24
2 ;;; bypass connection tracking
chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.0.0/24
Office 2 - LAN 192.168.3.0/24
Policy
[...@trk-mtk-03] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A src-address=192.168.3.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<Office 2 WAN IP> sa-dst-address=<Office 1 WAN IP> proposal=default ph2-count=3
Peers
[...@trk-mtk-03] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=<Office 1 WAN IP> auth-method=pre-shared-key secret="************" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Firewall Filter
[...@trk-mtk-03] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
3 ;;; allow udp/500
chain=input action=accept protocol=udp src-address=<Office 1 WAN IP> src-port=500 log=no log-prefix=""
4 ;;; allow ESP packets
chain=input action=accept src-address=<Office 1 WAN IP> log=no log-prefix="" ipsec-policy=in,ipsec
5 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
7 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
8 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
9 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
Firewall NAT
[...@trk-mtk-03] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.3.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
Firewall Raw
[...@trk-mtk-03] > ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 ;;; bypass connection tracking
chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.3.0/24 dst-address=192.168.0.0/24
2 ;;; bypass connection tracking
chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=192.168.3.0/24
So I have allowed ICMP on both WAN interfaces - I would expect to be able to ping both 192.168.0.1 and 192.168.3.1 from both routers or hosts in each subnet.
What am I missing?
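Added example (not part of the post above, and not RouterOS code): a small evaluator for the Office 1 (trk-mtk-04) input and forward chains exactly as printed, so you can see which rule a given packet lands on rather than reasoning about it by eye. Note that the "accept ICMP" rule is in the input chain only, so it covers pings to the router itself; host-to-host pings go through the forward chain. The model encodes these assumptions about RouterOS behaviour: a decrypted tunnel packet reaches the filter with in-interface set to the WAN interface the ESP arrived on and matches ipsec-policy=in,ipsec; a packet excluded from conntrack by a raw notrack rule has connection-state=untracked, which matches neither new nor invalid; raw ESP and IKE from the peer pass the input chain before the IPsec stack sees them; fasttrack-connection does not end chain traversal; a chain with no terminating match accepts by default. The WAN addresses, host addresses and function names are constructed placeholders. Two checks worth running are included: with nat-traversal=yes on the peers, IKE and ESP-in-UDP move to UDP/4500 once a NAT is detected, and the posted rule 3 accepts source port 500 only; and rule 4 is commented "allow ESP packets" but its matcher (ipsec-policy=in,ipsec) selects decrypted payload, not protocol 50.

```python
"""Added example: evaluate the posted Office 1 filter rules against sample packets.
Models only the matchers those rules use; every RouterOS behaviour assumed is
listed in the lead-in. Not RouterOS code."""
import ipaddress

OFFICE1_WAN = "203.0.113.1"   # constructed placeholder for <Office 1 WAN IP>
OFFICE2_WAN = "198.51.100.2"  # constructed placeholder for <Office 2 WAN IP>

# Office 1 (trk-mtk-04) chains, transcribed from the printout above (rule ids match).
INPUT_CHAIN = [
    {"id": 1, "action": "accept", "protocol": "icmp"},
    {"id": 2, "action": "accept", "connection-state": {"established", "related"}},
    {"id": 3, "action": "accept", "protocol": "udp", "src-address": OFFICE2_WAN, "src-port": 500},
    {"id": 4, "action": "accept", "src-address": OFFICE2_WAN, "ipsec-policy": "in,ipsec"},
    {"id": 5, "action": "drop", "in-interface": "ether1"},
]
FORWARD_CHAIN = [
    {"id": 6, "action": "fasttrack-connection", "connection-state": {"established", "related"}},
    {"id": 7, "action": "accept", "connection-state": {"established", "related"}},
    {"id": 8, "action": "drop", "connection-state": {"invalid"}},
    {"id": 9, "action": "drop", "connection-state": {"new"},
     "connection-nat-state": "!dstnat", "in-interface": "ether1"},
]


def make_packet(protocol, src, dst, in_iface, conn_state, src_port=None,
                nat_state="none", ipsec_in=False):
    """Hypothetical representation of a packet as the filter sees it."""
    return {"protocol": protocol, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "src-port": src_port,
            "in-interface": in_iface, "connection-state": conn_state,
            "connection-nat-state": nat_state, "ipsec-in": ipsec_in}


def rule_matches(rule, pkt):
    """Every matcher present on the rule must match; absent matchers match anything."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "src-address" in rule and pkt["src"] not in ipaddress.ip_network(rule["src-address"], strict=False):
        return False
    if "src-port" in rule and rule["src-port"] != pkt["src-port"]:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in-interface"]:
        return False
    if "connection-state" in rule and pkt["connection-state"] not in rule["connection-state"]:
        return False
    if "connection-nat-state" in rule:
        wanted = rule["connection-nat-state"]
        negate = wanted.startswith("!")
        if (pkt["connection-nat-state"] == wanted.lstrip("!")) == negate:
            return False
    if "ipsec-policy" in rule and not pkt["ipsec-in"]:  # in,ipsec: decrypted payload only
        return False
    return True


def evaluate(chain, pkt):
    """Walk the chain in order. Return (verdict, rule id) of the first terminating
    rule, or ("accept", None) for the chain default. fasttrack-connection and
    passthrough are assumed not to end traversal."""
    for rule in chain:
        if rule_matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"], rule["id"]
    return "accept", None


def ping_router_from_office2_host(with_notrack=True):
    """Decrypted ICMP from an Office 2 host to 192.168.0.1: input chain."""
    pkt = make_packet("icmp", "192.168.3.10", "192.168.0.1", "ether1",
                      "untracked" if with_notrack else "new", ipsec_in=True)
    return evaluate(INPUT_CHAIN, pkt)


def ping_host_from_office2_host(with_notrack=True):
    """Decrypted ICMP from an Office 2 host to an Office 1 host: forward chain.
    with_notrack=False shows what the raw notrack rules are protecting against."""
    pkt = make_packet("icmp", "192.168.3.10", "192.168.0.10", "ether1",
                      "untracked" if with_notrack else "new", ipsec_in=True)
    return evaluate(FORWARD_CHAIN, pkt)


def ike_from_peer(src_port):
    """Cleartext IKE from the Office 2 WAN address: UDP/500, or UDP/4500 under NAT-T."""
    pkt = make_packet("udp", OFFICE2_WAN, OFFICE1_WAN, "ether1", "new", src_port=src_port)
    return evaluate(INPUT_CHAIN, pkt)


def esp_from_peer():
    """Raw ESP (protocol 50, 'ipsec-esp' in RouterOS) from the Office 2 WAN address."""
    pkt = make_packet("ipsec-esp", OFFICE2_WAN, OFFICE1_WAN, "ether1", "new")
    return evaluate(INPUT_CHAIN, pkt)


if __name__ == "__main__":
    print("ping router (notrack):      ", ping_router_from_office2_host())
    print("ping host (notrack):        ", ping_host_from_office2_host())
    print("ping host (no notrack):     ", ping_host_from_office2_host(with_notrack=False))
    print("IKE udp/500 from peer:      ", ike_from_peer(500))
    print("IKE udp/4500 from peer:     ", ike_from_peer(4500))
    print("raw ESP from peer:          ", esp_from_peer())
```

Running it shows the host-to-host ping reaching the forward chain default accept only because the raw notrack rules keep it out of the connection-state=new drop (rule 9), while UDP/4500 and raw ESP from the peer fall through to the "drop all from WAN" rule 5 under the stated assumptions; whether those last two matter depends on whether NAT-T is actually negotiated and on where ESP is filtered on the running RouterOS version, which this model does not verify.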