manelfl
newbie
Topic Author
Posts: 30
Joined: Mon May 18, 2015 12:55 pm

Understanding IPSec Road Warrior setup with Mode Conf

Tue Sep 11, 2018 3:55 pm

Hi!
I need help because I have no traffic between the Shrew VPN Client and Mikrotik X86 v6.42.2.
I have followed this link: https://wiki.mikrotik.com/wiki/Manual:I ... _Mode_Conf

  • Configuration
    • VirtualBox PC=10.0.1.99/24 (simulating internet)
    • VirtualBox Mikrotik
      ether1=10.0.1.1/24 (simulating internet)
      ether2=192.168.133.1/24 (simulating LAN)
  • Problem:
    • Ping from Mikrotik to PC
      ping 192.168.77.254
      no route to host
    • Ping from PC to Mikrotik LAN IP
      ping 192.168.133.1
      Request timed out.
      Sniffer in Mikrotik
      ether1 1.806 1 <- 08:00:27:60:EC:7F 08:00:27:1A:D6:B3 192.168.77.254 192.168.133.1 ip:icmp 74 0 no
  • Information
    IPSec tunnel is up
    icmp to Mikrotik LAN IP arrives
    ip ipsec remote-peers print
    0 R user1 established 10.0.1.99 192.168.77.254 6m17s
    ip ipsec policy print
    1 T group=RoadWarrior src-address=192.168.133.0/24 dst-address=192.168.77.0/24 protocol=all proposal=tbc template=yes
    2 DA src-address=192.168.133.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=10.0.1.1 sa-dst-address=10.0.1.99 proposal=tbc ph2-count=2

Why isn't there a route to 192.168.77.254 road warrior IP?

Thank you in advance for your help.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Understanding IPSec Road Warrior setup with Mode Conf

Tue Sep 11, 2018 4:12 pm

You still need to have active route to 192.168.77.0/24 in routing table or else packets do not even get to IPsec policy checking and are dropped. Usually there is 0.0.0.0/0 route already installed so there is no need for the specific route.
 
manelfl
newbie
Topic Author
Posts: 30
Joined: Mon May 18, 2015 12:55 pm

Re: Understanding IPSec Road Warrior setup with Mode Conf

Tue Sep 11, 2018 5:07 pm

Hi emils!

I have checked the configuration of a router in operation with an IPSec site-to-site tunnel. There isn't a route in the routing table (/ip route).
The dynamic address in the IPSec remote peer is 0.0.0.0.

In this case, road warrior, remote address is assigned by Mikrotik:
  • /ip pool print
    1 ipsec-RW 192.168.77.2-192.168.77.254
  • /ip ipsec mode-config print
    1 name="RW-cfg" system-dns=no static-dns="" address-pool=ipsec-RW address-prefix-length=24 split-include=192.168.133.0/24
  • /ip ipsec policy print
    1 T group=RoadWarrior src-address=192.168.133.0/24 dst-address=192.168.77.0/24 protocol=all proposal=tbc template=yes

    2 DA src-address=192.168.133.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=10.0.1.1 sa-dst-address=10.0.1.99 proposal=tbc ph2-count=2
    Policy #1 is the template.
    Policy #2 is the dynamic tunnel based on template.



IPSec routes are implicit routes. These routes don't appear in the routing table, but the destination is reachable.
In this case, road warrior, I'm not able to reach the destination, although the tunnel is enabled. If it is necessary to configure a route, which is the gateway for this route?

 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Understanding IPSec Road Warrior setup with Mode Conf

Wed Sep 12, 2018 9:12 am

IPsec daemon will not create such route, you have to manually create it. Example:
/ip route add dst-address=192.168.77.0/24 gateway=10.0.1.254
 
manelfl
newbie
Topic Author
Posts: 30
Joined: Mon May 18, 2015 12:55 pm

Re: Understanding IPSec Road Warrior setup with Mode Conf

Wed Sep 12, 2018 10:39 am

I have created the following route and it runs OK:
1 A S 192.168.77.0/24 10.0.1.99 1
But 10.0.1.99 is the client's public address, usually a dynamic IP.
I can get this IP from
/ip ipsec remote-peers print
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 R user1 established 10.0.1.99 192.168.77.254 13m48s
Do I need a script to create the route?

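The route emils describes, written out against the lab addresses posted in this thread, together with the checks a practitioner would run afterwards. This is an added example, not part of the original posts or of MikroTik's documentation. 10.0.1.254 is emils's placeholder for the upstream gateway on ether1; substitute the real next hop. The route only has to exist so that the packet reaches the IPsec policy check at all; once dynamic policy 2 matches, the packet is encrypted and sent to sa-dst-address 10.0.1.99 over the router's own route to that peer, so the gateway of the pool route does not have to be the client's public address and the route does not need to change when a different client connects. One caveat for testing from the router itself: policy 2 only matches src-address 192.168.133.0/24, so a plain /ping from the router would be sourced from ether1 (10.0.1.1), never match the policy, and be forwarded to the gateway unencrypted; the ping has to be sourced from the LAN address.

```routeros
# Added example for the lab in this thread; not from the original posts.
# Assumed: ether1=10.0.1.1/24 faces the client, 10.0.1.254 is the upstream
# gateway (emils's placeholder), 192.168.77.0/24 is the mode-config pool
# "ipsec-RW", and 192.168.133.1 is the router's LAN address on ether2.

# 1. Give the pool a route so packets to road-warrior addresses enter the
#    forwarding path. The next hop is the normal upstream gateway, not the
#    client's public IP, so one static route covers every client in the pool.
/ip route add dst-address=192.168.77.0/24 gateway=10.0.1.254 comment="IPsec road-warrior pool (mode-config)"

# 2. Confirm the route is active, that the dynamic policy generated from the
#    RoadWarrior template covers the address the client was assigned, and
#    that the peer is still established.
/ip route print where dst-address=192.168.77.0/24
/ip ipsec policy print where dst-address=192.168.77.254/32
/ip ipsec remote-peers print

# 3. Test from the router with a LAN source address. Policy 2 matches
#    src-address=192.168.133.0/24 only; a ping sourced from ether1
#    (10.0.1.1) would not match and would never be encrypted.
/ping 192.168.77.254 src-address=192.168.133.1 count=3
```

If step 3 succeeds but a ping from a LAN host still fails, check the client side (the Shrew policy must include 192.168.133.0/24, which the split-include above hands it) before looking further at the router.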
