I got an OpenVPN site-to-site setup running and I can ping both subnets from the routers without any problems, but I cannot access any resources via IP while connected. (I can access e.g. the router through the VPN IP address: 192.168.89.1 (RB3011) & 192.168.89.100 (RB2011).)
SITE A: 192.168.16.0/24
SITE B: 192.168.100.0/24
Site A
[admin@RB3011] >
/ppp profile print
2 name="ovpn_profile" local-address=192.168.89.1 remote-address=vpn_89
remote-ipv6-prefix-pool=*0 bridge=bridge-local use-ipv6=no use-mpls=default
use-compression=no use-encryption=required only-one=default change-tcp-mss=yes
use-upnp=default address-list="" dns-server=8.8.4.4,8.8.8.8 on-up="" on-down=""
/ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
6 office any **** ovpn_profile 192.168.89.100
/interface ovpn-server server print
enabled: yes
port: 1194
mode: ip
netmask: 24
mac-address: FE:F8:42:72:CC:3A
max-mtu: 1500
keepalive-timeout: 120
default-profile: ovpn_profile
certificate: SERVER
require-client-certificate: yes
auth: sha1
cipher: aes128,aes256
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
9 ADC 192.168.89.100/32 192.168.89.1 <ovpn-office> 0
10 A S 192.168.100.0/24 192.168.89.100 1
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Access IPSec Subnets
chain=srcnat action=accept src-address=192.168.16.0/24 dst-address-list=Owned IP log=no
log-prefix=""
1 ;;; OFFICE OVPN NAT
chain=srcnat src-address=192.168.16.0/24 dst-address=192.168.100.0/24
2 ;;; default configuration
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
3 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix=""
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
4 ;;; Access RB from IPSec
chain=input action=accept protocol=tcp src-address-list=Owned IP dst-port=80,443,8291,22
log=no log-prefix=""
5 chain=forward action=drop connection-state=invalid log=no log-prefix=""
10 ;;; allow ovpn
chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""
Site B
[admin@RB2011] >
/interface ovpn-client print
Flags: X - disabled, R - running
0 R name="ovpn-astarti" mac-address=02:3B:B0:D5:66:8B max-mtu=1500
connect-to=****** port=1194 mode=ip user="office"
password="*****" profile=ovpn_profile
certificate=cert_export_client-office.crt_0 auth=sha1 cipher=aes128
add-default-route=no
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
2 A S 192.168.16.0/24 192.168.89.1 1
3 ADC 192.168.89.0/24 192.168.89.100 ovpn-astarti 0
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.16.0/24
1 ;;; Masq OVPN Traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24
2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN
ipsec-policy=out,none
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
2 ;;; Open VPN
chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix=""
3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept out ipsec policy
What am I missing?