Mameo96
just joined
Topic Author
Posts: 1
Joined: Wed Nov 20, 2019 1:12 pm

IPSec Tunnel Established But unable to Ping/Connect Remote Devices

Wed Nov 20, 2019 1:34 pm

Hi,

I have created a site-to-site VPN and the PH2 phase is established and I also see the two installed SAs. My final target is to connect one PC of Router 1's LAN to Router 2's LAN via RDP, but it doesn't work; I can't even ping anyone in LAN 2.

Here's my network:

(network diagram image)

Can someone help me?

Sorry for my bad English.

Thanks in advance.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec Tunnel Established But unable to Ping/Connect Remote Devices

Wed Nov 20, 2019 2:07 pm

That's what you think you have, but the question is what you really have. Since nobody here knows that, let's try one guess. Did you add exception from main srcnat/masquerade for traffic going from local LAN to remote LAN? Because if not and srcnat rule applies to this traffic too, the source gets changed and IPSec policy no longer matches.
 
angriukas
Member Candidate
Posts: 103
Joined: Fri Nov 22, 2013 9:20 am

Re: IPSec Tunnel Established But unable to Ping/Connect Remote Devices

Wed Nov 20, 2019 3:00 pm

I guess also: probably your firewall masquerades and/or drops packets to/from the tunnel.
Depending on the router model, the default configuration usually contains properly configured firewall rules for IPsec traffic.
The following rules were taken from the default config: the two accepts should happen before the last drops in the forward chain.
Important parts are marked in bold.

/ip firewall filter
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec

And replace your masquerade rule with this one; make sure out-interface is correct, or use Out. Interface List=WAN if such a list exists.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
ipsec-policy=out,none out-interface=ether1
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: IPSec Tunnel Established But unable to Ping/Connect Remote Devices

Fri May 07, 2021 4:34 pm

If this topic is still active, I would add my solution.
I added an accept NAT rule before the masquerade rule, with src of the local subnet and dst of the remote local subnet.
I updated both of my routers to the newest ROS and, in the IPsec profiles, unchecked the NAT traversal option.
Rebooted both routers.
I was able to ping and access resources on the other side of the tunnel.
Hope I helped. Cheers!
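
The three fixes above (Sob's srcnat exception, angriukas's default-config filter and NAT rules, TomosRider's accept rule placed before masquerade) combined into one RouterOS configuration for Router 1, as an added example that is not taken from any of the posts. It assumes LAN 1 is 192.168.1.0/24 and LAN 2 is 192.168.2.0/24 (constructed values); ether1 as the WAN interface comes from angriukas's rule. Router 2 gets the same rules with the subnets swapped.

```routeros
# Router 1: LAN 192.168.1.0/24 (assumed), remote LAN 192.168.2.0/24 (assumed),
# WAN interface ether1. Mirror on Router 2 with the subnets swapped.

/ip firewall nat
# Accept rule goes FIRST (place-before=0), so LAN1->LAN2 traffic keeps its
# original source address and still matches the IPsec policy selector.
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    comment="bypass NAT for site-to-site IPsec"
# The general masquerade stays below it. ipsec-policy=out,none is the
# default-config alternative: it skips any packet that matches an
# outgoing IPsec policy, whatever the subnets are, so either one is enough.
add chain=srcnat action=masquerade out-interface=ether1 \
    ipsec-policy=out,none comment="default configuration"

/ip firewall filter
# Allow decrypted tunnel traffic both ways; these must sit above the
# final drop rules of the forward chain.
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="accept out ipsec policy"

# Verification. The policy's ph2-state should read "established" and there
# should be one installed SA per direction with byte counters increasing.
/ip ipsec policy print
/ip ipsec installed-sa print
# While a LAN1 host pings LAN2: the srcnat accept rule's counters must grow
# and the masquerade rule's must not; otherwise the source is still being
# rewritten and the policy no longer matches.
/ip firewall nat print stats
# Ping from the router itself with a LAN1 source address, so the test does
# not depend on the host's own firewall or default gateway.
/ping 192.168.2.1 src-address=192.168.1.1
```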
