Hi,
I'm trying to set up an IPsec tunnel between two locations.
At the moment I have the two routers set up at home behind my home router for testing.
The problem I have is that when I go from Site2 to Site1 it works,
and I can go from Site1 to Site2.
But when the lifetime expires I cannot go from Site1 to Site2 until I ping once from Site2 to Site1.
I have used the example at https://wiki.mikrotik.com/wiki/Manual:IP/IPsec (Site to Site IPsec tunnel).
PS: Windows will block the ping from another subnet if you have the Windows firewall set up.
Hardware: hAP ac2
Software: 6.46.1
Site 1
192.168.2.43 (internet IP address)
192.168.7.0/24
Site 2
192.168.2.44 (internet IP address)
192.168.6.0/24
Configurations:
########################################################################################################
# Setup Site1
########################################################################################################
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=Site2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=Site2 pfs-group=modp2048
/ip ipsec peer
add address=192.168.2.44/32 name=Site2 profile=Site2
/ip ipsec identity
add peer=Site2 secret=Site00Site
/ip ipsec policy
add src-address=192.168.7.0/24 src-port=any dst-address=192.168.6.0/24 place-before=0 dst-port=any tunnel=yes action=encrypt proposal=default peer=Site2
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.7.0/24 dst-address=192.168.6.0/24
/ip firewall filter
add chain=forward action=accept place-before=1 src-address=192.168.6.0/24 dst-address=192.168.7.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 src-address=192.168.7.0/24 dst-address=192.168.6.0/24 connection-state=established,related
/ip firewall raw
add action=notrack chain=prerouting src-address=192.168.6.0/24 dst-address=192.168.7.0/24
add action=notrack chain=prerouting src-address=192.168.7.0/24 dst-address=192.168.6.0/24
/ip ipsec
active-peers print
installed-sa print
########################################################################################################
# setup Site2
########################################################################################################
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=Site1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=Site1 pfs-group=modp2048
/ip ipsec peer
add address=192.168.2.43/32 name=Site1 profile=Site1
/ip ipsec identity
add peer=Site1 secret=Site00Site
/ip ipsec policy
add src-address=192.168.6.0/24 src-port=any dst-address=192.168.7.0/24 place-before=0 dst-port=any tunnel=yes action=encrypt proposal=default peer=Site1
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.6.0/24 dst-address=192.168.7.0/24
/ip firewall filter
add chain=forward action=accept place-before=1 src-address=192.168.7.0/24 dst-address=192.168.6.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 src-address=192.168.6.0/24 dst-address=192.168.7.0/24 connection-state=established,related
/ip firewall raw
add action=notrack chain=prerouting src-address=192.168.6.0/24 dst-address=192.168.7.0/24
add action=notrack chain=prerouting src-address=192.168.7.0/24 dst-address=192.168.6.0/24
/ip ipsec
active-peers print
installed-sa print
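Added here as an illustration, not code from the post or from MikroTik: a small Python checker that parses the two RouterOS IPsec configs above and flags dangling peer/proposal references, proposals that are defined but never referenced by a policy (both sites above create one and then use proposal=default), and encrypt policies with no src/dst-mirrored twin on the other site. The menu paths and values are taken from the post; the parser and checker functions are hypothetical helpers.

```python
# Constructed excerpt of the Site1 config from the post, in RouterOS export syntax.
SITE1 = """\
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=Site2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=Site2 pfs-group=modp2048
/ip ipsec peer
add address=192.168.2.44/32 name=Site2 profile=Site2
/ip ipsec policy
add src-address=192.168.7.0/24 dst-address=192.168.6.0/24 tunnel=yes action=encrypt proposal=default peer=Site2
"""
# Site2 is the mirror image: object names, peer address and policy direction swapped.
SITE2 = SITE1.replace("Site2", "Site1").replace("192.168.2.44", "192.168.2.43").replace(
    "src-address=192.168.7.0/24 dst-address=192.168.6.0/24",
    "src-address=192.168.6.0/24 dst-address=192.168.7.0/24")

def parse(text):
    """Map each menu path (e.g. '/ip ipsec peer') to its 'add' entries as key->value dicts."""
    menus, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            menus[current].append(dict(t.split("=", 1) for t in line.split()[1:] if "=" in t))
    return menus

def check_pair(sites):
    """sites: {label: parsed config}. Return human-readable findings (empty list = consistent)."""
    findings = []
    for label, cfg in sites.items():
        defined = {m: {e.get("name") for e in cfg.get(f"/ip ipsec {m}", [])} for m in ("proposal", "peer")}
        policies = cfg.get("/ip ipsec policy", [])
        for pol in policies:
            if pol.get("peer") not in defined["peer"]:
                findings.append(f"{label}: policy uses undefined peer {pol.get('peer')}")
            if pol.get("proposal", "default") not in defined["proposal"] | {"default"}:
                findings.append(f"{label}: policy uses undefined proposal {pol['proposal']}")
        # A proposal nobody references usually means the policy silently fell back to 'default'.
        for name in sorted(defined["proposal"] - {p.get("proposal", "default") for p in policies}):
            findings.append(f"{label}: proposal {name} is defined but no policy references it")
    # Each encrypt policy must have a src/dst-swapped twin on the other site.
    for label, cfg in sites.items():
        others = [p for o, c in sites.items() if o != label for p in c.get("/ip ipsec policy", [])]
        for pol in cfg.get("/ip ipsec policy", []):
            if not any(q.get("src-address") == pol.get("dst-address") and q.get("dst-address") == pol.get("src-address") for q in others):
                findings.append(f"{label}: policy {pol.get('src-address')}->{pol.get('dst-address')} has no mirror")
    return findings
```

Running `check_pair({"Site1": parse(SITE1), "Site2": parse(SITE2)})` on the posted configs reports only the two unreferenced proposals; anything else it prints would be a genuine mismatch worth fixing before looking at the rekey behaviour.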