SystemFailure
just joined
Topic Author
Posts: 4
Joined: Wed Jun 30, 2021 12:30 pm

Mikrotik (VPN Client) no ping between peers and vpn internal network (solved)

Tue Jul 13, 2021 5:20 pm

Hey there;

strongSwan server (self-hosted VPN on the internet), IP: 20.20.20.20 (VPN internal IP pool 172.10.10.0)
MikroTik as VPN client (IKEv2): 192.168.88.1
Peers (MikroTik internal devices using a specific connection mark in some VLAN), example: 192.168.1.2

Two scenarios:

- Peer 192.168.1.2 configured directly, without using the MikroTik as VPN client:
All OK, internal VPN network ping between 192.168.1.2 and 172.10.10.1 works; it works like a charm, fast and very stable.

- Peer 192.168.1.2 without VPN configuration, MikroTik as VPN client:
No internal ping in the VPN network between 192.168.1.2 and 172.10.10.1; the connection is fast, but I can't post in forums or log in to websites.
Dynamic address and routes are generated:
 D 172.10.10.1/24      172.10.10.0      PPPoE 
 ADC  172.10.10.1/24     172.10.10.0      PPPoE 
I think the server is not the problem, because if I configure a VPN inside the internal network devices, it works fine. I think the problem is the MikroTik IPsec policy and NAT rules, which are generated dynamically:
D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=172.10.10.2 connection-mark=strongswan
I was playing with the firewall, creating forwarding rules between the internal VLANs and the internal VPN network, but no way. All rules are placed before fasttrack.
Any idea?
Last edited by SystemFailure on Mon Jul 26, 2021 12:30 pm, edited 1 time in total.
 
SystemFailure

Re: Mikrotik (VPN Client) no ping between peers and vpn internal network

Sat Jul 17, 2021 7:56 pm

[228284.036300] [UFW BLOCK] IN=ens3 OUT= MAC=**************:08:00 SRC=IO DST=IP VPN LEN=566 TOS=0x00 PREC=0x00 TTL=51 ID=40084 PROTO=TCP SPT=443 DPT=40598 WINDOW=335 RES=0x00 ACK PSH URGP=0 
strongSwan is a headache; the documentation is too long, and using a VTE device changes the rules, but the problem here seems to be the firewall. I tried to open port 443 but without luck.
The connmark plugin is disabled, following the documentation.
 
SystemFailure

Re: Mikrotik (VPN Client) no ping between peers and vpn internal network (solved)

Mon Jul 26, 2021 12:34 pm

Using strongSwan's recommended rules and switching from ufw to iptables resolved the issue. Now everything works fine.
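The fix the poster describes (strongSwan's recommended forwarding and NAT rules applied with plain iptables instead of ufw), as an added example that is not from this thread or from the strongSwan project: a POSIX sh script that generates those rules for a responder that hands out virtual IPs from a pool and forwards that traffic to the internet. The interface name ens3 is taken from the ufw log line above and the pool 172.10.10.0/24 from the first post; the function names gen_rules and apply_rules and the APPLY=1 switch are assumptions made here. Without APPLY=1 the script only prints the rules; applying them needs root.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from strongSwan.
# Emits the iptables rules strongSwan's documentation recommends for a
# responder with a virtual-IP pool that is NATed out of a WAN interface.
# Assumed values (from the thread): WAN interface ens3, pool 172.10.10.0/24.

gen_rules() {
    wan="$1"    # outbound interface, e.g. ens3
    pool="$2"   # IPsec virtual IP pool, e.g. 172.10.10.0/24

    # Forwarding must be on for pool traffic to leave the box at all.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Let IKE (UDP 500/4500) and ESP reach the daemon.
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -j ACCEPT"

    # Forward pool traffic only when it actually came in / goes out through
    # an IPsec policy (-m policy), so nobody can spoof pool addresses in clear.
    echo "iptables -A FORWARD -m policy --pol ipsec --dir in --proto esp -s $pool -j ACCEPT"
    echo "iptables -A FORWARD -m policy --pol ipsec --dir out --proto esp -d $pool -j ACCEPT"

    # Clamp TCP MSS on tunnelled flows so replies fit the ESP-encapsulated MTU.
    echo "iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -s $pool -o $wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360"

    # NAT: first exempt traffic that leaves through an IPsec SA (it must keep
    # its pool source address), then masquerade the rest of the pool.
    echo "iptables -t nat -A POSTROUTING -s $pool -o $wan -m policy --dir out --pol ipsec -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE"
}

# Print the rules (default) or execute them when APPLY=1 is set.
apply_rules() {
    gen_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Usage: sh vpn-fw.sh ens3 172.10.10.0/24         (dry run)
#        APPLY=1 sh vpn-fw.sh ens3 172.10.10.0/24 (as root)
if [ $# -ge 2 ]; then
    apply_rules "$1" "$2"
fi
```

Rule order inside the nat table matters: the policy-match ACCEPT has to precede MASQUERADE, otherwise traffic destined for another IPsec peer gets its source rewritten to the WAN address and the peer's policy no longer matches. The FORWARD rules likewise accept pool traffic only when it arrived through or leaves through ESP, which is what a plain "allow the pool" rule in a front-end like ufw does not express.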
