piotrchm93
just joined
Topic Author
Posts: 12
Joined: Mon Feb 13, 2023 8:53 pm

VPN IPSEC cant ping from one side

Tue Feb 14, 2023 1:06 am

Good morning,
Hello everyone on the forum, this is my first post, so I apologize for any inaccuracies or omissions.
SITE A - vlan7 - LAN+mgmt (192.168.7.1) main router, DHCP server, firewall, L2TP VPN server (192.168.11.1 - currently disabled), IPSEC VPN (10.0.88.1). Ethernet 1 is the WAN and gets a public address as a DHCP client.
SITE B - no VLAN, only a bridge on eth 1,2,3. 192.168.55.1 (no DHCP server), L2TP VPN client (disabled) 192.168.11.33, now VPN CLIENT (10.0.88.3). WLAN1 (wifi) connects to a simple LTE router (without management options) and receives the address 192.168.43.3 from DHCP, i.e. it is behind NAT.
MT SUPPORT.png
The situation is as follows. I have a network at home (Site A) and the main hAP ac2 router (ARM) in it. I want to connect to a remote Mikrotik hAP mini using IPSEC VPN. Both work under ROS 6.49.7.
So far I've used a PPP/L2TP connection with IPSEC and everything worked as I wanted. SITE B connected as a client to SITE A (192.168.11.1) and got the address 192.168.11.33. It was enough to set up the routing and both networks were reachable without any problems (of course with the appropriate rules on the firewall).
Now L2TP has been completely disabled on both sides so that it doesn't conflict. The situation with IPSEC looks more complicated. SITE A is the server with the address 10.0.88.1, site B gets the address 10.0.88.3. (I based this on the MikroTik Wiki and MUM2019 by Nikita Tarikin.)
The connection is established correctly, but there is a problem. And now:

SITE A can PING -> 10.0.88.1 , 10.0.88.3
SITE A cannot PING -> 192.168.55.1 (its LAN address of SITE B)
SITE B can PING -> 10.0.88.1, 10.0.88.3, 192.168.7.1 and others from this network, e.g. 192.168.7.4, which is how it is supposed to work.

I tried turning off the firewall completely (for a test). I set NAT firewall rules:
ACCEPT / SRCNAT src: 192.168.7.0/24 dst: 192.168.55.0/24 as the first rule (#0)
ACCEPT / SRCNAT src: 10.0.88.0/24 dst: 192.168.55.0/24 as #0
and vice versa with the addresses swapped; no effect.
The second rule (#1) is masquerade srcnat, out-interface WAN.
I disabled the Mangle rules for QoS and set a Firewall Raw rule:
notrack, prerouting src. 192.168.7.0/24 dst. 192.168.55.0/24
No effect.
I suspect that the problem lies where the VPN address appears. On site A it is 10.0.88.1 assigned to bridge-loopback, while on site B it appears on wlan1 which is WAN (disabling the firewall had no effect). However, I can't change the place where it is assigned in SITE B.

Please help, or any tips 😊
Regards !



SITE A
# model = RBD52G-5HacD2HnD
/interface bridge
add fast-forward=no name=bridge-loopback
add admin-mac=48:8F:5A:57:22:F8 auto-mac=no fast-forward=no name=bridge_vlany \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether3 ] name=ether3_PC
set [ find default-name=ether4 ] name=ether4_TAG
set [ find default-name=ether5 ] name=ether5_TAG

/interface vlan
add interface=bridge_vlany name=vlan_5 vlan-id=5
add interface=bridge_vlany name=vlan_6 vlan-id=6
add arp=proxy-arp interface=bridge_vlany name=vlan_7_LAN vlan-id=7
add interface=bridge_vlany name=vlan_8 vlan-id=8
add interface=bridge_vlany name=vlan_9 vlan-id=9
add interface=bridge_vlany name=vlan_10 vlan-id=10

/ip ipsec mode-config
set [ find default=yes ] src-address-list=local-RW
add address=10.0.88.3 name="modeconf SITEB static ip" split-include=\
    0.0.0.0/0,10.0.88.0/24,192.168.7.0/24 static-dns=10.0.88.1 system-dns=no
/ip ipsec policy group
add name="group vpn.ike2.xyz"
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    "profile vpn.ike2.xyz"
/ip ipsec peer
add disabled=yes exchange-mode=ike2 local-address=37.190.212.87 name=\
    "peer 123.45.67.8-x" passive=yes profile="profile vpn.ike2.xyz"
add exchange-mode=ike2 name="peer SITEB" passive=yes profile=\
    "profile vpn.ike2.xyz"
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name=\
    "proposal vpn.ike2.xyz" pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_lan_vlan7 ranges=192.168.7.70-192.168.7.177
add name=pool_vlan8 ranges=192.168.8.50-192.168.8.100
add name=pool_vlan9 ranges=192.168.9.50-192.168.9.100
add name="pool vpn.ike2.xyz" ranges=10.0.88.50-10.0.88.100
/ip dhcp-server
add add-arp=yes address-pool=pool_lan disabled=no interface=vlan_7_LAN \
    lease-time=30m name=dhcp_LAN
add add-arp=yes address-pool=pool_iot disabled=no interface=vlan_6 name=\
    dhcp_iot

/ip ipsec mode-config
add address-pool="pool vpn.ike2.xyz" name="modeconf dhco ikev2pool" \
    split-include=0.0.0.0/0,192.168.7.0/24 static-dns=10.0.88.1 system-dns=no
/ppp profile

add local-address=192.168.11.1 name=l2tp-server-new only-one=no \
    use-compression=yes use-encryption=required use-upnp=no
/queue type
add kind=pcq name=pcq_download pcq-classifier=dst-address pcq-rate=300M
add kind=pcq name=pcq_upload pcq-classifier=src-address pcq-rate=35M
/queue tree
add comment="Download 300M Gwarantowane 100M" limit-at=100M max-limit=300M \
    name=PCQ_download packet-mark=lan_download parent=global queue=\
    pcq_download
add name=PCQ_upload packet-mark=lan_upload parent=global queue=pcq_upload

/interface bridge port
add bridge=bridge_vlany comment=defconf interface=ether3
add bridge=bridge_vlany comment=defconf interface=ether4_TAG
add bridge=bridge_vlany comment=defconf interface=wlan1_2Ghz_LAN pvid=7
add bridge=bridge_vlany comment=defconf interface=wlan2_5Ghz pvid=7
add bridge=bridge_vlany interface=ether5_TAG
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge_vlany tagged=\
    bridge_vlany,*B,*15,ether5_TAG_Netgear_7.4,ether4_TAG untagged=*9 \
    vlan-ids=6
add bridge=bridge_vlany tagged=\
    bridge_vlany,*B,*15,ether5_TAG_Netgear_7.4,ether4_TAG vlan-ids=8
add bridge=bridge_vlany tagged=\
    bridge_vlany,*B,*15,ether5_TAG_Netgear_7.4,ether4_TAG untagged=*A \
    vlan-ids=9
add bridge=bridge_vlany tagged=\
    bridge_vlany,ether5_TAG_Netgear_7.4,ether4_TAG untagged=\
    ether2,ether3_White_RyzenX,wlan1_2Ghz_LAN,wlan2_5Ghz vlan-ids=7
add bridge=bridge_vlany tagged=\
    bridge_vlany,ether5_TAG_Netgear_7.4,ether4_TAG,*15 vlan-ids=10
add bridge=bridge_vlany tagged=\
    bridge_vlany,ether5_TAG_Netgear_7.4,ether4_TAG vlan-ids=77
add bridge=bridge_vlany tagged=\
    bridge_vlany,ether5_TAG_Netgear_7.4,ether4_TAG_HP vlan-ids=67
add bridge=bridge_vlany tagged=\
    bridge_vlany,ether4_TAG_HP_7.11,ether5_TAG_ vlan-ids=5
add bridge=bridge_vlany tagged=bridge_vlany vlan-ids=13

/interface list member
add comment=defconf disabled=yes interface=bridge_vlany list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=vlan_7_LAN list=LAN
add interface=ether2 list=WAN

/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=PUBLICIP disabled=no interface=ether1_WAN

/ip dns
set allow-remote-requests=yes servers=192.168.7.15

/ip firewall address-list

add address=192.168.7.0/24 list=Lista_LAN

add address=0.0.0.0/0 list=INTERNET


add address=DDNSSITE-B comment=CloudDNS \
    list=Lista_myCLOUD
add address=192.168.55.0/24 list=Lista_LAN
add address=10.0.88.0/24 list=Lista_LAN
/ip firewall filter
add action=drop chain=input disabled=yes dst-address=192.168.7.0/24 \
    src-address=10.0.88.3
add action=accept chain=forward dst-address=192.168.55.0/24 src-address=\
    192.168.7.0/24
add action=accept chain=input dst-address=192.168.50.0/24 src-address=\
    192.168.7.0/24
add action=accept chain=input dst-address=192.168.7.0/24 src-address=\
    192.168.55.0/24
add action=accept chain=input dst-address=192.168.7.0/24 src-address=\
    192.168.50.0/24
add action=accept chain=input dst-address=192.168.7.0/24 src-address=\
    10.0.88.0/24
add action=accept chain=output dst-address=192.168.7.0/24 src-address=\
    10.0.88.0/24
add action=accept chain=forward dst-address=10.0.88.0/24 src-address=\
    192.168.7.0/24
add action=accept chain=forward dst-address=192.168.55.0/24 src-address=\
    10.0.88.0/24
add action=accept chain=input comment=l2tp-allow dst-port=1701 protocol=udp \
    src-address-list=Lista_myCLOUD
add action=accept chain=input comment=l2tp-allow dst-port=500 log=yes \
    log-prefix=l2tp_log_500_ protocol=udp src-address-list=Lista_myCLOUD
add action=accept chain=input comment=l2tp-allow dst-port=4500 protocol=udp \
    src-address-list=Lista_myCLOUD
add action=drop chain=input in-interface-list=WAN src-address-list=reczny_ban
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward dst-address=192.168.11.11 src-address=\
    192.168.11.22
add action=accept chain=input dst-address=192.168.7.0/24 src-address=\
    192.168.110.0/24
add action=accept chain=input dst-address=192.168.1.0/24 src-address=\
    192.168.7.0/24
add action=accept chain=input dst-address=192.168.11.0/24 src-address=\
    192.168.60.0/24
add action=accept chain=input dst-address=192.168.11.1 src-address=\
    192.168.11.0/24
add action=accept chain=input dst-address=192.168.7.0/24 src-address=\
    192.168.11.0/24
add action=accept chain=input dst-address=192.168.9.99 protocol=icmp \
    src-address=192.168.6.66
add action=accept chain=input dst-address=192.168.7.1 src-address=\
    192.168.77.1
add action=accept chain=input dst-address=192.168.10.1 src-address=\
    192.168.77.1
add action=accept chain=input dst-address=192.168.11.0/24 src-address=\
    192.168.77.1

add action=accept chain=forward dst-address=192.168.6.66 src-address=\
    192.168.7.0/24
add action=accept chain=forward connection-state=established dst-address=\
    192.168.7.0/24 src-address=192.168.6.66

add action=accept chain=input comment=FW_MY_accept_from_LAN_List \
    src-address-list=Lista_LAN
add action=accept chain=forward comment=\
    "FW_MY_accept(ICMP)_est_bridge433_to_LAN" connection-state=established \
    dst-address=192.168.7.0/24 protocol=icmp src-address=192.168.6.67
add action=accept chain=forward comment=\
    "FW_MY_accept(http:80)_est_bridge433_to_LAN" connection-state=established \
    dst-address=192.168.7.0/24 protocol=tcp src-address=192.168.6.67 \
    src-port=80
add action=accept chain=input comment="DNS Accept from IoT to LAN" \
    dst-address=192.168.7.1 dst-port=53 protocol=udp src-address=\
    192.168.6.0/24
add action=accept chain=input comment="DNS Accept from CAM to LAN" \
    dst-address=192.168.7.1 dst-port=53 protocol=udp src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="DNS Accept from IoT to LAN" \
    dst-address=192.168.7.1 dst-port=53 protocol=udp src-address=\
    192.168.6.0/24
add action=accept chain=forward comment="DNS Accept from IoT to LAN" \
    dst-address=192.168.7.1 dst-port=53 protocol=tcp src-address=\
    192.168.6.0/24
add action=accept chain=input comment="DNS Accept from IoT to LAN" \
    dst-address=192.168.7.1 dst-port=53 protocol=tcp src-address=\
    192.168.6.0/24

add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid

add action=accept chain=input comment=OPEN-VPN-ALLOW dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=test
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes in-interface=vlan_7_LAN \
    new-packet-mark=lan_upload passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface=ether1_WAN \
    new-packet-mark=lan_download passthrough=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.55.0/24 src-address=\
    192.168.7.0/24
add action=masquerade chain=srcnat comment="IPSEC POLICY OUT" disabled=yes \
    dst-address-type="" fragment=no ipsec-policy=out,none out-interface-list=\
    WAN src-address-type=""
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.88.0/24 \
    src-address=192.168.7.0/24
add action=accept chain=srcnat disabled=yes dst-address=10.0.88.0/24 \
    src-address=192.168.55.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.55.0/24 \
    src-address=192.168.7.0/24
add action=masquerade chain=srcnat comment=WAN_1 ipsec-policy=out,none \
    out-interface=ether1_WAN
add action=masquerade chain=srcnat out-interface=ether2 src-address=\
    192.168.7.0/24
add action=dst-nat chain=dstnat comment=pihole dst-address=192.168.7.15 \
    dst-port=53 protocol=udp src-address=192.168.7.0/24 to-addresses=\
    192.168.7.15

add action=masquerade chain=srcnat comment="NAT DO SITEB" disabled=yes \
    dst-address=192.168.55.0/24 src-address=192.168.7.0/24
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=192.168.55.0/24 \
    src-address=192.168.7.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.7.0/24 \
    src-address=192.168.55.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add disabled=yes generate-policy=port-strict mode-config=\
    "modeconf dhco ikev2pool" peer="peer 123.45.67.8-x" \
    policy-template-group="group vpn.ike2.xyz" secret=SECRET
add generate-policy=port-override mode-config="modeconf SITEB static ip" \
    peer="peer SITEB" policy-template-group="group vpn.ike2.xyz" secret=\
    SECRET
/ip ipsec policy
add comment="policy template vpn.ike2.xyz" dst-address=10.0.88.0/24 group=\
    "group vpn.ike2.xyz" proposal="proposal vpn.ike2.xyz" src-address=\
    0.0.0.0/0 template=yes


/ip route
#WAN 0.0.0.0/0 (add default route from dhcp CLIENT)
add distance=1 dst-address=192.168.55.0/24 gateway=10.0.88.3
add disabled=yes distance=15 dst-address=192.168.55.0/24 gateway=\
    192.168.11.11
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.11.33
add disabled=yes distance=1 dst-address=192.168.55.0/24 gateway=10.0.88.3

SITE B
# model = RB931-2nD

/interface bridge
add admin-mac=DC:2C:6E:DD:AF:19 arp=proxy-arp auto-mac=no comment=defconf \
    fast-forward=no igmp-snooping=yes name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    "4g usb" supplicant-identity="" wpa2-pre-shared-key=WIFILTEPASSWORD
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=poland disabled=no \
    distance=indoors frequency=2437 installation=indoor security-profile=\
    "4g usb" ssid="4G UFI-9211" wireless-protocol=802.11
/ip ipsec policy group
add name="group vpn.ike2.xyz"
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    "profile vpn.ike2.xyz"
/ip ipsec peer
add address=DDNSMIKROTIK-SITE-A exchange-mode=ike2 name=\
    "peer SITE-A server" profile="profile vpn.ike2.xyz"
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name=\
    "proposal vpn.ike2.xyz" pfs-group=none

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=wlan1 list=WAN
/ip address
add address=192.168.55.1/24 interface=bridge network=192.168.55.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add disabled=no interface=wlan1

/ip dns
set allow-remote-requests=yes servers=192.168.50.1,1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=DDNSMIKROTIK-SITE-A comment=MT_SITE-A list=My_Cloud_MT
/ip firewall filter
add action=accept chain=input disabled=yes src-address=192.168.7.0/24
add action=accept chain=input disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=input comment=mt_mycloud_allow disabled=yes \
    src-address-list=My_Cloud_MT
add action=accept chain=input comment=Wireguard disabled=yes dst-port=13231 \
    protocol=udp
add action=accept chain=forward comment=Wireguard disabled=yes dst-port=13231 \
    protocol=udp
add action=accept chain=input disabled=yes src-address=192.168.11.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.55.0/24 src-address=\
    192.168.7.0/24 to-addresses=192.168.55.0/24
add action=accept chain=srcnat disabled=yes protocol=udp src-port=500,4500
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=192.168.55.0/24 \
    src-address=192.168.7.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.7.0/24 \
    src-address=192.168.55.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add generate-policy=port-strict mode-config=request-only peer=\
    "peer plock server" policy-template-group="group vpn.ike2.xyz" secret=\
    SECRETPASSWORD
/ip ipsec policy
set 0 disabled=yes
add comment="policy template vpn.ike2.xyz" dst-address=0.0.0.0/0 group=\
    "group vpn.ike2.xyz" proposal="proposal vpn.ike2.xyz" src-address=\
    10.0.88.0/24 template=yes
/ip route
add distance=2 gateway=192.168.55.1
add distance=1 dst-address=10.0.88.0/24 gateway=10.0.88.1
add comment="SITE-A over IKEv2" distance=5 dst-address=192.168.7.0/24 gateway=\
    10.0.88.1
add comment="SITE-A over L2TP" distance=10 dst-address=192.168.7.0/24 gateway=\
    192.168.11.1
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.11.1
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.55.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.7.0/24,192.168.11.0/24
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MT_SITEB
/system ntp client
set enabled=yes primary-ntp=153.19.250.123 secondary-ntp=178.252.19.225



 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN IPSEC cant ping from one side  [SOLVED]

Tue Feb 14, 2023 2:37 pm

It seems overcomplicated. You probably don't need mode config and extra addresses, just a simple static tunnel between subnets. Also, plain IPSec is different from L2TP: it doesn't give you any new interface and doesn't use routes the same way. Instead it defines what should go to the tunnel using policies, and that traffic appears on the WAN interface, as if it's from/to the internet (but it's not exactly true). Something like this should work:

Site A:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=siteB
/ip ipsec peer
add exchange-mode=ike2 name=siteB passive=yes profile=siteB
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=siteB pfs-group=modp2048
/ip ipsec identity
add peer=siteB secret="SomeVeryVeryVeryLongAndImpossibleToGuessSecret"
/ip ipsec policy
add dst-address=192.168.55.0/24 peer=siteB proposal=siteB src-address=192.168.7.0/24 tunnel=yes

Site B:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=siteA
/ip ipsec peer
add address=<public address or hostname of site A> exchange-mode=ike2 name=siteA profile=siteA
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=siteA pfs-group=modp2048
/ip ipsec identity
add peer=siteA secret="SomeVeryVeryVeryLongAndImpossibleToGuessSecret"
/ip ipsec policy
add dst-address=192.168.7.0/24 peer=siteA proposal=siteA src-address=192.168.55.0/24 tunnel=yes
 
piotrchm93
just joined
Topic Author
Posts: 12
Joined: Mon Feb 13, 2023 8:53 pm

Re: VPN IPSEC cant ping from one side

Wed Feb 15, 2023 1:51 am

Sob, thank you very much for your reply and your time. Of course, I'm probably fussing too much.

I uploaded the configuration you gave me and the IPSEC tunnel connected without a problem. Unfortunately, the pings don't go through, this time from both sides. I am posting screenshots from the MikroTik configuration.

I tried your configuration with the firewall turned off on both sides; the result is the same.
reply to Sob.png
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN IPSEC cant ping from one side

Wed Feb 15, 2023 8:28 pm

Those blue unreachable routes to remote subnets (on both routers) are wrong. Right now I'm not sure (temporary brain outage ;)) whether they are breaking it; I think they shouldn't. But you don't need them, so they can be removed. You can also check if the IPSec counters are increasing (in IP->IPSec->Installed SAs) when you're trying to ping something remote. But I don't see what's blocking it.
 
piotrchm93
just joined
Topic Author
Posts: 12
Joined: Mon Feb 13, 2023 8:53 pm

Re: VPN IPSEC cant ping from one side

Wed Feb 15, 2023 10:34 pm

Sob, thank you so much for your attempt to help, I really appreciate it :)

I removed the redundant routing and broke the IPSEC connection using Kill Connection. The SAs cleared, and after reconnecting the values on the screen appeared. I pinged both sides; unfortunately no change.
disabled routing.png
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN IPSEC cant ping from one side

Thu Feb 16, 2023 12:01 am

Current bytes = 0 means that nothing is sent or received. But if you're pinging from the router, that's expected; you need to set the source address, because it's choosing the wrong one:
/ping src-address=192.168.55.1 address=192.168.7.1
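Added example (not from the thread or from MikroTik): a simplified Python model of the behaviour Sob describes, where the routing table picks the egress interface and therefore the default source address of a router-originated ping, and the IPsec policy only captures packets whose (src, dst) pair falls inside its selectors. The Site B addresses are from the thread; the LTE-side address 192.168.43.3 and the default route via wlan1 are taken from the OP's description, and real RouterOS source selection has more rules (pref-src and so on) than this model.

```python
"""Policy-based IPsec vs. router-originated traffic (simplified model)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: IPv4Network         # destination prefix
    iface: str               # egress interface
    iface_addr: IPv4Address  # address on that interface, used as source for local traffic


@dataclass(frozen=True)
class Policy:
    src: IPv4Network         # IPsec selector: local subnet
    dst: IPv4Network         # IPsec selector: remote subnet


def select_route(routes: list[Route], dst: IPv4Address) -> Route:
    """Longest-prefix match over the routing table."""
    candidates = [r for r in routes if dst in r.dst]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.dst.prefixlen)


def matching_policy(policies: list[Policy], src: IPv4Address,
                    dst: IPv4Address) -> Optional[Policy]:
    """First policy whose selectors cover the (src, dst) pair, or None."""
    for p in policies:
        if src in p.src and dst in p.dst:
            return p
    return None


def simulate_ping(routes, policies, dst, src_address=None):
    """Return (source used, encrypted?) for a ping originated by the router.

    Without an explicit src-address the router uses the address of the
    interface the route points out of (the WAN side for a default route),
    so the packet never matches a LAN-to-LAN policy and leaves in plaintext.
    """
    dst_ip = IPv4Address(dst)
    route = select_route(routes, dst_ip)
    src_ip = IPv4Address(src_address) if src_address else route.iface_addr
    return str(src_ip), matching_policy(policies, src_ip, dst_ip) is not None


# Constructed from the Site B side of the thread: LAN on the bridge, default
# route learned by the DHCP client on wlan1 (LTE router, behind NAT; assumed).
SITE_B_ROUTES = [
    Route(IPv4Network("0.0.0.0/0"), "wlan1", IPv4Address("192.168.43.3")),
    Route(IPv4Network("192.168.55.0/24"), "bridge", IPv4Address("192.168.55.1")),
]
# Sob's site-to-site policy as seen from Site B: 192.168.55.0/24 <-> 192.168.7.0/24
SITE_B_POLICIES = [Policy(IPv4Network("192.168.55.0/24"),
                          IPv4Network("192.168.7.0/24"))]

if __name__ == "__main__":
    for src in (None, "192.168.55.1"):
        used, enc = simulate_ping(SITE_B_ROUTES, SITE_B_POLICIES, "192.168.7.1", src)
        print(f"ping src={used:<14} encrypted={enc}")
```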
 
piotrchm93
just joined
Topic Author
Posts: 12
Joined: Mon Feb 13, 2023 8:53 pm

Re: VPN IPSEC cant ping from one side

Thu Feb 16, 2023 12:48 am

It's working!

Thank you very much for your help and time!
