Community discussions

crazydesigner
just joined
Topic Author
Posts: 11
Joined: Sat Apr 15, 2017 7:28 pm

Site to Site IPsec tunnel. Can't ping hosts

Mon Jan 28, 2019 10:19 pm

Hello

I have a site-to-site VPN and it is working correctly: PH2 state is established and I also see installed SAs, but I cannot ping the router and the network computers.

I am using this tutorial and everything works fine, but I can't ping hosts. https://wiki.mikrotik.com/wiki/Manual:I ... sec_tunnel


Site 1 configuration
/ip ipsec peer
add address=192.168.80.1/32 auth-method=pre-shared-key secret="test"
Using the default proposal, so I will not write the command for this.
# Tunnel-mode policy: LAN-to-LAN traffic is encrypted, the SA runs between the two WAN addresses
/ip ipsec policy
add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 \
tunnel=yes action=encrypt proposal=default
---------------------------------------------------------------------------------------------------------------

Site 2 configuration
/ip ipsec peer
add address=192.168.90.1/32 auth-method=pre-shared-key secret="test"
Using the default proposal, so I will not write the command for this.
# Mirror image of the Site 1 policy: src/dst and sa-src/sa-dst are swapped
/ip ipsec policy
add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any \
sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 \
tunnel=yes action=encrypt proposal=default
After this, PH2 state is established and I also see installed SAs.


NAT and Fasttrack Bypass

Office 1 router:
# place-before=0 puts the accept rule above masquerade, so LAN-to-LAN traffic keeps its source address
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
 src-address=10.1.202.0/24 dst-address=10.1.101.0/24
Office 2 router:
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
 src-address=10.1.101.0/24 dst-address=10.1.202.0/24

Adding firewall raw rule
# notrack keeps LAN-to-LAN traffic out of connection tracking, so fasttrack and NAT never touch it
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
So which additional steps must I take in the firewall, NAT or routes so that hosts from network 10.1.202.0 can ping 10.1.101.0 computers?

Thanks, and waiting for advice using this tutorial.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Site to Site IPsec tunnel. Can't ping hosts

Mon Jan 28, 2019 10:46 pm

The default firewall accepts untracked connections. Are you using the default firewall? Are you pinging from/to routers or hosts? If routers, add a route to the remote subnet via the local interface to ensure the router picks the correct source address.
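The two things this reply turns on, modelled as an added Python example (not code from the original posts, from MikroTik or from the linked tutorial): first, whether the two sites' policies are mirror images of each other, and second, which source address a router picks for its own ping and whether that address still matches the IPsec policy once srcnat and the raw notrack rule are applied. The policies, the srcnat bypass and the notrack pair are taken from the thread; the Site 1 addressing (WAN 192.168.90.1 as the default-route exit, LAN gateway 10.1.202.1), the catch-all masquerade rule and the rule that a router sources its own packets from the exit interface's address are assumptions for the model.

```python
"""Model of two checks from this thread: are the two sites' IPsec policies
mirror images, and which source address does a router pick for its own ping
(and does that address still match the policy after srcnat / notrack).
Addressing of the Site 1 router below is assumed, not from the thread."""
import ipaddress
from dataclasses import dataclass


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sa_src: ipaddress.IPv4Address
    sa_dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    # Simplification: the router sources its own packets from the exit interface's address.
    pref_src: ipaddress.IPv4Address


@dataclass(frozen=True)
class SrcNatRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "accept" (bypass) or "masquerade"


# Policies exactly as posted for Site 1 and Site 2.
SITE1 = Policy(net("10.1.202.0/24"), net("10.1.101.0/24"), addr("192.168.90.1"), addr("192.168.80.1"))
SITE2 = Policy(net("10.1.101.0/24"), net("10.1.202.0/24"), addr("192.168.80.1"), addr("192.168.90.1"))

# Assumed (hypothetical) Site 1 addressing: WAN 192.168.90.1, LAN gateway 10.1.202.1.
WAN1, LAN1 = addr("192.168.90.1"), addr("10.1.202.1")
ROUTES_NO_FIX = [Route(net("0.0.0.0/0"), WAN1), Route(net("10.1.202.0/24"), LAN1)]
# The advised fix: a route to the remote subnet via the local (LAN) interface.
ROUTES_WITH_FIX = ROUTES_NO_FIX + [Route(net("10.1.101.0/24"), LAN1)]

# srcnat chain: the posted bypass rule at position 0, then an assumed catch-all masquerade.
BYPASS = SrcNatRule(net("10.1.202.0/24"), net("10.1.101.0/24"), "accept")
MASQ = SrcNatRule(net("0.0.0.0/0"), net("0.0.0.0/0"), "masquerade")
# The posted raw notrack rule as a (src, dst) pair; untracked packets never reach NAT.
NOTRACK = [(net("10.1.202.0/24"), net("10.1.101.0/24"))]


def policies_mirror(a: Policy, b: Policy) -> bool:
    """Site B's policy must equal Site A's with src/dst and sa-src/sa-dst swapped."""
    return (a.src, a.dst, a.sa_src, a.sa_dst) == (b.dst, b.src, b.sa_dst, b.sa_src)


def lookup(routes, dst):
    """Longest-prefix match over the routing table; None if nothing matches."""
    matches = [r for r in routes if dst in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen, default=None)


def apply_srcnat(nat, notrack, src, dst, wan):
    """First matching srcnat rule wins; a notrack match skips the NAT chain entirely."""
    if any(src in s and dst in d for s, d in notrack):
        return src
    for r in nat:
        if src in r.src and dst in r.dst:
            return wan if r.action == "masquerade" else src
    return src


def sent_encrypted(policy, routes, nat, notrack, dst, src=None, wan=WAN1):
    """Return (source address after srcnat, True if the IPsec policy matches it).
    src=None means the router itself originates the packet and takes its source
    address from the route that reaches dst."""
    if src is None:
        route = lookup(routes, dst)
        if route is None:
            return None, False
        src = route.pref_src
    src = apply_srcnat(nat, notrack, src, dst, wan)
    return src, (src in policy.src and dst in policy.dst)


if __name__ == "__main__":
    remote_router, lan_host = addr("10.1.101.1"), addr("10.1.202.50")
    print("policies mirror:        ", policies_mirror(SITE1, SITE2))
    print("router ping, no route:  ", sent_encrypted(SITE1, ROUTES_NO_FIX, [BYPASS, MASQ], [], remote_router))
    print("router ping, with route:", sent_encrypted(SITE1, ROUTES_WITH_FIX, [BYPASS, MASQ], [], remote_router))
    print("host, masquerade only:  ", sent_encrypted(SITE1, ROUTES_WITH_FIX, [MASQ], [], remote_router, lan_host))
    print("host, notrack:          ", sent_encrypted(SITE1, ROUTES_WITH_FIX, [MASQ], NOTRACK, remote_router, lan_host))
```

Without the extra route the router's ping to 10.1.101.1 follows the default route and is sourced from the WAN address, which is outside the policy's src-address, so it leaves the router in clear text; with the route via the LAN interface the source becomes 10.1.202.1 and the policy matches. For LAN hosts the route is irrelevant, but a masquerade rule that is not bypassed (or a notrack rule that keeps the traffic out of NAT) decides the same way.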
 
crazydesigner
just joined
Topic Author
Posts: 11
Joined: Sat Apr 15, 2017 7:28 pm

Re: Site to Site IPsec tunnel. Can't ping hosts

Tue Feb 05, 2019 6:11 pm

moderator note: do not quote preceding post, just use "Post Reply".
Thanks. I added the route and now I can ping/tracert from 10.1.202.1 to 10.1.101.1 and from 10.1.101.1 to 10.1.202.1, but after some time I am unable to ping/tracert from 10.1.202.1. If I send a ping from 10.1.101.1, then I am able to ping again. What kind of problem this is, I have no idea.
 
JanWerner
just joined
Posts: 3
Joined: Fri Aug 09, 2019 11:14 pm

Re: Site to Site IPsec tunnel. Can't ping hosts

Thu Oct 31, 2019 2:33 pm

moderator note: do not quote preceding post, just use "Post Reply".
Hi. I have the same problem. Have you solved this problem?
 
albantax
just joined
Posts: 2
Joined: Wed Jun 16, 2021 5:08 pm

Re: Site to Site IPsec tunnel. Can't ping hosts

Thu Jun 17, 2021 1:33 am

moderator note: do not quote preceding post, just use "Post Reply".
I have the same problem: I have to ping before I can send traffic. Has anyone solved this issue?
 
Elranchero
just joined
Posts: 4
Joined: Mon Jun 28, 2021 3:59 pm

Re: Site to Site IPsec tunnel. Can't ping hosts

Sun Oct 02, 2022 7:27 pm

Hi

Do you have a drop rule at the end?

If yes, then just add this rule before the drop rule:

chain: input
protocol: ipsec-esp
Action: Accept
