Having an issue where I created a profile with an IPsec Road Warrior connection for Android clients, but can't access any resources on the LAN or Server subnet. Clients connect without any issues.
I created an ipsec chain, and ESP with NAT-T connection marking in the mangle table, to make sure only encrypted packets are allowed.
RouterOS ver 6.31
Input chain
[volga629@canlrt01] > /ip firewall filter print where chain=input
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp log=no log-prefix=""
1 chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; Jump to IPsec chain
chain=input action=jump jump-target=ipsec in-interface=WAN-eth1 log=no log-prefix=""
3 chain=input action=accept protocol=tcp in-interface=!WAN-eth1 dst-port=80,22,443 log=no log-prefix=""
4 chain=input action=accept protocol=udp in-interface=!WAN-eth1 dst-port=53,123 log=no log-prefix=""
5 chain=input action=accept protocol=ospf src-address=10.3.3.0/29 log=no log-prefix=""
6 ;;; IPsec ESP encrypted.
chain=input action=accept packet-mark=ipsec-encrypted log=no log-prefix=""
7 chain=input action=reject reject-with=icmp-network-unreachable dst-address=LAN_SUBNET log=no log-prefix=""
8 chain=input action=drop log=yes log-prefix=""
[volga629@canlrt01] > /ip firewall filter print where chain=ipsec
Flags: X - disabled, I - invalid, D - dynamic
0 chain=ipsec action=accept protocol=ipsec-esp log=no log-prefix=""
1 chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=500 log=no log-prefix=""
2 chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500 log=no log-prefix=""
[volga629@canlrt01] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T group=RemoteAccess src-address=10.30.254.0/24 dst-address=0.0.0.0/0 protocol=all proposal=netlab-remote-access template=yes
1 D src-address=0.0.0.0/0 src-port=any dst-address=10.30.254.245/32 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=my_pub_ip sa-dst-address=142.169.78.37 priority=2
[volga629@canlrt01] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; IPsec encrypted ESP traffic mark
chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=ipsec-esp in-interface=WAN-eth1
log=no log-prefix=""
1 chain=prerouting action=mark-packet new-packet-mark=ipsec-encrypted passthrough=no protocol=udp in-interface=WAN-eth1
dst-port=4500 log=no log-prefix=""
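An added example, not from the post or from MikroTik: a small Python replay of the input and ipsec chains above against a synthetic packet as it looks after IPsec decryption. It assumes the decrypted packet still has in-interface=WAN-eth1 and carries none of the outer ESP/UDP-4500 markers the mangle rules key on, that the RouterOS ipsec-policy=in,ipsec filter matcher is available on this version, and it uses 192.168.88.0/24 in place of LAN_SUBNET.

```python
"""Replay the post's input/ipsec chains against a synthetic packet (example code, not RouterOS)."""
import ipaddress
# Constructed from the post's listing with log options dropped; LAN_SUBNET stands in as 192.168.88.0/24.
RULES_TEXT = """
0 chain=input action=accept protocol=icmp
1 chain=input action=accept connection-state=established,related
2 chain=input action=jump jump-target=ipsec in-interface=WAN-eth1
3 chain=input action=accept protocol=tcp in-interface=!WAN-eth1 dst-port=80,22,443
4 chain=input action=accept protocol=udp in-interface=!WAN-eth1 dst-port=53,123
5 chain=input action=accept protocol=ospf src-address=10.3.3.0/29
6 chain=input action=accept packet-mark=ipsec-encrypted
7 chain=input action=reject reject-with=icmp-network-unreachable dst-address=192.168.88.0/24
8 chain=input action=drop
0 chain=ipsec action=accept protocol=ipsec-esp
1 chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=500
2 chain=ipsec action=accept protocol=udp in-interface=WAN-eth1 dst-port=4500
"""
# Road-warrior DNS query to the router's LAN address as seen AFTER decryption (assumed: in-interface is
# still WAN-eth1, no ESP/UDP-4500 header and no packet mark remain, and ipsec-policy=in,ipsec matches).
INNER = {'protocol': 'udp', 'in-interface': 'WAN-eth1', 'dst-port': 53,
         'dst-address': '192.168.88.1', 'ipsec-policy': 'in,ipsec'}
NON_MATCHERS = {'chain', 'action', 'jump-target', 'reject-with'}  # rule fields that are not matchers
def parse_rules(text):  # one dict per rule line; the leading index has no '=' and is dropped
    return [dict(t.split('=', 1) for t in ln.split() if '=' in t) for ln in text.splitlines() if '=' in ln]

def _matches(rule, pkt):
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        have = pkt.get(key)
        if key.endswith('-address'):  # CIDR matcher
            ok = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key in ('dst-port', 'connection-state'):  # comma-separated value lists
            ok = str(have) in want.split(',')
        else:  # exact value; a '!' prefix negates, e.g. in-interface=!WAN-eth1
            ok = have != want[1:] if want.startswith('!') else have == want
        if not ok:
            return False
    return True

def walk(rules, pkt, chain='input'):  # first match wins; a jump with no hit returns to the caller
    for idx, rule in enumerate(r for r in rules if r['chain'] == chain):
        if _matches(rule, pkt):
            if rule['action'] != 'jump':
                return (chain, idx, rule['action'])
            hit = walk(rules, pkt, rule['jump-target'])
            if hit:
                return hit
    return None
POLICY_RULE = parse_rules('chain=input action=accept ipsec-policy=in,ipsec')  # candidate fix rule
```

Under these assumptions the decrypted packet walks past every accept and ends at the LAN reject rule, while the outer NAT-T packet is accepted in the ipsec chain; placing an ipsec-policy=in,ipsec accept ahead of the reject lets the decrypted traffic through without admitting plaintext WAN traffic. Traffic bound for LAN hosts goes through the forward chain, which the listing does not show and would need the same treatment.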