Webslider
just joined
Topic Author
Posts: 2
Joined: Wed Oct 18, 2006 6:27 pm

IKE IPSEC working but can't ping. NAT-T?

Wed Oct 18, 2006 7:02 pm

Greetings to the Forum,

Okay, a customer moved and got a new VoIP phone system with a MikroTik Model 532 router out front using the 2.9.2.7 OS. After Dialogix installed the phones and router, I configured the MikroTik with an IPsec IKE encrypted tunnel to a remote site using a SonicWall Pro2040. The guy on the other end says the link is up; unfortunately, we can't pass any packets back and forth between the two private networks behind the routers. Could someone assist or steer us in the right direction to help the 172.16.20.0 network behind the MikroTik router communicate with the 192.168.2.0 clients behind the SonicWall? This was working before with a Linksys VPN Endpoint connecting to the SonicWall Pro router, before the move caused changes. I believe we are talking about NAT Traversal here, but this may just be a routing issue. And I suppose a primary question is: does the MikroTik support NAT Traversal? Please forgive me for sounding like such a rookie, but I was hoping for some guidance with this tricky issue.
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Oct 18, 2006 11:13 pm

No NAT-T until v3.

Regards

Andrew
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Fri Oct 20, 2006 2:20 pm

You don't need NAT-T in this case. All you have to do is add NAT exception rules for traffic flowing between the local networks to the top of the NAT rule list on both routers. This is in the examples in the IPsec manual.

Eugene
 
Webslider
just joined
Topic Author
Posts: 2
Joined: Wed Oct 18, 2006 6:27 pm

Entries

Fri Oct 20, 2006 6:12 pm

> You don't need NAT-T in this case. All you have to do is add NAT exception rules for traffic flowing between the local networks to the top of the NAT rule list on both routers. This is in the examples in the IPsec manual.
>
> Eugene

Hello Eugene,

I was hoping you could clarify your statement or give examples. I looked at the IPsec section of the manual and only found 1 example matching your statement, under the sub-heading "IPsec Between two Masquerading MikroTik Routers".

My existing firewall nat config:
0 chain=srcnat out-interface=ether1 action=masquerade

So in the firewall menu I can:
nat add chain=srcnat src-address=172.16.20.0/24 dst-address=192.168.1.0/24

and I guess the below entry would be redundant because of the first entry in the nat config:
nat add chain=srcnat out-interface=public action=masquerade

Unfortunately, after enabling it, this entry by itself does not enable ping between the router and a host 192.168.1.99 behind the other router.

If you could provide more info...it would be greatly appreciated. I am also curious if any routing entries might be needed as well?

Randy
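
An added example, not part of any post in this thread: a small Python model of why the position of the NAT exception rule matters. It assumes first-match srcnat evaluation with the IPsec policy lookup done on the packet after srcnat; the subnets and the host 192.168.1.99 are taken from the last post, while the public address, the inside host 172.16.20.10 and all function names are constructed, and out-interface matching is left out for brevity.

```python
import ipaddress

# Subnets as written in the last post; the public address is constructed.
LOCAL = ipaddress.ip_network("172.16.20.0/24")
REMOTE = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = ipaddress.ip_address("203.0.113.1")

# Hypothetical rule records: None means "match any address".
MASQUERADE = {"action": "masquerade", "src": None, "dst": None}
EXEMPT = {"action": "accept", "src": LOCAL, "dst": REMOTE}


def _matches(rule, src, dst):
    return ((rule["src"] is None or src in rule["src"]) and
            (rule["dst"] is None or dst in rule["dst"]))


def srcnat(rules, src, dst):
    """Return the source address after the first matching srcnat rule."""
    for rule in rules:
        if _matches(rule, src, dst):
            # accept leaves the packet untouched; masquerade rewrites it
            return PUBLIC_IP if rule["action"] == "masquerade" else src
    return src


def ipsec_policy_matches(src, dst):
    """The tunnel policy is defined on the private subnets only."""
    return src in LOCAL and dst in REMOTE


def send(rules, src, dst):
    """Describe what leaves the router for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    natted = srcnat(rules, src, dst)
    if ipsec_policy_matches(natted, dst):
        return "encrypted into tunnel"
    return f"sent in clear as {natted}"


if __name__ == "__main__":
    # Exception appended after masquerade: it is never reached.
    print(send([MASQUERADE, EXEMPT], "172.16.20.10", "192.168.1.99"))
    # Exception at the top: source is preserved and the policy matches.
    print(send([EXEMPT, MASQUERADE], "172.16.20.10", "192.168.1.99"))
    # Ordinary Internet traffic is still masqueraded.
    print(send([EXEMPT, MASQUERADE], "172.16.20.10", "198.51.100.7"))
```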
