daniel2018
Topic Author

IPSec tunnel established but no ping, version 6.41.2

Fri Feb 16, 2018 9:32 pm

Hello, I set up a laboratory to test IPsec site to site, with two 751 routers.
The tunnel is established correctly, but I do not get connectivity between the endpoints; no ping.
I established the firewall rules without restrictions, since I only want the IPSec tunnel to work.
I followed the mkt instructions for this version at this link: https://wiki.mikrotik.com/wiki/Manual:I ... NAT_Bypass , after several attempts with other instructions.
(The only change is that the WAN interfaces are in the same network to make it easier.)

Config of each router and attached verbose export:

R1
# jan/02/1970 00:10:03 by RouterOS 6.41.2
# software id = 4XFG-ZISK
/interface ethernet
set [ find default-name=ether1 ] name=ether1-public
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.90.1/24 interface=ether1-public network=192.168.90.0
add address=10.1.202.1/24 interface=ether2 network=10.1.202.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=10.1.202.0/24
add action=masquerade chain=srcnat out-interface=ether1-public
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.101.0/24 src-address=10.1.202.0/24
add action=notrack chain=prerouting dst-address=10.1.202.0/24 src-address=10.1.101.0/24
/ip ipsec peer
add address=192.168.90.100/32 secret=test
/ip ipsec policy
add dst-address=10.1.101.0/24 sa-dst-address=192.168.90.100 sa-src-address=192.168.90.1 src-address=10.1.202.0/24 tunnel=yes

R2
# jan/01/2002 01:16:37 by RouterOS 6.41.2
# software id = H1SN-W50H
#
# model = 750UP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.90.100/24 interface=ether1 network=192.168.90.0
add address=10.1.101.1/24 interface=ether2 network=10.1.101.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.202.0/24 src-address=10.1.101.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.202.0/24 src-address=10.1.101.0/24
add action=notrack chain=prerouting dst-address=10.1.101.0/24 src-address=10.1.202.0/24
/ip ipsec peer
add address=192.168.90.1/32 secret=test
/ip ipsec policy
add dst-address=10.1.202.0/24 sa-dst-address=192.168.90.1 sa-src-address=192.168.90.100 src-address=10.1.101.0/24 tunnel=yes

Thanks for all.

Daniel.