tinodj
just joined
Topic Author
Posts: 5
Joined: Fri Oct 05, 2018 4:04 pm

IPsec site-to-site tunnel is not working for some traffic

Sun Feb 03, 2019 8:00 pm

Hi,

I have an IPsec site-to-site tunnel. This was working without much setup, only following this tutorial:
https://wiki.mikrotik.com/wiki/Manual:I ... sec_tunnel

However, it stopped. I suspect this was due to recent updates on both sides. So, it stopped passing http/https traffic. For example, remote desktop was working just fine, and copying files through remote desktop was also fine, although the speed was not very satisfying (only 3 Mbit/s, router CPU at 30% while copying).

Both routers are the same: 2011UiAS-2HnD. On site A it is PPPoE (1480 MTU), on site B it is a 1500 MTU Ethernet Internet connection.

I was reading a lot, and concluded this has to do with MTU/MSS. I added a mangle rule, and now office-to-office http/https works. However, office to other-office Internet out link is not working. Traceroute is not going through, and traffic is going very slowly, almost none. I am enabling this with an ip firewall NAT rule, saying accept anything going to 0.0.0.0/0 from this IP. And then this goes through the IPsec tunnels.

Pinging an IP from macOS on site A to any machine/MikroTik router on site B:
max 8192 bytes goes fine; more than this it is saying packet too large.

Pinging an IP from a Windows machine on site A to the MikroTik on site B:
even packets as big as 20000 bytes are going through.

Traceroute from site A to site B and vice versa works. Traceroute to other destinations going through the Internet on the other side is not working. HTTP/HTTPS traffic is also not working.

Tried adding proxy-arp on the interfaces; it didn't help, although I remember this helped me a few months back when I had a similar issue (but not the same).

Anyone here can help?
 
tinodj
just joined
Topic Author
Posts: 5
Joined: Fri Oct 05, 2018 4:04 pm

Re: IPsec site-to-site tunnel is not working for some traffic

Sun Feb 03, 2019 9:25 pm

Update, although the ip firewall mangle rule is there:
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.98.0/24 new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward log=yes new-mss=1300 passthrough=yes protocol=tcp src-address=192.168.98.0/24 tcp-flags=syn tcp-mss=1301-65535
When I look in the sniffer / connections, I can see the connection from 192.168.98.76 has MSS 1460. I believe somehow this might be the issue, but how come the MSS is not changed?

Also, in the packets, every packet has size 78 bytes.

I can do some export of configurations if someone is willing to help me. I spent two days on this and I have no idea where to look further.
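The MTU/MSS reasoning in the two posts above (PPPoE at 1480 bytes on one side, 1500 on the other, a sniffer showing MSS 1460 while the mangle rule aims for 1300) can be checked with a small calculation. The following is an added example, not code from the thread or from MikroTik: it estimates the ESP tunnel-mode overhead and derives the largest MSS that crosses the tunnel unfragmented. The overhead figures are assumptions for a typical ESP SA with AES-CBC and HMAC-SHA1-96; a different proposal (AES-GCM, for instance) changes them, and the function arguments let you plug in other values.

```python
# Added example (not from the thread): estimate what TCP MSS fits through an IPsec
# tunnel on a given outer MTU, and test whether an observed MSS survives the trip.
# Overhead figures are assumptions for ESP tunnel mode with AES-CBC and
# HMAC-SHA1-96; a different proposal (e.g. AES-GCM) changes them.

IPV4_HEADER = 20
TCP_HEADER = 20
ESP_SPI_SEQ = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2            # pad length (1) + next header (1)
AES_CBC_IV = 16
AES_BLOCK = 16
HMAC_SHA1_96_ICV = 12


def esp_tunnel_overhead(inner_len, iv=AES_CBC_IV, block=AES_BLOCK, icv=HMAC_SHA1_96_ICV):
    """Bytes ESP tunnel mode adds around an inner IPv4 packet of inner_len bytes.

    Tunnel mode prepends a new outer IPv4 header; the inner packet plus the
    2-byte trailer is padded up to the cipher block size before encryption.
    """
    padding = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HEADER + ESP_SPI_SEQ + iv + padding + ESP_TRAILER + icv


def max_inner_packet(outer_mtu, **sa):
    """Largest inner IPv4 packet whose encapsulated form still fits in outer_mtu."""
    size = outer_mtu
    while size > 0 and size + esp_tunnel_overhead(size, **sa) > outer_mtu:
        size -= 1
    return size


def safe_mss(outer_mtu, **sa):
    """TCP MSS to clamp to so that full segments cross the tunnel unfragmented."""
    return max_inner_packet(outer_mtu, **sa) - IPV4_HEADER - TCP_HEADER


def segment_fits(mss, outer_mtu, **sa):
    """Would a full-size segment negotiated with this MSS fit without fragmentation?"""
    inner = mss + IPV4_HEADER + TCP_HEADER
    return inner + esp_tunnel_overhead(inner, **sa) <= outer_mtu


if __name__ == "__main__":
    for link, mtu in (("site A PPPoE", 1480), ("site B Ethernet", 1500)):
        print(f"{link}: MTU {mtu} -> largest inner packet {max_inner_packet(mtu)}, "
              f"safe MSS {safe_mss(mtu)}")
    # The sniffer in the thread showed MSS 1460; the mangle rule aims for 1300.
    for mss in (1460, 1300):
        print(f"MSS {mss} over the 1480 link fits: {segment_fits(mss, 1480)}")
```

With these assumptions a 1480-byte PPPoE link carries an inner packet of at most 1422 bytes, so anything negotiated above an MSS of 1382 will be fragmented or, when the DF bit is set, dropped with an ICMP "fragmentation needed" reply that the sender must receive for path MTU discovery to work. An unclamped MSS of 1460 (a 1500-byte inner packet) therefore cannot fit at all, which matches the symptoms of small pings working while bulk HTTP transfers stall; the rule's 1300 is comfortably below the limit.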
 
yacsap
Member Candidate
Posts: 110
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: IPsec site-to-site tunnel is not working for some traffic

Sun Feb 03, 2019 9:40 pm

Do you have Fasttrack enabled?

If so, read this article: https://saputra.org/mikrotik-fasttrack-with-ipsec/
 
tinodj
just joined
Topic Author
Posts: 5
Joined: Fri Oct 05, 2018 4:04 pm

Re: IPsec site-to-site tunnel is not working for some traffic

Sun Feb 03, 2019 10:05 pm

Do you have Fasttrack enabled?

If so, read this article: https://saputra.org/mikrotik-fasttrack-with-ipsec/
Tried with it enabled and with the RAW no-track workaround, as well as with disabling it. None helped :(
 
nichky
Long time Member
Posts: 601
Joined: Tue Jun 23, 2015 2:35 pm

Re: IPsec site-to-site tunnel is not working for some traffic

Sun Feb 03, 2019 11:59 pm

What does this ip address=192.168.98.0/24 do?
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
tinodj
just joined
Topic Author
Posts: 5
Joined: Fri Oct 05, 2018 4:04 pm

Re: IPsec site-to-site tunnel is not working for some traffic

Mon Feb 04, 2019 12:45 am

huh,

after playing for some time it started working. I had a rule saying this:

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=ETH1_and_PPPoE log=no log-prefix=""

After removing it and configuring step by step from the beginning, it started working. I have no idea what this rule was doing and why it was not working when it was in force. Now all good.

Thanks to all! Me happy; finally, after a whole weekend spent, this works again.
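The rule quoted in the post above is part of the RouterOS default firewall, and it catches tunnel traffic for a reason worth seeing rather than guessing at: on RouterOS a packet decrypted from an IPsec policy re-enters the forward chain with the WAN interface the ESP packet arrived on as its in-interface, so a new connection from the remote site looks like an unsolicited connection from the Internet and is dropped. Removing the rule fixes the tunnel but also removes the protection it gave. The following is an added example, not code from the thread or from MikroTik: a small model of forward-chain evaluation that shows the drop on decrypted traffic, the exposure created by deleting the rule, and the usual fix of an accept rule matched on ipsec-policy=in,ipsec placed before it. The interface-list name ETH1_and_PPPoE and the source 192.168.98.76 come from the thread; the interface member names, the other addresses and the packets themselves are constructed.

```python
# Added example (not from the thread): a simplified model of RouterOS forward-chain
# matching, showing why "drop all from WAN not DSTNATed" catches traffic that was
# just decrypted from an IPsec tunnel and how an accept rule on
# ipsec-policy=in,ipsec placed above it keeps the WAN protection intact.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    connection_state: str                                    # "new" or "established"
    connection_nat_state: Set[str] = field(default_factory=set)  # e.g. {"dstnat"}
    ipsec_policy_in: bool = False                            # decrypted by an inbound IPsec policy


@dataclass
class Rule:
    action: str                                              # "accept" or "drop"
    comment: str = ""
    connection_state: Optional[str] = None
    connection_nat_state_not: Optional[str] = None           # models connection-nat-state=!X
    in_interface_list: Optional[str] = None
    ipsec_policy_in: Optional[bool] = None                   # models ipsec-policy=in,ipsec


# Interface list name from the thread; the member interface names are assumptions.
INTERFACE_LISTS = {"ETH1_and_PPPoE": {"ether1", "pppoe-out1"}}


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must hold for the packet (RouterOS semantics)."""
    if rule.connection_state is not None and pkt.connection_state != rule.connection_state:
        return False
    if rule.connection_nat_state_not is not None and rule.connection_nat_state_not in pkt.connection_nat_state:
        return False
    if rule.in_interface_list is not None and pkt.in_interface not in INTERFACE_LISTS[rule.in_interface_list]:
        return False
    if rule.ipsec_policy_in is not None and pkt.ipsec_policy_in != rule.ipsec_policy_in:
        return False
    return True


def forward_chain(rules, pkt: Packet, default: str = "accept") -> str:
    """First matching rule wins; an empty chain falls through to the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# The rule quoted in the thread.
DROP_WAN = Rule(action="drop", comment="defconf: drop all from WAN not DSTNATed",
                connection_state="new", connection_nat_state_not="dstnat",
                in_interface_list="ETH1_and_PPPoE")
# The accept rule that belongs above it (RouterOS matcher ipsec-policy=in,ipsec).
ACCEPT_IPSEC = Rule(action="accept", comment="accept traffic decrypted from IPsec",
                    ipsec_policy_in=True)

# Constructed packets. Decrypted tunnel traffic keeps the WAN interface the ESP
# packet arrived on as its in-interface, so the drop rule sees it as WAN traffic.
TUNNEL_PKT = Packet(src="192.168.98.76", dst="192.168.88.10", in_interface="pppoe-out1",
                    connection_state="new", ipsec_policy_in=True)
INTERNET_PROBE = Packet(src="203.0.113.5", dst="192.168.88.10", in_interface="pppoe-out1",
                        connection_state="new")
PORT_FORWARD = Packet(src="203.0.113.5", dst="192.168.88.10", in_interface="pppoe-out1",
                      connection_state="new", connection_nat_state={"dstnat"})

RULESETS = {
    "original (drop rule only)": [DROP_WAN],
    "rule removed (what the thread did)": [],
    "accept-ipsec placed before drop": [ACCEPT_IPSEC, DROP_WAN],
}


def compare_rulesets():
    """Map each ruleset to the verdict it gives each sample packet."""
    samples = {"tunnel": TUNNEL_PKT, "internet probe": INTERNET_PROBE, "port forward": PORT_FORWARD}
    return {name: {label: forward_chain(rules, pkt) for label, pkt in samples.items()}
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in compare_rulesets().items():
        print(f"{name}: {verdicts}")
```

The original ruleset drops the tunnel packet along with the unsolicited Internet probe; with the rule deleted, the probe is accepted too, which is the regression to avoid. Placing the ipsec-policy accept rule first yields the intended outcome: tunnel traffic and explicit port forwards pass, everything else new from the WAN is still dropped. On the router the equivalent is an `/ip firewall filter` accept rule with `chain=forward ipsec-policy=in,ipsec` moved above the defconf drop rule.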
