tomsanders
just joined
Topic Author
Posts: 3
Joined: Mon Jul 08, 2019 4:14 pm

Site to Site.. Established but no traffic?

Mon Jul 08, 2019 4:39 pm

Currently have a Site to Site VPN set up between a Cloud Core 1016 and an RB2011iL. The site to site is live and established and a NAT rule to allow the subnet has been inserted. Please see config below:

Remote Site

IPSEC

/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=10s enc-algorithm=3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip ipsec peer
add address=217.***.***.10/32 secret=**********
/ip ipsec policy
add dst-address=172.16.11.0/24 sa-dst-address=***.***.***.10 sa-src-address=213.***.***.234 src-address=192.168.240.0/24 tunnel=yes

Firewall

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=1701 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
/ip firewall nat
add action=accept chain=srcnat comment="SITE TO SITE" disabled=yes dst-address=192.168.240.0/24 src-address=172.16.11.0/24
add action=accept chain=srcnat comment="SITE TO SITE" dst-address=172.16.11.0/24 src-address=192.168.240.0/24

Main Site

IPSEC

/ip ipsec peer profile
add dh-group=modp1024 dpd-interval=10s enc-algorithm=3des name=JACK
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des name=JACK
/ip ipsec peer
add address=46.***.***.26/32 comment=MBS secret=*********
add address=213.***.***.234/32 comment=JACK profile=JACK secret=********
/ip ipsec policy
add comment="JACK SITE TO SITE VPN" dst-address=192.168.240.0/24 proposal=JACK sa-dst-address=\
213.***.***.234 sa-src-address=217.***.***.10 src-address=172.16.11.0/24 tunnel=yes

Firewall

/ip firewall nat
add action=accept chain=srcnat comment="JACK SITE TO SITE " dst-address=192.168.240.0/24 log=yes src-address=172.16.11.0/24
add action=accept chain=srcnat comment="JACK SITE TO SITE " dst-address=172.16.11.0/24 src-address=192.168.240.0/24

/ip firewall filter
add action=accept chain=input dst-port=1701 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp

Help would be great. I have tried most things; we have multiple site to site VPNs on the main router going to Drayteks and these work great.

Thanks
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site.. Established but no traffic?

Mon Jul 08, 2019 10:27 pm

By "The site to site is live and established" you mean that you can see remote-peers at both sides to be active, and a pair of installed-sa is up at both ends?

If so, two issues are typical - an omission to permit the traffic between the sites' subnets in "/ip firewall filter", or absence of a route towards the remote site's subnet - a default route is enough.

When you need assistance with unexpected behaviour, it is rarely helpful to post just excerpts from the configuration, as the issue may be in the part which you suppose to be irrelevant. So post the complete configurations anonymized according to the hint in my automatic signature below.

Also, place the configs between the [code] and [/code] tags for better readability.

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
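The two omissions named in the reply above (no forward-chain accept for the subnets in the IPsec policy, and no route covering the remote subnet) can be checked mechanically against a `/export hide-sensitive`. The script below is an added example for this thread, not the poster's configuration and not MikroTik code: it parses the export text format shown in the posts, finds each tunnel-mode policy, walks the forward chain for both directions, checks that some route (a default route counts) covers the remote subnet, and checks for a srcnat accept rule for the policy's inner subnets. The sample export inside it is constructed to resemble the thread's config, with public addresses replaced by `my.public.ip.N` placeholders as the signature suggests.

```python
"""Check a RouterOS /export for the usual 'IPsec SA up, no traffic' omissions.

Added example for this thread; the sample export below is constructed and
is not the poster's real configuration.
"""
import ipaddress
import shlex

# Constructed sample, modelled on the shape of the config in the thread.
SAMPLE_EXPORT = """\
/ip ipsec policy
add dst-address=192.168.240.0/24 sa-dst-address=my.public.ip.2 \\
    sa-src-address=my.public.ip.1 src-address=172.16.11.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500 protocol=udp
add action=drop chain=forward comment="drop everything else"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.240.0/24 src-address=172.16.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=my.public.ip.254
"""

# Keys on a rule that are not packet matchers.
META = {"_cmd", "action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Return {menu_path: [entry, ...]}; each entry maps key -> value for one
    add/set line. Lines ending in a backslash are joined as RouterOS prints them."""
    sections, path, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
            continue
        tokens = shlex.split(line)
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections.setdefault(path, []).append(entry)
    return sections


def _covers(rule_value, subnet):
    """True if the rule's address argument contains the whole subnet."""
    try:
        return subnet.subnet_of(ipaddress.ip_network(rule_value, strict=False))
    except (ValueError, TypeError):  # negated matchers, address lists, mixed IP versions
        return False


def rule_matches(rule, src, dst):
    """True only if every matcher on the rule is modelled (src/dst address) and
    covers the src->dst pair. Rules with other matchers (protocol, interfaces,
    connection-state, ...) are treated as not matching: conservative for a
    checker that wants a guaranteed accept."""
    if rule.get("disabled") == "yes":
        return False
    for key, value in rule.items():
        if key in META:
            continue
        if key == "src-address" and _covers(value, src):
            continue
        if key == "dst-address" and _covers(value, dst):
            continue
        return False
    return True


def forward_verdict(filter_rules, src, dst):
    """Walk the forward chain in order: 'accept', 'drop', or 'fallthrough'
    (no terminating rule matched; RouterOS then accepts)."""
    for rule in filter_rules:
        if rule.get("chain") != "forward" or not rule_matches(rule, src, dst):
            continue
        action = rule.get("action", "accept")
        if action == "accept":
            return "accept"
        if action in ("drop", "reject"):
            return "drop"
    return "fallthrough"


def route_covers(routes, subnet):
    """A route with no dst-address is the default route and covers everything."""
    for route in routes:
        if route.get("disabled") == "yes":
            continue
        if _covers(route.get("dst-address", "0.0.0.0/0"), subnet):
            return True
    return False


def nat_bypass_present(nat_rules, src, dst):
    """An enabled srcnat accept rule for the inner subnets stops masquerade
    from rewriting the source before the IPsec policy is consulted."""
    return any(r.get("chain") == "srcnat" and r.get("action") == "accept"
               and rule_matches(r, src, dst) for r in nat_rules)


def check(export_text):
    """Return a list of human-readable findings (empty means nothing obvious)."""
    cfg = parse_export(export_text)
    filters = cfg.get("/ip firewall filter", [])
    nat = cfg.get("/ip firewall nat", [])
    routes = cfg.get("/ip route", [])
    findings = []
    for pol in cfg.get("/ip ipsec policy", []):
        if pol["_cmd"] != "add" or pol.get("tunnel") != "yes" or pol.get("disabled") == "yes":
            continue
        local = ipaddress.ip_network(pol["src-address"], strict=False)
        remote = ipaddress.ip_network(pol["dst-address"], strict=False)
        for a, b in ((local, remote), (remote, local)):
            if forward_verdict(filters, a, b) == "drop":
                findings.append(f"forward chain drops {a} -> {b} before any accept rule")
        if not route_covers(routes, remote):
            findings.append(f"no route covers {remote}; not even a default route")
        if not nat_bypass_present(nat, local, remote):
            findings.append(f"no srcnat accept for {local} -> {remote}; masquerade would rewrite the source")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports that the final drop rule in the forward chain catches both directions of the tunnel, while the route and NAT checks pass; paste a real export into `SAMPLE_EXPORT` (or read it from a file) to run it against your own router. Matchers the script does not model make a rule count as not matching, so an accept that relies on `ipsec-policy=in,ipsec` or an interface match will still be reported as a drop and has to be reviewed by hand.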
 
tomsanders
just joined
Topic Author
Posts: 3
Joined: Mon Jul 08, 2019 4:14 pm

Re: Site to Site.. Established but no traffic?

Fri Jul 12, 2019 12:19 pm

Just an update: the config was correct but the BT Meraki was not allowing the traffic through; the solution was to remove the Meraki and go direct into the BT NTE.

We now have traffic flowing

Thanks
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Site to Site.. Established but no traffic?

Fri Jul 12, 2019 12:30 pm

How does this play with Drayteks working well in the same environment?
