andrewbenedyk

Routing issue in IPSec tunnel configuration

Wed Jul 17, 2019 5:14 pm

Hi All,

Actual configuration:
There is an IPsec tunnel configured between Site A (AWS) and Site B (on-premises) according to the official AWS guides and recommendations (https://docs.aws.amazon.com/vpn/latest/ ... tions.html). As the Site B VPN endpoint we have a MikroTik hEX S (RB760iGS). The tunnel DOES WORK without issues.
- Site A (AWS) 1.1.1.0/24
- Site B (on-premises) 2.2.2.0/24
When traffic comes from Site A, it is NATed to the IP address 2.2.2.123. We have full connectivity between Site A and Site B.

Site B (on-premises) is also connected locally to Site C (internal) via an on-premises router with the IP address 2.2.2.2. This router is directly connected to the Site C network.
- Site C (internal) - 3.3.3.0/24
The MikroTik router within Site B has a static route configured to 3.3.3.0/24 via 2.2.2.2. Site B and Site C are pingable.
Task:
Site A should have access to Site C via Site B and vice versa.

AWS configuration:
- The VPC routing table routes all traffic to the VPN gateway in use (0.0.0.0/0 route to the IPsec tunnel)
- The Site-to-Site VPN connection in use includes the required static route configuration - 2.2.2.0/24 and 3.3.3.0/24 (according to the AWS official guide)

Nevertheless, we don't even see traffic being received by the Site B MikroTik when pinging Site C from Site A. However, we can ping any host within Site C (internal) from the MikroTik router.
Just to mention, when we temporarily tried to hook the network 3.3.3.0/24 onto a MikroTik interface, we started to see connectivity between Site A (1.1.1.0/24) and 3.3.3.0/24.

So I am searching for help here to find the issue with our setup. See the following MikroTik configuration.


Mikrotik:
Firewall NAT:
======================================================================================
> ip firewall nat print     
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; src-nat for traffic from swconn. Source addr ->2.2.2.123
      chain=srcnat action=src-nat to-addresses=2.2.2.123 src-address=1.1.1.0/24 log=yes log-prefix="nat"
======================================================================================

Firewall filter:
======================================================================================
> ip firewall filter print      
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 7    ;;; allow winbox connections
      chain=input action=accept protocol=tcp src-address-list=Mgmt in-interface=ether1 dst-port=8291 log=no log-prefix="" 

 8    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 9    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

10    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

11    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

12    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

13    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

14    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

15    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

16    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

17    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
======================================================================================

Route:
======================================================================================
> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          $MikrotikPublicGateway             1
 1 ADC  $MikrotikPublicNet/26   $MikrotikPublicIP   ether1                    0
 2 A S  3.3.3.0/24                     2.2.2.2               1
 3 ADC  169.254.23.32/30   169.254.23.34   ether1                    0
 4 A S  ;;; Route to VPC (swconn subnet) using tunnel1
        1.1.1.0/24      2.2.2.123   169.254.23.33             1
 5 X S  ;;; Route to VPC (swconn subnet) using tunnel2
        1.1.1.0/24                      169.254.21.125            1
 6 ADC  2.2.2.0/24     2.2.2.123   Local                     0
======================================================================================

IPSec policy:
======================================================================================
> ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 
 1  A  ;;; AWS Tunnel1: local-swconn
       src-address=2.2.2.0/24 src-port=any dst-address=1.1.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$MikrotikPublicIP 
       sa-dst-address=$AWSPublicIP proposal=ipsec-vpn-05b1182fb83354cc8-0 ph2-count=1 
 2  A  ;;; AWS Tunnel1: Mikrotik-VPG
       src-address=169.254.23.34/32 src-port=any dst-address=169.254.23.33/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$MikrotikPublicIP 
       sa-dst-address=$AWSPublicIP proposal=ipsec-vpn-05b1182fb83354cc8-0 ph2-count=1
======================================================================================
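The phase-2 policy selectors decide whether a packet is accepted for the tunnel, so a useful check when a site pair will not pass is to test each wanted source/destination network against the listed policies. This is an added example, not part of the original post or any MikroTik code; the policy entries are transcribed from the post's `ip ipsec policy print` above and the wanted flows are the site pairs the post describes.

```python
import ipaddress

# Active phase-2 policies, transcribed from the post's "ip ipsec policy print"
# (the template policy 0 is omitted: it is a template, not an active selector).
POLICIES = [
    {"comment": "AWS Tunnel1: local-swconn",
     "src": "2.2.2.0/24", "dst": "1.1.1.0/24"},
    {"comment": "AWS Tunnel1: Mikrotik-VPG",
     "src": "169.254.23.34/32", "dst": "169.254.23.33/32"},
]

# Site pairs the post wants to carry over the tunnel, as inner (decrypted)
# addresses: that is what the policy selector sees before the src-nat rule.
WANTED_FLOWS = [
    ("1.1.1.0/24", "2.2.2.0/24"),   # Site A <-> Site B: works today
    ("1.1.1.0/24", "3.3.3.0/24"),   # Site A <-> Site C: the failing case
]


def policy_covers(policy, src, dst):
    """True if the policy's selectors contain the flow in either direction.

    A policy is used for outbound packets matching src->dst and for the
    mirrored inbound packets dst->src, so both orientations are checked.
    """
    psrc = ipaddress.ip_network(policy["src"])
    pdst = ipaddress.ip_network(policy["dst"])
    src = ipaddress.ip_network(src)
    dst = ipaddress.ip_network(dst)
    forward = src.subnet_of(psrc) and dst.subnet_of(pdst)
    reverse = dst.subnet_of(psrc) and src.subnet_of(pdst)
    return forward or reverse


def uncovered_flows(policies, flows):
    """Return the (src, dst) pairs that no listed policy selects."""
    return [(s, d) for s, d in flows
            if not any(policy_covers(p, s, d) for p in policies)]


if __name__ == "__main__":
    for s, d in uncovered_flows(POLICIES, WANTED_FLOWS):
        print(f"no listed IPsec policy selects {s} <-> {d}")
```

Run against the post's policy table, the only uncovered pair is 1.1.1.0/24 <-> 3.3.3.0/24; the same check applies to the AWS side, whose selectors are not shown in the post.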
