The VPN connection is working (estabilshed) and from the SITE A they can ping the machine in my internal network but i can't ping machines on the other site -> Ping is not working from SITE B to SITE A.
Using tracert i see that the request to a SITE A IP is sent to the mikrotik router and next is routed through the isp router and not directly through the IPSEC tunnel.
Why the traffic to 192.168.27.48/29 is not routed through the IPSEC tunnel ?
The configuration file of SITE B:
Code: Select all
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=SITE-IPSEC
/ip ipsec peer
add address=155.XXX.XXX.XXX/32 local-address=10.0.2.10 name=Peer-SITE \
profile=SITE-IPSEC
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=2h10m name=\
SITE-proposal
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_vlan20 ranges=192.168.178.2-192.168.178.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge \
lease-time=30m name=dhcp_server_local
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip arp
add address=192.168.1.246 interface=bridge mac-address=XXXXXXX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1
add dhcp-options=hostname disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
8.8.8.8,8.8.4.4,10.0.1.1,10.0.2.1 gateway=192.168.1.1 netmask=24
add address=192.168.178.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
10.0.1.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-connection chain=forward in-interface=WAN1 \
new-connection-mark=WAN1
add action=mark-connection chain=forward in-interface=WAN2 \
new-connection-mark=WAN2
/ip firewall nat
add action=dst-nat chain=dstnat comment="Server App su WAN1 tcp" \
dst-port=2000 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.253 \
to-ports=443
add action=dst-nat chain=dstnat comment="Server App su WAN2 tcp" \
dst-port=2000 in-interface=WAN2 protocol=tcp src-port="" to-addresses=\
192.168.1.253 to-ports=443
add action=dst-nat chain=dstnat comment="Server App su WAN2 udp" \
dst-port=2000 in-interface=WAN2 protocol=udp src-port="" to-addresses=\
192.168.1.253 to-ports=443
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Peer-SITE secret=SECRET_SHARED
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.27.48/29 peer=Peer-SITE proposal=SITE-proposal \
sa-dst-address=155.XXX.XXX.XXX sa-src-address=10.0.2.10 src-address=\
192.168.1.0/24 tunnel=yes
/ip route
add check-gateway=ping comment="WAN 2 marked route" distance=3 gateway=\
10.0.2.1 routing-mark=WAN2-mark
add check-gateway=ping comment="WAN 1 marked route" distance=1 gateway=\
10.0.1.1 routing-mark=WAN1-mark
add comment="Defult route WAN 2" distance=1 gateway=10.0.2.1
add comment="Defult route WAN 2" distance=1 gateway=10.0.2.1
add comment="Default route WAN 1" distance=1 gateway=10.0.1.1
add comment="Default route WAN 1" distance=2 gateway=10.0.1.1
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=192.168.1.253/32