mauroreggio
just joined
Topic Author
Posts: 8
Joined: Thu May 04, 2017 11:59 am

IPSEC VPN timeout problem.

Wed Dec 30, 2020 2:09 pm

Hi all.
I don't know which subject is right for this topic, because the problem is a little bit strange.
I configured an IPsec tunnel between my MikroTik RB1100 and a Fortinet firewall (I don't know the exact model).
Local=Mikrotik
Remote=Fortinet
The IPsec communication comes up and stays up, so IPsec works well between the 2 devices.
At the time of the first configuration we had some communication problems from the remote subnet to the local one; I searched for the problem ... everything is right (I think) ... but it doesn't work.
For testing I tried a PING from a machine on the local subnet to a machine on the remote subnet, and my ping works well ... after this action, communication from remote to local works too.
OK, I thought everything was resolved and that "the remote side" did something that I don't know about, marked the problem as solved and closed the case.
But ... the day after, remote to local doesn't work ... the IPsec tunnel is up, but remote machines can't reach local machines. I try a ping from local to remote ... the ping responds well ... after this, remote reaches local too.
This always happens ... it is systematic.
Simplified: after some time (not sure how much, but in the past day I can say about 15 minutes), if the local network doesn't try to reach the remote network ... the remote network can't reach the local network. It is like my side needs to start the communication ... but the IPsec tunnel is always UP.
Has anyone run into this?
The only thing I can add is that, for testing purposes, on one occasion I did not start the communication with a ping from local to remote, but instead tried disabling ALL the firewall rules on my RB1100 ... and in this way the remote network reaches the local network ... after enabling all the rules again, everything works well ... and after some time it stops again.
I think about the "accept forward established traffic" rule ... but why ... I just put the "accept forward remote network address" rule on top of it.

/ip ipsec policy
add dst-address=yyy.yyy.yyy.yyy/23 peer=yyyy proposal=yyyy-ph2 sa-dst-address=zz.zz.zz.zz sa-src-address=qq.qq.qq.qq src-address=xxx.xxx.xxx.xxx/23 tunnel=yes

/ip firewall filter
add action=accept chain=forward comment="forward allow traffic from LAN to ALL" in-interface=ether2
add action=accept chain=forward comment="forward Accept From yyyy VPN" src-address=yyy.yyy.yyy.yyy/23
add action=accept chain=forward comment="forward accept established connection packets" connection-state=established
add action=log chain=forward comment="log rule" log-prefix=Forward:
add action=drop chain=forward comment="forward drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="forward drop everything else"

/ip firewall nat
add action=accept chain=srcnat dst-address=yyy.yyy.yyy.yyy/23 src-address=xxx.xxx.xxx.xxx/23

Thank all for support.
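An added example, not part of the original post: a small Python model of the forward chain posted above, evaluated first-match over constructed packets, so the effect of rule order and connection-state can be checked without a router. The subnets 10.10.0.0/23 (standing in for the local xxx/23 behind ether2) and 10.20.0.0/23 (for the remote yyy/23 behind the Fortinet), the WAN interface name ether1 and the host addresses are assumptions; the six rules are the ones from the post, with action=log treated as passthrough and the end of the chain as accept, as RouterOS does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the post's placeholders (assumptions, not the poster's real addresses).
LOCAL_NET = "10.10.0.0/23"    # xxx.xxx.xxx.xxx/23, the LAN behind ether2
REMOTE_NET = "10.20.0.0/23"   # yyy.yyy.yyy.yyy/23, the subnet behind the Fortinet
WAN_IFACE = "ether1"          # assumed interface on which decapsulated IPsec packets arrive


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_interface: str
    connection_state: str   # "new", "established", "related" or "invalid"


@dataclass(frozen=True)
class Rule:
    action: str             # "accept", "drop" or "log"
    comment: str
    src_address: Optional[str] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher set on the rule must match; unset matchers match anything."""
        if self.src_address and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.connection_state and pkt.connection_state != self.connection_state:
            return False
        return True


# The six forward rules exactly as posted, in order.
FORWARD_CHAIN: List[Rule] = [
    Rule("accept", "forward allow traffic from LAN to ALL", in_interface="ether2"),
    Rule("accept", "forward Accept From yyyy VPN", src_address=REMOTE_NET),
    Rule("accept", "forward accept established connection packets", connection_state="established"),
    Rule("log", "log rule"),
    Rule("drop", "forward drop invalid packets", connection_state="invalid"),
    Rule("drop", "forward drop everything else"),
]


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """First-match evaluation of a filter chain.

    Returns (verdict, comment of the deciding rule, whether the log rule fired).
    action=log is passthrough (the packet continues down the chain) and a chain
    with no matching terminating rule accepts, mirroring RouterOS behaviour.
    """
    logged = False
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.action == "log":
            logged = True
            continue
        return rule.action, rule.comment, logged
    return "accept", "end of chain (default accept)", logged


def without(chain: List[Rule], comment: str) -> List[Rule]:
    """Copy of the chain with the rule carrying this comment removed."""
    return [r for r in chain if r.comment != comment]


# Constructed packets: a remote host opening a new connection to a local host, the
# return direction of a flow the local side opened (conntrack already holds the entry),
# a local host opening a connection, and an unrelated Internet source.
REMOTE_INITIATED = Packet("10.20.0.5", "10.10.0.7", WAN_IFACE, "new")
REMOTE_REPLY = Packet("10.20.0.5", "10.10.0.7", WAN_IFACE, "established")
LOCAL_INITIATED = Packet("10.10.0.7", "10.20.0.5", "ether2", "new")
STRAY = Packet("203.0.113.9", "10.10.0.7", WAN_IFACE, "new")

if __name__ == "__main__":
    for label, pkt in [("remote-initiated", REMOTE_INITIATED), ("remote reply", REMOTE_REPLY),
                       ("local-initiated", LOCAL_INITIATED), ("stray", STRAY)]:
        print(f"{label:17s} -> {evaluate(FORWARD_CHAIN, pkt)}")
    reduced = without(FORWARD_CHAIN, "forward Accept From yyyy VPN")
    print("no VPN rule, remote-initiated ->", evaluate(reduced, REMOTE_INITIATED))
    print("no VPN rule, remote reply     ->", evaluate(reduced, REMOTE_REPLY))
```

With the "Accept From yyyy VPN" rule in place, a new packet from the remote /23 is accepted by that rule whatever its connection-state, so the posted order alone does not drop remote-initiated traffic. Removing that rule reproduces the symptom described in the post: remote-initiated packets fall through to the final drop (after being logged), and only the reply direction of a flow the local side started, which connection tracking marks established, is accepted by the third rule. Comparing the real counters of these rules and the log prefix Forward: against this model is the quickest way to see which rule is actually deciding on the router.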
