I agree with that - been there, many times! Yes I do specify the source address.... It would be overkill to export the entire configuration I think but anything that I can add to give some context, I'm happy to do so.

It is hard to debug things remotely without at least seeing the configuration. When you ping while the 172.x.x.x addresses are used, do you also specify the src-address, or do you let the machine choose one autonomously?

The problem is that the issue is always where you don't suspect it could be - if it was where you expect it, you would find it, right?

It would be overkill to export the entire configuration I think
/ip address
# (includes one further public IP dynamically assigned to PPPoE client WAN interface)
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.5.0.254/16 interface=VLAN10 network=10.5.0.0
add address=10.6.0.254/16 interface=VLAN20 network=10.6.0.0
add address=10.8.0.254/16 interface=VLAN60 network=10.8.0.0
add address=10.9.0.254/16 interface=VLAN80 network=10.9.0.0
add address=xx.xx.xx.xx/29 interface=ether3 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/29 interface=ether3 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/29 interface=ether3 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/29 interface=ether3 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/29 interface=ether3 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/29 interface=ether3 network=xx.xx.xx.xx
add address=192.168.2.100/24 interface=ether1 network=192.168.2.0
add address=192.168.5.1/30 interface=VLAN5 network=192.168.5.0
add address=10.8.6.1/16 interface=VLAN60 network=10.8.0.0
add address=192.168.6.1/29 interface=VLAN6 network=192.168.6.0
add address=192.168.32.1/30 interface=ether5 network=192.168.32.0
add address=192.168.10.1/30 interface=ospf_gre network=192.168.10.0
add address=192.168.25.254/24 interface=192_168_25_0 network=192.168.25.0
add address=192.168.255.1/30 interface=GRE_for_OSPF network=192.168.255.0
add address=192.168.15.254/24 interface=VLAN15 network=192.168.15.0
add address=172.16.0.1 interface=Lo0 network=172.16.0.1

/ip firewall filter
add action=accept chain=input dst-address=172.16.0.1 protocol=gre src-address=172.16.0.2
add action=accept chain=output dst-address=172.16.0.2 protocol=gre src-address=172.16.0.1
add action=accept chain=input dst-address=172.16.0.1 protocol=icmp src-address=172.16.0.2
add action=accept chain=output dst-address=172.16.0.2 protocol=icmp src-address=172.16.0.1

/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.0.2 src-address=172.16.0.1

/ip ipsec policy
add dst-address=172.16.0.2/32 peer=xx proposal=xx sa-dst-address=xx.xx.xx.xx sa-src-address=0.0.0.0 src-address=172.16.0.1/32 tunnel=yes

/routing filter
add action=discard chain=xx-In prefix=0.0.0.0/0
# (R2 PPPoE client WAN remote address)
add action=discard chain=xx-In prefix=xx.xx.xx.xx
add action=discard chain=xx-In disabled=yes prefix=10.0.0.0/16
add action=discard chain=xx-In prefix=192.168.2.0/24
add action=discard chain=xx-In prefix=192.168.88.0/24
add action=discard chain=xx-In prefix=192.168.255.4/30
# (R2 public addresses)
add action=discard chain=xx-In prefix=xx.xx.xx.xx/29
add action=discard chain=xx-Out prefix=0.0.0.0/0
# (R1 PPPoE client WAN remote address)
add action=discard chain=xx-Out prefix=xx.xx.xx.xx
add action=discard chain=xx-Out disabled=yes prefix=10.5.0.0/16
add action=discard chain=xx-Out prefix=192.168.2.0/24
add action=discard chain=xx-Out prefix=192.168.88.0/24
add action=discard chain=xx-Out prefix=192.168.255.0/30
# (R1 public addresses)
add action=discard chain=xx-Out prefix=xx.xx.xx.xx/29
# (yy_In/Out is OSPF area 1 physically connected to eth5)
add action=discard chain=yy_In prefix=192.168.88.0/24
add action=discard chain=yy_Out prefix=192.168.88.0/24
add action=discard chain=yy_In prefix=192.168.32.0/30
add action=discard chain=yy_Out prefix=192.168.32.0/30
add action=discard chain=xx-In prefix=172.16.0.2
add action=discard chain=xx-Out prefix=172.16.0.1

/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 in-filter=xx-In name=xx out-filter=xx-Out redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 router-id=192.168.10.1
add distribute-default=always-as-type-1 in-filter=yy_In name=yy out-filter=yy_Out redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 router-id=192.168.32.1

/routing ospf area
add area-id=0.0.0.1 instance=yy name=yy

/routing ospf network
add area=yy network=192.168.32.0/30
add area=backbone network=192.168.10.0/30
What does /ip route check 172.16.0.2 show? I.e. is there any route at all (even if the default one) for that destination?
> ip route check 172.16.0.2
status: ok
interface: Uno FTTC
nexthop: 172.16.0.2

and on "R2":

> ip route check 172.16.0.1
status: ok
interface: Uno ADSL
nexthop: 172.16.0.1

> ip firewall connection print detail where protocol=icmp dst-address="172.16.0.2"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 0 C protocol=icmp src-address=172.16.0.1 dst-address=172.16.0.2 reply-src-address=172.16.0.2 reply-dst-address=172.16.0.1
     icmp-type=8 icmp-code=0 icmp-id=23334 timeout=9s orig-packets=243 orig-bytes=12 150 orig-fasttrack-packets=0 orig-fasttrack-bytes=0
     repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=400bps repl-rate=0bps

> ip ipsec installed-sa print detail interval=1s where dst-address="xx.xx.xx.xx"
Flags: H - hw-aead, A - AH, E - ESP
 0 E spi=0x11E09A5 src-address=xx.xx.xx.xx dst-address=xx.xx.xx.xx state=mature enc-algorithm=aes-gcm enc-key-size=288 enc-key="xx"
     addtime=feb/21/2021 11:26:33 expires-in=17m20s add-lifetime=24m14s/30m18s current-bytes=209839 current-packets=2692 replay=128
     (These counters are NOT increasing)

 1 E spi=0x5C968BB src-address=xx.xx.xx.xx dst-address=xx.xx.xx.xx state=mature enc-algorithm=aes-gcm enc-key-size=288 enc-key="xx"
     addtime=feb/21/2021 11:34:09 expires-in=24m48s add-lifetime=24m8s/30m10s current-bytes=163365 current-packets=2190 replay=128
     (These counters are increasing)
The thing is that you cannot know which pair of SAs is linked to which policy by any indicator. You would have to disable the policy for 192.168 to be sure. But a question - what level is set on the individual policies, require or unique? And is the level the same at both ends? The thing is that unique causes strict use and checking of the particular SA per policy (so packets which come through a wrong SA are dropped), whereas require uses and allows any of the SAs between the peers to be used. So if this setting doesn't match between the peers, it could be the explanation.

With the installed SAs, I assume it's one pair per policy, hence 4 for 2 policies? That being the case, it looks like the counters are increasing on the pair for the 192.168.255.x subnets, but those associated to the 172.16.x.x counters are not changing.

The SAs normally get replaced by new ones about every 30 minutes by default, so the fact that the silent one did count some packets in the past is suspicious. Some traffic must have been sent down that SA during the past 30 minutes at maximum.

I presume the current byte count (not increasing in either direction) relates to when the tunnel was first established.
Yes, this is enough, so the transport packets get received and the payload ones are extracted from them all right.

> /tool sniffer quick ip-address=172.16.0.1
INTERFACE   TIME     NUM  DI  SRC-MAC  DST-MAC  VLAN
Uno ADSL    19.287   1    <-
Uno ADSL    20.291   2    <-
...you get the idea

It need not. Just put a rule chain=input dst-address=172.16.0.2 action=passthrough as the very first static one in chain input of filter, chain=filter dst-address=172.16.0.2 action=passthrough as the very first static one in chain forward of filter, and chain=dstnat dst-address=172.16.0.2 action=passthrough as the very first static one in chain dstnat of nat, all three on R2, do some pinging from R1 and see whether any of the three rules has counted.

If needs be, I can post the filter rulesets, but it'll take me a while to redact public IPs, so if it's needed, I won't do that tonight...
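For anyone following along, here are the two checks suggested above (the policy level on both ends, and passthrough counters at the top of input, forward and dstnat on R2) as concrete RouterOS commands. This is an added example, not commands posted by anyone in the thread; it assumes R2 holds 172.16.0.2 on its loopback as the mirror of the config above, that no dynamic rule occupies index 0 in the filter and NAT tables, and the "diag:" comment tags are my own choice so the rules can be found and removed again.

```routeros
# Added example, not from the thread. Assumes R2 owns 172.16.0.2 (mirror of R1's Lo0),
# no dynamic rules at index 0, and the "diag:" comments are arbitrary tags chosen here.

# 1. Policy level: run on BOTH routers and compare. 'unique' binds each policy to its
#    own SA pair and drops packets that arrive through another SA; 'require' accepts
#    any SA established between the same peers. A mismatch is a plausible explanation
#    for one direction counting and the other staying silent.
/ip ipsec policy print detail where tunnel=yes
# If they differ, align them, e.g. (value shown only as an illustration):
# /ip ipsec policy set [find src-address=172.16.0.2/32 dst-address=172.16.0.1/32] level=require

# 2. On R2: passthrough counters before the first static rule, so nothing above them
#    can drop or translate the packet first. place-before=0 is the top of the table,
#    which is the very first rule in every chain of that table.
/ip firewall filter add chain=input dst-address=172.16.0.2 action=passthrough \
    place-before=0 comment="diag: 172.16.0.2 seen in input"
/ip firewall filter add chain=forward dst-address=172.16.0.2 action=passthrough \
    place-before=0 comment="diag: 172.16.0.2 seen in forward"
/ip firewall nat add chain=dstnat dst-address=172.16.0.2 action=passthrough \
    place-before=0 comment="diag: 172.16.0.2 seen in dstnat"

# Optional finer split: count only packets that were just decapsulated from an IPsec SA,
# to separate "arrived in the clear" from "came out of the tunnel".
/ip firewall filter add chain=input dst-address=172.16.0.2 ipsec-policy=in,ipsec \
    action=passthrough place-before=0 comment="diag: 172.16.0.2 decrypted by ipsec"

# 3. Zero the counters, generate traffic from R1, then read the counters on R2.
/ip firewall filter reset-counters [find comment~"^diag:"]
/ip firewall nat reset-counters [find comment~"^diag:"]
# on R1:  /ping 172.16.0.2 src-address=172.16.0.1 count=20
/ip firewall filter print stats where comment~"^diag:"
/ip firewall nat print stats where comment~"^diag:"

# 4. Remove the diagnostic rules afterwards.
/ip firewall filter remove [find comment~"^diag:"]
/ip firewall nat remove [find comment~"^diag:"]
```

Reading the result: a non-zero dstnat counter with zero input and forward means the packet reached R2 but was dropped or translated before the filter chains; zero everywhere while the ESP SA counters on R2 still climb points at the policy/SA selection (step 1) or at a route on R2 that sends 172.16.0.2 traffic elsewhere, which the `/ip route check` output above would show.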