SimoleS
Joined: Tue Oct 23, 2018 5:30 pm

IPsec S2S Works only one way

Thu May 06, 2021 10:04 am

Hello dear Community. For the last two days I've been facing a problem with the new client configuration.

Problem

We are running 2 MikroTik routers on both sites. We are unable to make a connection to site B until some device makes a connection to site A, for example.
I'm unable to ping, access, etc. the network 192.168.49.0/24 from 10.118.0.0/24 until I ping from 192.168.49.10 (NAS) to 10.118.0.1 (MikroTik box).


Network

Site A: WAN: (NAT) - 192.168.88.250 - Dynamic Public IP | LAN: 192.169.49.0/24 | Passive
Site B: WAN: xxx.xxx.xxx.206 - Static Public IP | LAN: 10.118.0.0/24 | Active
Tunnels
Site A
[image: Site A IPsec tunnel screenshot]
Site B
[image: Site B IPsec tunnel screenshot]

Diagram:
[image: network diagram]

Config

Site A
/ip firewall filter
add action=accept chain=forward src-address=192.168.35.0/24
add action=accept chain=forward src-address=192.168.34.0/24
add action=accept chain=forward src-address=172.26.207.0/24
add action=accept chain=input src-address=xxxxx
add action=accept chain=input src-address=192.168.35.0/24
add action=accept chain=input src-address=10.118.0.0/24
add action=accept chain=forward src-address=10.118.0.0/24
add action=accept chain=forward dst-address=192.168.49.0/24 src-address=\
10.118.0.0/24
add action=accept chain=forward disabled=yes dst-address=10.118.0.0/24 \
src-address=192.168.49.0/24
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-mark=!ipsec connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
in,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=accept chain=srcnat dst-address=10.118.0.0/24 src-address=\
192.168.49.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN

Site B
/ip firewall filter
add action=accept chain=input comment="Allow From xxxx - BACKUP" \
src-address=xxxxx
add action=accept chain=input comment="Alow From xxxx - MAIN" src-address=\
xxxx
add action=accept chain=input comment="Allow from OLD xxxx" src-address=\
xxxx
add action=accept chain=input comment="Allow from xxx- LAN" src-address=\
192.168.35.0/24
add action=accept chain=input comment="Allow from VPN to LAN" dst-address=\
10.118.0.0/24 in-interface=all-ppp
add action=accept chain=input comment="Allow from OLD xxxx" src-address=\
192.168.49.0/24
add action=accept chain=forward comment="Allow from OLD xxxxx" src-address=\
192.168.49.0/24
add action=accept chain=forward comment="Forward LAN - NEW to LAN - OLD" \
disabled=yes dst-address=192.168.49.0/24 src-address=10.118.0.0/24
add action=accept chain=forward comment="Forward VPN to LAN - OLD" disabled=\
yes dst-address=192.168.49.0/24 src-address=10.118.1.0/24
add action=accept chain=input comment="Allow OVPN" dst-port=1194 \
in-interface="WAN - Combo" protocol=tcp
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="Accept established, related" \
connection-state=established,related,new,untracked
add action=accept chain=input comment="Allow IPSec - ESP" in-interface-list=\
ZoneWAN protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec - AH" in-interface-list=\
ZoneWAN protocol=ipsec-ah
add action=accept chain=forward dst-port=1701,4500,500 in-interface-list=\
ZoneWAN protocol=udp
add action=drop chain=input comment="Drop all from WAN" in-interface-list=\
ZoneWAN
add action=drop chain=forward comment="Drop ALL from WAN not DSNAT"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.49.0/24 src-address=\
10.118.0.0/24
add action=masquerade chain=srcnat comment=" == NAT to WAN == " ipsec-policy=\
out,none out-interface-list=ZoneWAN src-address=10.118.0.0/24
Thank you for your help.
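Added here as an example, not code from the post or from MikroTik: a small Python audit of rule order in a RouterOS `/ip firewall filter` export. It embeds an excerpt of the Site B filter shown above (the author's xxxx placeholders are kept as they appear) and reports three things a defender checks when a site-to-site tunnel only comes up from one side: whether the input chain explicitly accepts IKE (UDP 500 and 4500) and ESP before its "Drop all from WAN" rule, which source-scoped accepts precede that drop (those admit IKE only from that source), and whether any forward accept matches new connections with no constraint at all, which makes the drop rules after it unreachable. The interface-list name ZoneWAN is the one used in the post. This is a check on the posted rules, not a diagnosis of the one-way tunnel.

```python
"""Audit a RouterOS '/ip firewall filter' export for IPsec-related rule order.

Added example for this thread; not MikroTik code. It parses the export
format the post shows ('add ...' per rule, '\\' line continuations).
"""
import shlex

IKE_PORTS = {"500", "4500"}
# Keys that narrow a rule; an accept with none of these matches everything.
MATCH_KEYS = {
    "src-address", "dst-address", "src-address-list", "dst-address-list",
    "in-interface", "out-interface", "in-interface-list", "out-interface-list",
    "protocol", "src-port", "dst-port", "ipsec-policy", "connection-mark",
}

# Excerpt of the Site B filter from the post (author's xxxx placeholders kept).
SITE_B_FILTER = r"""
/ip firewall filter
add action=accept chain=input comment="Allow From xxxx - BACKUP" \
src-address=xxxxx
add action=accept chain=input comment="Allow from xxx- LAN" src-address=\
192.168.35.0/24
add action=accept chain=input comment="Allow from VPN to LAN" dst-address=\
10.118.0.0/24 in-interface=all-ppp
add action=accept chain=input comment="Allow from OLD xxxx" src-address=\
192.168.49.0/24
add action=accept chain=forward comment="Accept established, related" \
connection-state=established,related,new,untracked
add action=accept chain=input comment="Allow IPSec - ESP" in-interface-list=\
ZoneWAN protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec - AH" in-interface-list=\
ZoneWAN protocol=ipsec-ah
add action=accept chain=forward dst-port=1701,4500,500 in-interface-list=\
ZoneWAN protocol=udp
add action=drop chain=input comment="Drop all from WAN" in-interface-list=\
ZoneWAN
add action=drop chain=forward comment="Drop ALL from WAN not DSNAT"
"""


def parse_export(text):
    """Return rules as dicts (key -> value) in export order, joining continuations."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):            # continuation: keep collecting
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # menu path, e.g. /ip firewall filter
            section = line
            continue
        if not line.startswith("add "):
            continue
        rule = {"section": section}
        for tok in shlex.split(line[4:]):  # shlex keeps quoted comments whole
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def audit_input_chain(rules, wan_list):
    """Walk the input chain in order up to the first enabled drop from `wan_list`.

    Reports whether IKE (UDP 500+4500) and ESP were explicitly accepted before
    that drop, and lists source-scoped accepts with no protocol restriction
    (they would admit IKE, but only from that source address)."""
    report = {"drop_found": False, "ike": False, "esp": False, "blanket_src_accepts": []}
    for r in rules:
        if r.get("chain") != "input" or r.get("disabled") == "yes":
            continue
        if r.get("action") == "drop" and r.get("in-interface-list") == wan_list:
            report["drop_found"] = True
            break
        if r.get("action") != "accept":
            continue
        proto = r.get("protocol")
        ports = set(r.get("dst-port", "").split(","))
        if proto == "udp" and IKE_PORTS <= ports:
            report["ike"] = True
        elif proto == "ipsec-esp":
            report["esp"] = True
        elif proto is None and "src-address" in r:
            report["blanket_src_accepts"].append(r["src-address"])
    return report


def unconstrained_new_accepts(rules):
    """Comments of enabled forward accepts that match new connections with no matcher."""
    hits = []
    for r in rules:
        if r.get("chain") != "forward" or r.get("action") != "accept" or r.get("disabled") == "yes":
            continue
        if "new" in r.get("connection-state", "").split(",") and not (MATCH_KEYS & r.keys()):
            hits.append(r.get("comment", ""))
    return hits


if __name__ == "__main__":
    parsed = parse_export(SITE_B_FILTER)
    print("input chain:", audit_input_chain(parsed, "ZoneWAN"))
    print("forward accepts matching 'new' with no constraint:", unconstrained_new_accepts(parsed))
```

To run it against a live router, paste the output of `/ip firewall filter export` in place of SITE_B_FILTER and set the WAN list name used in that export. On the excerpt above it reports ESP accepted but no explicit IKE accept in the input chain (the UDP 500/4500 rule sits in the forward chain), three source-scoped blanket accepts, and one forward accept that matches new connections unconditionally.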
