Let's suppose that the VPN connection is established, but the server does not respond to ICMP requests.
Here is the actual (active) ipsec policy:
Code: Select all
[admin@client] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUN SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION
0 T * 0.0.0.0/0 0.0.0.0/0 all
1 A la.. yes 192.168.19.0/24 192.168.14.0/24 all encrypt
Code: Select all
[admin@client] /ip ipsec active-peers> print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
0 not.telling.com established 32m57s 1 89.134.111.123
Code: Select all
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 100% 4 timeout
2 100% 4 timeout
3 100% 4 timeout
4 100% 4 timeout
5 100% 4 timeout
Code: Select all
[admin@client] /ip route> /tool traceroute 192.168.14.254
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 89.134.243.1 56.. 16 timeout 0.1 0 0.1 0 host unreachable from 89.134.243.1
2 89.134.243.1 53.. 16 0ms 0 0 0 0 host unreachable from 89.134.243.1
3 89.134.243.1 13.. 15 0ms 77.1 0 986.2 262.4 host unreachable from 89.134.243.1
4 0% 0 0ms
The routing table on the client was created with:
Code: Select all
/ip route
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=10.0.0.0/8 type=unreachable
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=192.168.0.0/16 type=unreachable
add comment="VPN to server" distance=1 dst-address=192.168.14.0/24 gateway=ipsec pref-src=192.168.19.254
Code: Select all
/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 89.134.255.254 1
1 A SU ;;; Prevent package leak RFC1918 class A
10.0.0.0/8 1
2 ADC 10.19.10.0/24 10.19.10.1 BLUE_VLAN 0
3 ADC 10.19.20.0/24 10.19.20.1 GREEN_VLAN 0
4 ADC 10.19.30.0/24 10.19.30.1 RED_VLAN 0
5 ADC 89.134.240.0/20 89.134.243.1 ether5-wan 0
6 A SU ;;; Prevent package leak RFC1918 class B
172.16.0.0/12 1
7 A SU ;;; Prevent package leak RFC1918 class C
192.168.0.0/16 1
8 A S ;;; VPN to server
192.168.14.0/24 192.168.19.254 ipsec 1
9 ADC 192.168.19.0/24 192.168.19.254 BASE_VLAN 0
Code: Select all
/interface bridge
add name=ipsec protocol-mode=none
Code: Select all
8 A S ;;; VPN to server
192.168.14.0/24 192.168.19.254 ipsec 1
Code: Select all
7 A SU ;;; Prevent package leak RFC1918 class C
192.168.0.0/16 1
As far as I understand packet flow, the packets with 192.168.14.0/24 destination should leave the routing process towards the ipsec bridge, and the ESP encapsulation should happen after that.
So how does my router responds with "host unreachable" messages? And why it is undeterministic? (E.g. 90% of the time I get a timeout, and only in 10% I get a "host unreachable" message)?