Hello,
I have a model CCR2004-1G-12S+2XS and I am trying to configure my first MikroTik site-to-site IPSEC VPN. One end is the CCR2004 and the other end is an Edgerouter 12. The CCR2004 is RouterOS 6.47.9 and the ER12 is at v2.0.9-hotfix.2.
I basically followed the configuration guide to configure my CCR2004. I have a group of static IPs for my WAN at each endpoint. For the firewall on the MikroTik side I followed this tutorial. I have tested my internet for a while with this simple configuration and everything seems to be functioning well. I followed this Site-to-Site VPN guide. And then created my VPN on the EdgeRouter. After getting all of the settings to match I have on both ends an established SA, but I am not able to ping or send data across the VPN successfully. I suspect it has something to do with the firewall, but I am not sure where it is happening. If I monitor the ipsec/installed SA pane and ping from either end, my current bytes continue to increase.
I have followed the above guide, so I have added a few firewall rules to hopefully allow the connection through, but it hasn't fixed the connection:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=(src-network/16) dst-address=(dst-network/24)
And then, because the advanced firewall from what I can tell uses the fasttrack settings, I skipped the /ip firewall filter rules and used the raw rules:
/ip firewall raw
add action=notrack chain=prerouting src-address=(src-network/16) dst-address=(dst-network/24)
add action=notrack chain=prerouting src-address=(dst-network/24) dst-address=(src-network/16)
I have rebooted both sides to ensure the connection tracking was cleared after making changes, but still no luck. I can provide more configs if you need but didn't want.
Thank you for reading
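For comparison, here is the arrangement the MikroTik IPsec documentation uses to keep policy-based tunnel traffic out of NAT and fasttrack, added as an example and not part of the post above. The subnets 192.168.0.0/16 (CCR2004 side) and 10.10.10.0/24 (EdgeRouter side) are assumed placeholders, and the rules rely on the ipsec-policy matcher rather than address-based raw notrack rules.

```routeros
# Added example: bypass rules for a policy-based site-to-site IPsec tunnel.
# Assumed placeholder subnets: 192.168.0.0/16 behind the CCR2004 (local),
# 10.10.10.0/24 behind the EdgeRouter (remote). Replace with your own.

# 1. NAT: a packet that matches an outbound IPsec policy must not be
#    masqueraded. srcnat runs before the policy lookup, so a masqueraded
#    packet no longer matches the policy selector and leaves the WAN
#    unencrypted instead of entering the tunnel. place-before=0 puts the
#    accept rule ahead of the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept place-before=0 ipsec-policy=out,ipsec \
    comment="tunnel: bypass NAT for traffic that will be encrypted"

# 2. Filter: a fasttracked connection skips the rest of the firewall, so
#    accept tunnel traffic before the fasttrack-connection rule. Each
#    place-before=0 inserts at the top of the chain.
/ip firewall filter
add chain=forward action=accept place-before=0 ipsec-policy=in,ipsec \
    comment="tunnel: accept traffic decrypted from the peer"
add chain=forward action=accept place-before=0 ipsec-policy=out,ipsec \
    comment="tunnel: accept traffic that will be encrypted to the peer"
# IKE/NAT-T and ESP from the peer must reach the router itself.
add chain=input action=accept place-before=0 protocol=udp dst-port=500,4500 \
    comment="tunnel: IKE and NAT-T"
add chain=input action=accept place-before=0 protocol=ipsec-esp \
    comment="tunnel: ESP"

# 3. Checks: the policy should be active, and the counters on the rules
#    above should increase while pinging across the tunnel. If the nat
#    accept counter stays at zero, masquerade is still winning.
/ip ipsec policy print
/ip firewall nat print stats where comment~"tunnel"
/ip firewall filter print stats where comment~"tunnel"
```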