tikuser1212
just joined
Topic Author
Posts: 2
Joined: Fri Jul 30, 2021 6:12 am

Site-to-site VPN w EdgeRouter - SA Established but no traffic across.

Fri Jul 30, 2021 6:39 am

Hello,

I have a model CCR2004-1G-12S+2XS and I am trying to configure my first MikroTik site-to-site IPsec VPN. One end is the CCR2004 and the other end is an EdgeRouter 12. The CCR2004 is RouterOS 6.47.9 and the ER12 is at v2.0.9-hotfix.2.

I basically followed the configuration guide to configure my CCR2004. I have a group of static IPs for my WAN at each endpoint. For the firewall on the MikroTik side I followed this tutorial. I have tested my internet for a while with this simple configuration and everything seems to be functioning well. I followed this Site-to-Site VPN guide. And then created my VPN on the EdgeRouter. After getting all of the settings to match I have on both ends an established SA, but I am not able to ping or send data across the VPN successfully. I suspect it has something to do with the firewall but I am not sure where it is happening. If I monitor the ipsec/installed sa pane and ping from either end, my current bytes continues to increase.

I have followed the above guide so I have added a few firewall rules to hopefully allow the connection through but it hasn't fixed the connection:

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=(src-network/16) dst-address=(dst-network/24)

And then, because the advanced firewall from what I can tell uses the FastTrack settings, I skipped the /ip firewall filter rules and used the raw rules:

/ip firewall raw
add action=notrack chain=prerouting src-address=(src-network/16) dst-address=(dst-network/24)
add action=notrack chain=prerouting src-address=(dst-network/24) dst-address=(src-network/16)

I have rebooted both sides to ensure the connection tracking was cleared after making changes but still no luck. I can provide more configs if you need but didn't want.

Thank you for reading
 
tikuser1212
just joined
Topic Author
Posts: 2
Joined: Fri Jul 30, 2021 6:12 am

Re: Site-to-site VPN w EdgeRouter - SA Established but no traffic across.

Fri Jul 30, 2021 10:57 pm

Does anyone have some troubleshooting tips for this? I have tried every combination of filter rules and NAT rules that other examples have. I have disabled the firewall and fully reset the MikroTik and have the same issue.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Site-to-site VPN w EdgeRouter - SA Established but no traffic across.

Sat Jul 31, 2021 11:44 pm

It's a user forum of volunteers, not MikroTik's service one.
You have to be patient and wait for someone's answer but you may receive none as no one had such a problem as yours.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: Site-to-site VPN w EdgeRouter - SA Established but no traffic across.

Mon Aug 02, 2021 11:27 am

I haven't had too much experience with site-to-site VPN configurations but the obvious question is: Have you put the relevant NAT rules in on both sides of the tunnel?

[From the docs]
MikroTik router:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.1.202.0/24 dst-address=10.1.101.0/24

EdgeRouter the equivalent of this:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.1.101.0/24 dst-address=10.1.202.0/24

If you want us to take a look through your exact configuration, please post/attach the config from both devices (without the passwords etc.). Export with the commands:
MikroTik router:
/export hide-sensitive file=Site1

EdgeRouter:
I don't know since it's a UniFi device - You might have to do it manually but screenshots would be fine.
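The ordering point raised above (the srcnat accept rule has to sit before masquerade, otherwise the source address is rewritten before the IPsec policy can match) and the two-direction raw notrack rules from the first post can both be checked offline against the text of an `/export hide-sensitive` file. The script below is an added example, not code from this thread or from MikroTik: it parses the export into per-section rule lists, then reports whether each tunnel-mode policy has a matching srcnat accept rule placed ahead of any masquerade/src-nat rule and a notrack rule in each direction. The sample export, the peer name `site2` and the interface list `WAN` are constructed assumptions; note that `place-before=0` never appears in an export, the position of the rule in the listing is what matters.

```python
import shlex
from typing import Dict, List

# Constructed sample of what an `/export hide-sensitive` might contain for the
# MikroTik end. Subnets are the ones from the docs excerpt quoted in the thread;
# `site2` and `WAN` are assumed names.
GOOD_EXPORT = """\
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=10.1.202.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=10.1.101.0/24 src-address=10.1.202.0/24
add action=notrack chain=prerouting dst-address=10.1.202.0/24 src-address=10.1.101.0/24
/ip ipsec policy
add dst-address=10.1.101.0/24 peer=site2 src-address=10.1.202.0/24 tunnel=yes
"""

# Same config with the accept rule exported *after* masquerade: SAs come up,
# but masquerade rewrites the source before the policy selector matches.
BAD_EXPORT = GOOD_EXPORT.replace(
    "add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=10.1.202.0/24\n"
    "add action=masquerade chain=srcnat out-interface-list=WAN\n",
    "add action=masquerade chain=srcnat out-interface-list=WAN\n"
    "add action=accept chain=srcnat dst-address=10.1.101.0/24 src-address=10.1.202.0/24\n",
)

Rule = Dict[str, str]


def parse_export(text: str) -> Dict[str, List[Rule]]:
    """Group `add ...` lines under their `/path` header, preserving export order."""
    sections: Dict[str, List[Rule]] = {}
    path = ""
    # RouterOS wraps long export lines with a trailing backslash; join them first.
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif line.startswith("add "):
            rule: Rule = {}
            for tok in shlex.split(line[4:]):  # shlex handles quoted values
                key, _, value = tok.partition("=")
                rule[key] = value
            sections.setdefault(path, []).append(rule)
    return sections


def _matches(rule: Rule, src: str, dst: str) -> bool:
    return rule.get("src-address") == src and rule.get("dst-address") == dst


def audit_ipsec_bypass(export_text: str) -> List[str]:
    """Return findings; an empty list means the bypass rules look consistent."""
    cfg = parse_export(export_text)
    findings: List[str] = []
    nat = [r for r in cfg.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    raw = [r for r in cfg.get("/ip firewall raw", [])
           if r.get("chain") == "prerouting" and r.get("action") == "notrack"]
    policies = [p for p in cfg.get("/ip ipsec policy", []) if p.get("tunnel") == "yes"]
    if not policies:
        findings.append("no tunnel-mode IPsec policy found")

    # Position of the first rule that rewrites the source address.
    rewrite_idx = next((i for i, r in enumerate(nat)
                        if r.get("action") in ("masquerade", "src-nat")), None)
    for pol in policies:
        src, dst = pol.get("src-address"), pol.get("dst-address")
        accept_idx = next((i for i, r in enumerate(nat)
                           if r.get("action") == "accept" and _matches(r, src, dst)), None)
        if accept_idx is None:
            findings.append(f"srcnat has no accept rule for {src} -> {dst}")
        elif rewrite_idx is not None and accept_idx > rewrite_idx:
            findings.append(f"srcnat accept for {src} -> {dst} is placed after the "
                            f"masquerade/src-nat rule; move it above it")
        for a, b in ((src, dst), (dst, src)):
            if not any(_matches(r, a, b) for r in raw):
                findings.append(f"raw prerouting has no notrack rule for {a} -> {b}")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(name, audit_ipsec_bypass(text) or "OK")
```

Run it against the real export from each side (the EdgeRouter side needs its own parser, since its config is not RouterOS syntax); the script only matches exact subnet strings, so a policy written as 10.1.202.0/24 and a NAT rule written as 10.1.0.0/16 will be reported as missing rather than silently treated as equivalent.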
