I found one guide, which has a newer version, but it is slightly different from what I am doing. So far, I am unable to connect to AWS with Phase 1.
Here are the details:
192.168.10.0/24 --> Mikrotik VPN --> Mikrotik firewall (only have 1 public IP) --> AWS VPN gateway --> 10.0.0.0/16
So far I am getting a Phase 1 failure due to a send error.
Is there something I need to configure in the Mikrotik firewall, like port forwarding? The Mikrotik VPN is NATted and is able to go out to the internet. It can ping the AWS VPN IP.
Please let me know if more information is needed. Thank you for kindly looking into this.
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
3 ;;; allow winbox on wan
chain=input action=accept protocol=tcp dst-port=8291 log=yes
log-prefix=""
4 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related
6 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
7 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
8 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
1 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=10.0.0.0/16 log=no
log-prefix=""
2 chain=srcnat action=accept src-address=169.254.30.78 dst-address=169.254.30.77 log=no
log-prefix=""
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.88.1/24 192.168.88.0 ether2-master
1 192.168.10.23/24 192.168.10.0 ether1
2 169.254.30.78/30 169.254.30.76 ether1
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.10.226 1
1 ADC 169.254.30.76/30 169.254.30.78 ether1 0
2 ADC 192.168.10.0/24 192.168.10.23 ether1 0
3 DC 192.168.88.0/24 192.168.88.1 ether2-master 255
/routing bgp peer print
Flags: X - disabled, E - established
# INSTANCE REMOTE-ADDRESS REMOTE-AS
0 default 169.254.30.77 64512
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 src-address=192.168.88.0/24 src-port=any dst-address=10.0.0.0/16 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=175.141.41.143 sa-dst-address=x.x.19.152
proposal=aws-proposal priority=0
2 src-address=169.254.30.78/32 src-port=any dst-address=169.254.30.77/32 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=175.141.41.143
sa-dst-address=x.x.19.152 proposal=aws-proposal priority=0
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=x.x.19.152/32 local-address=175.141.41.143 passive=no port=500 auth-method=pre-shared-key
secret="secretsecretsecret" generate-policy=no policy-template-group=default
exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=10s dpd-maximum-failures=3
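Added example (not from the post and not MikroTik code): a Python script that cross-checks the kind of `/ip address`, `/ip ipsec peer`, `/ip ipsec policy` and `/ip firewall filter` output pasted above for two things a NATted IPsec initiator commonly gets wrong: a peer `local-address` or policy `sa-src-address` that the router does not own on any interface (RouterOS uses `local-address` as the IKE source, so it has to be configured on the router), and whether the input chain accepts UDP 500/4500 before a "drop all from WAN" rule. The sample strings are constructed from the output above, with x.x.19.152 kept masked.

```python
import re
# Constructed excerpts of RouterOS print output, modelled on the post above.
IP_ADDRESSES = """
192.168.88.1/24 192.168.88.0 ether2-master
1 192.168.10.23/24 192.168.10.0 ether1
2 169.254.30.78/30 169.254.30.76 ether1
"""
IPSEC_PEER = "address=x.x.19.152/32 local-address=175.141.41.143 port=500 nat-traversal=yes"
IPSEC_POLICIES = """
1 src-address=192.168.88.0/24 dst-address=10.0.0.0/16 sa-src-address=175.141.41.143 sa-dst-address=x.x.19.152
2 src-address=169.254.30.78/32 dst-address=169.254.30.77/32 sa-src-address=175.141.41.143 sa-dst-address=x.x.19.152
"""
FILTER_RULES = """
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
3 ;;; allow winbox on wan
chain=input action=accept protocol=tcp dst-port=8291 log=yes
log-prefix=""
4 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
"""

def local_addresses(ip_address_print):
    """Host addresses the router owns: the a.b.c.d in front of each /prefix."""
    return set(re.findall(r"(\d+\.\d+\.\d+\.\d+)/\d+", ip_address_print))

def unowned_sa_sources(peer_print, policy_print, owned):
    """Every local-address / sa-src-address that is not configured on any interface."""
    used = re.findall(r"(?:local-address|sa-src-address)=(\d+\.\d+\.\d+\.\d+)", peer_print + policy_print)
    return sorted({a for a in used if a not in owned})

def rules(filter_print):
    """Join RouterOS's wrapped lines so each rule is one string (a rule starts with its index)."""
    out = []
    for line in filter_print.strip().splitlines():
        if re.match(r"\d+ ", line):
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def input_accepts_ike(filter_print):
    """True if an input accept for UDP 500 (IKE) and 4500 (NAT-T) precedes the first input drop."""
    for r in rules(filter_print):
        if "chain=input" not in r:
            continue
        if "action=drop" in r:
            return False
        ports = re.search(r"protocol=udp.*dst-port=([\d,]+)", r) if "action=accept" in r else None
        if ports and {"500", "4500"} <= set(ports.group(1).split(",")):
            return True
    return False
```

On the constructed sample, `unowned_sa_sources` reports 175.141.41.143 and `input_accepts_ike` returns False; whether either explains the send error on the real router is something to confirm against the live `/ip ipsec` logs.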