The IPsec SA's are flowing in both directions but cannot ping any devices from Lan of 750 to Lan of Juniper.
Scenario is as follows:
(PC-DHCP-172.16.132.126)<->(172.19.132.1/25-LAN)**RB750**(WAN-DHCP-Client)->Internet<-(WAN-Static)**Juniper**(LAN-Static-216.231.198.233)<->(216.231.198.234-PC-Static)
Here is my config:
Code: Select all
[admin@MikroTik] > ip export
# jan/02/1970 03:09:23 by RouterOS 5.14
# software id = 9HDQ-0000
#
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=\
0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m \
transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=juniper pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-172.19.132.0/24 ranges=172.19.132.11-172.19.132.126
/ip dhcp-server
add address-pool=pool-172.19.132.0/24 authoritative=after-2sec-delay bootp-support=static disabled=no interface=\
ether2-master-local lease-time=3d name=default
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=172.19.132.1/25 comment="default configuration" disabled=no interface=ether2-master-local network=172.19.132.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" default-route-distance=1 disabled=no interface=ether1-gateway \
use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=172.19.132.0/25 dhcp-option="" dns-server=8.8.8.8 gateway=172.19.132.1 ntp-server="" wins-server=""
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.88.1 gateway=192.168.88.1 \
ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address=216.231.198.232/29 protocol=255 src-address=!172.19.132.0/25
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip ipsec peer
add address=216.231.198.13/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=1m \
dpd-maximum-failures=2 enc-algorithm=3des exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 lifebytes=0 \
lifetime=10h my-id-user-fqdn=OM-ess-LAB2@xxxxxxx.com nat-traversal=no port=500 proposal-check=obey secret=\
8888888888888888 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=216.231.198.232/29 dst-port=any ipsec-protocols=esp level=require priority=0 \
proposal=juniper protocol=all sa-dst-address=216.231.198.13 sa-src-address=0.0.0.0 src-address=172.19.132.0/24 \
src-port=any tunnel=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=\
8080 serialize-connections=no src-address=0.0.0.0
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
[admin@MikroTik] >