kbuska
newbie
Topic Author
Posts: 49
Joined: Fri Oct 15, 2010 7:45 pm

IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 4:54 pm

A few clients have complained that when we moved one of our providers onto an RB2011 temporarily, their Cisco site-to-site VPNs couldn't pass traffic. They said the connection would establish but they couldn't pass any traffic through the tunnel. I don't have many details as to their setup other than that they use a Cisco ASA or ISR on each end of the tunnel and at one point it traverses the RB2011 with no firewall or NAT rules. We had a netmap rule for certain blocks but have since disabled the netmap rules, as the customer is using public IPs on their routers within our network. Our assumption was they were using a private IP.

Our setup worked fine when we were using a Cisco router so the only change is we moved this provider to the Mikrotik device.

I can see TCP/UDP and IPsec traffic from both sides of the connection, but it's kilobytes of data.

Most of what I read on the forum has to do with setting up IPsec using a MikroTik router as a termination point, not simply a pass-through. Since I don't have firewall rules, and no NAT translations are being performed for the referenced subnet, is there anything I need to do in order to ensure this traffic gets routed through?

Thank you for reading my post.
 
kbuska
newbie
Topic Author
Posts: 49
Joined: Fri Oct 15, 2010 7:45 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 4:56 pm

I should mention we are running the latest 6.31 RouterOS.
 
patrick7
Member
Posts: 343
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 5:03 pm

Did you exclude it from NAT and FastTrack?
 
kbuska
newbie
Topic Author
Posts: 49
Joined: Fri Oct 15, 2010 7:45 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 5:18 pm

Did you exclude it from NAT and FastTrack?
Exclude? I didn't have "not" NAT statements, if that is what you mean.

Also I didn't have any FastTrack statements.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 5:29 pm

RouterOS forwards everything, no matter if it is IPsec or any other kind of traffic, unless you have firewall rules set to drop something.
You can check MTUs; maybe the Ciscos are configured to use much larger packets than the standard 1500 bytes.
 
kbuska
newbie
Topic Author
Posts: 49
Joined: Fri Oct 15, 2010 7:45 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 5:54 pm

RouterOS forwards everything, no matter if it is IPsec or any other kind of traffic, unless you have firewall rules set to drop something.
You can check MTUs; maybe the Ciscos are configured to use much larger packets than the standard 1500 bytes.
Thank you for your reply. Our layer 2 switches are set to 1526 MTU and the Cisco interfaces were set to 1500 MTU. I need to read up more on MikroTik MTU vs. L2MTU. I read somewhere that it could have been a packet fragmentation issue, but the client indicates their MTU size is set to 1500 or below.

-Ken
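The MTU angle mrz raises and kbuska follows up on above is easy to quantify. The following is an added example, not code from the thread, from MikroTik or from Cisco: it works out how large a tunnel-mode ESP packet becomes for a given cleartext size and cipher suite, and conversely the largest cleartext packet (and TCP MSS) a 1500-byte path can carry without fragmenting. The cipher suites, the 1500-byte path and the sample sizes are assumptions chosen for illustration, not values taken from anyone's network.

```python
"""ESP tunnel-mode packet-size calculator.

Added example for the MTU discussion in this thread; it is not code from
the thread, from MikroTik or from Cisco.  Framing follows RFC 4303 (ESP),
RFC 4106 (AES-GCM in ESP) and RFC 3948 (UDP encapsulation for NAT-T).
The per-algorithm overheads are the standard values for those algorithms;
the packet sizes fed in below are constructed, not captured from a link.
"""

# Cipher: IV length and the alignment the encrypted region is padded to.
# AES-GCM is combined-mode, so it carries its own 16-byte ICV (RFC 4106).
CIPHERS = {
    "aes-cbc":  {"iv": 16, "block": 16},
    "3des-cbc": {"iv": 8,  "block": 8},
    "aes-gcm":  {"iv": 8,  "block": 4, "icv": 16},
    "null":     {"iv": 0,  "block": 4},  # RFC 4303: always 4-byte aligned
}
# Integrity algorithm: truncated ICV length in bytes.
INTEGRITY = {
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "hmac-md5-96": 12,
    "none": 0,
}

IPV4_HDR = 20       # outer IPv4 header, no options
UDP_HDR = 8         # NAT-T: ESP wrapped in UDP/4500
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
IPV4_TCP_HDRS = 40  # inner IPv4 (20) + TCP (20), for the MSS figure


def esp_packet_size(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Outer IPv4 length of a tunnel-mode ESP packet carrying an inner_len-byte IP packet."""
    c = CIPHERS[cipher]
    icv = c.get("icv", INTEGRITY[integ])
    # The encrypted region is inner packet + padding + trailer, rounded up
    # to the cipher's alignment; the padding is what makes the overhead vary.
    plain = inner_len + ESP_TRAILER
    encrypted = -(-plain // c["block"]) * c["block"]
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + c["iv"] + encrypted + icv


def max_inner_packet(outer_mtu, **kw):
    """Largest inner IP packet whose ESP encapsulation still fits outer_mtu.

    esp_packet_size is monotone in inner_len, so walking down from outer_mtu
    finds the boundary; because of padding it is not simply outer_mtu - constant.
    """
    size = outer_mtu
    while size > 0 and esp_packet_size(size, **kw) > outer_mtu:
        size -= 1
    if size <= 0:
        raise ValueError("outer MTU %d cannot carry any ESP payload" % outer_mtu)
    return size


def tcp_mss_clamp(outer_mtu, **kw):
    """TCP MSS to clamp on the tunnel so a full segment survives unfragmented."""
    return max_inner_packet(outer_mtu, **kw) - IPV4_TCP_HDRS


def fits(inner_len, outer_mtu, **kw):
    """True if an inner packet of this size can cross a path of outer_mtu unfragmented."""
    return esp_packet_size(inner_len, **kw) <= outer_mtu


if __name__ == "__main__":
    path_mtu = 1500  # constructed: a plain Ethernet path between the two peers
    for cipher, integ, nat in [("aes-cbc", "hmac-sha1-96", False),
                               ("aes-cbc", "hmac-sha256-128", True),
                               ("aes-gcm", "none", False)]:
        kw = dict(cipher=cipher, integ=integ, nat_t=nat)
        print("%-8s %-16s nat-t=%-5s 1500-byte inner -> %4d outer, fits=%s; "
              "max inner %4d, MSS clamp %4d" % (
                  cipher, integ, nat, esp_packet_size(1500, **kw),
                  fits(1500, path_mtu, **kw), max_inner_packet(path_mtu, **kw),
                  tcp_mss_clamp(path_mtu, **kw)))
```

With AES-CBC and HMAC-SHA1 a full 1500-byte inner packet becomes 1560 bytes on the wire, so with DF set it cannot cross a 1500-byte hop at all, and the inner limit comes out at 1438 bytes; that gap is why IPsec deployments commonly clamp TCP MSS to around 1360-1400. To confirm the transit path itself carries full frames, an on-box check from RouterOS is to ping the far peer's public address with a size near 1500 and do-not-fragment set (assumed here to be the `/ping` command's `size=` and `do-not-fragment` options); if that fails while a smaller size succeeds, the problem is the path, not the tunnel.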
 
patrick7
Member
Posts: 343
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 7:42 pm

If you are using NAT, you have to add an "accept" rule in the NAT table. I also had problems with using IPsec + FastTrack on the same device. I exclude all IPsec-related traffic from FastTrack:
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
And
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related
 
kbuska
newbie
Topic Author
Posts: 49
Joined: Fri Oct 15, 2010 7:45 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 8:07 pm

If you are using NAT, you have to add an "accept" rule in the NAT table. I also had problems with using IPsec + FastTrack on the same device. I exclude all IPsec-related traffic from FastTrack:
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
And
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-mark=!ipsec connection-state=established,related
So are you saying that it doesn't matter if the NAT statements you use don't apply to that subnet; if you use any NAT statements at all, you have to exclude IPsec connections in a mangle rule?

Cheers,
 
patrick7
Member
Posts: 343
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 9:36 pm

The mangle rule is to exclude IPsec from FastTrack. You need the NAT rule BEFORE any srcnat rules, because otherwise it will change the source address and the packet will not match any IPsec policy anymore.
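Putting the three pieces from patrick7's two posts above (the NAT accept, the mangle marks and the FastTrack exclusion) into the order that actually works, as an added example that is neither patrick7's exported config nor anything from MikroTik's own documentation. The interface name and subnets are placeholders. The last section is the rule set that matters for the original poster's pass-through case, where the RB2011 terminates nothing.

```routeros
# Added example, not from the thread.  Placeholders: ether1-wan is the upstream
# interface, 192.0.2.0/24 the local LAN behind this router, 203.0.113.0/24 a
# customer's public block that merely transits it.

# 1. NAT.  The accept for IPsec-bound traffic must sit ABOVE masquerade/src-nat.
#    A source address rewritten by srcnat is re-checked against the policies,
#    no longer matches the policy selectors, and the packet is not encrypted.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="IPsec: leave source untouched"
add chain=srcnat action=masquerade out-interface=ether1-wan comment="Everything else"

# 2. Mangle.  Tag connections this router encrypts (out) or decrypts (in).
#    Only policies configured on THIS router make these matchers fire.
/ip firewall mangle
add chain=forward action=mark-connection ipsec-policy=out,ipsec new-connection-mark=ipsec comment="IPsec out"
add chain=forward action=mark-connection ipsec-policy=in,ipsec new-connection-mark=ipsec comment="IPsec in"

# 3. Filter.  fasttrack-connection must come BEFORE the generic accept for
#    established,related; if the accept is first, nothing is ever fast-tracked.
#    The negated mark keeps IPsec flows on the normal path so they still go
#    through policy lookup instead of being short-circuited past it.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec comment="FastTrack non-IPsec"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept ipsec-policy=in,ipsec comment="Decrypted IPsec traffic"
add chain=forward action=drop connection-state=invalid

# 4. Pass-through case (the RB2011 in this thread).  ipsec-policy matchers
#    never fire here, since no policy on this box covers the flow; the router
#    just forwards the outer packets.  Nothing is required unless a drop or
#    NAT rule would otherwise catch them, in which case accept them first:
/ip firewall filter
add chain=forward action=accept protocol=ipsec-esp comment="ESP transit"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="IKE and NAT-T transit"
/ip firewall nat
add chain=srcnat action=accept src-address=203.0.113.0/24 comment="Customer public block: never NAT"
```

The ordering in sections 1 and 3 is the whole point: RouterOS evaluates rules top to bottom and stops at the first terminating match, so an IPsec accept placed below masquerade, or a fasttrack rule placed below a blanket accept for established,related, is dead configuration even though each rule looks right on its own. Section 4 also shows why patrick7's advice does not change anything for the original poster: with no NAT touching the customer's public addresses and no drop rules, a transit box has nothing to exclude.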
 
kbuska
newbie
Topic Author
Posts: 49
Joined: Fri Oct 15, 2010 7:45 pm

Re: IPSec VPN through RB2011 isn't passing traffic through tunnel

Fri Aug 28, 2015 10:32 pm

The mangle rule is to exclude IPsec from FastTrack. You need the NAT rule BEFORE any srcnat rules, because otherwise it will change the source address and the packet will not match any IPsec policy anymore.

That is only if the NAT rule applies to that source address, yes?
