HGSupport
just joined
Topic Author
Posts: 8
Joined: Thu Mar 16, 2023 9:53 pm

Remote browsing over ipsec

Thu May 25, 2023 3:29 pm

Hello,

I set up an architecture with MikroTiks in the small HQs, connected in remote browsing over IPsec toward a Fortigate cluster located in the main HQ.

The LANs of the small HQs are working OK and are connecting through the tunnel without any problem.

The problem is that the devices cannot ping their own gateway.

For the PCs it doesn't cause any problems (even if they don't ping their gateway, they can connect to the internet or to LAN servers), but for the printers it does, and scan-to-email is no longer working for the users when the tunnel is enabled (the printers seem to need to ping the gateway in order to work).

Do you have any suggestions about this issue?

Many thanks guys.
 
HGSupport

Re: Remote browsing over ipsec

Thu May 25, 2023 4:30 pm

My MikroTik configuration for the IPsec tunnel:

# IPsec configuration toward the Fortigate; change the corresponding IPs.
# $remotepublicip, $remotesubnet, $lansubnet and $secretpsk are placeholders.
# Phase 1 (IKE) settings
/ip ipsec profile
add dh-group=modp2048 dpd-interval=30s dpd-maximum-failures=5 enc-algorithm=aes-128 name=Phase1 nat-traversal=yes lifetime=24h
/ip ipsec peer
add address=$remotepublicip name=To-Fortigate profile=Phase1
# Phase 2 (ESP) settings
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=12h name=Phase2 pfs-group=none
# Pre-shared key for the peer
/ip ipsec identity
add peer=To-Fortigate secret=$secretpsk
# Full-tunnel policy: everything from the LAN subnet goes to the Fortigate
/ip ipsec policy
add dst-address=0.0.0.0/0 level=unique peer=To-Fortigate proposal=Phase2 src-address="$lansubnet/24" tunnel=yes
# Exclude LAN-to-remote traffic from source NAT
/ip firewall nat
add chain=srcnat action=accept src-address="$lansubnet/24" dst-address=$remotesubnet

Should I maybe add another rule to be able to ping the gateway?

Thanks
 
HGSupport

Re: Remote browsing over ipsec

Mon May 29, 2023 11:22 am

Is it normal or not to be unable to ping the gateway when there is an IPsec tunnel in remote browsing?
 
HGSupport

Re: Remote browsing over ipsec

Mon May 29, 2023 12:39 pm

When I do an arp -a, I can see the address:

>arp -a

Interface: 192.168.52.238 --- 0x3
Internet Address      Physical Address      Type
192.168.52.1
192.168.52.238

When I do a tracert, it goes directly through the tunnel without passing through this gateway:

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 * * * Request timed out.
2 22 ms 30 ms 28 ms 10.48.0.2
3 32 ms 30 ms 33 ms 10.48.0.1
4 32 ms 38 ms 31 ms 10.52.191.161

Many thanks
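Editor's note, not part of the thread: a likely explanation for the symptom above is that the 0.0.0.0/0 policy with src-address=$lansubnet/24 also matches packets the router itself sends from its LAN address 192.168.52.1 to LAN hosts (ICMP echo replies, TTL-exceeded messages), so those replies are encrypted toward the Fortigate instead of being delivered locally, which is consistent with the first tracert hop timing out. The usual RouterOS remedy is an exempting policy ahead of the tunnel policy. The following is an added example, not the poster's configuration; it assumes RouterOS v7, the placeholder $lansubnet and the To-Fortigate peer from the config posted above, and the 192.168.52.x addresses shown in the arp -a output.

```routeros
# Added example (not from the original post). Assumes the $lansubnet
# placeholder and the "To-Fortigate" peer already defined above.
#
# Policies are matched top-down, so the exempting policy must sit above the
# 0.0.0.0/0 tunnel policy. action=none sends matching traffic in the clear
# instead of into the tunnel. The existing full-tunnel policy is left as is.
/ip ipsec policy
add action=none src-address="$lansubnet/24" dst-address="$lansubnet/24" \
    comment="Keep LAN-to-LAN traffic (incl. router replies) out of the tunnel" \
    place-before=[find dst-address=0.0.0.0/0 peer=To-Fortigate]

# Checks, run on the MikroTik itself:
# 1. The action=none entry must be listed before the 0.0.0.0/0 entry.
/ip ipsec policy print

# 2. Ping a LAN host from the router's LAN address (addresses are the ones
#    from the arp -a output above). A reply means packets sourced from the
#    gateway address are no longer being pulled into the tunnel.
/ping 192.168.52.238 src-address=192.168.52.1 count=3
```

If the printers' scan-to-email still fails after LAN-to-LAN traffic is exempted, the remaining suspect is the mail path itself, which now traverses the tunnel and is subject to the Fortigate's policies rather than the local router.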
