 
crix75
just joined
Topic Author
Posts: 17
Joined: Thu May 13, 2010 4:42 pm

I Can't ping the remote network from router RB450g over IPSE

Tue Feb 28, 2012 4:23 pm

Hi, we have an IPSEC tunnel from MikroTik to a StoneGate firewall. I can ping from my network to the remote network and vice versa, but I can't ping from my MikroTik router to the remote network. This is a problem for DNS: the router can't see the DNS server in the remote network.
Can someone help me?

This is my configuration:
[admin@ROUTER RB450] /ip ipsec peer> print 
Flags: X - disabled 
 0   address=81.198.9.98/32 port=500 auth-method=pre-shared-key secret="*********" generate-policy=no 
     exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey 
     hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd 
     dpd-maximum-failures=1 
[admin@ROUTER RB450] /ip ipsec peer> ..
[admin@ROUTER RB450] /ip ipsec> policy
[admin@ROUTER RB450] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=192.168.255.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all 
     action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=18.114.2.111 
     sa-dst-address=81.198.9.98 proposal=default priority=0 
I modified the public address.
Thanks
Cris
 
vik1988
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: I Can't ping the remote network from router RB450g over

Thu Mar 01, 2012 6:38 pm

Have you added an IP firewall accept rule?
 
crix75
just joined
Topic Author
Posts: 17
Joined: Thu May 13, 2010 4:42 pm

Re: I Can't ping the remote network from router RB450g over

Fri Mar 02, 2012 3:53 pm

No, can you explain it to me?
I added a rule with src-address 0.0.0.0/0, chain=input and action=accept, but nothing changed.

:shock:

Thanks.
 
vik1988
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: I Can't ping the remote network from router RB450g over

Sat Mar 03, 2012 4:37 am

In your case you need an IP firewall NAT rule like the one below:
/ip firewall nat add chain=srcnat src-address=192.168.255.0/24 dst-address=192.168.1.0/24 action=accept
This rule should be at the top of all NAT rules.

Check the example on this wiki page: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
 
crix75
just joined
Topic Author
Posts: 17
Joined: Thu May 13, 2010 4:42 pm

Re: I Can't ping the remote network from router RB450g over

Mon Mar 05, 2012 12:15 pm

Thanks for your reply. I have this rule, and I can ping the remote network from the local network, for example from 192.168.255.30 to 192.168.1.51, but I cannot ping the host 192.168.1.51 from the terminal of router RB450.
The problem is that 192.168.1.51 is a DNS server, and the router cannot reach it.

I don't understand where my error is.
If I configure 192.168.1.51 in the DNS configuration of my client PCs, they can reach the DNS server and everything works correctly, but if I insert the IP address into the DNS configuration of the router, the router cannot reach the IP.
;;; VPN office 1
0   chain=srcnat action=accept src-address=192.168.255.0/24 dst-address=192.168.1.0/24 
;;;VPNoffice 2
1   chain=srcnat action=accept src-address=192.168.255.0/24 dst-address=192.168.0.0/24 
Thanks
Cris
 
vik1988
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: I Can't ping the remote network from router RB450g over

Tue Mar 06, 2012 6:05 am

Nice to see that it works for you... Did you check pinging 192.168.1.51 with a src-address? What is the remote device's make and model?
 
dmnc
just joined
Posts: 9
Joined: Mon Nov 18, 2013 9:27 pm

Re: I Can't ping the remote network from router RB450g over

Mon Nov 18, 2013 9:29 pm

Sorry for the necrobump, but I have the same problem here. I still have no clue how to solve it.
 
flroute
just joined
Posts: 2
Joined: Fri Sep 07, 2012 12:24 am

Re: I Can't ping the remote network from router RB450g over

Thu Dec 12, 2013 6:53 pm

Late reply for you.

When trying to ping the remote network from the router, you need to change the interface to your local LAN interface in the ping utility. On my setup, it was defaulting to the 0.0.0.0/24 rule and trying to push it out the ether1 WAN interface. Changing the interface to ether2 LAN allowed the ping to go through the IPSEC tunnel.
 
GioMac
just joined
Posts: 3
Joined: Sun Dec 27, 2015 7:02 am
Location: Tbilisi, Georgia

Re: I Can't ping the remote network from router RB450g over IPSE

Sun Dec 27, 2015 7:31 am

I guess this is one of the most viewed topics.

Here is the answer:

When you ping/connect to the remote network from the IPsec peer, which in this case is the MikroTik router, then the MikroTik must have an IP address routable from both sides to ping the destination, and this is where things don't go the way we think: the router doesn't have any IP address in that network, and the only route to that network is through the interface of the default route, because the IPsec policies that we usually set up between two networks don't apply to the router itself. So, to ping the remote network you must have:

1. Correct Source IP address
2. Destination route

To correct this issue, there are two ways:

A. Add a route (the better option):

dst-address: [destination network]
Gateway: [interface with router's source ip]

This will map the router's IP address to one that is routed, and then the IPsec policies will be applied.

B. Add a netmap rule in the firewall between the "typical" IPsec "accept" rules and the masquerade rule of the gateway:

dst-address: [destination network]
out-interface: [default gateway interface]
action: netmap
to address: [source ip address of the router for destination network]

P.S. You're welcome.
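The three fixes in this thread (vik1988's "accept rule on top of the NAT rules", flroute's "pick the LAN interface / source address in the ping utility", and GioMac's option A of adding a route to the remote network via the LAN interface) all come down to the same mechanism: an IPsec policy is matched on the source and destination selectors after srcnat has run, and router-originated traffic takes the address of its egress interface as source. The following Python model is an added example, not code from the thread or from MikroTik; it uses the addresses posted above and assumes a LAN-side router address of 192.168.255.1, interface names ether1 (WAN) and ether2 (LAN), and a single masquerade rule on the WAN interface. It reproduces the thread's symptom (router ping leaves the WAN unencrypted, with a private destination that goes nowhere) and shows which of the three changes make the packet match the policy.

```python
"""Model of RouterOS source-address selection, srcnat ordering and IPsec policy match (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology using the addresses posted in the thread; the LAN-side
# router address 192.168.255.1 and the interface names are assumptions.
WAN_IF, LAN_IF = "ether1", "ether2"
WAN_IP = ipaddress.ip_address("18.114.2.111")    # sa-src-address in the policy print
LAN_IP = ipaddress.ip_address("192.168.255.1")   # assumed router address on the LAN
LAN_HOST = ipaddress.ip_address("192.168.255.30")
REMOTE_DNS = ipaddress.ip_address("192.168.1.51")
LOCAL_NET = ipaddress.ip_network("192.168.255.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    interface: str


@dataclass
class NatRule:
    action: str                                    # "accept" or "masquerade"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    out_interface: Optional[str] = None


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


class Router:
    def __init__(self, routes, srcnat, policies):
        self.addresses = {WAN_IF: WAN_IP, LAN_IF: LAN_IP}
        self.routes, self.srcnat, self.policies = routes, srcnat, policies

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        hits = [r for r in self.routes if dst in r.dst]
        return max(hits, key=lambda r: r.dst.prefixlen, default=None)

    def send(self, dst, src=None):
        """Return ("encrypted" | "cleartext" | "no route", source address actually used)."""
        route = self.lookup(dst)
        if route is None:
            return "no route", None
        if src is None:
            # Router-originated traffic takes the egress interface's own address.
            src = self.addresses[route.interface]
        # srcnat chain: first matching rule wins, as in /ip firewall nat.
        for rule in self.srcnat:
            if rule.src is not None and src not in rule.src:
                continue
            if rule.dst is not None and dst not in rule.dst:
                continue
            if rule.out_interface is not None and rule.out_interface != route.interface:
                continue
            if rule.action == "masquerade":
                src = self.addresses[route.interface]
            break
        # The IPsec policy selectors are checked after srcnat, on the possibly rewritten source.
        if any(src in p.src and dst in p.dst for p in self.policies):
            return "encrypted", src
        return "cleartext", src


def build_router(accept_first=True, extra_routes=()):
    """Default route via WAN, connected LAN route, the thread's policy, and two srcnat rules."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), WAN_IF),
              Route(LOCAL_NET, LAN_IF), *extra_routes]
    accept = NatRule("accept", src=LOCAL_NET, dst=REMOTE_NET)   # vik1988's rule
    masq = NatRule("masquerade", out_interface=WAN_IF)
    srcnat = [accept, masq] if accept_first else [masq, accept]
    return Router(routes, srcnat, [Policy(LOCAL_NET, REMOTE_NET)])


def lan_host_ping(accept_first=True):
    """A LAN client pings the remote DNS server through the router."""
    return build_router(accept_first).send(REMOTE_DNS, src=LAN_HOST)


def router_ping(src=None, with_lan_route=False):
    """The router itself pings the remote DNS server; optionally with an explicit
    src-address (flroute) or with GioMac's option A route via the LAN interface."""
    extra = (Route(REMOTE_NET, LAN_IF),) if with_lan_route else ()
    return build_router(extra_routes=extra).send(REMOTE_DNS, src=src)


if __name__ == "__main__":
    print("LAN host, accept above masquerade:", lan_host_ping())
    print("LAN host, masquerade above accept:", lan_host_ping(accept_first=False))
    print("router, default source:           ", router_ping())
    print("router, src-address=LAN_IP:       ", router_ping(src=LAN_IP))
    print("router, route via LAN interface:  ", router_ping(with_lan_route=True))
```

The failing case is the one the thread started with: the router's own echo request picks the default route, takes 18.114.2.111 as source, misses the 192.168.255.0/24 selector and is handed to the WAN interface in the clear, addressed to a private host it can never reach. The model also shows why the accept rule has to sit above masquerade: with the order swapped, even LAN-originated traffic is rewritten to the WAN address before the policy check and leaves unencrypted. Either forcing the LAN source address or installing the more specific route for 192.168.1.0/24 via the LAN interface puts the router's packets inside the policy selector.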
