BorisBorisov

No traffic through IPsec site-to-site connection

Sun May 01, 2022 7:50 pm

I am trying to create a connection between two sites with the following configuration:
Site bd ------------------------------------------------------------------------------------------Site sf
192.168.1.0/24 - router - 89.25.116.97 ---- internet ---- 212.75.26.103 - router - 192.168.2.0/24
The connection is established, but pings do not pass to the other site.
The configuration of Site bd is:
[admin@MikroTik] > ip ipsec profile print detail
Flags: * - default
0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

1 name="Sofiaconn" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print detail
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024

1 name="Sofiaconn" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
[admin@MikroTik] > ip ipsec peer print detail
Flags: X - disabled, D - dynamic, R - responder
0 name="Sofiaconn" address=harpunqcite.ddns.net profile=Sofiaconn exchange-mode=main send-initial-contact=yes
[admin@MikroTik] > ip ipsec identity print detail
Flags: D - dynamic, X - disabled
0 peer=Sofiaconn auth-method=pre-shared-key secret="***mypassword***" generate-policy=no
[admin@MikroTik] > ip ipsec policy print detail
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

1 A peer=Sofiaconn tunnel=yes src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=89.25.116.97 sa-dst-address=212.75.26.103 proposal=Sofiaconn ph2-count=2
[admin@MikroTik] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""

1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

2 ;;; sofia_connection
chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=22 protocol=tcp in-interface=pppoe-out1 dst-port=11000 log=no log-prefix=""

3 ;;; webdav
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.4 dst-port=5222 log=no log-prefix=""

4 chain=dstnat action=dst-nat to-addresses=192.168.1.4 protocol=tcp dst-address-type=local dst-port=5222 log=no log-prefix=""

5 ;;; IP camera
chain=dstnat action=dst-nat to-addresses=192.168.1.30 to-ports=99 protocol=tcp in-interface=pppoe-out1 dst-port=99 log=no log-prefix=""

6 ;;; ;;FTP on rasppbery
chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=21 protocol=tcp in-interface=pppoe-out1 src-port="" dst-port=22000 log=no log-prefix="FTP forward"
[admin@MikroTik] > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=accept connection-state=established,related src-address=192.168.1.0/24 dst-address=192.168.2.0/24

2 chain=forward action=accept connection-state=established,related src-address=192.168.2.0/24 dst-address=192.168.1.0/24

3 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The configuration of Site sf is:
[admin@MikroTik] > ip ipsec profile print detail
Flags: * - default
0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

1 name="BotevgradConn" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print detail
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024

1 name="BotevgradConn" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
[admin@MikroTik] > ip ipsec peer print detail
Flags: X - disabled, D - dynamic, R - responder
0 name="BotevgradConn" address=uc-zone.org profile=BotevgradConn exchange-mode=main send-initial-contact=yes

1 DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes
[admin@MikroTik] > ip ipsec identity print detail
Flags: D - dynamic, X - disabled
0 peer=BotevgradConn auth-method=pre-shared-key secret="***mypassword***" generate-policy=no

1 D ;;; l2tp-in-server
peer=l2tp-in-server auth-method=pre-shared-key remote-id=ignore secret="***mypassword***" generate-policy=port-strict
[admin@MikroTik] > ip ipsec policy print detail
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

1 A peer=BotevgradConn tunnel=yes src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=212.75.26.103 sa-dst-address=89.25.116.97 proposal=BotevgradConn ph2-count=2
[admin@MikroTik] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

2 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24
[admin@MikroTik] > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=accept connection-state=established,related src-address=192.168.1.0/24 dst-address=192.168.2.0/24

2 chain=forward action=accept connection-state=established,related src-address=192.168.2.0/24 dst-address=192.168.1.0/24

3 ;;; Wan Administration Web
chain=input action=accept protocol=tcp dst-port=8081 log=no log-prefix=""

4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

5 ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500

6 ;;; allow IKE
chain=input action=accept protocol=udp dst-port=500

7 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701

8 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723

9 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443

10 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

11 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

12 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

13 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

14 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

15 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

16 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

17 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

18 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

19 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

20 ;;; Winbox administration
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""
[admin@MikroTik] >


Both routers are version 6.49.6.
I followed the manual for the site-to-site connection: https://wiki.mikrotik.com/wiki/Manual:I ... unnel_mode

Can anybody help me?
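Added example, not code from the post or from MikroTik: a small Python checker that parses RouterOS "print detail" output like the dumps above and tests three things a site-to-site IPsec troubleshooter looks at first: that the two phase-2 policies mirror each other, that the srcnat bypass rule precedes masquerade, and that the forward rules accepting ipsec-policy sit above fasttrack. The embedded samples are constructed excerpts of the posted dumps; the function names are mine.

```python
import re

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_rules(text):
    """One dict per rule from 'print detail' output; an index opens a rule, wrapped lines continue it."""
    rules, cur = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if re.match(r"\d+(\s|$)", line):
            cur = {}
            rules.append(cur)
        if cur is not None and not line.startswith("Flags:"):
            cur.update({k: v.strip('"') for k, v in KV.findall(line)})
    return rules

def policies_mirrored(a, b):
    """Phase-2 selectors and SA endpoints on the two sites must be exact mirrors of each other."""
    return (a["src-address"], a["dst-address"], a["sa-src-address"], a["sa-dst-address"]) == \
           (b["dst-address"], b["src-address"], b["sa-dst-address"], b["sa-src-address"])

def nat_bypass_before_masquerade(nat, src, dst):
    """The srcnat accept for the VPN subnets must come before masquerade; otherwise the
    source address is rewritten and the packet no longer matches the IPsec policy."""
    first = lambda pred: next((i for i, r in enumerate(nat) if pred(r)), None)
    bypass = first(lambda r: r.get("chain") == "srcnat" and r.get("action") == "accept"
                   and r.get("src-address") == src and r.get("dst-address") == dst)
    masq = first(lambda r: r.get("chain") == "srcnat" and r.get("action") == "masquerade")
    return bypass is not None and (masq is None or bypass < masq)

def ipsec_accept_before_fasttrack(flt):
    """Forward rules accepting ipsec-policy=in,ipsec / out,ipsec must sit above the
    fasttrack-connection rule, because fasttracked packets bypass the IPsec policy check."""
    fwd = [r for r in flt if r.get("chain") == "forward"]
    idx = lambda pred: next((i for i, r in enumerate(fwd) if pred(r)), len(fwd))
    ft = idx(lambda r: r.get("action") == "fasttrack-connection")
    return all(idx(lambda r, p=p: r.get("action") == "accept" and r.get("ipsec-policy") == p) < ft
               for p in ("in,ipsec", "out,ipsec"))

# Constructed excerpts of the two posted dumps (policy and srcnat rules only).
BD_POLICY = parse_rules("""1 A peer=Sofiaconn tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24
action=encrypt sa-src-address=89.25.116.97 sa-dst-address=212.75.26.103 proposal=Sofiaconn""")[0]
SF_POLICY = parse_rules("""1 A peer=BotevgradConn tunnel=yes src-address=192.168.2.0/24 dst-address=192.168.1.0/24
action=encrypt sa-src-address=212.75.26.103 sa-dst-address=89.25.116.97 proposal=BotevgradConn""")[0]
BD_NAT = parse_rules("""0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none""")
```

Run against the rules in the post, all three checks pass on both sites, so the selector and ordering mistakes they detect are not present in the posted configuration.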
