I am trying to create a connection between two sites with the following configuration:
Site bd ------------------------------------------------------------------------------------------Site sf
192.168.1.0/24 - router - 89.25.116.97 ---- internet ---- 212.75.26.103 - router - 192.168.2.0/24
The connection is established but ping does not pass to the other site.
The configuration of Site bd is:
[admin@MikroTik] > ip ipsec profile print detail
Flags: * - default
0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
1 name="Sofiaconn" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print detail
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
1 name="Sofiaconn" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
[admin@MikroTik] > ip ipsec peer print detail
Flags: X - disabled, D - dynamic, R - responder
0 name="Sofiaconn" address=harpunqcite.ddns.net profile=Sofiaconn exchange-mode=main send-initial-contact=yes
[admin@MikroTik] > ip ipsec identity print detail
Flags: D - dynamic, X - disabled
0 peer=Sofiaconn auth-method=pre-shared-key secret="***mypassword***" generate-policy=no
[admin@MikroTik] > ip ipsec policy print detail
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A peer=Sofiaconn tunnel=yes src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=89.25.116.97 sa-dst-address=212.75.26.103
proposal=Sofiaconn ph2-count=2
[admin@MikroTik] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
2 ;;; sofia_connection
chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=22 protocol=tcp in-interface=pppoe-out1 dst-port=11000 log=no log-prefix=""
3 ;;; webdav
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.4 dst-port=5222 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.1.4 protocol=tcp dst-address-type=local dst-port=5222 log=no log-prefix=""
5 ;;; IP camera
chain=dstnat action=dst-nat to-addresses=192.168.1.30 to-ports=99 protocol=tcp in-interface=pppoe-out1 dst-port=99 log=no log-prefix=""
6 ;;; ;;FTP on rasppbery
chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=21 protocol=tcp in-interface=pppoe-out1 src-port="" dst-port=22000 log=no log-prefix="FTP forward"
[admin@MikroTik] > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=accept connection-state=established,related src-address=192.168.1.0/24 dst-address=192.168.2.0/24
2 chain=forward action=accept connection-state=established,related src-address=192.168.2.0/24 dst-address=192.168.1.0/24
3 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The configuration of Site sf is:
[admin@MikroTik] > ip ipsec profile print detail
Flags: * - default
0 * name="default" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
1 name="BotevgradConn" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print detail
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
1 name="BotevgradConn" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
[admin@MikroTik] > ip ipsec peer print detail
Flags: X - disabled, D - dynamic, R - responder
0 name="BotevgradConn" address=uc-zone.org profile=BotevgradConn exchange-mode=main send-initial-contact=yes
1 DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes
[admin@MikroTik] > ip ipsec identity print detail
Flags: D - dynamic, X - disabled
0 peer=BotevgradConn auth-method=pre-shared-key secret="***mypassword***" generate-policy=no
1 D ;;; l2tp-in-server
peer=l2tp-in-server auth-method=pre-shared-key remote-id=ignore secret="***mypassword***" generate-policy=port-strict
[admin@MikroTik] > ip ipsec policy print detail
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A peer=BotevgradConn tunnel=yes src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=212.75.26.103 sa-dst-address=89.25.116.97 proposal=BotevgradConn
ph2-count=2
[admin@MikroTik] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
2 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24
[admin@MikroTik] > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=accept connection-state=established,related src-address=192.168.1.0/24 dst-address=192.168.2.0/24
2 chain=forward action=accept connection-state=established,related src-address=192.168.2.0/24 dst-address=192.168.1.0/24
3 ;;; Wan Administration Web
chain=input action=accept protocol=tcp dst-port=8081 log=no log-prefix=""
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500
6 ;;; allow IKE
chain=input action=accept protocol=udp dst-port=500
7 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701
8 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723
9 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443
10 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
11 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
12 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
13 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
14 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
15 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
16 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
17 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
18 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
19 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
20 ;;; Winbox administration
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""
[admin@MikroTik] >
Both routers are version 6.49.6.
I followed the manual for site-to-site connection https://wiki.mikrotik.com/wiki/Manual:I ... unnel_mode
Can anybody help me?
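When two RouterOS dumps like the ones above have to be compared by hand it is easy to miss a single mismatched parameter. The following is an added example (not code from the post or from MikroTik): it parses `print detail` output into entries, keyed by the section named on the prompt line, and then checks that every non-template policy on one router has a mirror policy on the other (subnets and SA addresses swapped) whose proposal (phase 2) and peer profile (phase 1) negotiate the same algorithms. The two sample dumps are excerpts copied from the post, reduced to the entries the check needs; `parse_dump`, `check_mirror` and `by_name` are names chosen for this example.

```python
"""Mirror-consistency check for a MikroTik site-to-site IPsec setup (added
example, not code from the original post).  It parses RouterOS `print detail`
output and checks that the two routers' policy, proposal and profile entries
negotiate the same parameters in both directions."""
import re

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
PROMPT_RE = re.compile(r'^\[.*?\] > (.+?) print detail$')
ENTRY_RE = re.compile(r'^(\d+)((?:\s+[A-Z*]+)*)\s*(.*)$')

# Excerpts copied from the two dumps in the post (only the entries the check needs).
SITE_BD = """\
[admin@MikroTik] > ip ipsec profile print detail
1 name="Sofiaconn" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print detail
1 name="Sofiaconn" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
[admin@MikroTik] > ip ipsec peer print detail
0 name="Sofiaconn" address=harpunqcite.ddns.net profile=Sofiaconn exchange-mode=main send-initial-contact=yes
[admin@MikroTik] > ip ipsec policy print detail
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A peer=Sofiaconn tunnel=yes src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=89.25.116.97 sa-dst-address=212.75.26.103
proposal=Sofiaconn ph2-count=2
"""
SITE_SF = """\
[admin@MikroTik] > ip ipsec profile print detail
1 name="BotevgradConn" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print detail
1 name="BotevgradConn" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
[admin@MikroTik] > ip ipsec peer print detail
0 name="BotevgradConn" address=uc-zone.org profile=BotevgradConn exchange-mode=main send-initial-contact=yes
1 DR name="l2tp-in-server" passive=yes profile=default exchange-mode=main send-initial-contact=yes
[admin@MikroTik] > ip ipsec policy print detail
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A peer=BotevgradConn tunnel=yes src-address=192.168.2.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=212.75.26.103 sa-dst-address=89.25.116.97 proposal=BotevgradConn
ph2-count=2
"""

def parse_dump(text):
    """Return {section: [entry, ...]}: the prompt line names the section, a
    numbered line starts an entry (flags, then either a ;;; comment or key=value
    pairs) and an unnumbered line continues the previous entry."""
    sections, cur, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        prompt = PROMPT_RE.match(line)
        if prompt:
            cur = sections.setdefault(prompt.group(1), [])
            continue
        if not line or line.startswith("Flags:") or cur is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = {"flags": m.group(2).split(), "comment": ""}
            cur.append(entry)
            line = m.group(3)
        if line.startswith(";;;"):            # comment; the settings follow on the next line
            entry["comment"] = line[3:].strip()
            continue
        for key, val in KV_RE.findall(line):  # quoted values lose their quotes
            entry[key] = val.strip('"')
    return sections

def by_name(entries, name):
    return next(e for e in entries if e.get("name") == name)

def check_mirror(a, b):
    """Return findings (strings) for each non-template policy of site a that has
    no policy on site b with swapped subnets, swapped SA addresses and the same
    phase 2 (proposal) and phase 1 (peer -> profile) parameters.  [] means OK."""
    findings = []
    pols_b = [q for q in b["ip ipsec policy"] if "T" not in q["flags"]]
    for p in [p for p in a["ip ipsec policy"] if "T" not in p["flags"]]:
        mirror = [q for q in pols_b
                  if (q["src-address"], q["dst-address"]) == (p["dst-address"], p["src-address"])]
        if not mirror:
            findings.append(f"no mirror policy for {p['src-address']}->{p['dst-address']}")
            continue
        q = mirror[0]
        if (q["sa-src-address"], q["sa-dst-address"]) != (p["sa-dst-address"], p["sa-src-address"]):
            findings.append("SA (gateway) addresses are not mirrored")
        pa = by_name(a["ip ipsec proposal"], p["proposal"])
        pb = by_name(b["ip ipsec proposal"], q["proposal"])
        fa = by_name(a["ip ipsec profile"], by_name(a["ip ipsec peer"], p["peer"])["profile"])
        fb = by_name(b["ip ipsec profile"], by_name(b["ip ipsec peer"], q["peer"])["profile"])
        for x, y, keys in ((pa, pb, ("auth-algorithms", "enc-algorithms", "pfs-group")),
                           (fa, fb, ("hash-algorithm", "enc-algorithm", "dh-group"))):
            findings += [f"{k} differs: {x[k]} vs {y[k]}" for k in keys if x[k] != y[k]]
    return findings

if __name__ == "__main__":
    bd, sf = parse_dump(SITE_BD), parse_dump(SITE_SF)
    for label, res in (("bd -> sf", check_mirror(bd, sf)), ("sf -> bd", check_mirror(sf, bd))):
        print(label, "OK" if not res else res)
```

Run against the excerpts from the post the check reports OK in both directions, which only says that the IPsec objects themselves agree; the firewall and NAT rules are not compared here. To use it on a live pair of routers, paste each side's `print detail` output into the two strings (or read the files) and look at the findings list, which names the first parameter that differs.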