habibcss
just joined
Topic Author
Posts: 2
Joined: Mon May 23, 2022 11:51 am

unable to pass IPsec traffic through my network

Mon May 23, 2022 12:19 pm

Dear all,

I need your help to forward IPsec traffic through my MikroTik network.
My scenario is like this: I have a small ISP consisting of one MikroTik router as edge and another as FW, and also one PoP.
Now I have one client who needs to connect to his HQ in a foreign country.
In all MikroTik routers I allow the IPsec tunnel to pass with these commands:

/ip firewall filter
# ESP and AH
add action=accept chain=forward dst-address=102.219.207.180/30 ipsec-policy=in,ipsec protocol=ipsec-esp
add action=accept chain=input dst-address=102.219.207.180/30 ipsec-policy=in,ipsec protocol=ipsec-esp
add action=accept chain=input dst-address=102.219.207.180/30 ipsec-policy=in,ipsec protocol=ipsec-ah
add action=accept chain=forward dst-address=102.219.207.180/30 ipsec-policy=in,ipsec protocol=ipsec-ah
# IKE (500), L2TP (1701), NAT-T (4500) and 4501 over UDP and TCP
add action=accept chain=forward dst-address=102.219.207.182 dst-port=500,1701,4500,4501 in-interface=sfp-plus1 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=forward dst-address=102.219.207.182 dst-port=500,1701,4500,4501 in-interface=sfp-plus1 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input dst-address=102.219.207.182 dst-port=500,4500,4501,1701 in-interface=sfp-plus1 ipsec-policy=in,ipsec protocol=udp src-port=""

Please advise us if I missed any configuration, because the IPsec traffic still can't go through my network.
BR
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to pass IPsec traffic through my network

Mon May 23, 2022 2:20 pm

If you're an ISP and your client wants to have an IPsec tunnel to their remote network, the usual way is that the client creates the tunnel from their own router, and it has nothing to do with you as ISP, because you're already allowing all incoming and outgoing traffic between the client's router and the internet. So it needs some explanation of how exactly this scenario differs from that.
 
habibcss
just joined
Topic Author
Posts: 2
Joined: Mon May 23, 2022 11:51 am

Re: unable to pass IPsec traffic through my network

Mon May 23, 2022 3:56 pm

> If you're an ISP and your client wants to have an IPsec tunnel to their remote network, the usual way is that the client creates the tunnel from their own router, and it has nothing to do with you as ISP, because you're already allowing all incoming and outgoing traffic between the client's router and the internet. So it needs some explanation of how exactly this scenario differs from that.

Dear,
thanks for your reply.
I just want to confirm whether I need to permit L2TP/IPsec VPN through my firewall.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to pass IPsec traffic through my network

Mon May 23, 2022 4:22 pm

I don't know, because it's not clear how everything is connected and configured: whether the tunnel is from the customer's router or yours, and if from the customer's, whether they have a public address, etc. The rules you posted are certainly no help; they look like you randomly added "something with ipsec" anywhere you could.
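Added example, not code from either poster: a small Python checker that parses the RouterOS export format used in the first post and reports, for each rule, why it cannot match traffic that merely passes through an ISP router (one that forwards IPsec packets but does not terminate the tunnel). It assumes that role for the router; the embedded rules are re-typed from the first post, plus one constructed plain pass-through rule for contrast.

```python
# Added example, not from the thread: parse the RouterOS "/ip firewall filter"
# export format and flag matchers that cannot hit transit traffic on an ISP
# router that only forwards IPsec packets and is not an IPsec endpoint itself.
import shlex

# Constructed input: three rules re-typed from the first post plus one
# pass-through rule (last) without the ipsec-policy matcher, for contrast.
EXPORT = r"""/ip firewall filter
add action=accept chain=forward dst-address=\
102.219.207.180/30 ipsec-policy=in,ipsec protocol=\
ipsec-esp
add action=accept chain=input dst-address=102.219.207.182 \
dst-port=500,4500,4501,1701 in-interface=sfp-plus1 \
ipsec-policy=in,ipsec protocol=udp src-port=""
add action=accept chain=forward dst-address=102.219.207.182 \
dst-port=500,1701,4500,4501 in-interface=sfp-plus1 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=forward dst-address=102.219.207.180/30 protocol=ipsec-esp
"""

def parse_rules(text):
    """Join backslash continuations (RouterOS continues a line with no
    separator), then turn every 'add ...' line into a dict of matchers."""
    joined, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    rules = []
    for line in joined:
        words = shlex.split(line)          # handles src-port=""
        if words and words[0] == "add":    # skip the "/ip firewall filter" path
            rules.append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return rules

def audit(rule):
    """Return the reasons a rule cannot match forwarded IPsec/L2TP traffic."""
    problems = []
    if rule.get("ipsec-policy", "").startswith("in,ipsec"):
        # in,ipsec matches only packets this router decapsulated; ESP, AH and
        # IKE merely passing through carry no local policy (they are in,none).
        problems.append("ipsec-policy=in,ipsec never matches transit traffic")
    if rule.get("chain") == "input" and "dst-address" in rule:
        # input sees only packets addressed to the router itself, so this
        # matches only if dst-address is one of the router's own addresses.
        problems.append("chain=input does not see traffic forwarded to a client")
    return problems
```

Running `audit` over `parse_rules(EXPORT)` flags every rule from the post and leaves only the plain pass-through rule clean.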
