Inamandla
just joined
Topic Author
Posts: 7
Joined: Sat Aug 01, 2020 10:56 am
Location: Johannesburg, South Africa

IPSEC IKEv2 VPN ping fails

Tue Jun 14, 2022 5:33 pm

Hi, I have an IPSEC IKEv2 VPN setup. The Active Peer is connected with PHASE 2.
I can ping the mikrotik2 IP address from LAN1 PC.
I can ping some of the devices on LAN2 from LAN1 PC.
I can ping all equipment on its own LAN from the Mikrotik on that LAN.
I cannot ping any devices from any Mikrotik to the other LAN, I get request timed out.
My VPN is setup correctly but somewhere the NAT is not working.
Does anyone know where the problem might be?

Thanks
Ash
 
own3r1138
Long time Member
Posts: 688
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IPSEC IKEv2 VPN ping fails

Tue Jun 14, 2022 6:08 pm

Hi,
The possibilities are endless. You should export your config from both sides and share it (remove any sensitive data and public IPs).
Overall, you could check this article.
Also, you could contact networkberg; I believe he lives in Johannesburg too. :D
 
Inamandla
just joined
Topic Author
Posts: 7
Joined: Sat Aug 01, 2020 10:56 am
Location: Johannesburg, South Africa

Re: IPSEC IKEv2 VPN ping fails

Tue Jun 14, 2022 7:11 pm

Hi, I have an IPSEC IKEv2 VPN setup. The Active Peer is connected with PHASE 2 established.
I can ping the mikrotik2 IP(192.168.60.1) address from LAN1 PC(192.168.20.254).
I can ping some of the devices on LAN2(e.g. 192.168.60.21,22=printer) from LAN1 PC(192.168.20.254).
I cannot ping some of the devices on LAN2(e.g. 192.168.60.250,15) from LAN1 PC(192.168.20.254).
I can ping all equipment on its own LAN from the Mikrotik (e.g. 192.168.60.1) on that LAN (e.g. 192.168.60.250, 21, 22, 15).
I cannot ping any devices from any Mikrotik(e.g.192.168.60.1) to the other LAN(e.g.192.168.20.x), I get request timed out.
My VPN is setup correctly but somewhere the NAT is not working.
What could possibly be the problem?
I have setup 3 other ipsec VPNs, all with the same issue. Router setups are exactly the same.
 
Inamandla
just joined
Topic Author
Posts: 7
Joined: Sat Aug 01, 2020 10:56 am
Location: Johannesburg, South Africa

Re: IPSEC IKEv2 VPN ping fails

Tue Jun 14, 2022 7:44 pm

Router 1 Config
# jun/14/2022 17:44:12 by RouterOS 6.47.9
# software id = VD2G-7XQB
#
# model = RB941-2nD
# serial number = xxxxxxx
/interface bridge
add admin-mac=2C:C8:1B:78:53:8A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=HeadOffice wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxx wpa2-pre-shared-key=xxxxx
/ip ipsec profile
add dh-group=modp1024 name=ProfileBranch
/ip ipsec peer
add address=branch.dyndns.biz exchange-mode=ike2 name=BranchPeer profile=ProfileBranch
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1d name=BranchProposal
/ip pool
add name=dhcp ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.20.1/24 comment=defconf interface=ether2 network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.20.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer=BranchPeer secret=BranchSecret
/ip ipsec policy
add dst-address=192.168.60.0/24 peer=BranchPeer proposal=BranchProposal sa-dst-address=192.192.192.238 sa-src-address=0.0.0.0 src-address=192.168.20.0/24 tunnel=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Headoffice
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Router 2 Config
# jun/14/2022 17:45:04 by RouterOS 6.48.2
# software id = N891-NKV8
#
# model = RB941-2nD
# serial number = yyyyyyy
/interface bridge
add admin-mac=48:8F:5A:35:41:2F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="south africa" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Branch station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxx wpa2-pre-shared-key=xxxxx
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=HeadOffice
/ip ipsec peer
add address=headoffice.dyndns.biz exchange-mode=ike2 name=HeadOfficePeer profile=HeadOffice
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1d name=HeadOfficeProposal
/ip pool
add name=dhcp ranges=192.168.60.120-192.168.60.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.60.1/24 comment=defconf interface=ether2 network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.60.0/24 comment=defconf gateway=192.168.60.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.60.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.60.250 to-ports=3389
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer=HeadOfficePeer secret=BranchSecret
/ip ipsec policy
add dst-address=192.168.20.0/24 peer=HeadOfficePeer proposal=HeadOfficeProposal sa-dst-address=192.143.15.189 sa-src-address=192.168.8.101 src-address=192.168.60.0/24 tunnel=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Branch
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Inamandla
just joined
Topic Author
Posts: 7
Joined: Sat Aug 01, 2020 10:56 am
Location: Johannesburg, South Africa

Re: IPSEC IKEv2 VPN ping fails

Tue Jun 14, 2022 7:48 pm

> Hi,
> The possibilities are endless. You should export your config from both sides and share it (remove any sensitive data and public IPs).
> Overall, you could check this article.
> Also, you could contact networkberg; I believe he lives in Johannesburg too. :D
Can't find networkberg?
 
own3r1138
Long time Member
Posts: 688
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IPSEC IKEv2 VPN ping fails

Tue Jun 14, 2022 7:50 pm

@Inamandla
You could check this article.
(attachment: 2022-06-14_21-18-03.jpg)

> Can't find networkberg
https://www.youtube.com/c/TheNetworkBerg
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC IKEv2 VPN ping fails

Wed Jun 15, 2022 9:14 am

> I cannot ping any devices from any Mikrotik to the other LAN, I get request timed out.
The policies link the LAN subnets (192.168.60.0/24 and 192.168.20.0/24) together, but when you ping from the Mikrotik itself, the source address of the ping is not magically chosen to be the LAN one, so the policy cannot "see" the packet.

When the router itself sends a packet, it first finds a route to the destination, and then sets the source address of the packet to the address of the out-interface through which the gateway of that route is accessible. This can be overridden by a pref-src parameter of the route, and it can also be changed later using a src-nat or masquerade rule.

In your case, the only route in the table is the default one via WAN, added dynamically via DHCP. So you can add a src-nat rule like
chain=srcnat src-address-type=local dst-address=192.168.0.0/16 action=src-nat to-addresses=the.local.lan.ip
before the action=masquerade one. Or you can add a route
dst-address=192.168.0.0/16 gateway=bridge - it seems like nonsense but it does what is needed: it makes the router use the LAN IP as a source for all traffic towards any destination in the 192.168.0.0-192.168.255.255 range. The fact that the packet could not get anywhere if sent out via the bridge is not important, as the IPsec policy will intercept it.
 
Inamandla
just joined
Topic Author
Posts: 7
Joined: Sat Aug 01, 2020 10:56 am
Location: Johannesburg, South Africa

Re: IPSEC IKEv2 VPN ping fails

Wed Jun 15, 2022 1:17 pm

> I cannot ping any devices from any Mikrotik to the other LAN, I get request timed out.
> The policies link the LAN subnets (192.168.60.0/24 and 192.168.20.0/24) together, but when you ping from the Mikrotik itself, the source address of the ping is not magically chosen to be the LAN one, so the policy cannot "see" the packet.
>
> When the router itself sends a packet, it first finds a route to the destination, and then sets the source address of the packet to the address of the out-interface through which the gateway of that route is accessible. This can be overridden by a pref-src parameter of the route, and it can also be changed later using a src-nat or masquerade rule.
>
> In your case, the only route in the table is the default one via WAN, added dynamically via DHCP. So you can add a src-nat rule like
> chain=srcnat src-address-type=local dst-address=192.168.0.0/16 action=src-nat to-addresses=the.local.lan.ip
> before the action=masquerade one. Or you can add a route
> dst-address=192.168.0.0/16 gateway=bridge - it seems like nonsense but it does what is needed: it makes the router use the LAN IP as a source for all traffic towards any destination in the 192.168.0.0-192.168.255.255 range. The fact that the packet could not get anywhere if sent out via the bridge is not important, as the IPsec policy will intercept it.
Thanks Sindy, I have added the NAT rule as well as the route, with no joy. Below is what is happening, I don't know why. I have tried IKE2, Aggressive and Main Peers and all give the same issue:

I can ping the mikrotik2 IP(192.168.60.1) address from LAN1 PC(192.168.20.254).
I can ping some of the devices on LAN2(e.g. 192.168.60.21,22=printer) from LAN1 PC(192.168.20.254).
I cannot ping some of the devices on LAN2(e.g. 192.168.60.250,15) from LAN1 PC(192.168.20.254).
I can ping all equipment on its own LAN from the Mikrotik (e.g. 192.168.60.1) on that LAN (e.g. 192.168.60.250, 21, 22, 15).
I cannot ping any devices from any Mikrotik(e.g.192.168.60.1) to the other LAN(e.g.192.168.20.x), I get request timed out.
My VPN is setup correctly but somewhere the NAT is not working.
I have setup 3 other ipsec VPNs, all with the same issue. Router setups are exactly the same.

I am really confused.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC IKEv2 VPN ping fails

Wed Jun 15, 2022 1:35 pm

Post the modified configurations.

Open a command line window as wide as your screen permits, run /tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16 in it, and try pinging from one Mikrotik to the other's LAN address. You should see the ping requests on the source Mikrotik if they escape the IPsec policy; if they are caught by the policy, they won't be seen. On the destination Mikrotik, you should see the requests if they came via the IPsec tunnel, but not the responses if a policy has caught them.
 
Inamandla
just joined
Topic Author
Posts: 7
Joined: Sat Aug 01, 2020 10:56 am
Location: Johannesburg, South Africa

Re: IPSEC IKEv2 VPN ping fails

Wed Jun 15, 2022 3:34 pm

> Post the modified configurations.
>
> Open a command line window as wide as your screen permits, run /tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16 in it, and try pinging from one Mikrotik to the other's LAN address. You should see the ping requests on the source Mikrotik if they escape the IPsec policy; if they are caught by the policy, they won't be seen. On the destination Mikrotik, you should see the requests if they came via the IPsec tunnel, but not the responses if a policy has caught them.
So it seems to get to the opposite router and possibly to the device on the remote side, but it's not getting a reply back. Refer to the sniffer output below:
ROUTER1 (192.168.20.1)
Ping to 192.168.60.250 from 192.168.20.254 - ERROR NO REPLY
> tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether3 5.86 1 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 5.86 2 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
ether3 10.374 3 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 10.374 4 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
ether3 15.376 5 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 15.376 6 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
ether3 20.374 7 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 20.374 8 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no

Ping to 192.168.60.21 from 192.168.20.254 - SUCCESSFUL
> tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether3 2.051 1 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 2.051 2 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether1 2.118 3 <- 88:F8:72:22:74:54 2C:C8:1B:78:53:89 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 2.118 4 -> 2C:C8:1B:78:53:8A BC:5F:F4:D7:6D:25 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ether3 3.068 5 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 3.068 6 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether1 3.133 7 <- 88:F8:72:22:74:54 2C:C8:1B:78:53:89 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 3.133 8 -> 2C:C8:1B:78:53:8A BC:5F:F4:D7:6D:25 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ether3 4.076 9 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 4.076 10 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether1 4.15 11 <- 88:F8:72:22:74:54 2C:C8:1B:78:53:89 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 4.15 12 -> 2C:C8:1B:78:53:8A BC:5F:F4:D7:6D:25 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ether3 5.082 13 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 5.082 14 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether1 5.145 15 <- 88:F8:72:22:74:54 2C:C8:1B:78:53:89 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 5.145 16 -> 2C:C8:1B:78:53:8A BC:5F:F4:D7:6D:25 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ROUTER2 (192.168.60.1)
Ping to 192.168.60.250 from 192.168.20.254 - ERROR NO REPLY
> tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
bridge 2.652 1 -> 48:8F:5A:35:41:2F 1C:69:7A:02:33:40 192.168.8.101 192.168.60.4 ip:icmp 149 0 no
ether1 4.139 2 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 4.139 3 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
ether1 8.647 4 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 8.647 5 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 12.802 6 -> 48:8F:5A:35:41:2F 1C:69:7A:02:33:40 192.168.8.101 192.168.60.4 ip:icmp 149 0 no
bridge 13.262 7 -> 48:8F:5A:35:41:2F 1C:69:7A:02:B2:86 192.168.8.101 192.168.60.5 ip:icmp 149 0 no
ether1 13.658 8 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 13.658 9 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
ether1 18.656 10 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 18.656 11 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 24.172 12 -> 48:8F:5A:35:41:2F 1C:69:7A:02:B2:86 192.168.8.101 192.168.60.5 ip:icmp 149 0 no

Ping to 192.168.60.21 from 192.168.20.254 - SUCCESSFUL
> tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
bridge 3.561 1 -> 48:8F:5A:35:41:2F 1C:69:7A:02:33:40 192.168.8.101 192.168.60.4 ip:icmp 149 0 no
ether1 3.754 2 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 3.756 3 -> 48:8F:5A:35:41:2F 50:57:9C:62:7E:B1 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether2 3.758 4 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 3.758 5 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ether1 4.787 6 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 4.787 7 -> 48:8F:5A:35:41:2F 50:57:9C:62:7E:B1 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether2 4.79 8 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 4.79 9 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ether1 5.793 10 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 5.793 11 -> 48:8F:5A:35:41:2F 50:57:9C:62:7E:B1 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether2 5.797 12 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 5.797 13 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
ether1 6.793 14 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 6.793 15 -> 48:8F:5A:35:41:2F 50:57:9C:62:7E:B1 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether2 6.796 16 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 6.796 17 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 13.811 18 -> 48:8F:5A:35:41:2F 1C:69:7A:02:33:40 192.168.8.101 192.168.60.4 ip:icmp 149 0 no

Ping to 192.168.60.250 from 192.168.60.1 - SUCCESSFUL
> tool sniffer quick ip-protocol=icmp ip-address=192.168.0.0/16
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
bridge 2.851 3 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 3.855 4 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.60.1 192.168.60.250 ip:icmp 70 0 no
ether2 3.856 5 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 3.856 6 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 4.861 7 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.60.1 192.168.60.250 ip:icmp 70 0 no
ether2 4.861 8 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 4.861 9 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 5.864 10 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.60.1 192.168.60.250 ip:icmp 70 0 no
ether2 5.864 11 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 5.864 12 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no
bridge 6.868 13 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.60.1 192.168.60.250 ip:icmp 70 0 no
ether2 6.868 14 <- 00:01:6C:D6:95:97 48:8F:5A:35:41:2F 192.168.60.250 192.168.60.1 ip:icmp 70 0 no


Thanks for your assistance.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC IKEv2 VPN ping fails

Wed Jun 15, 2022 3:47 pm

> I cannot ping some of the devices on LAN2(e.g. 192.168.60.250,15) from LAN1 PC(192.168.20.254).
Windows Firewall by default drops ping requests coming from outside the subnet of the interface they arrive on, i.e. this has nothing to do with the IPsec tunnel. Maybe that explains why some devices respond to the pings and 192.168.60.250 doesn't. Some other devices may behave the same.

Or there may be a more complex routing table on those devices, and 192.168.20.0/24 may be routed via some other gateway than 192.168.60.1.

> I cannot ping any devices from any Mikrotik(e.g.192.168.60.1) to the other LAN(e.g.192.168.20.x), I get request timed out.
You have not provided the updated configs so I cannot say whether you have added the srcnat rules and/or routes properly.
You have not provided the output of /tool sniffer when pinging from the Mikrotik itself so I cannot say what happened to those pings.
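Sindy's sniffer method (which side of the tunnel sees the request, and whether a reply ever comes back) applied to the captures Inamandla posted, as an added example that is not code from anyone in this thread. It assumes ether1 is the WAN/IPsec side on both routers, which matches the posted configs, and that every other captured interface faces the LAN.

```python
"""Interpret '/tool sniffer quick ip-protocol=icmp' output from a site-to-site IPsec ping test.

Added example, not code from the thread: it pairs ICMP echo requests with replies as seen on
ONE router and reports where the flow stopped. Assumption (not stated on the page): the IPsec
peer is reached through 'ether1' on both routers and every other interface faces the LAN.
"""
import re

# Columns of `/tool sniffer quick`: INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS
# DST-ADDRESS PROTOCOL SIZE CPU FP. VLAN is empty in the posted captures, hence optional here.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir><-|->)\s+"
    r"(?P<smac>[0-9A-Fa-f:]{17})\s+(?P<dmac>[0-9A-Fa-f:]{17})\s+(?:(?P<vlan>\d+)\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+(?P<proto>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<cpu>\d+)\s+(?P<fp>\S+)\s*$"
)
WAN_IFACES = {"ether1"}  # assumption, see module docstring

def parse_sniffer(text):
    """Return the ICMP packets as dicts; prompt, header and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("proto") == "ip:icmp":
            pkts.append(m.groupdict())
    return pkts

def seen_on(pkts, src, dst, direction):
    """Interfaces on which packets src->dst were captured with DIR '<-' (in) or '->' (out)."""
    return sorted({p["iface"] for p in pkts
                   if p["src"] == src and p["dst"] == dst and p["dir"] == direction})

def diagnose(pkts, host, target):
    """Classify the echo flow host->target from one router's capture.

    Packets the IPsec policy intercepts are encrypted before they reach the WAN interface,
    so they never show up as outgoing ip:icmp on ether1; decrypted packets arriving through
    the tunnel do show up as incoming ('<-') ip:icmp on ether1.
    """
    req_in = seen_on(pkts, host, target, "<-")
    req_out = seen_on(pkts, host, target, "->")
    rep_in = seen_on(pkts, target, host, "<-")
    rep_out = seen_on(pkts, target, host, "->")
    if not req_in:
        return "no-request"                      # nothing from host reached this router
    if set(req_in) & WAN_IFACES:                 # request arrived decrypted: destination side
        if not req_out:
            return "dst-router-not-forwarding"   # forward chain / routes on this router
        if not rep_in:
            return "target-silent"               # delivered to the LAN, target never answered
        return "ok"
    if not rep_in:                               # request came from the local LAN: source side
        return "no-reply-from-tunnel"            # nothing came back; look at the far router
    if not rep_out:
        return "src-router-not-forwarding-reply"
    return "ok"

# Excerpts copied from the captures posted above (router 1 = 192.168.20.1, router 2 = 192.168.60.1).
ROUTER1_TO_250 = """INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether3 5.86 1 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 5.86 2 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.250 ip:icmp 74 0 no"""
ROUTER1_TO_21 = """ether3 2.051 1 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 2.051 2 <- BC:5F:F4:D7:6D:25 2C:C8:1B:78:53:8A 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether1 2.118 3 <- 88:F8:72:22:74:54 2C:C8:1B:78:53:89 192.168.60.21 192.168.20.254 ip:icmp 74 0 no
bridge 2.118 4 -> 2C:C8:1B:78:53:8A BC:5F:F4:D7:6D:25 192.168.60.21 192.168.20.254 ip:icmp 74 0 no"""
ROUTER2_TO_250 = """ether1 4.139 2 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.250 ip:icmp 74 0 no
bridge 4.139 3 -> 48:8F:5A:35:41:2F 00:01:6C:D6:95:97 192.168.20.254 192.168.60.250 ip:icmp 74 0 no"""
ROUTER2_TO_21 = """ether1 3.754 2 <- 24:31:54:16:6A:59 48:8F:5A:35:41:2E 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
bridge 3.756 3 -> 48:8F:5A:35:41:2F 50:57:9C:62:7E:B1 192.168.20.254 192.168.60.21 ip:icmp 74 0 no
ether2 3.758 4 <- 50:57:9C:62:7E:B1 48:8F:5A:35:41:2F 192.168.60.21 192.168.20.254 ip:icmp 74 0 no"""

if __name__ == "__main__":
    pc = "192.168.20.254"
    for router, capture, target in [("router1", ROUTER1_TO_250, "192.168.60.250"),
                                    ("router1", ROUTER1_TO_21, "192.168.60.21"),
                                    ("router2", ROUTER2_TO_250, "192.168.60.250"),
                                    ("router2", ROUTER2_TO_21, "192.168.60.21")]:
        print(f"{router}: {pc} -> {target}: {diagnose(parse_sniffer(capture), pc, target)}")
```

For 192.168.60.250 the router 2 capture yields "target-silent": the request was decrypted, forwarded onto the bridge and never answered, which is the host-firewall or host-routing explanation given above; the same flow on router 1 yields only "no-reply-from-tunnel", so the far-side capture is the one that localises the fault.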
 
lukasst46
just joined
Posts: 2
Joined: Mon Dec 27, 2021 7:09 pm

Re: IPSEC IKEv2 VPN ping fails

Mon Aug 22, 2022 10:20 pm

I have exactly the same problem. As soon as I am connected to the HQ via IPSEC IKEv2 I can ping some devices in the HQ subnet, some devices not. Windows devices can be reached, IP telephones or printers cannot be reached.
Whether client or site-to-site.
 
lukasst46
just joined
Posts: 2
Joined: Mon Dec 27, 2021 7:09 pm

Re: IPSEC IKEv2 VPN ping fails

Mon Sep 05, 2022 11:24 pm

I try again,
Hello,
I have 2 networks, each with an RB3011, and a site-to-site connection between the two networks: LAN1 192.168.99.0/24, LAN2 192.168.100.0/24. The IKEv2 tunnel is established, but unfortunately I cannot ping various devices on LAN2 from LAN1. From the RB3011 on LAN1 (192.168.99.220) I can ping all devices in the network 192.168.100.0/24. I can't ping various devices from a device on LAN1, see screenshot, that should explain everything.
I already tried to switch from IKEv2 to Wireguard, same problem.
Please excuse my bad English.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC IKEv2 VPN ping fails

Tue Sep 06, 2022 11:23 pm

> see screenshot, that should explain everything.
It doesn't explain everything, it just gives some hints.

I can see that you can ping 192.168.100.1 from both the PC and the 3011, but you can ping 192.168.100.90 only from the 3011, not from the PC. So far so good. However, you don't specify what 192.168.100.1 and 192.168.100.90 are; is .100.1 an address of the other 3011?

Your issue may be firewall rules on the Mikrotiks themselves (there is a difference between chains input and forward), or firewalls on some of the devices.

If you want more useful advice, provide more useful input - see my automatic signature below.
