michaelantony012
just joined
Topic Author
Posts: 5
Joined: Mon Jul 04, 2022 7:48 am

IPSec SA Established, but ping only works one way

Mon Jul 04, 2022 11:05 am

Hi, I have an IPSec tunnel established between my CHR Mikrotik server and a TPLink Omada router ER7206.
After IPSec is established between those two, at first they cannot ping each other.
Then I added routing on the CHR Mikrotik, so now the CHR Mikrotik can ping the TPLink router and PCClient1's local IP. But not the other way: from TPLink to Mikrotik is RTO (I've tried to use routing on TPLink but it didn't work as expected).
This is the routing on the CHR Mikrotik (ether1 is the public IP interface):
(attached image: route1 - mikrotik.jpg)
So far, this is my progress. I can also ping from PCClient1 to the CHR Mikrotik local IP.
(attached image: chr mikrotik - tplink.jpg)
Other than the routing on the Mikrotik CHR, there is no firewall / NAT setup on either router.
Please help me. I'm still new to this subject.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec SA Established, but ping only works one way  [SOLVED]

Tue Jul 05, 2022 1:17 pm

The fact that the forum language is English does not mean only native speakers use it, and even native speakers may not understand all abbreviations. Short version: WTF means RTO 🙂 ?

To the actual issue - the IPsec itself works, as you can ping through the tunnel to both the TP-link and the PC behind it. Since there is no firewall, what remains is routing between the VPS and the CHR and source address selection on the TP-link device.

You had to set pref-source of the route to 192.168.10.P/24 on the CHR to make the packets visible to the IPsec policy. But you haven't mentioned doing the same on the TP-link, which most likely means that when you ping 192.168.50.10 from the TP-link, the TP-link uses its public IP (associated to the default gateway's interface) as a source address for the ping requests, which means that its local IPsec policy misses those packets. For responses to incoming pings, the source address is the one to which the incoming requests arrive.

Is the CHR the default gateway for the VPS? If not, you have to add a route to 192.168.10.0/24 via 192.168.50.10 at the VPS, or make the CHR src-nat the traffic from 192.168.50.0/24 it forwards to the VPS, so that the VPS would send the response traffic to CHR's address.
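As an added illustration (not part of the thread, not configuration posted by either participant), this is what the two CHR-side points above look like in RouterOS CLI. It assumes 192.168.10.0/24 is the TP-Link LAN, 192.168.50.10 is the CHR's LAN-side address, and uses ISP_GW, VPS_IP and 192.168.10.1 (a TP-Link LAN address) as placeholders.

```routeros
# CHR side only. Placeholders: ISP_GW = next hop on ether1, VPS_IP = the VPS
# in front of the CHR. Addresses 192.168.10.0/24 and 192.168.50.10 are read
# from the thread (TP-Link LAN and CHR LAN-side address respectively).

# 1. Route to the remote LAN with pref-src forced to a local address that
#    lies inside the IPsec policy's src-address. Without pref-src the CHR
#    sources its own pings from the ether1 public address, the policy does
#    not match, and the packet is routed in the clear instead of entering
#    the tunnel (the one-way ping symptom described in the thread).
/ip route
add dst-address=192.168.10.0/24 gateway=ISP_GW pref-src=192.168.50.10 \
    comment="to TP-Link LAN via IPsec, forced source address"

# 2. Only when the CHR is NOT the VPS's default gateway: source-NAT traffic
#    that was decapsulated from IPsec and is forwarded to the VPS, so the VPS
#    replies to the CHR rather than to a subnet it has no route for.
#    The alternative is a route to 192.168.10.0/24 via 192.168.50.10 on the VPS.
/ip firewall nat
add chain=srcnat ipsec-policy=in,ipsec dst-address=VPS_IP \
    action=src-nat to-addresses=192.168.50.10 \
    comment="return path for VPS when CHR is not its default gateway"

# 3. Checks. Ping with the LAN-side source address and watch the SA byte
#    counters rise; pinging without src-address reproduces what a router
#    that sources from its public address is doing.
/ping 192.168.10.1 src-address=192.168.50.10 count=3
/ip ipsec installed-sa print
/ip ipsec policy print
```

The same source-address rule applies on the TP-Link: its ping toward 192.168.50.10 must originate from an address inside its own policy's local subnet.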
