pietvwakpm
just joined
Topic Author
Posts: 4
Joined: Thu Aug 11, 2022 10:14 pm

IPSec VPN Bi-Directional Communication not working

Thu Aug 11, 2022 10:56 pm

So I've been having a network routing or firewall issue, and I'm hoping that someone here has a great idea on how to resolve the issue.

Scenario:
Our main network (net1) is behind a Sonicwall NSA, and we have many VPNs coming into our network.
I'm trying to get my Mikrotik to create a VPN into our facility to allow bi-directional communication to my network (net2).
After some tinkering around the VPN is up and running. (YEAH!!!)

Here is where the problem lies...
net2 can see all the defined subnets in net1 and can access all the computers in net1. (Success!!)
net1 can ONLY ping the Mikrotik, and nothing on net2.

net1 consists of:
10.200.0.0/21
10.100.1.0/24

net2 consists of:
10.200.254.0/24

At this point I've tried several solutions, but nothing seems to work.

In /ip/firewall/nat...
0 chain=srcnat action=accept src-address=10.200.0.0/21 dst-address=10.200.254.0/24 log=no log-prefix=""
1 chain=srcnat action=accept src-address=10.100.1.0/24 dst-address=10.200.254.0/24 log=no log-prefix=""

In /ip/firewall/raw...
0 chain=prerouting action=notrack log=no log-prefix="" src-address=10.200.0.0/21 dst-address=10.200.254.0/24
1 chain=prerouting action=notrack log=no log-prefix="" src-address=10.200.254.0/24 dst-address=10.200.0.0/21

In /ip/firewall/filter...
1 chain=forward action=accept src-address=10.200.0.0/21 dst-address=10.200.254.0/24 log=no log-prefix=""
2 chain=forward action=accept src-address=10.200.254.0/24 dst-address=10.200.0.0/21 log=no log-prefix=""

In /ip/route...
DAd 0.0.0.0/0 10.20.30.1 1
DAc 10.20.30.0/24 ether1 0
DAc 10.200.254.0/24 bridge 0

So I figured I would reach out and see if anybody here has ideas...
It's frustrating when it feels like it will be a simple solution.

Thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN Bi-Directional Communication not working

Thu Aug 25, 2022 10:35 pm

As you have the action=notrack rules in place in raw, there is no need to have the action=accept rules in nat. So it doesn't matter that src-address and dst-address in these rules in nat are swapped.

However, the rules in both raw and filter only cover 10.200.0.0/21 out of net1; another two rules in each table (or an address-list for net1) are necessary to also cover 10.100.1.0/24.

Next, the usual advice:
  • by default, the Windows firewall blocks ping requests from other subnets than the one attached to the interface through which the request came in
  • the order of firewall rules matters, so without seeing rule 0 in the output of /ip/firewall/filter/print it is not possible to say whether it doesn't prevent packets from net1 from reaching rules 1 and 2
  • /tool/sniffer/quick helps this kind of analysis a lot, as it shows you how far the request packet and, possibly, the response packet got; just bear in mind that while it shows the payload packets decrypted from the incoming IPsec transport ones, it does not show the payload packets going to be encrypted into IPsec transport ones.
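The following RouterOS CLI fragment is an added example written for this thread, not configuration posted by either participant. It implements the advice above: an address-list for both net1 subnets so that the raw notrack and filter accept rules cover all of net1 in both directions, and the accept rules placed at the top of the forward chain so that an earlier rule (the unseen rule 0) cannot match first. The list names net1 and net2 are assumed; the subnets are those from the original post; the interface name bridge comes from the posted route table. Since the notrack rules keep this traffic out of connection tracking, no srcnat rules are needed for it.

```routeros
# Added example, not from the original thread. Assumed names: address lists
# "net1" (main site) and "net2" (this router's LAN). Subnets are as posted.

/ip firewall address-list
add list=net1 address=10.200.0.0/21 comment="main site, subnet 1 (behind SonicWall)"
add list=net1 address=10.100.1.0/24 comment="main site, subnet 2"
add list=net2 address=10.200.254.0/24 comment="this router's LAN"

# raw: bypass connection tracking for tunnelled traffic in both directions.
# Untracked traffic is never NATed, so the srcnat accept rules become unnecessary.
/ip firewall raw
add chain=prerouting action=notrack src-address-list=net1 dst-address-list=net2 \
    comment="net1 -> net2 (covers both net1 subnets)"
add chain=prerouting action=notrack src-address-list=net2 dst-address-list=net1 \
    comment="net2 -> net1"

# filter: accept forwarded site-to-site traffic. place-before=0 puts each rule at
# the top of the forward chain so that whatever rule 0 already is (e.g. a
# catch-all drop) cannot match these packets first. Order between the two
# accept rules does not matter.
/ip firewall filter
add chain=forward action=accept src-address-list=net1 dst-address-list=net2 \
    place-before=0 comment="net1 -> net2"
add chain=forward action=accept src-address-list=net2 dst-address-list=net1 \
    place-before=0 comment="net2 -> net1"

# verification: confirm the accept rules sit above any drop in the forward
# chain, then watch from net1 a ping to a net2 host reach the LAN side.
/ip firewall filter print where chain=forward
/tool sniffer quick interface=bridge ip-protocol=icmp
```

If a request from net1 shows up on the bridge in the sniffer but no reply follows, the remaining suspect is the target host itself (for a Windows host, its firewall dropping ICMP from a foreign subnet, as noted above); if the request never reaches the bridge, re-check the rule order with the print command.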
