Babujnik

IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 1:16 pm

Hi,

I've recently set up a site-to-site connection with IPsec. Peers are established and the policies seem to be up.
But for some reason I only get connectivity in one direction: from SiteB to SiteA it works fine, in the opposite direction there is no chance.
Any idea what to look at? I've tried similar settings in virtual machines and it works there without issues :?

SiteA
/ip firewall address-list
add address=SITEB_IP list=secure
add address=192.168.0.0/24 list=local
# NOTE(review): 172.168.0.0/24 is outside RFC 1918 private space (172.16.0.0/12 ends at 172.31.255.255),
# so using it as an internal range shadows publicly routable addresses
add address=172.168.0.0/24 list=local
add address=192.168.2.0/24 list=remote
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=accept chain=forward comment="cust: qnap download" connection-state=established,related dst-address=192.168.0.100
add action=accept chain=forward comment="cust: qnap upload" connection-state=established,related src-address=192.168.0.100
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# management (22, 8291) from WAN is limited to the 'secure' list, i.e. the other site's public address
add action=accept chain=input comment="cust: accept from known devices" dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=secure
# the two ipsec-policy accepts sit before fasttrack on purpose: fasttracked packets would bypass the policy check
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# decrypted traffic to the router itself is only accepted from the 'remote' list (the Site B subnet)
add action=accept chain=input comment="cust: allow from remote clients" in-interface-list=WAN ipsec-policy=in,ipsec src-address-list=remote
# NOTE(review): no address-list named 'private' is defined in this export; unless it exists elsewhere this rule matches nothing
add action=drop chain=forward comment="cust: drop access for guests to main network" dst-address-list=private in-interface=br_500_guests
# NOTE(review): this rule has no ipsec-policy=in,ipsec matcher, so plain (unencrypted) udp/1701 from any source reaches the router
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log-prefix=pass-ipsec protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# everything not from LAN is dropped here, so the final "drop all other" WAN rule below is never reached
add action=drop chain=input comment="defconf: drop all not coming from internal" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from external not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="cust: drop all other" in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec log-prefix=MSS new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# NOTE(review): this is the cause of the one-way tunnel (see the accepted answer below): masquerading rewrites the
# source of local->remote traffic before it is matched against the IPsec policies, so it no longer fits the policy's
# src-address. Both rules need action=accept; the remote->local one is redundant anyway (Site B's export has the correct form)
add action=masquerade chain=srcnat dst-address-list=remote src-address-list=local
add action=masquerade chain=srcnat dst-address-list=local src-address-list=remote
add action=masquerade chain=srcnat comment="cust: masquerade for main link" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="cust: masquerade for backup link" ipsec-policy=out,none out-interface=lte1 src-address-list=lte
/ip firewall raw
# raw has no drop rule, so these accepts change nothing (default action is accept) and only cost processing time
add action=accept chain=prerouting dst-address-list=remote src-address-list=local
add action=accept chain=prerouting dst-address-list=local src-address-list=remote
/ip ipsec mode-config
add address-pool=vpn_pool name=roadwarrior
add address=192.168.2.242 name=bifrost
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
# NOTE(review): modp1024 is a 1024-bit DH group and considerably weaker than the modp2048 used for the site-to-site
# profile; the road-warrior proposal below also still offers sha1
add dh-group=modp1024 enc-algorithm=aes-128 name=roadwarrior
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
add address=SITEB_IP/32 exchange-mode=ike2 name=bifrost passive=yes profile=ike1-site2
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior
/ip ipsec proposal
# 'roadwarrioor' (double o) is a typo, but it is referenced consistently below so it resolves
add auth-algorithms=sha256,sha1 name=roadwarrioor
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip ipsec identity
# road-warrior identities are pinned to a specific client certificate (match-by=certificate + remote-certificate),
# which is what makes remote-id=ignore tolerable here
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf generate-policy=port-override match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
    remote-certificate=client_ipsec_beowulf remote-id=ignore
add auth-method=digital-signature certificate=SERVER_ipsec comment=hekate generate-policy=port-strict match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
    remote-certificate=client_ipsec_hekate remote-id=ignore
# site-to-site identity keeps the defaults (pre-shared key, no explicit remote-id) - nothing in this export pins the peer beyond its address
add peer=bifrost
/ip ipsec policy
add dst-address=0.0.0.0/0 group=roadwarrior proposal=roadwarrioor src-address=0.0.0.0/0 template=yes
add disabled=yes dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=10.10.10.0/24 tunnel=yes
# NOTE(review): this is the only policy that would carry road-warrior pool traffic (172.168.0.x) to Site B; it must
# stay active and have a mirror on Site B for road warriors to reach 192.168.2.0/24
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=172.168.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=192.168.0.0/24 tunnel=yes
SiteB
/ip firewall address-list
add address=SiteA_IP list=secure
# NOTE(review): 172.168.0.0/24 is not RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255); it is Site A's road-warrior pool here
add address=172.168.0.0/24 list=remote
add address=192.168.0.0/24 list=remote
add address=192.168.2.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# management (22, 8291) from WAN is limited to the 'secure' list, i.e. Site A's public address
add action=accept chain=input comment="cust: accept from known devices" dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=secure
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# decrypted traffic to the router itself is only accepted from the 'remote' list
add action=accept chain=input comment="cust: allow from remote clients" in-interface-list=WAN ipsec-policy=in,ipsec src-address-list=remote
# NOTE(review): no ipsec-policy=in,ipsec matcher, so plain (unencrypted) udp/1701 from any source reaches the router
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log-prefix=pass-ipsec protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from internal" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from external not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="cust: drop all other" in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec log-prefix=MSS new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# this is the correct form: local->remote traffic is exempted from NAT (action=accept) so it still matches the tunnel policies
add action=accept chain=srcnat comment="cust: allow access from IPSEC" dst-address-list=remote src-address-list=local
# the remote->local exemption is redundant (see the accepted answer below): that traffic never hits the masquerade rule anyway
add action=accept chain=srcnat comment="cust: allow access from IPSEC" dst-address-list=local src-address-list=remote
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether-wan
/ip firewall raw
# raw has no drop rule, so these accepts change nothing (default action is accept) and only cost processing time
add action=accept chain=prerouting dst-address-list=remote src-address-list=local
add action=accept chain=prerouting dst-address-list=local src-address-list=remote
/ip ipsec mode-config
# NOTE(review): nothing in this export references this mode-config (the only identity below is a bare 'add peer=valhalla')
add address=172.168.0.1 name=bifrost
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec peer
# initiator side (no passive=yes); Site A is the passive responder
add address=SITEA_IP/32 exchange-mode=ike2 name=valhalla profile=ike1-site1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/ip ipsec identity
# no road-warrior peer, identity or pool exists on this site; road warriors can only terminate on Site A in this revision
add peer=valhalla
/ip ipsec policy
add disabled=yes dst-address=10.10.10.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
# mirror of Site A's road-warrior-pool policy: return traffic for 172.168.0.x goes back through the tunnel
add dst-address=172.168.0.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
SiteB->SiteA works
SiteA->SiteB not working
 
sindy

Re: IPSEC site-to-site connection only one direction  [SOLVED]

Wed Oct 05, 2022 1:33 pm

I guess it is a copy-paste error. On Site A, you've got
/ip firewall nat
# quoted from the Site A export above; both should be action=accept so the traffic is exempted from NAT rather than rewritten
add action=masquerade chain=srcnat dst-address-list=remote src-address-list=local
add action=masquerade chain=srcnat dst-address-list=local src-address-list=remote

In these rules the action must be accept instead: masquerading rewrites the source address before the packet is matched against the IPsec policies, so it no longer matches the policy's src-address.

Also, the second one of these rules, the one with dst-address-list=local src-address-list=remote, is useless (at both devices).

Off topic: at both sites the action=accept rules in raw only slow down packet processing, because there is no action=drop rule and the default handling in every firewall chain is accept anyway.
 
Babujnik

Re: IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 1:39 pm

that was fast :D thanks for the answer - that did the trick.

I think I need a break from configuration, as I'm starting to make basic mistakes and can't find them -_-
 
Babujnik

Re: IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 2:09 pm

One question though - how do I make sure that the ROADWARRIOR can access SiteB? Currently I see that it reaches only SiteA.
 
sindy

Re: IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 2:16 pm

No mode-config, no pool, no identity for road warriors...?
 
Babujnik

Re: IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 2:24 pm

it's already in main post but:
# serial number = A36A0D0B008A
# Site A excerpt re-posted from the first message; the [b]...[/b] markers are forum bold tags, not part of the export
/ip ipsec mode-config
# the pool behind this (vpn_pool) is 172.168.0.10-172.168.0.20 per the print that follows
add address-pool=vpn_pool name=roadwarrior
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
# NOTE(review): modp1024 is a 1024-bit DH group, weaker than the modp2048 used for the site-to-site profile
add dh-group=modp1024 enc-algorithm=aes-128 name=roadwarrior
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
add address=SITEB/32 exchange-mode=ike2 name=bifrost passive=yes profile=ike1-site2
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=roadwarrioor
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
[b]/ip ipsec identity
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf generate-policy=port-override match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
    remote-certificate=client_ipsec_beowulf remote-id=ignore[/b]
add peer=bifrost
[b]/ip ipsec policy
add dst-address=0.0.0.0/0 group=roadwarrior proposal=roadwarrioor src-address=0.0.0.0/0 template=yes[/b]
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=10.10.10.0/24 tunnel=yes
# this is the policy that carries road-warrior pool traffic towards Site B; Site B needs a matching mirror policy
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=172.168.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=192.168.0.0/24 tunnel=yes
[noyes@valhalla] /ip/ipsec> /ip/pool/print where name=vpn_pool
Columns: NAME, RANGES
#  NAME      RANGES                   
0  vpn_pool  172.168.0.10-172.168.0.20

The client would be a laptop/phone, so there are not many options to configure there...
 
sindy

Re: IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 2:28 pm

You've said road warriors cannot connect to site B, and now you've re-posted config of Site A:

/ip ipsec peer
# Site A: a dedicated passive road-warrior peer exists next to the site-to-site one
add address=SITEB/32 exchange-mode=ike2 name=bifrost passive=yes profile=ike1-site2
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior


On Site B, it says just
/ip ipsec peer
# Site B: only the site-to-site peer, no road-warrior peer
add address=SITEA_IP/32 exchange-mode=ike2 name=valhalla profile=ike1-site1


I.e. nothing is done for road warriors...

Or maybe I've misunderstood what you had in mind, and you actually mean that road warriors connected to Site A cannot access subnets on Site B?
 
Babujnik

Re: IPSEC site-to-site connection only one direction

Wed Oct 05, 2022 2:31 pm

Or maybe I've misunderstood what you had in mind, and you actually mean that road warriors connected to Site A cannot access subnets on Site B?
Apologies if that wasn't clear: the RoadWarrior connects to SiteA with IPsec, but cannot access subnets on SiteB.
 
Babujnik

Re: IPSEC site-to-site connection only one direction

Fri Oct 07, 2022 3:03 pm

Interesting... when I connect the RoadWarrior to SiteB, I can reach the subnets on SiteA without any issue. The other way around - RoadWarrior connected to SiteA - I cannot reach the subnet on SiteB.

Below are the IPsec and firewall configs.

SiteA
/ip firewall address-list
# 'lte' lists the LAN hosts that are masqueraded out of the backup link (see the nat section)
add address=192.168.0.4 list=lte
add address=192.168.0.3 list=lte
add address=192.168.0.1 list=lte
add address=192.168.0.2 list=lte
add address=192.168.0.7 list=lte
add address=192.168.0.58 list=lte
add address=192.168.0.8 list=lte
add address=192.168.0.57 list=lte
add address=192.168.0.202 list=lte
add address=SITEB list=secure
add address=10.10.10.0/24 list=private
add address=192.168.0.0/24 list=private
add address=192.168.0.0/24 list=local
# NOTE(review): with this entry disabled the road-warrior pool (172.168.0.x) is no longer in 'local', so the srcnat
# accept rule below does not exempt road-warrior traffic towards 'remote' - confirm this is intended
add address=172.168.0.0/24 disabled=yes list=local
add address=192.168.2.0/24 list=remote
add address=10.10.10.0/24 list=local
# NOTE(review): 172.168.0.0/24 is not RFC 1918 space; adding it to 'secure' (management access from WAN) would expose
# 22/8291 to Internet hosts in that publicly routable block - keep this disabled
add address=172.168.0.0/24 disabled=yes list=secure
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=accept chain=forward comment="cust: qnap download" connection-state=established,related dst-address=192.168.0.100
add action=accept chain=forward comment="cust: qnap upload" connection-state=established,related src-address=192.168.0.100
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="cust: accept from known devices" dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=secure
# NOTE(review): if enabled this would forward any traffic from the 'secure' addresses into the LAN, bypassing the IPsec policy checks
add action=accept chain=forward comment="cust: accept from known devices" disabled=yes in-interface-list=WAN src-address-list=secure
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): unlike the first export this rule has no src-address-list=remote, so decrypted traffic from any IPsec
# peer (road warriors included) now reaches router services
add action=accept chain=input comment="cust: allow from remote clients" in-interface-list=WAN ipsec-policy=in,ipsec
add action=drop chain=forward comment="cust: drop access for guests to main network" dst-address-list=private in-interface=br_500_guests
# NOTE(review): no ipsec-policy=in,ipsec matcher, so plain (unencrypted) udp/1701 from any source reaches the router
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log-prefix=pass-ipsec protocol=udp
# NOTE(review): 172.16.0.0/24 looks like a typo for the 172.168.0.0/24 pool range used everywhere else - confirm before enabling
add action=accept chain=input comment="cust: allow from VPN" disabled=yes ipsec-policy=in,ipsec src-address=172.16.0.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from internal" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from external not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="cust: drop all other" in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec log-prefix=MSS new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# fixed as per the accepted answer: site-to-site traffic is exempted from NAT instead of masqueraded
add action=accept chain=srcnat dst-address-list=remote src-address-list=local
# ipsec-policy=out,none keeps anything that matches an outgoing IPsec policy out of the masquerade
add action=masquerade chain=srcnat comment="cust: masquerade for main link" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="cust: masquerade for backup link" ipsec-policy=out,none out-interface=lte1 src-address-list=lte
/ip firewall service-port
# NAT helpers disabled; the IPsec helper is not listed here, so NAT-T handling is left at its default
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip ipsec mode-config
# split-include=0.0.0.0/0 pushes a full-tunnel route to road warriors, so all of their traffic arrives at this site
add address-pool=vpn_pool name=roadwarrior split-include=0.0.0.0/0
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
# NOTE(review): modp1024 is a 1024-bit DH group, weaker than the modp2048 used for the site-to-site profile
add dh-group=modp1024 enc-algorithm=aes-128 name=roadwarrior
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
add address=SITE_B/32 exchange-mode=ike2 name=bifrost passive=yes profile=ike1-site2
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=roadwarrioor
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf generate-policy=port-override match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
    remote-certificate=client_ipsec_beowulf remote-id=ignore
add auth-method=digital-signature certificate=SERVER_ipsec comment=hekate generate-policy=port-strict match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
    remote-certificate=client_ipsec_hekate remote-id=ignore
add peer=bifrost
/ip ipsec policy
# NOTE(review): this disabled policy is the only one selecting road-warrior pool traffic (172.168.0.x) towards the
# Site B subnet; with it off there is no SA for road warriors to reach 192.168.2.0/24, which matches the reported symptom
add comment="not working" disabled=yes dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=172.168.0.0/24 tunnel=yes
# NOTE(review): here 172.168.0.0/24 is the *remote* side of the Site B tunnel, while vpn_pool (172.168.0.10-20, see
# the pool print earlier) hands the same range to road warriors on this site; the overlapping selector would
# explain why the policy above could not work when enabled - confirm which side owns 172.168.0.0/24
add comment=working dst-address=172.168.0.0/24 peer=bifrost proposal=ike1-site2 src-address=10.10.10.0/24 tunnel=yes
add dst-address=0.0.0.0/0 group=roadwarrior proposal=roadwarrioor src-address=0.0.0.0/0 template=yes

and SiteB:
/ip firewall address-list
add address=SITEA list=secure
add address=172.168.0.0/24 disabled=yes list=remote
add address=192.168.0.0/24 list=remote
add address=192.168.2.0/24 list=local
add address=10.10.10.0/24 list=remote
# NOTE(review): 172.168.0.0/24 is not RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255). Because the input rule
# below accepts tcp/22,8291 from WAN for the 'secure' list, any Internet host in that publicly routable block can
# reach SSH/Winbox on this router - confirm this is intended (Site A keeps the equivalent entry disabled)
add address=172.168.0.0/24 list=secure
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="cust: accept from known devices" dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=secure
# NOTE(review): if enabled this would forward any traffic from the 'secure' addresses into the LAN, bypassing the IPsec policy checks
add action=accept chain=forward comment="cust: accept from known devices" disabled=yes in-interface-list=WAN src-address-list=secure
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): unlike the first export this rule has no src-address-list=remote, so decrypted traffic from any IPsec
# peer (road warriors included) now reaches router services
add action=accept chain=input comment="cust: allow from remote clients" in-interface-list=WAN ipsec-policy=in,ipsec
# NOTE(review): no ipsec-policy=in,ipsec matcher, so plain (unencrypted) udp/1701 from any source reaches the router
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log-prefix=pass-ipsec protocol=udp
# NOTE(review): 172.16.0.0/24 looks like a typo for the 172.168.0.0/24 pool range used everywhere else - confirm before enabling
add action=accept chain=input comment="cust: allow from VPN" disabled=yes ipsec-policy=in,ipsec src-address=172.16.0.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from internal" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from external not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="cust: drop all other" in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec log-prefix=MSS new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# local->remote traffic is exempted from NAT so it still matches the tunnel policies; the redundant remote->local rule is gone
add action=accept chain=srcnat comment="cust: allow access from IPSEC" dst-address-list=remote src-address-list=local
# ipsec-policy=out,none additionally keeps anything matching an outgoing IPsec policy out of the masquerade
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether-wan
/ip firewall raw
# disabled as suggested: raw has no drop rule, so these accepts were no-ops
add action=accept chain=prerouting disabled=yes dst-address-list=remote src-address-list=local
add action=accept chain=prerouting disabled=yes dst-address-list=local src-address-list=remote
 
/ip ipsec mode-config
# NOTE(review): no identity in this export references mode-config 'bifrost' (the site-to-site identity is a bare 'add peer=valhalla')
add address=172.168.0.1 name=bifrost
# split-include=0.0.0.0/0 pushes a full-tunnel route to road warriors terminating on this site
add address-pool=vpn_pool name=roadwarrior split-include=0.0.0.0/0
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
# NOTE(review): modp1024 is a 1024-bit DH group, weaker than the modp2048 used for the site-to-site profile
add dh-group=modp1024 enc-algorithm=aes-128 name=roadwarrior
/ip ipsec peer
add address=SITEA/32 exchange-mode=ike2 name=valhalla profile=ike1-site1
# road-warrior peer now exists on this site too (passive responder, no fixed address)
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
# 'roadwarrioor' (double o) is a typo but is referenced consistently, so it resolves; it still offers sha1
add auth-algorithms=sha256,sha1 name=roadwarrioor
/ip ipsec identity
add peer=valhalla
# road-warrior identity pinned to the beowulf client certificate; port-strict generates policies only for the exact selectors the client proposes
add auth-method=digital-signature certificate=SERVER_ipsec generate-policy=port-strict match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
    remote-certificate=client_ipsec_beowulf remote-id=ignore
/ip ipsec policy
# NOTE(review): this is the mirror of Site A's disabled "not working" policy (Site A's road-warrior pool -> this LAN);
# both must be active for road warriors on Site A to reach 192.168.2.0/24
add comment="not working" disabled=yes dst-address=172.168.0.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
# NOTE(review): here 172.168.0.0/24 is treated as a *local* subnet of this site, while Site A hands the same range
# to its road warriors (vpn_pool 172.168.0.10-20); the overlap is the likely reason the policy above cannot work - confirm
add comment=working dst-address=10.10.10.0/24 peer=valhalla proposal=ike1-site1 src-address=172.168.0.0/24 tunnel=yes
add dst-address=0.0.0.0/0 group=roadwarrior proposal=roadwarrioor src-address=0.0.0.0/0 template=yes
