I've recently set up a site-to-site connection with IPsec. The peers are established and the policies seem to be up.
But for some reason I get connectivity in only one direction: from SiteB to SiteA works fine, while the opposite direction does not work at all.
Any idea what to look at? I've tried similar settings in virtual machines and it works there without issues.
SiteA
# SiteA: address lists and filter rules.
# NOTE(review): 172.168.0.0/24 is NOT RFC 1918 space (private 172.x is 172.16.0.0/12,
# i.e. 172.16-172.31). This range is publicly routable and belongs to someone else;
# presumably 172.16.0.0/24 was intended - confirm before relying on it as "local".
/ip firewall address-list
add address=SITEB_IP list=secure
add address=192.168.0.0/24 list=local
add address=172.168.0.0/24 list=local
add address=192.168.2.0/24 list=remote
/ip firewall filter
# Chain kid-control is not part of this export; its contents are not visible here.
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
# These two rules sit above the fasttrack rule, so established/related traffic for
# 192.168.0.100 is accepted here and never fasttracked - presumably deliberate.
add action=accept chain=forward comment="cust: qnap download" connection-state=established,related dst-address=192.168.0.100
add action=accept chain=forward comment="cust: qnap upload" connection-state=established,related src-address=192.168.0.100
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management (SSH, Winbox) from the WAN is limited to the "secure" list (only SITEB_IP above).
add action=accept chain=input comment="cust: accept from known devices" dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=secure
# Keep these two IPsec accept rules ABOVE the fasttrack rule: traffic that matches an
# IPsec policy must not be fasttracked, otherwise it bypasses policy processing.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Router services reachable from the remote LAN only when the packet arrived through the tunnel.
add action=accept chain=input comment="cust: allow from remote clients" in-interface-list=WAN ipsec-policy=in,ipsec src-address-list=remote
# NOTE(review): address list "private" is not defined in this export; if it does not
# exist on the router this guest-isolation rule never matches - confirm.
add action=drop chain=forward comment="cust: drop access for guests to main network" dst-address-list=private in-interface=br_500_guests
# NOTE(review): this accepts UDP/1701 from ANY source, in the clear - there is no
# ipsec-policy match despite the comment. If L2TP is only meant to run inside IPsec,
# add `ipsec-policy=in,ipsec` (as used on the "allow from remote clients" rule above).
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
# IKE (500), ESP, AH and NAT-T (4500) are open to any source; this is what lets
# the peers negotiate. The NAT-T rule logs accepted packets with prefix "pass-ipsec".
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log-prefix=pass-ipsec protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Default-deny for input: anything not from the LAN list (and anything from WAN) is dropped.
add action=drop chain=input comment="defconf: drop all not coming from internal" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from external not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="cust: drop all other" in-interface-list=WAN
# SiteA: mangle, NAT and raw.
# MSS clamp on TCP SYNs arriving through the tunnel - presumably to avoid fragmentation
# caused by the ESP overhead. Only the inbound direction is clamped here; the remote
# side carries the matching rule for the other direction.
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec log-prefix=MSS new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# DEFECT(review): these two rules are action=masquerade, not action=accept. Traffic from
# the local LANs towards 192.168.2.0/24 therefore has its source rewritten to the egress
# interface address BEFORE IPsec policy lookup, so it no longer matches the policies
# below (src-address 192.168.0.0/24 / 172.168.0.0/24) and leaves unencrypted. That is
# consistent with "SiteA->SiteB not working" while SiteB->SiteA works (the reply path is
# handled by connection tracking). SiteB uses action=accept for the equivalent rules;
# change both of these to `action=accept` and keep them above the masquerade rules.
add action=masquerade chain=srcnat dst-address-list=remote src-address-list=local
add action=masquerade chain=srcnat dst-address-list=local src-address-list=remote
# ipsec-policy=out,none is a second safeguard against NAT-ing tunnel traffic, but it is
# never reached for local->remote packets because the rule above already matched them.
add action=masquerade chain=srcnat comment="cust: masquerade for main link" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="cust: masquerade for backup link" ipsec-policy=out,none out-interface=lte1 src-address-list=lte
/ip firewall raw
# NOTE(review): action=accept in raw only ends raw-chain processing; it does not exempt
# traffic from connection tracking (that would be action=notrack). With no other raw
# rules in this export these two rules have no effect - confirm they are intended.
add action=accept chain=prerouting dst-address-list=remote src-address-list=local
add action=accept chain=prerouting dst-address-list=local src-address-list=remote
# SiteA: IPsec configuration (road-warrior responder plus site-to-site peer "bifrost").
/ip ipsec mode-config
add address-pool=vpn_pool name=roadwarrior
# NOTE(review): mode-config "bifrost" is not referenced by any identity below (the
# bifrost identity has no mode-config=) - appears to be an unused leftover.
add address=192.168.2.242 name=bifrost
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
# NOTE(review): modp1024 (DH group 2) is a 1024-bit group and is considered weak today;
# the site-to-site profile already uses modp2048 - consider the same for road warriors
# if the clients support it.
add dh-group=modp1024 enc-algorithm=aes-128 name=roadwarrior
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
/ip ipsec peer
# passive=yes: SiteA only responds; SiteB (no passive flag) initiates the IKEv2 exchange.
add address=SITEB_IP/32 exchange-mode=ike2 name=bifrost passive=yes profile=ike1-site2
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior
/ip ipsec proposal
# The name "roadwarrioor" is misspelled but used consistently by the template policy
# below, so it works; rename in both places if you fix it. sha1 is still offered here.
add auth-algorithms=sha256,sha1 name=roadwarrioor
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
/ip ipsec identity
# Road-warrior clients authenticate by certificate; note the two clients get different
# generate-policy modes (port-override vs port-strict) - presumably deliberate.
add auth-method=digital-signature certificate=SERVER_ipsec comment=beowulf generate-policy=port-override match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
remote-certificate=client_ipsec_beowulf remote-id=ignore
add auth-method=digital-signature certificate=SERVER_ipsec comment=hekate generate-policy=port-strict match-by=certificate mode-config=roadwarrior peer=roadwarrior policy-template-group=roadwarrior \
remote-certificate=client_ipsec_hekate remote-id=ignore
# Site-to-site identity relies on defaults; the export hides sensitive values, so the
# authentication secret (if pre-shared-key) is not visible here - make sure it is strong.
add peer=bifrost
/ip ipsec policy
# Template for road warriors; concrete policies are generated per client.
add dst-address=0.0.0.0/0 group=roadwarrior proposal=roadwarrioor src-address=0.0.0.0/0 template=yes
# Disabled: 10.10.10.0/24 is not routed through the tunnel (mirrored disabled on SiteB).
add disabled=yes dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=10.10.10.0/24 tunnel=yes
# Active tunnel policies; these must be matched by the packet's ORIGINAL source address,
# which is why the local->remote traffic must not be source-NATed before reaching them.
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=172.168.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 peer=bifrost proposal=ike1-site2 src-address=192.168.0.0/24 tunnel=yes
# SiteB: address lists and filter rules (mirror of SiteA: SiteA's LANs are "remote" here).
# NOTE(review): 172.168.0.0/24 is NOT RFC 1918 space (private 172.x is 172.16.0.0/12);
# it is publicly routable - presumably 172.16.0.0/24 was intended. Confirm.
/ip firewall address-list
add address=SiteA_IP list=secure
add address=172.168.0.0/24 list=remote
add address=192.168.0.0/24 list=remote
add address=192.168.2.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management (SSH, Winbox) from the WAN is limited to the "secure" list (only SiteA_IP above).
add action=accept chain=input comment="cust: accept from known devices" dst-port=22,8291 in-interface-list=WAN protocol=tcp src-address-list=secure
# Keep these two IPsec accept rules ABOVE the fasttrack rule so tunnel traffic is not fasttracked.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="cust: allow from remote clients" in-interface-list=WAN ipsec-policy=in,ipsec src-address-list=remote
# NOTE(review): accepts UDP/1701 from ANY source with no ipsec-policy match, so plaintext
# L2TP reaches the router. No L2TP server is visible in this export; either remove the
# rule or restrict it with `ipsec-policy=in,ipsec`.
add action=accept chain=input comment="cust: allow L2TP via IPSEC" dst-port=1701 protocol=udp
# IKE (500), ESP, AH and NAT-T (4500) open to any source; NAT-T hits are logged as "pass-ipsec".
add action=accept chain=input comment="cust: allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="cust: allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="cust: allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="cust: allow IPsec NAT" dst-port=4500 log-prefix=pass-ipsec protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Default-deny for input: anything not from the LAN list (and anything from WAN) is dropped.
add action=drop chain=input comment="defconf: drop all not coming from internal" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from external not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="cust: drop all other" in-interface-list=WAN
# SiteB: mangle, NAT and raw.
# MSS clamp on TCP SYNs arriving through the tunnel (presumably to avoid ESP-induced fragmentation).
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec log-prefix=MSS new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# Correct NAT bypass for the tunnel: action=accept stops srcnat processing, so local<->remote
# packets keep their original source address and still match the IPsec policies. These
# must stay above the masquerade rule. (SiteA's equivalent rules use masquerade instead,
# which rewrites the source and breaks the SiteA->SiteB direction.)
add action=accept chain=srcnat comment="cust: allow access from IPSEC" dst-address-list=remote src-address-list=local
add action=accept chain=srcnat comment="cust: allow access from IPSEC" dst-address-list=local src-address-list=remote
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether-wan
/ip firewall raw
# NOTE(review): action=accept in raw only ends raw-chain processing and does not bypass
# connection tracking (that is action=notrack); with no other raw rules visible these
# two rules have no effect.
add action=accept chain=prerouting dst-address-list=remote src-address-list=local
add action=accept chain=prerouting dst-address-list=local src-address-list=remote
# SiteB: IPsec configuration for the site-to-site peer "valhalla" (SiteA).
/ip ipsec mode-config
# NOTE(review): mode-config "bifrost" is not referenced by the identity below - unused leftover.
add address=172.168.0.1 name=bifrost
/ip ipsec profile
# Phase 1: IKEv2, AES-128, DH modp2048 - matches SiteA's ike1-site2 profile.
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec peer
# No passive flag: SiteB is the initiator; SiteA's peer entry is passive.
add address=SITEA_IP/32 exchange-mode=ike2 name=valhalla profile=ike1-site1
/ip ipsec proposal
# Phase 2: AES-128-CBC with PFS modp2048 - matches SiteA's ike1-site2 proposal.
add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/ip ipsec identity
# Relies on defaults; the export hides sensitive values, so the authentication secret
# is not visible here - make sure it is strong.
add peer=valhalla
/ip ipsec policy
# Disabled: 10.10.10.0/24 is not routed through the tunnel (mirrored disabled on SiteA).
add disabled=yes dst-address=10.10.10.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
# Active tunnel policies; exact mirrors of SiteA's two active policies.
add dst-address=172.168.0.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.0.0/24 peer=valhalla proposal=ike1-site1 src-address=192.168.2.0/24 tunnel=yes
SiteA -> SiteB is not working.