ssh88
just joined
Topic Author
Posts: 2
Joined: Mon Oct 31, 2022 1:29 pm

IPSec - no RX on one side

Mon Oct 31, 2022 1:42 pm

Hi,
I've been losing my mind and banging my head against the wall for the last XXX months. I have a failing IPSec connection which works (very) randomly.
When I first configured it, it worked for some time without problems - until I rebooted the server. After playing again with the configuration and firewall rules, it started working again - until the next reboot.

I have two subnets (one VLAN on each router): 192.168.98.0/24 on router A and 192.168.99.0/24 on router B. The interesting thing is that the routers do not ping each other. But the situation is as follows:
- when pinging from router A to B: the Tx counter increases (IPsec => active peers), but not a single packet is returned. On router B both the Tx and Rx counters increase.
- when pinging from router B to A: the Tx counter increases, but there is no Rx on either side. So the packets don't reach router A.

Traceroute returns nothing usable - only timeouts. There is also nothing usable from netwatch (or I don't know how to use it properly).

The configuration has been deleted and redone, from tutorials and from (proven) working configurations I use on two other networks. But there are two differences:
- on side A there is a different internet provider from the one I'm used to working with.
- side A has 6 static IP addresses and one dynamic (modem). The modem is configured in bridged mode so there is no NAT traversal.

Thank you and best regards.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec - no RX on one side

Mon Oct 31, 2022 7:12 pm

Basically, you have two options:

a) Keep banging your head and hope for the best.
b) Post some actual useful info that someone can work with. Exported configs from both routers and description of things that may not be apparent often leads to success. Known facts so far are only that you have some unknown config and that there seems to be some problem delivering encrypted packets from B to A. I think you may agree that it's not much.
 
ssh88
just joined
Topic Author
Posts: 2
Joined: Mon Oct 31, 2022 1:29 pm

Re: IPSec - no RX on one side

Sun Nov 06, 2022 1:53 pm

Hi,
I've forgotten a little about this post ..... but (hopefully) found a solution - now it is working as it should. The problem was that I am using a virtual IP address for IPSec.

Router A has 4 (5) IP addresses:
10.0.0.1 (A_IP1)
10.0.0.2 (A_IP2) - the address I use for IPSec traffic
10.0.0.3 (A_IP3)
10.0.0.4 (A_IP4)
and
20.0.0.1 (WAN interface IP - WANIP_A)

Router B has one IP address: 30.0.0.1 - WANIP_B

------

After using the packet sniffer, I found out the following when doing a traceroute from router A to the local subnet on the B site:
rx WANIP_A => WANIP_B
tx WANIP_B => A_IP2
rx WANIP_A => WANIP_B
tx WANIP_B => A_IP2

which should look like:

rx A_IP2 => WANIP_B
tx WANIP_B => A_IP2
rx A_IP2 => WANIP_B
tx WANIP_B => A_IP2

After I did some housekeeping regarding the NAT rules and enabled NAT Traversal, the thing works.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec - no RX on one side

Sun Nov 06, 2022 7:11 pm

Makes sense. You should have local-address=A_IP2 for peer on router A, and then make sure that srcnat won't touch any packets from A_IP2.
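What that advice looks like as configuration on router A, written as an added example (not a config posted in the thread): the peer is pinned to A_IP2 with local-address, and srcnat accept rules are placed above the masquerade so neither the IKE/ESP packets sourced from A_IP2 nor the plaintext 192.168.98.x -> 192.168.99.x traffic gets rewritten to WANIP_A, which is exactly the "rx WANIP_A => WANIP_B" the sniffer showed. Addresses and subnets are the ones from the thread; the names profile-B, peer-B, proposal-B, the interface name ether1-wan, the cipher choices and the PSK placeholder are assumptions for the example, not values from the thread. RouterOS v7 syntax.

```routeros
# Router A: several public addresses, 10.0.0.2 is A_IP2 (the one used for IPsec)
# Example configuration, not taken from the thread. Names and ciphers are assumptions.

# Phase 1 profile. nat-traversal=yes lets IKE detect a NAT in the path and switch
# to UDP/4500 encapsulation; harmless when no NAT is present.
/ip ipsec profile
add name=profile-B hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=yes

# Peer entry. local-address pins IKE and the resulting SA to A_IP2; without it the
# router sources the packets from whatever address routing prefers (WANIP_A here),
# and router B, configured to talk to A_IP2, never matches the SA.
/ip ipsec peer
add name=peer-B address=30.0.0.1/32 local-address=10.0.0.2 exchange-mode=ike2 profile=profile-B

/ip ipsec identity
add peer=peer-B auth-method=pre-shared-key secret="CHANGE-ME-PSK"

# Phase 2 proposal and the tunnel policy for the two VLAN subnets.
/ip ipsec proposal
add name=proposal-B auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

/ip ipsec policy
add peer=peer-B tunnel=yes src-address=192.168.98.0/24 dst-address=192.168.99.0/24 proposal=proposal-B

# srcnat: both accept rules must sit above the masquerade rule (place-before=0 puts
# them first). The first keeps masquerade off the IKE/ESP packets leaving from A_IP2;
# the second keeps it off the plaintext traffic the policy is supposed to encrypt.
/ip firewall nat
add chain=srcnat action=accept src-address=10.0.0.2 place-before=0 comment="do not NAT IKE/ESP sourced from A_IP2"
add chain=srcnat action=accept src-address=192.168.98.0/24 dst-address=192.168.99.0/24 place-before=0 comment="bypass NAT for traffic to B"
add chain=srcnat action=masquerade out-interface=ether1-wan comment="default masquerade (interface name assumed)"

# Checks after applying: the established peer should show local-address 10.0.0.2,
# and the sniffer should show ESP/IKE leaving from 10.0.0.2, not from WANIP_A.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/tool sniffer quick ip-protocol=ipsec-esp
```

The order of the NAT rules is the whole point: RouterOS evaluates srcnat top down, and a masquerade rule that matches first rewrites the source to the outgoing interface's primary address before IPsec policy matching sees the packet. If `/ip ipsec installed-sa print` shows SAs but the sniffer still shows WANIP_A as the source, the NAT exclusion is what to recheck.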
