6string
just joined
Topic Author
Posts: 4
Joined: Wed Jan 18, 2017 1:15 am

IPSEC Site to Site UP but can't ping remote devices

Wed Jan 18, 2017 11:26 pm

I'm a newb to MikroTik, so hopefully this is something easy that I am missing.
I spent several hours trying to find the answer before I posted this.

Using 2 MikroTik 9B951G with v6.38.1 stable.
Both sites can access the internet.
I have set up a simple test IPsec site-to-site in my office but I can't seem to get it right.
The remote peers show established and I see the installed SAs.
I can ping the remote router from both sides.
The issue is I can't ping any devices other than the remote routers.

Site A
Wan 10.1.10.10
Lan 10.192.103.0/24
Policy
Src 10.192.103.0/24
Dst 192.168.88.0/24
SA Src 10.1.10.10
SA Dst 10.1.10.11
Peer
10.1.10.11
Preshared Key ****
Sha1
aes-256
modp1024
Proposal
sha1
aes-256 cbc
aes-256 ctr

Site B
Wan 10.1.10.11
Lan 192.168.88.0/24
Policy
Src 192.168.88.0/24
Dst 10.192.103.0/24
SA Src 10.1.10.11
SA Dst 10.1.10.10
Peer
10.1.10.10
Preshared Key ****
Sha1
aes-256
modp1024
Proposal
sha1
aes-256 cbc
aes-256 ctr

I have added 3 rules to the top of the firewall rules, and I see traffic on 50 and 500 on both routers:
Accept Input
50 ipsec esp
51 ipsec ah
500 udp

I have added a NAT rule to the TOP of the NAT table:
Site A
Accept
srcnat
Src 10.192.103.0/24
Dest 192.168.88.0/24
Site B
Accept
srcnat
Src 192.168.88.0/24
Dst 10.192.103.0/24

I am also flushing the SAs when making changes.
I have tried adding an IP/Route (actually several combinations),
for example from site A:
Dst 192.168.88.0/24
Gateway 10.1.10.11

Can anyone tell me what I am missing?
Thanks a lot!!
 
gooseleggs
just joined
Posts: 3
Joined: Tue Jan 17, 2017 4:27 am

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jan 19, 2017 1:32 am

In the firewall tab, go to connections, and then enable the "Reply Src Address" and "Reply Dst Address" columns. Ensure that the addresses you see in these are the IP Addresses of the remote computer and not the WAN interface of one of the routers.
 
6string
just joined
Topic Author
Posts: 4
Joined: Wed Jan 18, 2017 1:15 am

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jan 19, 2017 3:09 am

Under IP / Firewall, then the Connections tab, there is only a button named Tracking and a table of current connections.
Not sure what you are referring to.
I am using Webfig v6.38.1.
Thanks
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jan 19, 2017 7:38 am

Sis you set up NTP?
 
6string
just joined
Topic Author
Posts: 4
Joined: Wed Jan 18, 2017 1:15 am

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jan 19, 2017 9:20 pm

SIS?
Yes I have NTP set up
 
6string
just joined
Topic Author
Posts: 4
Joined: Wed Jan 18, 2017 1:15 am

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jan 19, 2017 10:08 pm

OK.
After a week of goofing around I found the answer to this, for anyone who goes down this path :/
As well as the above initial configuration, in order to see the computers on each side of the site-to-site
I added the following under IP/Firewall/Raw:
Site A
No Track Pre routing Src 10.192.103.0/24 Dst 192.168.88.0/24
No Track Pre routing Src 192.168.88.0/24 Dst 10.192.103.0/24

Site B
No Track Pre routing Src 192.168.88.0/24 Dst 10.192.103.0/24
No Track Pre routing Src 10.192.103.0/24 Dst 192.168.88.0/24
 
zubaid
just joined
Posts: 1
Joined: Mon Jun 18, 2018 1:52 pm

Re: IPSEC Site to Site UP but can't ping remote devices

Mon Jun 18, 2018 1:56 pm

I have already successfully done a site-to-site configuration in MikroTik, but I can't ping the remote site from either side; it shows established. Please help me with this configuration.
 
eifelis
just joined
Posts: 1
Joined: Fri Sep 21, 2018 10:43 am

Re: IPSEC Site to Site UP but can't ping remote devices

Fri Sep 21, 2018 10:45 am

OK.
After a week of goofing around I found the answer to this, for anyone who goes down this path :/
As well as the above initial configuration, in order to see the computers on each side of the site-to-site
I added the following under IP/Firewall/Raw:
Site A
No Track Pre routing Src 10.192.103.0/24 Dst 192.168.88.0/24
No Track Pre routing Src 192.168.88.0/24 Dst 10.192.103.0/24

Site B
No Track Pre routing Src 192.168.88.0/24 Dst 10.192.103.0/24
No Track Pre routing Src 10.192.103.0/24 Dst 192.168.88.0/24
Registered here to say thanks - this fixed my problem!
 
LittleMan
just joined
Posts: 21
Joined: Fri Jul 28, 2017 4:02 am

Re: IPSEC Site to Site UP but can't ping remote devices

Sun Sep 06, 2020 2:40 am

Awesome stuff @6string!
I can't understand why the setup manual/example on MikroTik's website is so incomplete. Without the prerouting raw rules nothing actually works. I have no idea how the rest of the people configure it; it seems that this "last step" is very well kept by the knowledgeable gurus (probably this is how they earn their food).

I have one last problem here though: I can't ping the LAN IPs of the two routers from each other. I can ping the routers on their LAN addresses from a machine on the remote LAN, but I can't ping them from the routers themselves. What am I missing here?
 
LittleMan
just joined
Posts: 21
Joined: Fri Jul 28, 2017 4:02 am

Re: IPSEC Site to Site UP but can't ping remote devices

Sun Sep 06, 2020 3:07 am

OK, the suggestion to use the Connections tab was very good, as I observed that my ping was actually going from the WAN address to the remote router's LAN address.
So to ping the two routers from each other, you either need to specify the interface (in my case the bridge interface, as that's the one with the gateway LAN IP) or the correct source IP, as the ping application won't know that you want to exit/check through the tunnel and will default to the WAN (or probably the first interface found).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSEC Site to Site UP but can't ping remote devices

Sun Sep 06, 2020 3:07 am

There's no secret, current default firewall allows tunneled traffic by default, you don't need to add anything.

Your problem with ping is most likely because you do simple "ping <address>", router chooses "wrong" source address and IPSec policy doesn't match. If you want to only test that it works, add src-address=<router's internal address> to ping command. If you want it to work automatically, add route to remote subnet with pref-src=<router's internal address>. Little more about IPSec and routes is here.
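A complete Site A configuration in current RouterOS syntax, added here as an editorial example; it is not from any of the posters above. It ties together the original post's policy, the NAT exemption for tunnel traffic, and the route with pref-src that Sob recommends. Assumptions not stated in the thread: the router's own LAN address is 10.192.103.1, the WAN interface is ether1, and the PSK is a placeholder. The example also replaces the thread's sha1/modp1024 with sha256/modp2048, because 1024-bit MODP and SHA-1 are below current recommendations; if the far end cannot negotiate those, the rest of the example still applies. The /ip firewall raw notrack rules from earlier in the thread are deliberately left out: as Sob says, the default firewall already passes tunnel traffic, and exempting packets from connection tracking also takes them out of any established/related stateful rules.

```routeros
# Site A (this router).  WAN 10.1.10.10 on ether1 (interface name assumed),
# LAN 10.192.103.0/24 with the router at 10.192.103.1 (address assumed).
# Site B: WAN 10.1.10.11, LAN 192.168.88.0/24.  Mirror src/dst for Site B.
# Syntax is RouterOS 6.43+/7.x; on 6.38 (the OP's version) the secret and
# exchange-mode sit on /ip ipsec peer itself and there is no identity menu.

# Phase 1 (IKE): sha256/modp2048 instead of the sha1/modp1024 used in the thread.
/ip ipsec profile
add name=siteb-ike hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    nat-traversal=yes dpd-interval=30s

/ip ipsec peer
add name=siteb address=10.1.10.11/32 exchange-mode=ike2 profile=siteb-ike

/ip ipsec identity
add peer=siteb auth-method=pre-shared-key secret="replace-with-a-long-random-psk"

# Phase 2 (ESP) proposal with PFS.
/ip ipsec proposal
add name=siteb-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# The policy selects traffic for the tunnel: source AND destination must both
# match.  A router-originated ping whose source is the WAN address
# (10.1.10.10 -> 192.168.88.x) does not match and is sent in the clear.
/ip ipsec policy
add peer=siteb tunnel=yes src-address=10.192.103.0/24 dst-address=192.168.88.0/24 \
    proposal=siteb-esp

# NAT: exempt traffic that an outbound IPsec policy will encrypt, before masquerade.
# If masquerade rewrote the source to 10.1.10.10 first, the policy would not match.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="no NAT for tunnel traffic"
add chain=srcnat action=masquerade out-interface=ether1

# Firewall: these must sit above any drop rules in the input and forward chains.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=10.1.10.11 \
    comment="IKE and NAT-T from the peer"
add chain=input action=accept protocol=ipsec-esp src-address=10.1.10.11 comment="ESP from the peer"
add chain=forward action=accept ipsec-policy=in,ipsec comment="decrypted tunnel traffic"
add chain=forward action=accept ipsec-policy=out,ipsec comment="traffic about to be encrypted"

# Route to the remote LAN with pref-src, so traffic the router itself originates
# (ping, DNS, syslog to the far side) uses the LAN address and matches the policy.
# In this thread's lab both WANs share 10.1.10.0/24, so the peer is the next hop;
# on a real uplink the gateway is the ISP next hop and pref-src does the work.
/ip route
add dst-address=192.168.88.0/24 gateway=10.1.10.11 pref-src=10.192.103.1 \
    comment="source selection for router-originated traffic into the tunnel"

# Checks from Site A's terminal: peer up, SAs installed, a ping that matches the
# policy, and connection entries whose reply addresses are the LAN hosts, not the WAN.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ping 192.168.88.1 src-address=10.192.103.1 count=3
/ip firewall connection print where dst-address~"192.168.88"
```

Without the route, `/ping 192.168.88.1` alone still fails from the router because the kernel picks the WAN address as source, which is exactly the Connections-tab symptom described earlier in the thread; with it, plain `/ping` works because the source is chosen before the policy lookup. The srcnat accept rule keyed on `ipsec-policy=out,ipsec` is equivalent to the OP's address-based accept rule and to eddulh's masquerade exemption below, but it needs no per-subnet maintenance when more policies are added.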
 
LittleMan
just joined
Posts: 21
Joined: Fri Jul 28, 2017 4:02 am

Re: IPSEC Site to Site UP but can't ping remote devices

Sun Sep 06, 2020 3:30 am

Thank you, Sob, you are right, the route was missing (actually it was deactivated when I was going back and forth with settings and configuration).
I have created the route with the remote LAN subnet and the bridge as the gateway. Now everything works.
 
eddulh
just joined
Posts: 1
Joined: Thu Jun 02, 2022 5:24 pm

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jun 02, 2022 5:31 pm

Quick note some years later.

Make sure any NAT masquerade rule on the outgoing WAN interface is set to not apply to IPsec traffic (Advanced - IPsec Policy: out: none).
 
soulreaver1
just joined
Posts: 22
Joined: Tue May 11, 2010 12:19 pm
Location: Warsaw, Poland

Re: IPSEC Site to Site UP but can't ping remote devices

Thu Jun 09, 2022 2:04 pm

I've encountered the same problem. In my case the solution was to add a static route for the remote network. Based on the addresses from this topic, for site A this would be:

 /ip route add gateway=10.1.10.11 dst-address=192.168.88.0/24
 
pashew
just joined
Posts: 6
Joined: Sat Jan 29, 2022 10:54 am

Re: IPSEC Site to Site UP but can't ping remote devices

Mon Nov 14, 2022 7:31 am

Thank you a lot for your answer.
It worked for me, best solution ever :)
There's no secret, current default firewall allows tunneled traffic by default, you don't need to add anything.

Your problem with ping is most likely because you do simple "ping <address>", router chooses "wrong" source address and IPSec policy doesn't match. If you want to only test that it works, add src-address=<router's internal address> to ping command. If you want it to work automatically, add route to remote subnet with pref-src=<router's internal address>. Little more about IPSec and routes is here.
 
pcp
just joined
Posts: 1
Joined: Fri Jul 28, 2023 3:34 pm

Re: IPSEC Site to Site UP but can't ping remote devices

Fri Jul 28, 2023 3:39 pm

There's no secret, current default firewall allows tunneled traffic by default, you don't need to add anything.

Your problem with ping is most likely because you do simple "ping <address>", router chooses "wrong" source address and IPSec policy doesn't match. If you want to only test that it works, add src-address=<router's internal address> to ping command. If you want it to work automatically, add route to remote subnet with pref-src=<router's internal address>. Little more about IPSec and routes is here.
Hi there, I'm quite new to MikroTik but I have the same problem (I think).
Can someone tell me how to add a route to the remote subnet with pref-src=<router's internal address>?
Thanks in advance!