bliss21
just joined
Topic Author
Posts: 1
Joined: Sat Dec 03, 2022 12:39 pm

Mikrotik VPN Site to Site

Sat Dec 03, 2022 1:34 pm

Hello,

I have the following network diagram:
Two locations (datacenters) connected through MikroTik routers, with a site-to-site VPN connection configured with IPsec and, on each router, a client-to-site L2TP VPN connection. I will present this with different IPs just to give an idea.
Site 1: WAN: 80.80.80.25
LAN: 192.168.2.0/24, gateway: 192.168.2.1 (LAN router IP)
Site 2: WAN: 81.81.81.25
LAN: 192.168.5.0/24, gateway: 192.168.5.1 (LAN router IP)

The site-to-site IPsec VPN connection shows that it is established.
The client-to-site L2TP VPN connection is working on both routers.
NAT for both networks is created on the routers.
Firewall rules are the same on both routers.

If I'm connected to the VPN on Site 1, I can access everything from Site 2 and Site 1 (ping is working, web services are working), but a few minutes after connecting I can only ping the devices and can't connect to their web interfaces (iLO interfaces, web servers and so on).
If I'm connected to the VPN on Site 2, I can only access devices from Site 2, not the ones from Site 1.

In both cases the VPN connections (site-to-site, client-to-site) are always up and never go down.

Do you have any idea why I'm seeing this behavior?

Thank you!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik VPN Site to Site

Sat Dec 03, 2022 7:57 pm

Ask your company IT staff.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik VPN Site to Site

Mon Dec 05, 2022 5:29 pm

What you describe is really strange. I have seen cases where any connection becomes impossible after some time of silence and these have a perfectly logical explanation, but I hear for the first time that ping remains possible but normal connections don't.

At the moment I can only imagine some load distribution rules to come into play. So post anonymized exports first. If that is not enough, it will require some packet sniffing to find out.
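As an added example (not part of the thread, and not a MikroTik-supplied procedure), these are the RouterOS commands that produce the anonymized exports and the packet capture sindy asks for, plus one check worth doing first: a ping with the do-not-fragment flag at a large packet size. Small pings succeeding while TCP sessions stall is a pattern that can also come from a path MTU problem inside the tunnel, so this assumption is worth ruling out before sniffing. The interface names (ether1, bridge1) and the host 192.168.5.10 are assumptions; the subnets and gateways are the ones from the original post.

```routeros
# --- 1. Exports to post (run on each router, then anonymize WAN IPs before posting) ---
# RouterOS 7 omits secrets from exports by default; on RouterOS 6 add hide-sensitive.
/ip ipsec export file=site1-ipsec
/interface l2tp-server export file=site1-l2tp
/ip firewall export file=site1-firewall
/ip route export file=site1-routes

# --- 2. Confirm the IPsec tunnel really carries traffic, not just that a peer is up ---
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print

# --- 3. Large-packet check across the tunnel (assumed host 192.168.5.10 at Site 2) ---
# Run from the Site 1 router, sourcing from its LAN address. If a small ping works
# but the 1400-byte DF ping fails, fragmentation/MTU on the tunnel path is a suspect.
/ping 192.168.5.10 src-address=192.168.2.1 count=4
/ping 192.168.5.10 src-address=192.168.2.1 size=1400 do-not-fragment count=4

# --- 4. Look at the connection tracking state for the failing web session ---
/ip firewall connection print where dst-address~"192.168.5.10"

# --- 5. Packet capture on the LAN side (assumed bridge1) for that host only ---
/tool sniffer set filter-ip-address=192.168.5.10/32 filter-interface=bridge1 file-name=site1-capture.pcap
/tool sniffer start
# ...reproduce the failed web connection from the VPN client, then:
/tool sniffer stop
```

Open site1-capture.pcap in Wireshark and compare the TCP handshake for the web connection with the ICMP echo that still works: a SYN that leaves without a SYN/ACK coming back, or a retransmitted large segment, narrows the fault to a specific direction and packet size, which is far more useful to post than a description of the symptom.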
