tastic
just joined
Topic Author
Posts: 1
Joined: Wed Feb 01, 2023 3:56 am

IPSec site-to-site stopped working

Wed Feb 01, 2023 4:26 am

Hi, I've had IPSec site-to-site working between two Mikrotiks for years (literally) and now it has stopped working with no config change on the routers. ROS 6.48.6 (long term channel). Here are the two IPSec configs.

Router 1 (local subnet 192.168.0.0/24):
/ip ipsec profile
add enc-algorithm=aes-256 name=profile_1 nat-traversal=no
/ip ipsec peer
add address=xxxxxx name=xxxxxx profile=profile_1
/ip ipsec identity
add peer=xxxxxx secret=mysecret
/ip ipsec policy
add dst-address=192.168.0.0/24 peer=xxxxxx src-address=192.168.3.0/24 tunnel=yes
Router 2 (local subnet 192.168.3.0/24):
/ip ipsec profile
add enc-algorithm=aes-256 name=profile_2 nat-traversal=no
/ip ipsec peer
add address=yyyyyy name=yyyyyy profile=profile_2
/ip ipsec identity
add peer=yyyyyy secret=mysecret
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=yyyyyy src-address=192.168.0.0/24 tunnel=yes

Here are the firewall configs.
Router 1:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Router access" src-address=192.168.0.0/24
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.3.0/24
add action=accept chain=input dst-port=443 protocol=tcp src-address=192.168.3.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=all-vlan out-interface=ether1
add action=reject chain=forward in-interface=all-vlan reject-with=icmp-host-unreachable
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.3.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.0.0/24 tcp-flags=syn \
    tcp-mss=!0-1350
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add action=accept chain=srcnat dst-address=0.0.0.0/0 src-address=10.11.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.3.0/24
Router 2:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Allow to router from LAN" src-address=192.168.3.0/24
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input dst-port=443 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="Exclude marked connections to non-default WAN" connection-mark=!unid2cm connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=all-vlan out-interface-list=WAN
add action=drop chain=forward in-interface=all-vlan
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.0.0/24 new-mss=1350 passthrough=yes protocol=tcp src-address=192.168.3.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.3.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.3.0/24

In "active peers", Router 1 seems to have both incoming & outgoing traffic:
/ip ipsec active-peers> print detail
Flags: R - responder, N - natt-peer
 0 R  local-address=xxxxxx remote-address=yyyyyy state=established side=responder uptime=41m38s last-seen=1m29s ph2-total=4
      spii="37e611e3dc0a7e8b" spir="734a5991018f3b0f"
/ip ipsec active-peers> print stats
Flags: R - responder, N - natt-peer
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                            DYNAMIC-ADDRESS            RX-BYTES          TX-BYTES
 0 R                       established        44m24s                  4 yyyyyy                                                        94 428           934 357
But Router 2 seems to have no incoming:
/ip ipsec active-peers> print detail
Flags: R - responder, N - natt-peer
 0    local-address=yyyyyy remote-address=xxxxxx state=established side=initiator uptime=43m40s last-seen=1m30s ph2-total=4 spii="37e611e3dc0a7e8b"
      spir="734a5991018f3b0f"
/ip ipsec active-peers> print stats
Flags: R - responder, N - natt-peer
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                            DYNAMIC-ADDRESS            RX-BYTES          TX-BYTES
 0                         established        43m43s                  4 xxxxxx                                                               0            94 024
Any ideas why this would not be working? My best guess is something at ISP level. Thanks.
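The counters in the post are the one piece of hard evidence: Router 1 reports TX-BYTES 934 357 while Router 2 reports RX-BYTES 0, so encrypted traffic leaving Router 1 is never decrypted by Router 2, whereas the other direction (Router 2 TX 94 024, Router 1 RX 94 428) is healthy. The script below is an added example, not code from the post or from MikroTik. It parses the text of `/ip ipsec active-peers print stats` as pasted from RouterOS 6.x (byte counters with a space as thousands separator, an ID column that may be empty) and reports which direction of the tunnel carries nothing. The two sample outputs are constructed from the figures in the post; `xxxxxx` and `yyyyyy` are the poster's placeholders for the public addresses, and the router names are assumed.

```python
"""Cross-check IPsec byte counters reported by the two ends of a site-to-site tunnel.

Added example, not from the original post or from MikroTik. Input is the text of
`/ip ipsec active-peers print stats` as printed by RouterOS 6.x.
"""
import re

# Constructed from the numbers in the post (Router 1 = responder, Router 2 = initiator).
ROUTER1_STATS = """\
Flags: R - responder, N - natt-peer
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                            DYNAMIC-ADDRESS            RX-BYTES          TX-BYTES
 0 R                       established        44m24s                  4 yyyyyy                                                        94 428           934 357
"""

ROUTER2_STATS = """\
Flags: R - responder, N - natt-peer
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                            DYNAMIC-ADDRESS            RX-BYTES          TX-BYTES
 0                         established        43m43s                  4 xxxxxx                                                               0            94 024
"""

# One data row of `print stats`. RouterOS prints counters with a space as thousands
# separator ("94 428"), so they are matched as digit groups rather than single tokens.
# The ID column may be empty, so ID and STATE are captured together and split later.
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)"                      # row index
    r"(?P<flags>(?:\s[RN])*)"                # R = responder, N = NAT-T peer
    r"\s+(?P<idstate>.+?)"                   # [ID] STATE
    r"\s+(?P<uptime>(?:\d+[wdhms])+)"        # e.g. 44m24s, 1d2h3m4s
    r"\s+(?P<ph2>\d+)"                       # PH2-TOTAL
    r"\s+(?P<remote>\S+)"                    # REMOTE-ADDRESS
    r"(?:\s+(?P<dyn>\d+\.\d+\.\d+\.\d+))?"   # DYNAMIC-ADDRESS, usually empty
    r"\s+(?P<rx>\d{1,3}(?: \d{3})*)"         # RX-BYTES
    r"\s+(?P<tx>\d{1,3}(?: \d{3})*)"         # TX-BYTES
    r"\s*$"
)


def parse_stats(text):
    """Return one dict per data row; header, flag legend and blank lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        *ident, state = m["idstate"].split()
        peers.append({
            "num": int(m["num"]),
            "responder": "R" in m["flags"],
            "natt": "N" in m["flags"],
            "id": " ".join(ident),
            "state": state,
            "uptime": m["uptime"],
            "ph2_total": int(m["ph2"]),
            "remote": m["remote"],
            "dynamic": m["dyn"] or "",
            "rx_bytes": int(m["rx"].replace(" ", "")),
            "tx_bytes": int(m["tx"].replace(" ", "")),
        })
    return peers


def diagnose(a, b, name_a="Router 1", name_b="Router 2"):
    """Compare one peer entry from each end of the tunnel.

    A's TX should show up as B's RX and vice versa. Only a zero counter is treated as
    conclusive: the two snapshots are taken at different moments and never agree exactly.
    """
    findings = []
    if a["state"] != "established" or b["state"] != "established":
        findings.append("IKE SA is not established on both ends: phase 1 problem")
        return findings
    if a["responder"] == b["responder"]:
        findings.append("both ends claim the same IKE role; these rows may not be the same SA")
    if a["tx_bytes"] > 0 and b["rx_bytes"] == 0:
        findings.append(f"{name_a} sends ESP ({a['tx_bytes']} bytes) but {name_b} receives nothing: "
                        f"traffic from {name_a} is lost or dropped before {name_b} decrypts it")
    if b["tx_bytes"] > 0 and a["rx_bytes"] == 0:
        findings.append(f"{name_b} sends ESP ({b['tx_bytes']} bytes) but {name_a} receives nothing: "
                        f"traffic from {name_b} is lost or dropped before {name_a} decrypts it")
    if not findings:
        findings.append("both directions carry traffic; look beyond the tunnel (routing, policies, firewall)")
    return findings


if __name__ == "__main__":
    r1 = parse_stats(ROUTER1_STATS)[0]
    r2 = parse_stats(ROUTER2_STATS)[0]
    for finding in diagnose(r1, r2):
        print(finding)
```

For the post's numbers the script reports the Router 1 to Router 2 direction as dead. Because both profiles set nat-traversal=no, the encrypted traffic is raw ESP (IP protocol 50) rather than UDP 4500, so the next step is to confirm on Router 2 whether any ESP from Router 1 arrives at all (for example a packet capture filtered on protocol 50 on the WAN interface); if it does arrive and the counter still stays at 0, look at what drops it on the way to the IPsec stack, bearing in mind that the posted input chains explicitly name only UDP 500/4500, not ESP itself. If it never arrives, the loss is upstream of Router 2, which is consistent with the poster's suspicion of the ISP.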
