I'm trying to set up an IPsec tunnel between two private networks at different sites, and I'm having difficulty getting traffic to flow.
I've added the IPsec policies and peers, and added the firewall NAT rule. I also added the firewall filter rules to bypass FastTrack. Another thread on this forum suggested adding rules to allow UDP 4500 and ipsec-esp, so I did that as well.
Initially I didn't see any packets hitting the firewall filter rules. If I edit the FastTrack bypass rule's connection state to include New, I begin to see packets travelling from Site 1 to Site 2, but I still cannot make a connection.
Site1 Policy
Site1 Peer
Site1 Firewall
Site1 NAT
Site2 Policy
Site2 Peer
Site2 Firewall
Site2 NAT
Site 1 Router Export
# may/10/2018 11:43:22 by RouterOS 6.23
# software id = DUHI-IMYE
#
# Site 1 export as posted. Public addresses are replaced by the placeholders
# Site1_Public_IP, Site2_Public_IP and Site1_Default_Gateway. The site-to-site
# IPsec pieces are spread over /ip ipsec proposal, /ip firewall filter,
# /ip firewall nat, /ip ipsec peer and /ip ipsec policy; reviewer remarks are
# marked "NOTE:" and only describe what this export shows.
/interface bridge
add arp=proxy-arp name=local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-GE
set [ find default-name=ether3 ] master-port=ether2-master-GE name=ether3-slave-GE
set [ find default-name=ether4 ] master-port=ether2-master-GE name=ether4-slave-GE
set [ find default-name=ether5 ] master-port=ether2-master-GE name=ether5-slave-GE
set [ find default-name=ether6 ] name=ether6-master-FE
set [ find default-name=ether7 ] master-port=ether6-master-FE name=ether7-slave-FE
set [ find default-name=ether8 ] master-port=ether6-master-FE name=ether8-slave-FE
set [ find default-name=ether9 ] master-port=ether6-master-FE name=ether9-slave-FE
set [ find default-name=ether10 ] name=ether10-Interconnect-FE
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors l2mtu=2290 mode=station-bridge ssid=MikroTik-FF4EFD \
wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# NOTE: the default proposal (the one the site-to-site policy below uses) is
# pinned to 3des only. Site 2's export contains no /ip ipsec proposal change,
# so phase 2 can only complete if Site 2's default proposal also offers 3des.
# 3DES is a legacy cipher; AES (aes-128/aes-256 are already listed on the
# disabled peer below) on both ends is the better choice.
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_internal ranges=192.168.218.100-192.168.218.150
/ip dhcp-server
add address-pool=dhcp name=default
add address-pool=dhcp_internal disabled=no interface=local lease-time=3d name=dhcp-local
/ip ipsec mode-config
# Mode-config entry named " " (a single space) handing out LAN DHCP addresses;
# belongs to the disabled L2TP peer further down, not to the site-to-site tunnel.
add address-pool=dhcp_internal name=" " split-include=0.0.0.0/0
/port
set 0 name=serial0
/ppp profile
set 1 bridge=local local-address=192.168.218.1 remote-address=dhcp_internal
/interface bridge port
add bridge=local interface=ether2-master-GE
add bridge=local interface=ether6-master-FE
add bridge=local interface=sfp1
add bridge=local interface=wlan1
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set enabled=yes
/interface ovpn-server server
set certificate=ca_1 enabled=yes
/interface pptp-server server
# NOTE: PPTP is enabled with pap, chap and mschap1 in addition to mschap2;
# the first three are legacy methods. If PPTP is still needed, mschap2 alone
# is the least weak of these; otherwise disabling the server removes the
# TCP/1723 and GRE input accepts below from the WAN surface.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
# NOTE: the LAN address sits on ether2-master-GE, which is a port of bridge
# "local" (see /interface bridge port); the DHCP server and PPP profile use
# the bridge itself. Confirm the address is active on this version.
add address=192.168.218.1/24 comment="Internal network" interface=ether2-master-GE network=192.168.218.0
add address=Site1_Public_IP comment="This shouldn't be static maybe." interface=ether1-gateway network=Site1_Default_Gateway
/ip dhcp-client
# NOTE: a DHCP client is active on ether1-gateway next to the static address
# above and the static default route below; if the client installs its own
# default route there will be two.
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.218.105 mac-address= server=dhcp-local
add address=192.168.218.24 always-broadcast=yes mac-address=
add address=192.168.218.22 mac-address=
add address=192.168.218.7 mac-address=
add address=192.168.218.8 mac-address=
add address=192.168.218.10 mac-address=
add address=192.168.218.11 mac-address=
add address=192.168.218.52 mac-address=
add address=192.168.218.23 mac-address=
add address=192.168.218.114 mac-address= server=dhcp-local
add address=192.168.218.103 mac-address= server=dhcp-local
add address=192.168.218.149 mac-address= server=dhcp-local
add address=192.168.218.101 mac-address= server=dhcp-local
add address=192.168.218.124 mac-address= server=dhcp-local
add address=192.168.218.127 mac-address= server=dhcp-local
add address=192.168.218.110 mac-address= server=dhcp-local
add address=192.168.218.150 mac-address= server=dhcp-local
add address=192.168.218.146 mac-address= server=dhcp-local
add address=192.168.218.145 mac-address= server=dhcp-local
add address=192.168.218.143 mac-address= server=dhcp-local
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.218.0/24 dns-server=192.168.218.10,8.8.8.8,4.2.2.2 domain= gateway=192.168.218.1
/ip dns
# Remote DNS requests are allowed; the input-chain drop on ether1-gateway
# below is what keeps this resolver off the internet.
set allow-remote-requests=yes servers=192.168.218.10,8.8.8.8,4.2.2.2
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Allow related/Established connections to this device" connection-state=established,related
# IPsec bypass rules for the site-to-site traffic (no action = accept). They
# were changed to include connection-state=new; without "new" the first packet
# of a flow never matched, which is why no counters moved. They sit before the
# generic established/related accept and the invalid drop, which is the right
# place. No fasttrack rule appears anywhere in this export.
add chain=forward connection-state=established,related,new dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add chain=forward connection-state=established,related,new dst-address=10.0.0.0/24 src-address=192.168.218.0/24
# NOTE: only UDP/4500 is accepted, and only when the peer's source port is
# also 4500. IKE normally starts on UDP/500 (4500 is the NAT-T port); both
# peers are set to port=4500 below, which may keep everything on 4500, but the
# src-port match is fragile. A more robust form is:
#   chain=input protocol=udp dst-port=500,4500 src-address=Site2_Public_IP
# with no src-port match.
add chain=input dst-port=4500 protocol=udp src-port=4500
add chain=input protocol=ipsec-esp
# No other output-chain rule appears in this export, so this accept only counts.
add chain=output protocol=ipsec-esp
add chain=input comment="Allow pinging this device" protocol=icmp
add chain=input comment="Allow TCP port 1723 to this device" dst-port=1723 protocol=tcp
add chain=input comment="Allow GRE traffic to this device" log=yes protocol=gre
# NOTE: matches on source address only, on every interface. A packet arriving
# on ether1-gateway with a forged 192.168.218.x source is accepted here before
# the drop below (unless rp-filter is enabled, which this export does not
# show). Adding in-interface=!ether1-gateway closes that gap.
add chain=input comment="Allow all traffic from the local network." src-address=192.168.218.0/24
add action=drop chain=input comment="Drop all other traffic to this device from the internet" in-interface=ether1-gateway
add chain=forward comment="Accept Related/Established Forwards" connection-state=established,related
add action=drop chain=forward comment="Drop packets with an invalid connection state" connection-state=invalid
add chain=forward comment="Allow new http, https and printer traffic from us to the redacted network" connection-state=new dst-address=\
10.99.88.0/23 dst-port=80,443,515,631,9100 protocol=tcp src-address=192.168.218.0/24
add chain=forward comment="Allow new SNMP requests from us to the redacted network" connection-state=new dst-address=10.99.88.0/23 dst-port=161 \
protocol=udp src-address=192.168.218.0/24
# Disabled, new-only duplicates of the two bypass rules at the top of the chain;
# harmless while disabled.
add chain=forward comment="Allow from us to redacted." connection-state=new disabled=yes dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add chain=forward comment="allow from redacted to us" connection-state=new disabled=yes dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=drop chain=forward comment="Drop any other traffic from us to the redacted network" connection-state=new dst-address=10.99.88.0/23 \
src-address=192.168.218.0/24
add action=drop chain=forward comment="redacted network is not allowed to initiate forwards through this device" connection-state=new \
src-address=10.99.88.0/23
add action=drop chain=forward comment="Drop new packets from the internet to us unless they're sent to forwarded ports" connection-nat-state=\
!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall mangle
# NOTE: every LAN host is given routing-mark " " (a blank name). No route in
# this export carries that mark; confirm it does not divert tunnel-bound
# traffic away from the main table.
add action=mark-routing chain=prerouting new-routing-mark=" " src-address=192.168.218.2-192.168.218.254
/ip firewall nat
# Accept (no action) ahead of the masquerade rules so traffic for the tunnel
# keeps its private source address and matches the IPsec policy. Rule order
# matters here and is correct.
add chain=srcnat dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat log-prefix=masquerade out-interface=ether10-Interconnect-FE to-addresses=10.99.88.100
# tunnel not ready
# NOTE: no interface named "tunnel" is defined in this export, and a
# tunnel-mode IPsec policy does not create one; this rule cannot match.
add action=masquerade chain=srcnat out-interface=tunnel
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=8166 protocol=tcp to-addresses=192.168.218.6 to-ports=8166
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=80 protocol=tcp to-addresses=192.168.218.30
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=22 protocol=tcp to-addresses=192.168.218.30
add action=dst-nat chain=dstnat dst-address=Site1_Public_IP dst-port=2222 protocol=tcp to-addresses=192.168.218.141 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=Site1_Public_IP dst-port=5900 protocol=tcp to-addresses=192.168.218.4
# NOTE: chain=dst-nat (with a hyphen) is not the built-in dstnat chain used by
# the rules above; it creates a user chain that nothing jumps to, so TCP/3000
# is not actually forwarded. Presumably chain=dstnat was intended.
add action=dst-nat chain=dst-nat dst-address=Site1_Public_IP dst-port=3000 protocol=tcp to-addresses=192.168.218.50
#
# NOTE: out-interface=" " is a blank name; no such interface is defined in
# this export.
add action=masquerade chain=srcnat out-interface=" "
/ip ipsec peer
# Disabled L2TP/IPsec (main-l2tp) road-warrior peer; unrelated to the
# site-to-site tunnel.
add disabled=yes enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-override
add address=10.0.0.228/32 disabled=yes
# Site-to-site peer. port=4500 matches the UDP/4500 input rule above; no
# secret= appears here (presumably redacted or exported with hide-sensitive).
# Site 2's peer entry points back at Site1_Public_IP with the same port.
add address=Site2_Public_IP/32 port=4500
/ip ipsec policy
set 0 disabled=yes
# Tunnel-mode policy 192.168.218.0/24 <-> 10.0.0.0/24. sa-src/sa-dst match the
# peer above and mirror Site 2's policy. It uses the default proposal, i.e.
# 3des only (see /ip ipsec proposal).
add dst-address=10.0.0.0/24 sa-dst-address=Site2_Public_IP sa-src-address=Site1_Public_IP src-address=192.168.218.0/24 tunnel=yes
/ip route
add distance=1 gateway=Site1_Default_Gateway
add disabled=yes distance=1 dst-address=10.99.88.0/23 gateway=ether10-Interconnect-FE
/lcd
set time-interval=hour
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=
/system ntp client
set enabled=yes primary-ntp=192.168.218.10 secondary-ntp=
/tool mac-server
# MAC-telnet and MAC-winbox are enabled on every LAN-side interface (not on
# ether1-gateway). The trailing bare "add" lines are reproduced as posted.
set [ find default=yes ] disabled=yes
add interface=ether2-master-GE
add interface=ether3-slave-GE
add interface=ether4-slave-GE
add interface=ether5-slave-GE
add interface=ether6-master-FE
add interface=ether7-slave-FE
add interface=ether8-slave-FE
add interface=ether9-slave-FE
add interface=ether10-Interconnect-FE
add interface=sfp1
add interface=wlan1
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-GE
add interface=ether3-slave-GE
add interface=ether4-slave-GE
add interface=ether5-slave-GE
add interface=ether6-master-FE
add interface=ether7-slave-FE
add interface=ether8-slave-FE
add interface=ether9-slave-FE
add interface=ether10-Interconnect-FE
add interface=sfp1
add interface=wlan1
add
Site 2 Router Export
# may/10/2018 11:59:59 by RouterOS 6.28
# software id = 7UZ3-A7HR
#
# Site 2 export as posted. Public addresses are replaced by the placeholders
# Site2_Public_IP, Site1_Public_IP, Site2_Default_Gateway and (in mangle)
# Site2_IP. Reviewer remarks are marked "NOTE:" and only describe what this
# export shows.
/interface bridge
add arp=proxy-arp name=Internal protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local-10.0.0.0
set [ find default-name=ether3 ] master-port=ether2-master-local-10.0.0.0 name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local-10.0.0.0 name=ether4-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip dhcp-server
# DHCP server can not run on slave interface!
# (The line above is RouterOS's own warning: ether2-master-local-10.0.0.0 is a
# port of bridge Internal, so this "default" server is not usable; the working
# server is dhcp1 on the bridge below.)
add disabled=no interface=ether2-master-local-10.0.0.0 name=default
/ip pool
# NOTE: the three pools overlap each other and the LAN. openVPN-employee-pool
# is 10.0.0.0-10.0.0.15, inside the 10.0.0.0/24 LAN; dhcp-lan-client-pool
# 10.0.0.17-10.0.0.32 overlaps openVPN-customer-pool (10.0.0.16-10.0.0.31).
# Address collisions between VPN clients and LAN DHCP clients are possible.
add name=openVPN-employee-pool ranges=10.0.0.0/28
add name=openVPN-customer-pool ranges=10.0.0.16/28
add name=dhcp-lan-client-pool ranges=10.0.0.17-10.0.0.32
/ip dhcp-server
add address-pool=dhcp-lan-client-pool disabled=no interface=Internal name=dhcp1
/interface bridge port
add bridge=Internal interface=ether2-master-local-10.0.0.0
/ip firewall connection tracking
set enabled=yes
/ip address
# NOTE: the LAN address is on the bridge port rather than on bridge Internal;
# RouterOS already flags that port as a slave in the DHCP warning above, so
# confirm this address is active.
add address=10.0.0.228/24 interface=ether2-master-local-10.0.0.0 network=10.0.0.0
add address=Site2_Public_IP interface=ether1-gateway network=Site2_Default_Gateway
/ip dhcp-client
# Static address above and a DHCP client on the same interface, as at Site 1.
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.228 netmask=24
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns static
add address=10.0.0.228 name=router
/ip firewall filter
add chain=forward comment="RELATED/ESTABLISHED forward" connection-state=established,related
# IPsec bypass rules for the site-to-site traffic (accept), including "new" so
# the first packet of a flow matches. They precede the catch-all forward drop
# below. No fasttrack rule appears anywhere in this export.
add chain=forward connection-state=established,related,new dst-address=10.0.0.0/24 src-address=192.168.218.0/24
add chain=forward connection-state=established,related,new dst-address=192.168.218.0/24 src-address=10.0.0.0/24
# NOTE: same IKE caveat as Site 1: only UDP/4500 with src-port 4500 is
# accepted and UDP/500 is not. The broad Site1_Public_IP accept further down
# currently masks this. A more robust rule is:
#   chain=input protocol=udp dst-port=500,4500 src-address=Site1_Public_IP
# with no src-port match.
add chain=input dst-port=4500 protocol=udp src-port=4500
add chain=input protocol=ipsec-esp
# No other output-chain rule appears in this export, so this accept only counts.
add chain=output protocol=ipsec-esp
add chain=input protocol=icmp
add chain=forward protocol=icmp
# NOTE: accepts everything addressed to this router from Site1_Public_IP on the
# WAN — far wider than IKE and ESP need, and it makes the two rules above
# redundant for this peer. If that address is ever reassigned it becomes an
# open management path; restricting it to udp/500,4500 and ipsec-esp is safer.
add chain=input in-interface=ether1-gateway src-address=Site1_Public_IP
# NOTE: accepts any forwarded packet to 10.0.0.0/24 from any interface, with
# no connection-state or in-interface match. It is what admits the dst-nat'ed
# ports 9101-9103 below, but it also admits anything else routed toward the
# LAN. Matching connection-nat-state=dstnat (as Site 1's last forward rule
# does) would limit it to the published ports.
add chain=forward dst-address=10.0.0.0/24
# NOTE: source-address-only match on every interface (same spoofing caveat as
# Site 1's LAN input rule); in-interface=Internal would tighten it.
add chain=input src-address=10.0.0.0/24
add chain=forward comment="Allow internal servers internet connectivity." in-interface=Internal
add chain=input dst-port=1194 protocol=tcp
add chain=input dst-port=1723 protocol=tcp
# NOTE: dst-port=47 protocol=tcp does not match GRE; GRE is IP protocol 47,
# not a TCP port. Site 1 expresses the same intent as protocol=gre, which is
# what PPTP data packets need.
add chain=input dst-port=47 protocol=tcp
add action=drop chain=forward comment="Drop everything else forwarded"
# The input established/related accepts come after all per-service rules, so
# every return packet is evaluated against the rules above first; placing them
# at the top of the input chain (as Site 1 does) is the usual, cheaper order.
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall mangle
# NOTE: neither rule sets an action, so they appear to serve only as match
# counters. Site2_IP is a different placeholder from the Site2_Public_IP used
# elsewhere in this export; presumably the same address.
add chain=postrouting dst-address=10.0.0.234 protocol=icmp src-address=Site2_IP
add chain=prerouting dst-address=Site2_IP src-address=10.0.0.0/24
/ip firewall nat
# Accept (no action) ahead of the masquerade rule so tunnel traffic keeps its
# private source and matches the IPsec policy; order is correct.
add chain=srcnat dst-address=192.168.218.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="Masquerade for internal servers." out-interface=ether1-gateway src-address=10.0.0.0/24
# Published ports 9101-9103 to 10.0.0.234; the forward accept for these is the
# unrestricted dst-address=10.0.0.0/24 rule in the filter above.
add action=dst-nat chain=dstnat dst-port=9101 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.0.234 to-ports=9101
add action=dst-nat chain=dstnat dst-port=9102 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.0.234 to-ports=9102
add action=dst-nat chain=dstnat dst-port=9103 in-interface=ether1-gateway protocol=tcp to-addresses=10.0.0.234 to-ports=9103
/ip ipsec peer
# Site-to-site peer, mirroring Site 1's entry (port=4500). No secret= appears
# here (presumably redacted or exported with hide-sensitive). This export has
# no /ip ipsec proposal change, so the default proposal is used; Site 1's
# default proposal is 3des only, and the two must overlap for phase 2.
add address=Site1_Public_IP port=4500
/ip ipsec policy
set 0 disabled=yes
# Tunnel-mode policy 10.0.0.0/24 <-> 192.168.218.0/24, the mirror of Site 1's.
add dst-address=192.168.218.0/24 sa-dst-address=Site1_Public_IP sa-src-address=Site2_Public_IP src-address=10.0.0.0/24 tunnel=yes
/ip route
# NOTE: gateway=Site2_Public_IP is this router's own WAN address (see
# /ip address), not an upstream gateway; Site 1 uses Site1_Default_Gateway
# here. Most likely a placeholder slip in the post, but if it is real the
# default route is unusable and nothing reaches Site1_Public_IP.
add distance=1 gateway=Site2_Public_IP
/ip service
# telnet off, HTTPS on. An export lists only changed values, so the other
# services (www, ftp, ssh, winbox, api) presumably keep their defaults; the
# final input drop on ether1-gateway is what keeps them off the WAN, subject
# to the broad Site1_Public_IP accept in the filter above.
set telnet disabled=yes
set www-ssl certificate=cert_1 disabled=no
/romon port
# RoMON port entry enabled with no interface restriction shown; RoMON is
# layer-2 management, so confirm it is not reachable via ether1-gateway.
add disabled=no
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="MikroTik"
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/tool mac-server
# MAC-telnet and MAC-winbox only on the LAN master port, not on ether1-gateway.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local-10.0.0.0
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local-10.0.0.0
/tool sniffer
set filter-interface=Internal