I am slowly losing my mind on this topic.
I am trying to establish an IPsec tunnel between my on-site MikroTik router (OS 6.48.4) and our company's Check Point FW.
I got an established tunnel, and according to our support engineer the tunnel also looks fine on the Check Point side.
To avoid NAT issues, the on-site network matches the encryption domain (172.29.97.0/28); the VPN tunnel should have direct access to the connected machines.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
To confirm the connection, I have my company notebook, which is connected to the company network (172.19.6.210).
I have a second notebook connected to the MT router (172.29.97.13).
From the company notebook, I try to ping the other PC (ping 172.29.97.13).
The MT recognizes the incoming connection (ICMP) as "SC".
The MT's firewall accepts incoming IPsec policy packets (the rule is triggered):
source 172.19.6.210 dest 172.29.97.13 -> reply source 172.29.97.13 reply dest 172.19.6.210
Wireshark recognizes the ping (ICMP) request AND response.
The MT's firewall accepts outgoing IPsec policy packets (the rule is triggered).
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Furthermore
The active peer between site and firewall has the same amount of packets in Tx and Rx, so there is definitely data flowing. State is established, dynamic address is 0.0.0.0.
The firewall filters "accept in ipsec policy" and "accept out ipsec policy" have the same amount of packets. These entries seem to be triggered.
The log shows:
forward: in:ether1 out:bridge, src-mac ***, proto ICMP (type 8, code 0), 172.19.6.210->172.29.97.13, len 60
forward: in:bridge out:ether1, src-mac ***, proto ICMP (type 0, code 0), 172.29.97.13->172.19.6.210, len 60
The IPsec SAs register "Current Bytes" in both directions.
BUT ... the packets get lost somewhere. The initiating PC does not get any response. The ping times out.
I cannot really ping in the other direction, because the company is pretty strict with firewall rules.
Anyway, without a proper tunnel, I guess I would not be able to see the ping on the MT / the other computer at all?
I feel like I am so close to solving this issue, but I am exhausted and have no further ideas ... Please help!
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
My config looks like this:
/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEE TUN SRC-ADDRESS     DST-ADDRESS     PROTOCOL ACTION  LEVEL   PH2-COUNT
 0 T X*         ::/0            ::/0            all
 1 A    K   yes 172.29.97.0/28  172.19.4.0/22   all      encrypt require 2
 2 A    K   yes 172.29.97.0/28  172.20.82.0/23  all      encrypt require 1
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address-list=LAN_VPN dst-address-list=LAN_VPN log=yes log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
/ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST     ADDRESS          CREATION-TIME        TIMEOUT
 0   LAN_VPN  172.29.97.0/28   sep/30/2021 14:12:34
 1   LAN_VPN  172.20.82.0/23   sep/30/2021 14:12:50
 2   LAN_VPN  172.19.4.0/22    sep/30/2021 14:13:08
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=yes log-prefix="" ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=yes log-prefix="" ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
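Added example (not part of the post above, and not MikroTik code): the post checks by eye that the forward chain logged both the echo request (in:ether1 out:bridge) and the echo reply (in:bridge out:ether1). The Python script below does that check over a whole `/log print` dump: it parses RouterOS firewall log lines in the format quoted in the post, pairs each ICMP echo request with its reply, and flags requests that got no logged reply or whose reply left on a different interface than the request arrived on. The sample log lines are constructed for the example; timestamps, log facility and MAC addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the two forward-chain lines quoted in the
# post. Timestamps, log facility and MAC addresses are placeholders. The request
# to .14 has no reply; the reply for .15 leaves on a different interface than
# the request arrived on.
SAMPLE_LOG = """\
14:20:01 firewall,info forward: in:ether1 out:bridge, src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 172.19.6.210->172.29.97.13, len 60
14:20:01 firewall,info forward: in:bridge out:ether1, src-mac 66:77:88:99:aa:bb, proto ICMP (type 0, code 0), 172.29.97.13->172.19.6.210, len 60
14:20:02 firewall,info forward: in:ether1 out:bridge, src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 172.19.6.210->172.29.97.14, len 60
14:20:03 firewall,info forward: in:ether1 out:bridge, src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 172.19.6.210->172.29.97.15, len 60
14:20:03 firewall,info forward: in:bridge out:ether2, src-mac 66:77:88:99:aa:cc, proto ICMP (type 0, code 0), 172.29.97.15->172.19.6.210, len 60
"""

# Matches RouterOS firewall log lines for ICMP in the forward chain, e.g.
#   forward: in:ether1 out:bridge, src-mac ..., proto ICMP (type 8, code 0), A->B, len 60
# Input-chain lines (no "out:" interface) deliberately do not match.
FORWARD_ICMP_RE = re.compile(
    r"forward: in:(?P<in_if>[^\s,]+) out:(?P<out_if>[^\s,]+),.*?"
    r"proto ICMP \(type (?P<type>\d+), code (?P<code>\d+)\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+), len (?P<len>\d+)"
)

ECHO_REQUEST, ECHO_REPLY = 8, 0


def parse_forward_icmp(line):
    """Return a dict for a forward-chain ICMP log line, or None for other lines."""
    m = FORWARD_ICMP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "len"):
        rec[key] = int(rec[key])
    return rec


def check_echo_pairs(log_text):
    """Pair echo requests with echo replies seen in the forward chain.

    Returns {(request_src, request_dst): status}. A reply counts as symmetric
    only when it comes in on the interface the request went out of and leaves
    on the interface the request came in on.
    """
    requests = {}
    replies = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_forward_icmp(line)
        if rec is None:
            continue
        if rec["type"] == ECHO_REQUEST:
            requests[(rec["src"], rec["dst"])] = rec
        elif rec["type"] == ECHO_REPLY:
            # key the reply by the original request's (src, dst)
            replies[(rec["dst"], rec["src"])].append(rec)

    result = {}
    for key, req in requests.items():
        exp_in, exp_out = req["out_if"], req["in_if"]
        matching = replies.get(key, [])
        if not matching:
            result[key] = "no reply logged"
        elif any((r["in_if"], r["out_if"]) == (exp_in, exp_out) for r in matching):
            result[key] = "reply seen, symmetric path"
        else:
            r = matching[0]
            result[key] = (
                f"reply seen, asymmetric path (expected in:{exp_in} out:{exp_out}, "
                f"saw in:{r['in_if']} out:{r['out_if']})"
            )
    return result


if __name__ == "__main__":
    for (src, dst), status in sorted(check_echo_pairs(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {status}")
```

Run it against `/log print` output saved to a file (the rules with `log=yes` in the filter chain above produce these lines). A "symmetric path" result only proves the forward chain passed both halves of the exchange; if the initiator still times out, the loss is somewhere the forward-chain log cannot see (srcnat and IPsec policy selection after the filter, or the remote side), so the next place to look is the remote firewall's own logs rather than more filter rules.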