StepanRazin
just joined
Topic Author
Posts: 2
Joined: Mon Aug 01, 2022 6:16 pm

The router does not route traffic to the IPSec VPN tunnel

Mon Aug 01, 2022 10:19 pm

I made a standard IPsec tunnel.
The tunnel is in the Established state.

The router sends packets from one subnet to the other out to the Internet, not into the tunnel (I checked with tracert). The same happens in the other direction.

FastTrack and FastPath are disabled.

How can that be? I thought I had made a mistake somewhere, double-checked everything, deleted the tunnel and re-created it. Same result.
There are rules in masquerade in the NAT of both routers, they are higher than the standard ones.
chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""

In the second router it's the other way around:
chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""

Why is it sending packets to the Internet without knowing anything about the tunnel?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: The router does not route traffic to the IPSec VPN tunnel

Tue Aug 02, 2022 8:08 am

Not enough information (see my automatic signature below), but in the typical case where the IPsec policy is a tunnel (not transport) one and says src-address=192.168.1.0/24 dst-address=192.168.10.0/24 on the first router, you have to prevent connections from 192.168.1.0/24 to 192.168.10.0/24 from getting src-nated (masqueraded) to an address outside the 192.168.1.0/24 range. I.e. your rules in chain srcnat should have action=accept rather than action=masquerade.
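The fix described above, written out as RouterOS CLI for the first router (an added example, not configuration from this thread; the WAN interface name ether1 and the rule comment are assumptions, and the IPsec policy is assumed to already exist with the selectors quoted in the question):

```routeros
/ip firewall nat

# WRONG (the rule from the question): masquerade rewrites the source address to
# the WAN address before IPsec policy matching, so the packet no longer matches
# src-address=192.168.1.0/24 in the policy and leaves unencrypted via the default route.
# add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.10.0/24

# RIGHT: accept ends srcnat processing for site-to-site traffic, the source stays
# 192.168.1.x, and the IPsec policy can match and encrypt the packet.
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.10.0/24 \
    comment="no NAT for IPsec site-to-site traffic"

# The general Internet masquerade rule (assumed WAN interface: ether1).
add chain=srcnat action=masquerade out-interface=ether1

# Rule order matters: srcnat is evaluated top-down and the first match wins, so
# the accept rule must sit above the masquerade rule. Index 0 is the top.
/ip firewall nat move [find comment="no NAT for IPsec site-to-site traffic"] 0

# The second router needs the mirror image:
# /ip firewall nat add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.1.0/24

# Alternative that needs no rule per subnet pair: accept any packet that an
# outbound IPsec policy is going to encrypt, using the ipsec-policy matcher.
# add chain=srcnat action=accept ipsec-policy=out,ipsec

# Verification: while pinging a 192.168.10.x host from the LAN, the accept rule's
# packet counter should increase and the installed SA byte counters should grow.
/ip firewall nat print stats
/ip ipsec policy print
/ip ipsec installed-sa print
```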
 
StepanRazin
just joined
Topic Author
Posts: 2
Joined: Mon Aug 01, 2022 6:16 pm

Re: The router does not route traffic to the IPSec VPN tunnel

Tue Aug 02, 2022 7:52 pm

Not enough information (see my automatic signature below), but in the typical case where the IPsec policy is a tunnel (not transport) one and says src-address=192.168.1.0/24 dst-address=192.168.10.0/24 on the first router, you have to prevent connections from 192.168.1.0/24 to 192.168.10.0/24 from getting src-nated (masqueraded) to an address outside the 192.168.1.0/24 range. I.e. your rules in chain srcnat should have action=accept rather than action=masquerade.
OMG! Thank you very much. I need a holiday. I can't figure out how I could have made a "masquerade" rule instead of an "accept" one.

*facepalmed*