i have a new mikrotik D53G-5HacD2HnD.
the main purpuse for this device would be to have an ipsec connection with a juniper device and serve 2 clients on mikrotik lan side.
ipsec connection itself seens up (confirmed on juniper side too), but there is no traffic on it. i tried pinging from both side, with connected devices, no luck.
since this is my first mikrotik device, i guess i'm missing something, but searching since a week with no luck.
the device itself has lte network, with a public ip, confirmed by the provider no filtering on there side.
on juniper side no problem, with other devices ipsec working without a problem.
can you check the config to see what is the issue ?
Thanks
Code: Select all
#jun/01/2023 15:35:08 by RouterOS 7.8
# software id = 88C6-S5EV
#
# model = D53G-5HacD2HnD
# serial number =
/interface bridge
add arp=proxy-arp name=lan-br
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface lte apn
add apn=******* ip-type=ipv4
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=****** band=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=******
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=***********
/ip ipsec peer
add address=*********.226/32 exchange-mode=ike2 name=****** profile=******
add address=*********.65/32 exchange-mode=ike2 name=********** passive=yes profile=***********
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=****** pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=*********** pfs-group=modp2048
/ip pool
add name=lan-dhcp-pool ranges=10.88.1.20-10.88.1.200
/ip dhcp-server
add address-pool=lan-dhcp-pool interface=lan-br name=lan-dhcp
/interface bridge port
add bridge=lan-br interface=ether1
add bridge=lan-br interface=ether2
add bridge=lan-br interface=ether3
add bridge=lan-br interface=ether4
add bridge=lan-br interface=ether5
add bridge=lan-br interface=wlan1
add bridge=lan-br interface=wlan2
/ip address
add address=10.88.1.1/24 interface=ether1 network=10.88.1.0
/ip dhcp-server network
add address=10.88.1.0/24 gateway=10.88.1.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward connection-state=established,related dst-address=172.17.0.0/16 src-address=10.88.1.0/24
add action=accept chain=forward dst-address=172.22.0.0/16 src-address=10.88.1.0/24
add action=accept chain=forward connection-state=established,related dst-address=10.88.1.0/24 src-address=172.17.0.0/16
add action=accept chain=input dst-address=10.88.1.0/24 src-address=172.22.0.0/16
add action=accept chain=input src-address=172.17.0.0/16
add action=accept chain=input src-address=172.22.0.0/16
add action=accept chain=input log=yes src-address=10.88.1.0/24
add action=accept chain=input src-address=*********.70
add action=accept chain=input src-address=*********.65
add action=accept chain=input src-address=*********.226
add action=accept chain=input src-address=*********.247
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log=yes log-prefix="[drop]"
/ip firewall nat
add action=accept chain=srcnat disabled=yes log=yes log-prefix=SNAT1 src-address=172.17.0.0/16
add action=masquerade chain=srcnat ipsec-policy=out,none log-prefix=MASQ
/ip ipsec identity
add notrack-chain=output peer=******
add notrack-chain=output peer=**********
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.17.0.0/16 level=unique peer=****** proposal=****** src-address=10.88.1.0/24 tunnel=yes
add dst-address=172.22.0.0/16 level=unique peer=********** proposal=*********** src-address=10.88.1.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=172.17.0.0/16 gateway=*************pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10 vrf-interface=lte1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/******
/system ntp client
set enabled=yes
/system ntp client servers
add address=**.pool.ntp.org