rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

ipsec tunnel

Sat May 20, 2017 2:51 am

I am trying to connect two sites so that I can access a VNC terminal on the lan of one of the sites from the other.

I have followed the directions here: https://wiki.mikrotik.com/wiki/Manual:I ... Sec_Tunnel

I see that the tunnel is established, however I cannot ping across the tunnel.

Do I need to make a route?
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: ipsec tunnel

Sat May 20, 2017 5:38 am

Without seeing your config, taking a guess...

Ensure you have FW permit statements for each of the networks. (if this applies in your case)
Ensure you have routes on both routers pointing to the distant network via the tunnel.
Ensure your "interesting" traffic is permitted via IPSEC policy.
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: ipsec tunnel

Sat May 20, 2017 7:08 am

I followed all the stuff in that article. I thought it was routing as well but I am not sure what to set. Can you point me at an example of the routing for a site to site ipsec tunnel?
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: ipsec tunnel

Sat May 20, 2017 3:58 pm

> I followed all the stuff in that article. I thought it was routing as well but I am not sure what to set. Can you point me at an example of the routing for a site to site ipsec tunnel?

Open a terminal window and type: ip route print


Post the output of that command. (I recommend that you change the public IP address info)
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: ipsec tunnel

Sun May 21, 2017 9:15 pm

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 A S  0.0.0.0/0                          xxx.xxx.xxx.70         1
 1 ADC  xxx.xxx.xxx.64/29  xxx.xxx.xxx.65  ether1-gateway         0
 2 ADC  192.168.56.0/24    192.168.56.1    bridge-local           0

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADS  0.0.0.0/0                          xxx.xxx.xxx.1          1
 1 ADC  xxx.xxx.xxx.0/24   xxx.xxx.xxx.23  ether1-gateway         0
 2 ADC  192.168.88.0/24    192.168.88.1    bridge-local           0
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: ipsec tunnel

Sun May 21, 2017 9:26 pm

I don't see any routing for networks / IPs through a tunnel.
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: ipsec tunnel

Sun May 21, 2017 10:10 pm

I have done a little more research and my understanding is that ipsec isn't routing. That it's based on policy, it doesn't create virtual interfaces that are added to a route table.

https://www.manitonetworks.com/mikrotik ... ec-tunnels
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: ipsec tunnel

Mon May 22, 2017 4:19 am

> I have done a little more research and my understanding is that ipsec isn't routing. That it's based on policy, it doesn't create virtual interfaces that are added to a route table.
>
> https://www.manitonetworks.com/mikrotik ... ec-tunnels

Since you never posted configs as I asked, I have no clue how you have things set up. Enjoy...
 
rilliam
newbie
Topic Author
Posts: 48
Joined: Thu Mar 12, 2009 7:34 pm

Re: ipsec tunnel

Mon May 22, 2017 7:09 am

I fixed this by ensuring the gateway ip was set correctly on the trouble node inside the rb750. Without the gateway the packets have no way of knowing where to go.
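
The failure described in this thread can be reproduced on paper. The following Python model is an added example, not something posted by either participant: it walks a ping and its reply between the two LANs from the route tables above. The host addresses (.10 and .20), the policy pairs, and the choice of the 192.168.88.0/24 side as the host without a gateway are assumptions for illustration.

```python
import ipaddress

# Constructed values: the LAN subnets and router LAN addresses come from the
# route tables in the thread; host addresses and policies are assumptions.
POLICIES = {
    "site-a": [("192.168.56.0/24", "192.168.88.0/24")],
    "site-b": [("192.168.88.0/24", "192.168.56.0/24")],
}

def host_next_hop(host_if, gateway, dst):
    """Where a LAN host sends a packet for dst: 'on-link', its gateway, or None."""
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return gateway  # None: the host has no route for dst and cannot send

def policy_matches(policies, src, dst):
    """IPsec policy selection matches source/destination, not the route table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(ps) and d in ipaddress.ip_network(pd)
               for ps, pd in policies)

def trace_ping(a_if, a_gw, b_if, b_gw):
    """Follow an echo request A -> B and the reply B -> A; return first failure or 'ok'."""
    a = str(ipaddress.ip_interface(a_if).ip)
    b = str(ipaddress.ip_interface(b_if).ip)
    for name, site, host_if, gw, src, dst in (
        ("request", "site-a", a_if, a_gw, a, b),
        ("reply", "site-b", b_if, b_gw, b, a),
    ):
        hop = host_next_hop(host_if, gw, dst)
        if hop is None:
            return f"{name}: host {src} has no gateway for {dst}"
        # The model assumes the host's gateway is the router holding the policy.
        if hop != "on-link" and not policy_matches(POLICIES[site], src, dst):
            return f"{name}: no IPsec policy on {site} for {src} -> {dst}"
    return "ok"

if __name__ == "__main__":
    # Remote host with no gateway: the request arrives, the reply never leaves.
    print(trace_ping("192.168.56.10/24", "192.168.56.1", "192.168.88.20/24", None))
    # Gateway set to the router's LAN address: both directions match a policy.
    print(trace_ping("192.168.56.10/24", "192.168.56.1", "192.168.88.20/24", "192.168.88.1"))
```

Neither router needs a route to the remote LAN in this model; the tunnel can be established and the policies correct while the ping still fails at the end host.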