It's not my first installation with MikroTik routers, but this time I am facing very strange behavior. I made IPsec VPNs between two RB2011UiAS-2HnD routers (firmware 3.22) running RouterOS 6.38.
I can use most protocols between them, like RDP, SMTP, SMB, ..., except ports 80 and 443 and Winbox. If I try to use Winbox from site A to site B using a private address, all the Winbox windows stay empty and I end up disconnected. If I try to use any web interface between the two sites using private addresses, in Chrome, Firefox or others, the page stays on "connecting" until I get a message saying that the website does not respond. If I do the same within a site, everything is perfect, and if I use the public address for Winbox, or public addresses with NAT for the web interfaces, everything works fine.
It acts as if my router were filtering the service ports when passing through the VPN, even if I disable those service ports.
I hope I can get some help with this behavior.
Best regards
Code:
Peer router A:
address=202.x.78.X/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxxxxxxxxxxxxxxxx"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
Peer router B:
address=202.x.76.x/32 auth-method=pre-shared-key
secret="xxxxxxxxxxxxxxxxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5
Policy router A:
src-address=172.16.4.0/24 src-port=any dst-address=172.16.0.0/24
dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=202.x.76.x
sa-dst-address=202.x.78.x proposal=default priority=0
Policy router B:
src-address=172.16.0.0/24 src-port=any dst-address=172.16.4.0/24
dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=202.x.78.x
sa-dst-address=202.x.76.x proposal=default priority=0 ph2-count=2
Route router A:
1 A S ;;; The VPN to Normandie goes out via the bridge
172.16.0.0/24 bridge-local 1
Route router B:
2 A S ;;; The VPN to Poro BDM goes out via the bridge
172.16.4.0/24 bridge-local 1
NAT router A:
0 ;;; Source NAT for the VPN between Poro BDM and Normandie
chain=srcnat action=accept src-address=172.16.4.0/24
dst-address=172.16.0.0/24 log=no log-prefix=""
NAT router B:
0 ;;; Source NAT between Normandie and Poro BDM
chain=srcnat action=accept src-address=172.16.0.0/24
dst-address=172.16.4.0/24 log=no log-prefix=""
Filters router A:
1 ;;; Accept traffic between Poro BDM and Normandie
chain=forward action=accept src-address=172.16.4.0/24
dst-address=172.16.0.0/24 log=no log-prefix=""
2 ;;; Accept traffic between Normandie and Poro BDM
chain=forward action=accept src-address=172.16.0.0/24
dst-address=172.16.4.0/24 log=no log-prefix=""
Filters router B:
1 ;;; Traffic between Normandie and Poro BDM
chain=forward action=accept src-address=172.16.0.0/24
dst-address=172.16.4.0/24 log=no log-prefix=""
2 ;;; Traffic between Poro BDM and Normandie
chain=forward action=accept src-address=172.16.4.0/24
dst-address=172.16.0.0/24 log=no log-prefix=""
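The following RouterOS CLI sequence is an added example for readers of this thread; it is not part of the original post and not a reply from the poster. It shows the checks a practitioner would run on a site-to-site IPsec tunnel that passes some protocols but hangs on HTTP, HTTPS and Winbox (a pattern that usually points at large packets not crossing the tunnel, i.e. MTU/MSS, or at a fasttrack rule letting established TCP flows bypass the IPsec policy, rather than at service-port filtering), and it places the weak phase 1 settings from the post (3des, sha1, modp1024) beside a hardened equivalent. The subnets and the 202.x.x.x placeholders are taken from the post; the peer item number `0`, the MSS value 1360 and the rule placement are assumptions for illustration.

```routeros
# Added example: IPsec tunnel checks and hardening for the setup in the post.
# Subnets are the post's; item numbers, MSS value and rule order are assumed.

# 1. Is phase 2 up in both directions? Expect two installed SAs (one per
#    direction) whose selectors are 172.16.4.0/24 <-> 172.16.0.0/24.
/ip ipsec installed-sa print
/ip ipsec policy print detail

# 2. Does a full-size packet cross the tunnel? A router-originated ping must
#    use a source address inside the policy, otherwise it never matches it.
#    If 1400-byte pings with DF set time out while small ones succeed, the
#    problem is path MTU, not filtering.  (172.16.4.1 / 172.16.0.1 assumed.)
/ping 172.16.0.1 src-address=172.16.4.1 size=1400 do-not-fragment

# 3. Rule order: a fasttrack-connection rule that sits above the VPN accept
#    rules lets established TCP flows skip the IPsec policy; the handshake
#    crosses the tunnel, later data does not. Accept IPsec traffic first.
/ip firewall filter print
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    place-before=0 comment="VPN traffic, keep above any fasttrack rule"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    place-before=0 comment="VPN traffic, keep above any fasttrack rule"

# 4. Clamp TCP MSS for traffic entering the tunnel, so that ESP/tunnel-mode
#    overhead does not push full segments over the WAN MTU. 1360 is assumed;
#    lower it if step 2 still fails with a smaller probe size.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    src-address=172.16.4.0/24 dst-address=172.16.0.0/24 \
    action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS for traffic into the IPsec tunnel"

# 5. Hardening. The post's phase 1 settings offer 3des, sha1 and modp1024,
#    all weak by current standards. Set both peers (item 0 assumed) and the
#    default phase 2 proposal identically on both routers.
# weak (as posted):
#   hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024
# hardened:
/ip ipsec peer set 0 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
```

Steps 3 and 4 are changes to apply on both routers, one direction per router as in the post's filter rules; step 5 must be applied on both sides at the same time, since a mismatch in phase 1 or phase 2 parameters simply stops the tunnel from coming up.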