VPN IPSEC
Posted: Thu May 04, 2017 5:53 pm
by bkra1976
hello
I have the following problems:
The VPN connection is established. I can ping from side 1 to side 2, but I can't ping from side 2 to side 1.
I must first ping from side 1 to side 2, then it works.
The next problem is that on each side packets are missing.
any idea
thanks
Re: VPN IPSEC
Posted: Thu May 04, 2017 7:21 pm
by tholderbaum
This code is my standard VPN setup: It is a bit different than yours. Try it out, and see how it works for you.
Comment: This proposal works for most devices.
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TPVPN_Proposal pfs-group=\
none
Comment: Setup VPN Pool
/ip pool
add name=Default_VPN_Pool ranges=172.16.254.2-172.16.254.254
Comment: This sets up your L2TP Profile and pool
/ppp profile
add change-tcp-mss=yes dns-server=***Set your Local DNS Server here*** local-address=\
172.16.254.1 name=VPN-L2TP/IPSEC remote-address=Default_VPN_Pool
Comment: Sets up L2TP and IPsec
/interface l2tp-server server
set default-profile=VPN-L2TP/IPSEC enabled=yes ipsec-secret=\
***INSERT KEY Here*** use-ipsec=yes
Comment: This defines DHCP information for your VPN subnet.
/ip dhcp-server network
add address=172.16.254.0/24 dns-server=**Internal DNS** \
gateway=172.16.254.1 netmask=24
Comment: This creates a list of the internal subnets for your network. Essentially, your VPN subnet is a separate network. This means that there is no need for NAT because all traffic is routed. This also allows us to write rules to cover multiple subnets in the filter list.
/ip firewall address-list
add address=**YourInternalSubnet** list=Internal_Subnets
add address=172.16.254.0/24 list=Internal_Subnets
Comment: Add Filter Rules
/ip firewall filter
add chain=input comment="Permit IPSec" in-interface=\
ether1 protocol=ipsec-esp
add chain=input comment="Permit IPSec" in-interface=\
ether1 protocol=ipsec-ah
add chain=input comment="Permit IPSec" in-interface=\
ether1 protocol=gre
add chain=input comment="Permit IPSec" dst-port=\
1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=forward comment=\
"Allow Traffic from Internal Subnets <--> Internal Subnets" dst-address-list=\
Internal_Subnets src-address-list=Internal_Subnets
add action=accept chain=forward comment=\
"Allow Internal Subnets to Internet" out-interface=ether1 src-address-list=\
Internal_Subnets
Comment: Add users
/ppp secret
add name=test password=test1234 profile=VPN-L2TP/IPSEC service=l2tp
Re: VPN IPSEC
Posted: Fri May 05, 2017 7:43 am
by bkra1976
Thanks, but I need a site-to-site config.
Re: VPN IPSEC
Posted: Fri May 05, 2017 6:55 pm
by tholderbaum
I can help you with that. I just need to understand if it is a tunnel between two MikroTiks or between a MikroTik and something else.
Re: VPN IPSEC
Posted: Mon May 08, 2017 8:01 am
by bkra1976
Hello
Yes, it should be a tunnel between 2 RB3011.
Thanks
Re: VPN IPSEC
Posted: Mon May 08, 2017 2:50 pm
by bkra1976
Thanks, I will try this.
Re: VPN IPSEC
Posted: Sat May 13, 2017 2:34 am
by sascha79
Hello. I had the same problem with two RB3011. In my case a fw rule on both RB was missing.
Allow Protocol 50 Input.
Sent from my HUAWEI NXT-L29 with Tapatalk
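As an added check (my own script, not from the thread or from RouterOS) for the kind of misconfiguration sascha79 found: it parses a constructed `/ip firewall filter export` written in the same style as the config posted above and reports which input-chain permits an IPsec peer needs (ESP/protocol 50, UDP 500, UDP 4500) are absent or sit below a catch-all drop. The sample export, the `ESP_RULE` line and the rule labels are my assumptions.

```python
import re
# Constructed sample (not from the thread): an "/ip firewall filter export" in the
# style of the config posted above, with "\" line continuations. It permits IKE on
# UDP 500/4500 but has no ESP (IP protocol 50) rule, as in sascha79's case.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input comment="Permit IKE" dst-port=\\
500,4500 in-interface=ether1 protocol=udp
add action=accept chain=forward dst-address-list=\\
Internal_Subnets src-address-list=Internal_Subnets
add action=drop chain=input in-interface=ether1
"""
# The missing rule sascha79 describes; it must sit above the input-chain drop.
ESP_RULE = 'add chain=input comment="Permit ESP" in-interface=ether1 protocol=ipsec-esp\n'

def parse_export(text):
    """Join '\\'-continued lines; return each 'add' rule as a dict of key=value."""
    rules = []
    for line in re.sub(r"\\\n", "", text).splitlines():
        if line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            rule = {k: v.strip('"') for k, v in pairs}
            rule.setdefault("action", "accept")  # RouterOS default when omitted
            rules.append(rule)
    return rules

def effective_input_accepts(rules):
    """Input-chain accepts evaluated before the first catch-all drop (top-down order)."""
    out = []
    for r in rules:
        if r.get("chain") != "input":
            continue
        if r["action"] == "drop" and "protocol" not in r and "dst-port" not in r:
            break  # rules below this never see IPsec traffic
        if r["action"] == "accept":
            out.append(r)
    return out

REQUIRED = [  # (label, predicate over one accept rule)
    ("ESP (protocol 50)", lambda r: r.get("protocol") == "ipsec-esp"),
    ("IKE UDP/500", lambda r: r.get("protocol") == "udp" and "500" in r.get("dst-port", "").split(",")),
    ("NAT-T UDP/4500", lambda r: r.get("protocol") == "udp" and "4500" in r.get("dst-port", "").split(",")),
]

def missing_ipsec_rules(export_text):
    """Labels of required input-chain permits that are absent or shadowed by a drop."""
    accepts = effective_input_accepts(parse_export(export_text))
    return [label for label, ok in REQUIRED if not any(ok(r) for r in accepts)]

if __name__ == "__main__":
    print("as posted:", missing_ipsec_rules(SAMPLE_EXPORT))
    print("fixed:", missing_ipsec_rules(SAMPLE_EXPORT.replace("add action=drop", ESP_RULE + "add action=drop")))
```

Run it against a real export on both routers; a peer that only passes the check on one side matches the one-directional behaviour described in the first post.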