can't ping rb750 lan across gre/ipsec tunnel
Posted: Mon May 22, 2017 12:14 am
Problem:
I cannot ping a node inside the .56 network (192.168.56.199) from the .88 network.
What works:
Ping from 192.168.56.1 to 192.168.88.10 (server on the LAN)
Ping from 192.168.56.1 to 192.168.88.1
Ping from 192.168.88.1 to 192.168.56.1
Ping 192.168.56.199 from 192.168.56.1
Background:
GRE/IPSec tunnel between two LANs 192.168.56.0/24 (site B) and 192.168.88.0/24 (site A)
The .56 network is on an RB750, while the .88 network is on a hAP lite.
config export of site A:
I cannot ping a node inside the .56 network (192.168.56.199) from the .88 network.
What works:
Ping from 192.168.56.1 to 192.168.88.10 (server on the LAN)
Ping from 192.168.56.1 to 192.168.88.1
Ping from 192.168.88.1 to 192.168.56.1
Ping 192.168.56.199 from 192.168.56.1
Background:
GRE/IPSec tunnel between two LANs 192.168.56.0/24 (site B) and 192.168.88.0/24 (site A)
The .56 network is on an RB750, while the .88 network is on a hAP lite.
config export of site A:
Config export of site B: the second export below, after site A's.
# may/21/2017 13:49:04 by RouterOS 6.39.1
# software id = 8MSW-PEQX
#
# Site A: hAP lite, LAN 192.168.88.0/24 on bridge-local, GRE/IPsec tunnel
# end 172.16.1.1. Lines starting "# NOTE(review)" are review notes; every
# other line is the export as posted.
# NOTE(review): this export carries secrets in clear text (the GRE
# ipsec-secret and the WPA pre-shared keys; the latter may already be
# placeholders). Redact such values before sharing a config publicly.
/interface bridge
add admin-mac=4C:5E:0C:F0:0E:49 auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
/interface gre
# NOTE(review): ipsec-secret=test is a short, guessable pre-shared key and is
# all that authenticates the IPsec peer; use a long random value (the same
# value must be set on site B's gre-tunnel1). !keepalive means keepalives are
# off, so the interface stays running even when 222.222.222.65 stops
# answering, and the static route via 172.16.1.2 further down keeps pointing
# into a dead tunnel.
add allow-fast-path=no ipsec-secret=test !keepalive local-address=\
111.111.111.23 name=gre-tunnel1 remote-address=222.222.222.65
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): profile1 allows WPA1 (wpa-psk) next to WPA2; prefer
# authentication-types=wpa2-psk only unless a legacy client needs WPA1.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity="" wpa-pre-shared-key="secret" \
wpa2-pre-shared-key="secret"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge \
security-profile=profile1 ssid=ssid wireless-protocol=802.11
/ip ipsec proposal
# Only the encryption algorithm is pinned; the auth algorithm and pfs-group
# keep their defaults (not visible in an export) and must match site B.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface l2tp-server server
set caller-id-type=ip-address
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
bridge-local network=192.168.88.0
# Tunnel-side address; site B uses 172.16.1.2 in the same /24.
add address=172.16.1.1/24 interface=gre-tunnel1 network=172.16.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.232 always-broadcast=yes client-id=1:0:1e:c9:5e17 \
mac-address=00:1E:C9:5E:DE:17 server=default
add address=192.168.88.147 always-broadcast=yes client-id=1:c0:18:85:5a:eb:2f \
mac-address=C0:18:85:5A:EB:2F server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.10 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
# Holds the WAN address the dst-nat rules below match on.
add address=111.111.111.23 list=external-ip
/ip firewall filter
# Rules are evaluated top-down; the first match decides.
add action=accept chain=input comment="default configuration" disabled=yes \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established,related
# NOTE(review): no in-interface or src-address restriction, and this rule
# sits above the drop for ether1-gateway, so Winbox (tcp/8291) is reachable
# from the Internet. Add in-interface=!ether1-gateway or a src-address-list
# of trusted management addresses.
add action=accept chain=input comment="Winbox remote access KB 11/3/2016" \
dst-port=8291 protocol=tcp
add action=accept chain=forward comment="default configuration" \
connection-state=established,related
# NOTE(review): nothing above explicitly accepts IKE (udp/500), ESP or GRE
# from the peer 222.222.222.65, so tunnel setup presumably relies on
# established/related tracking. If the tunnel proves flaky, add accepts
# limited to src-address=222.222.222.65 ahead of this drop.
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
# connection-nat-state=!dstnat lets dst-nat'd connections from the WAN
# through; that is the path the RDP forward in /ip firewall nat uses.
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=\
ether1-gateway
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
# Disabled three-stage SSH rate-limit rules; /ip service has ssh disabled
# anyway, so these are inert.
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
# NOTE(review): forwards RDP from any Internet source to 192.168.88.10. RDP
# exposed like this is a routine brute-force/exploitation target; add a
# src-address-list of allowed clients, or reach the host over the VPN and
# remove the forward. The disabled 443/80 forwards below have the same shape.
add action=dst-nat chain=dstnat dst-address-list=external-ip dst-port=3389 \
protocol=tcp to-addresses=192.168.88.10 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-address-list=external-ip \
dst-port=443 protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address-list=external-ip \
dst-port=80 protocol=tcp to-addresses=192.168.88.10 to-ports=80
/ip ipsec policy
# NOTE(review): policy 0 is the default template; the policy that protects
# the GRE traffic is generated from ipsec-secret on gre-tunnel1 and is not
# exported. Check with "/ip ipsec policy print" that a dynamic policy for
# 111.111.111.23<->222.222.222.65 exists and is active - TODO confirm.
set 0 disabled=yes
/ip route
# Site B's LAN via the tunnel peer address.
add distance=1 dst-address=192.168.56.0/24 gateway=172.16.1.2
/ip service
# telnet/ftp/www/ssh are off; winbox, api and api-ssl are not listed here,
# so they keep their defaults (not visible in the export).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
# Identity left empty.
set name=
/system ntp client
set enabled=yes primary-ntp=199.102.46.76
/tool mac-server
# MAC-server and MAC-Winbox are enabled only on LAN-side interfaces;
# ether1-gateway is not listed, which is the right shape.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
# may/21/2017 13:50:51 by RouterOS 6.39.1
# software id = 77KC-88XH
#
# Site B: RB750, LAN 192.168.56.0/24 on ether2-master-local, GRE/IPsec
# tunnel end 172.16.1.2. Lines starting "# NOTE(review)" are review notes;
# every other line is the export as posted.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
/interface gre
# NOTE(review): same weak ipsec-secret=test as site A (it must match on both
# ends - change both together). Keepalive is off here too, so the tunnel
# interface never goes down on its own when 111.111.111.23 stops answering.
add allow-fast-path=no ipsec-secret=test !keepalive local-address=\
222.222.222.65 name=gre-tunnel1 remote-address=111.111.111.23
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# Matches site A's proposal (aes-128-cbc); auth algorithm and pfs-group keep
# their defaults, which are not visible in an export.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# NOTE(review): 192.168.56.199 - the host that cannot be reached from site A -
# is outside this pool, so it is statically addressed or holds a lease the
# export does not show. If static, confirm its default gateway is
# 192.168.56.1 and that its own host firewall accepts ICMP from
# 192.168.88.0/24; router-to-router pings working while a LAN host fails
# usually points at the host rather than the tunnel - TODO confirm.
add name=default-dhcp ranges=192.168.56.100-192.168.56.150
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
interface=ether2-master-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
/interface l2tp-server server
set caller-id-type=ip-address
/interface pptp-server server
# NOTE(review): PPTP server is enabled. PPTP's MS-CHAPv2/MPPE protection is
# considered broken, and with the input chain below accepting everything,
# tcp/1723 and GRE are reachable from the Internet. No /ppp secret appears in
# the export, so it may be unused - disable it, or put remote access on the
# IPsec path instead.
set enabled=yes
/ip address
# The LAN address sits on ether2-master-local, not on bridge-local (the
# bridge holds only that one port).
add address=192.168.56.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.56.0
# NOTE(review): ether1-gateway has this static address and also a dhcp-client
# (see /ip dhcp-client); if a lease ever differs from 222.222.222.65/29 the
# two will conflict - confirm which is intended.
add address=222.222.222.65/29 interface=ether1-gateway network=222.222.222.64
# Tunnel-side address; site A uses 172.16.1.1 in the same /24.
add address=172.16.1.2/24 interface=gre-tunnel1 network=172.16.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=192.168.56.0/24 comment="default configuration" dns-server=\
192.168.56.1 gateway=192.168.56.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
# NOTE(review): "router" resolves to site A's address; this router's own LAN
# address is 192.168.56.1. Looks copied from site A - confirm it is intended.
add address=192.168.88.1 name=router
/ip firewall filter
# NOTE(review): as exported, these rules carry none of the connection-state
# matchers the same default rules have on site A. "accept chain=input" with
# no matcher accepts every packet, so the drop for ether1-gateway below never
# fires and every service on this router (Winbox, the PPTP server, ...) is
# reachable from the Internet; "accept chain=forward" likewise precedes both
# forward drops, so forwarding is unrestricted. If the matchers were stripped
# when posting, ignore this; otherwise add
# connection-state=established,related to the two accepts,
# connection-state=invalid to the first forward drop, and
# connection-state=new to the two in-interface=ether1-gateway drops.
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input
add action=accept chain=input comment="Winbox remote access" dst-port=8291 \
protocol=tcp
add action=accept chain=forward
add action=drop chain=input in-interface=ether1-gateway
add action=drop chain=forward
add action=drop chain=forward in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip ipsec policy
# NOTE(review): as on site A, policy 0 is the default template; the policy
# protecting the GRE traffic is generated from ipsec-secret and is not
# exported - check "/ip ipsec policy print" for a dynamic, active entry.
set 0 disabled=yes
/ip route
# NOTE(review): a static default route next to a dhcp-client on the same
# interface; the client may install its own default route (its
# add-default-route setting is not visible here) - confirm only one is meant.
add distance=1 gateway=222.222.222.70
# Site A's LAN via the tunnel peer address.
add distance=1 dst-address=192.168.88.0/24 gateway=172.16.1.1
/ip service
# telnet/ftp/www/ssh are off; winbox, api and api-ssl are not listed here,
# so they keep their defaults (not visible in the export).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
# Identity left empty.
set name=
/system logging
# ipsec messages are echoed to the console - useful while diagnosing the
# tunnel; action=memory would keep them in /log for later review.
add action=echo topics=ipsec
/system ntp client
set enabled=yes primary-ntp=199.233.236.226