Hello everyone,
I'm trying to set up a site-to-site IPsec VPN between 2 MikroTik routers: an RB2011 on my side at home and an RB3011 at work. Both are on 6.40.4 and both have public IPs, at home via PPPoE and at work with the address set on the interface.
192.168.1.0/24 is office subnet and 192.168.0.0/24 is home subnet.
I can establish a tunnel between them, I see the SA installed, but I can't ping the remote ends.
If I do a traceroute I see the packet being routed through the NAT masquerade to the work ISP.
The NAT bypass rule has been set before 0.
This happens on both sides, so I just report one, which is also the less complicated setup.
[admin@work] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 1.1.1.2 1
1 ADC 1.1.1.1/30 1.1.1.1 ether1 0
2 ADC 192.168.1.0/24 192.168.1.99 ether2 0
[admin@work] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=yes
log-prefix="prima di masquerade"
1 chain=srcnat action=masquerade out-interface=ether1
2 chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=80 protocol=tcp dst-address=1.1.1.1
src-port="" dst-port=8888 log=no log-prefix="Nat 8888"
3 chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=80 protocol=tcp dst-address=1.1.1.1
src-port="" dst-port=80 log=no log-prefix="porta 80 nat"
4 chain=dstnat action=dst-nat to-addresses=192.168.1.220 to-ports=443 protocol=tcp in-interface=ether1
src-port="" dst-port=444 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.1.221 to-ports=8080 protocol=tcp in-interface=ether1
src-port="" dst-port=8080 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.1.220 to-ports=10001 protocol=tcp in-interface=ether1
src-port="" dst-port=10001 log=no log-prefix=""
7 chain=dstnat action=dst-nat to-addresses=192.168.1.220 to-ports=5588 protocol=tcp in-interface=ether1
src-port="" dst-port=5588 log=no log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=443 protocol=tcp in-interface=ether1
src-port="" dst-port=10443 log=no log-prefix=""
9 chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=5632 protocol=tcp in-interface=ether1
src-port="" dst-port=5632 log=no log-prefix=""
[admin@work] >
[admin@work] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=tcp in-interface=ether1 dst-port=8291 log=no log-prefix="Winbox"
1 chain=input action=accept protocol=udp in-interface=ether1 dst-port=500 log=no log-prefix="500 UDP"
2 chain=input action=accept protocol=udp in-interface=ether1 dst-port=4500 log=yes log-prefix="4500 UDP"
11 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=yes log-prefix="test"
12 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
13 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
15 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
16 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
17 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
18 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
19 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
20 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@work] > ip ipsec peer
add comment disable edit enable export find move print remove set
[admin@work] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R address=2.2.2.2/32 passive=yes auth-method=pre-shared-key secret="Test1234" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
[admin@work] >
[admin@work] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=deunanph2 ph2-count=1
[admin@work] >
[admin@work] > ip ipsec remote-peers prin
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 R established 2.2.2.2 59m8s
[admin@work] > ping 192.168.0.1
SEQ HOST SIZE TTL TIME STATUS
0 10.255.30.1 56 253 18ms host unreachable
1 192.168.0.1 timeout
2 192.168.0.1 timeout
3 192.168.0.1 timeout
4 192.168.0.1 timeout
5 192.168.0.1 timeout
sent=6 received=0 packet-loss=100%
And then it repeats the lines with 10.55 and 192.168.
I really do not understand where I made the error.
Thanks in advance for the help.
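Added example (not from the post and not RouterOS code): a small Python checker that parses the policy and srcnat lines quoted above and reports, for a given source/destination pair, whether the packet falls inside the active encrypt policy's selector and which srcnat rule it hits first. A ping originated by the router itself takes the address of the egress interface (1.1.1.1 here) unless a src-address is given, so the check is run once for that source and once for the LAN address 192.168.1.99; parse_rules, selector_matches and classify are names chosen for this example.

```python
import ipaddress
import re

# Sample input constructed from the "ip ipsec policy print" / "ip firewall nat print"
# output quoted in the post (only the rules relevant to 192.168.1.0/24 <-> 192.168.0.0/24).
POLICY_PRINT = """\
1 A src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=deunanph2 ph2-count=1"""

NAT_PRINT = """\
0 chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.0.0/24 log=yes
log-prefix="prima di masquerade"
1 chain=srcnat action=masquerade out-interface=ether1"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_rules(text):
    """Join wrapped print output (continuation lines do not start with a rule number)
    and return one dict of key/value attributes per rule, in print order."""
    rules, buf = [], []
    for line in text.splitlines():
        if re.match(r"^\d+\s", line) and buf:
            rules.append(" ".join(buf))
            buf = []
        buf.append(line.strip())
    if buf:
        rules.append(" ".join(buf))
    return [dict(KV.findall(r)) for r in rules]


def selector_matches(rule, src, dst):
    """True when src/dst fall inside the rule's src-address/dst-address; a missing key means any."""
    def inside(key, addr):
        net = rule.get(key)
        return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    return inside("src-address", src) and inside("dst-address", dst)


def classify(src, dst, policies, nat_rules):
    """Is src->dst selected by an active encrypt policy, and which srcnat rule does it hit first?"""
    encrypted = any(p.get("action") == "encrypt" and selector_matches(p, src, dst) for p in policies)
    srcnat = next((r["action"] for r in nat_rules
                   if r.get("chain") == "srcnat" and selector_matches(r, src, dst)), "none")
    return {"encrypted": encrypted, "srcnat": srcnat}


POLICIES = parse_rules(POLICY_PRINT)
NATS = parse_rules(NAT_PRINT)

if __name__ == "__main__":
    for src in ("1.1.1.1", "192.168.1.99"):  # egress-interface address vs. LAN address
        print(src, "->", "192.168.0.1", classify(src, "192.168.0.1", POLICIES, NATS))
```

Only a source inside 192.168.1.0/24 matches both the encrypt policy and the bypass rule; anything else falls through to the masquerade rule and leaves ether1 in the clear.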