
IPSec tunnel connectivity

Posted: Mon Jun 04, 2018 4:17 pm
by merlinios
Hello,

I have a RouterBOARD RB750 on which I have cleared the default configuration. So no bridges, no firewall rules, nothing. On one of the 5 ports I have connected the internet feed from my ISP's metro Ethernet switch, and I have set up the public IP there. So I use this port to create a site-to-site IKEv2 IPsec tunnel with another site. On port 2 I have assigned the network 192.168.10.1/24. I have used this prefix for phase 2 of the IPsec to test IPsec connectivity.

So the IPsec is up, but when I try to ping the remote site with interface 2 as the source I cannot. The same thing happens if I try the opposite direction. In the IPsec SA I can see encrypted traffic, as the counters are increasing.

Any ideas if I need something in the firewall or NAT?


Thanks

Re: IPSec tunnel connectivity

Posted: Mon Jun 04, 2018 5:06 pm
by AndreasGR
Is the firewall configuration clear?
What about the route table?
Are you trying to ping the other end of the tunnel or the subnet at the other end?

If the answer to all the above is yes and you are trying to ping the subnet behind the other end of the tunnel, you need to let your RB know what the route to the other subnet is.
You probably have a 0.0.0.0 rule that sends the traffic to your ISP, so you need to specify that in order to go to the other subnet, the gateway is the IP of the other end of the tunnel.
i.e. a.a.a.0/24 your local subnet
b.b.b.0/24 the other end subnet
x.x.x.y/32 this end of the tunnel
x.x.x.z/32 the other end of the tunnel

Then you have to tell the RB that in order for packets from a.a.a.0/24 to reach subnet b.b.b.0/24, the gateway is x.x.x.z/32.
Similar configuration on the other end: for subnet a.a.a.0/24 the gateway should be x.x.x.y/32.

Re: IPSec tunnel connectivity

Posted: Mon Jun 04, 2018 5:50 pm
by merlinios
Hello,

Firewall config is clear. I have only a rule in the input chain with any/any accept.
The routing table has only the automatic routes for the ISP and the prefix for the subnet I entered on one of the RB ports.

This network is directly connected to the router, so is there a need for static routes?

Re: IPSec tunnel connectivity

Posted: Mon Jun 04, 2018 5:53 pm
by AndreasGR
Hello,

Firewall config is clear. I have only a rule in the input chain with any/any accept.
The routing table has only the automatic routes for the ISP and the prefix for the subnet I entered on one of the RB ports.

This network is directly connected to the router, so is there a need for static routes?
You still need the routers to know about the existence of the other-end subnet.
I may not have completely understood your configuration, but please try the static routes and give me feedback.

Re: IPSec tunnel connectivity

Posted: Mon Jun 04, 2018 10:59 pm
by passarelli
merlinios, have you created src-nat and filter rules?
You must create the following rules:
Filter rules:
ip firewall filter
add chain=input action=accept src-address=REMOTE-PUBLIC-IP dst-address=LOCAL-PUBLIC-IP log=no log-prefix=""
add chain=forward action=accept src-address=LOCAL-PRIVATE-NETWORK dst-address=REMOTE-PRIVATE-NETWORK log=no log-prefix=""
add chain=forward action=accept src-address=REMOTE-PRIVATE-NETWORK dst-address=LOCAL-PRIVATE-NETWORK log=no log-prefix=""

NAT rules:
ip firewall nat
add chain=srcnat action=accept src-address=LOCAL-PRIVATE-NETWORK dst-address=REMOTE-PRIVATE-NETWORK log=no log-prefix=""
add chain=srcnat action=accept src-address=LOCAL-PUBLIC-IP dst-address=REMOTE-PUBLIC-IP log=no log-prefix=""

Re: IPSec tunnel connectivity

Posted: Tue Jun 05, 2018 12:00 pm
by Van9018
What about the route table?
No routes required. The policy handles this. Packets get routed out the WAN with the 0.0.0.0/0 rule, then the policy kicks in and sees the packet matching the IPsec policy. It encrypts the packet and drops it back into the routing logic, where it goes out the WAN again, but encapsulated. Follow the red lines in the packet flow diagram: https://wiki.mikrotik.com/wiki/Manual:P ... encryption

The src-nat passarelli mentions needs to go above the masquerade rule. So when a local-lan-ip packet goes to remote-lan-ip, its src stays as the local-lan-ip (and thus will match the IPsec policy).

The RB750 doesn't support AES hardware acceleration. If you push more than 5 Mbps through IPsec, you'll max out the CPU and the router will start dropping a lot of packets, and it'll be hard to connect to it. In every RB750 I've tried, ether5 is faulty.

Re: IPSec tunnel connectivity

Posted: Tue Jun 05, 2018 2:17 pm
by manelfl
Hi.
I think this NAT rule placed before the masquerade rule is enough, because the firewall is open.

The src-nat passarelli mentions needs to go above the masquerade rule. So when a local-lan-ip packet goes to remote-lan-ip, its src stays as the local-lan-ip (and thus will match the IPsec policy).
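Van9018's point about rule order, quoted again just above, can be checked with a small model of RouterOS first-match srcnat evaluation followed by the phase-2 policy selector. This is an added example, not code from the thread or from MikroTik; the 192.168.20.0/24 remote subnet and the 203.0.113.10 public IP are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example: the ether2 subnet is the one from the
# thread, the remote subnet and the public IP are placeholders.
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.20.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.10")

@dataclass
class NatRule:
    action: str                                   # "accept" (leave untouched) or "masquerade"
    src: Optional[ipaddress.IPv4Network] = None   # unset matcher = match anything
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, src, dst):
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)

def post_nat_source(rules, src, dst):
    """Walk the srcnat chain top to bottom; the first match terminates, as in RouterOS."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return str(WAN_IP) if rule.action == "masquerade" else str(src)
    return str(src)

def ipsec_policy_matches(src, dst):
    """Phase-2 selector: only LOCAL_LAN -> REMOTE_LAN traffic is handed to the SA."""
    return ipaddress.ip_address(src) in LOCAL_LAN and ipaddress.ip_address(dst) in REMOTE_LAN

def would_be_encrypted(rules, src="192.168.10.50", dst="192.168.20.50"):
    """srcnat runs before the IPsec policy lookup, so the policy sees the translated source."""
    return ipsec_policy_matches(post_nat_source(rules, src, dst), dst)

BYPASS = NatRule("accept", LOCAL_LAN, REMOTE_LAN)   # passarelli's accept rule
MASQ = NatRule("masquerade")                        # the usual catch-all masquerade

WRONG_ORDER = [MASQ, BYPASS]   # masquerade first: source becomes WAN_IP, policy never matches
RIGHT_ORDER = [BYPASS, MASQ]   # accept first: source stays in LOCAL_LAN, policy matches

if __name__ == "__main__":
    print("masquerade above accept, encrypted:", would_be_encrypted(WRONG_ORDER))  # False
    print("accept above masquerade, encrypted:", would_be_encrypted(RIGHT_ORDER))  # True
    # Internet-bound traffic still falls through to masquerade with the right order.
    print(post_nat_source(RIGHT_ORDER, "192.168.10.50", "198.51.100.7"))  # 203.0.113.10
```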

Re: IPSec tunnel connectivity

Posted: Tue Jun 05, 2018 4:03 pm
by merlinios
Hello all,

It works now. As Van9018 says, no routes required. For some reason I recreated the whole IPsec config and it started working like a charm. Thanks all for the info and your help.