I have two routers both using firmware 6.9. I am attempting to connect the two networks using tunneled IPsec (which I have done before).

I can get the either of the two routers to initiate a connection to the other and see the two (and eventually more) SA's appear when I ping LAN to LAN, but the traffic is simply not passing through. It feels like I have the IPsec set correctly as the tunnels come up like they should.

I have also placed a rule at the top of the NAT tab of the firewall that packets from one LAN subnet to the other are to be accepted (to be sure the packets don't make it down to masquerade).

What might I be missing?

After reading some of the other posts, I am going to downgrade to 6.7 on both sides and see if the config is good and the firmware is bad.

After reading some of the other posts, I am going to downgrade to 6.7 on both sides and see if the config is good and the firmware is bad.

Let me know. I have IPSec working on 6.9. I now run EOIP over IPSec though so I can use routing.

Backed both down to 6.7 - no change?

Post your export

Sent from my SCH-I545 using Tapatalk

I have attached the exports from each router. I changed the secrets and the public IP's, but they should match. I can flush the SA's on both sides and initiate traffic from either end and the tunnel and associated SA's seem to come right up. Every once in awhile (like right this second) the tunnel is acting normally.

Wondering if something is at odds depending on which end initiates the tunnel?

Thanks for any guidance.

M.

I have attached the exports from each router. I changed the secrets and the public IP's, but they should match. I can flush the SA's on both sides and initiate traffic from either end and the tunnel and associated SA's seem to come right up. Every once in awhile (like right this second) the tunnel is acting normally.

Wondering if something is at odds depending on which end initiates the tunnel?

Thanks for any guidance.

M.

Your hitting one of the really odd things with IPSec on routeros. On your ether1 you are dropping traffic by default... but you need to allow traffic from your private range on your external interface. Checkout your firewall... ... I would first just disable your firewall and see if it works.

Also any reason not to run IPIP/GRE/EOIP over IPSec? It gives you routing.

-Eric

Just two subnets - not really anything else going on.

Added the firewall rule and it seems to be working like a champ!

M.

Yeah. It's a really weird thing the way it looks like input on the external interface.

Glad it's working.

Sent from my SCH-I545 using Tapatalk