I have an interesting problem that has recently come to light.
I have a Mikrotik v3.30 (recently upgraded) PC utilizing an IPSEC tunnel to a remote SonicWall. I have NO control over the SonicWall. The tunnel is establishing fine. However, from what I understand, SonicWall utilizes an "address object group" to specify which IPs on the remote network are accessible through the tunnel. The interesting thing is, I can ONLY ping the last IP that is added to the SonicWall "address object group". In other words, if the IPs 192.168.187.20, 192.168.187.21, and 192.168.187.47 are in an "address object group" on the SonicWall, I can ONLY ping 192.168.187.47. If 192.168.187.47 is removed from the group, then I can ONLY ping 192.168.187.21. WTF!!!
Has anyone seen this? This was working FINE for months and NOTHING changed on my side. I upgraded to v3.30 hoping that it would resolve the problem after it had appeared.
I think this has something to do with the SonicWall BUT the admin on the remote side insists otherwise.
Not that it matters (because the tunnel is establishing) but here's my config:
/ip ipsec peer> print
Flags: X - disabled
 0   address=xxx.xxx.xxx.xxx/32:500 auth-method=pre-shared-key secret="D1AB6AD4D313456" generate-policy=no exchange-mode=main send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime= lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 \

/ip ipsec proposal> print
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h pfs-group=modp102

/ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
 0 I src-address=192.168.1.11/32:any dst-address=192.168.187.20/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0
 1   src-address=192.168.1.11/32:any dst-address=192.168.187.21/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0
 2   src-address=192.168.1.11/32:any dst-address=192.168.187.47/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0

 0   chain=srcnat action=accept src-address=192.168.1.11 dst-address=192.168.187.21
 1   chain=srcnat action=accept src-address=192.168.1.11 dst-address=192.168.187.20
 2   chain=srcnat action=accept src-address=192.168.1.11 dst-address=192.168.187.47
THANKS AS ALWAYS!
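A small consistency check for a setup like the one in this post, added here as an example (not code from the poster or from MikroTik): it parses RouterOS `print` listings of the IPsec policies and the srcnat rules and, for each address in the remote address object group, reports which encrypt policy selects the local host to that address, whether that policy is active (the `I` flag in the listing above marks policy 0 inactive), and whether the first matching srcnat rule is an `accept`, so the packet is not NATed before the policy selector is evaluated. The listings below are constructed to match the shape of the post's output; the public peer addresses are TEST-NET placeholders and the trailing masquerade rule is an assumed typical rule, not one from the post.

```python
import ipaddress
import re

# Constructed sample listings in the shape of RouterOS "print" output, mirroring the
# policies and srcnat rules in the post. Public peer addresses are TEST-NET placeholders;
# nat rule 3 (masquerade) is an assumed typical rule, not one shown in the post.
POLICY_PRINT = """\
Flags: X - disabled, D - dynamic, I - inactive
 0 I src-address=192.168.1.11/32:any dst-address=192.168.187.20/32:any protocol=all action=encrypt
     level=require ipsec-protocols=esp tunnel=yes sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1
     proposal=default priority=0
 1   src-address=192.168.1.11/32:any dst-address=192.168.187.21/32:any protocol=all action=encrypt
     level=require ipsec-protocols=esp tunnel=yes sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1
     proposal=default priority=0
 2   src-address=192.168.1.11/32:any dst-address=192.168.187.47/32:any protocol=all action=encrypt
     level=require ipsec-protocols=esp tunnel=yes sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1
     proposal=default priority=0
"""

NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=192.168.1.11 dst-address=192.168.187.21
 1   chain=srcnat action=accept src-address=192.168.1.11 dst-address=192.168.187.20
 2   chain=srcnat action=accept src-address=192.168.1.11 dst-address=192.168.187.47
 3   chain=srcnat action=masquerade out-interface=ether1
"""

# An entry line: index, optional single-letter flags, then key=value pairs.
ENTRY_RE = re.compile(r"^\s*(\d+)((?:\s+[A-Z])*)\s+(\S+=.*)$")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_print(text):
    """Turn a RouterOS 'print' listing into a list of {'id', 'flags', <key>: <value>} dicts.
    Indented lines without a leading index continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "flags": set(m.group(2).split()), "_body": m.group(3)})
        elif entries and line.strip():
            entries[-1]["_body"] += " " + line.strip()
    for e in entries:
        for k, v in KV_RE.findall(e.pop("_body")):
            e[k] = v.strip('"')
    return entries


def selector_net(value):
    """'192.168.187.20/32:any' or '192.168.1.11' -> ip_network; a missing selector matches all."""
    if value is None:
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value.split(":")[0], strict=False)


def check_coverage(policy_text, nat_text, local_host, remote_hosts):
    """For each remote host: the id of the first enabled encrypt policy whose selectors
    cover local_host -> remote_host, whether it is active (no 'I' flag), and whether the
    first matching srcnat rule is action=accept (traffic stays un-NATed for the policy)."""
    policies = parse_print(policy_text)
    nat_rules = parse_print(nat_text)
    local = ipaddress.ip_address(local_host)
    report = {}
    for host in remote_hosts:
        remote = ipaddress.ip_address(host)
        result = {"policy": None, "active": False, "nat_bypass": False}
        for p in policies:
            if (p.get("action") == "encrypt" and "X" not in p["flags"]
                    and local in selector_net(p.get("src-address"))
                    and remote in selector_net(p.get("dst-address"))):
                result["policy"] = p["id"]
                result["active"] = "I" not in p["flags"]
                break
        for r in nat_rules:
            if (r.get("chain") == "srcnat" and "X" not in r["flags"]
                    and local in selector_net(r.get("src-address"))
                    and remote in selector_net(r.get("dst-address"))):
                result["nat_bypass"] = r.get("action") == "accept"
                break
        report[host] = result
    return report


if __name__ == "__main__":
    # 192.168.187.30 is a constructed address with no policy, to show the "uncovered" case.
    group = ["192.168.187.20", "192.168.187.21", "192.168.187.47", "192.168.187.30"]
    for host, r in check_coverage(POLICY_PRINT, NAT_PRINT, "192.168.1.11", group).items():
        print(f"{host}: policy={r['policy']} active={r['active']} nat_bypass={r['nat_bypass']}")
```

Run against the listings above, the check reports policy 0 (to 192.168.187.20) as inactive and the other two as active with a NAT bypass in place; an address in the remote group with no matching policy, or whose first matching srcnat rule is a masquerade, shows up as uncovered. Comparing the report with what the remote side has in its address object group narrows the question of which side lacks a selector for a given host.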