Hello,
I created a route-based VPN between an SSG-5 and a MikroTik RouterBoard 443.
The VPN comes up, but I cannot access any IP on the other side.
My internal range is 172.x.x.x/24, but I NAT it to 10.210.0.0/24.
My config is:
device->
set interface "tunnel.1" zone "VPN"
set ike gateway "vpn-gw" address 85.254.216.240 Main outgoing-interface "ethernet0/0" preshare "xxx" proposal "pre-g2-3des-sha"
set vpn "vpn" gateway "vpn-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "vpn" monitor
set vpn "vpn" id 0x2 bind interface tunnel.1
set vpn "vpn" proxy-id local-ip 10.210.0.0/24 remote-ip 10.0.0.0/8 "ANY"
set policy id 15 from "Trust" to "VPN" "172.0.0.0/24" "10.0.0.0/8" "ANY" permit log
set policy id 16 from "VPN" to "Trust" "10.0.0.0/8" "MIP(10.210.0.0/24)" "ANY" permit log
set policy id 18 from "Trust" to "VPN" "MIP(10.210.0.0/24)" "10.0.0.0/8" "ANY" permit log
device-> get route | i tun
12 10.210.0.0/24 tun.1 0.0.0.0 C 0 0 Root
13 10.210.0.1/32 tun.1 0.0.0.0 H 0 0 Root
8 10.0.0.0/8 tun.1 0.0.0.0 S 10 1 Root
device-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 85.254.216.240 500 esp:3des/sha1 d2b30d65 2326 unlim A/D -1 0
00000002> 85.254.216.240 500 esp:3des/sha1 080cfaf6 2326 unlim A/D -1 0
When I try to traceroute any IP, I get:
C:\>tracert 10.8.8.3
Tracing route to 10.8.8.3 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.23.113.1
2 25 ms 40 ms 12 ms 80.x.x.1 - my default gw
3 80.x.x.1 reports: Destination net unreachable.
Trace complete.
From the other side:
traceroute to 10.210.0.101 (10.210.0.101), 30 hops max, 40 byte packets
1 10.8.8.1 0.108 ms 0.107 ms 0.121 ms - mikrotik
2 10.210.0.1 26.475 ms 28.009 ms 19.922 ms - ssg-5
3 * * *
I changed the preference of the route, but it did not help.
What is wrong in this configuration?
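As an added worked example (not part of the original post, and not an answer from the forum), here is a small checker that models the objects quoted above (proxy-ID, the three policies, and the MIP as a 1:1 network mapping) and walks a packet from the Trust side to 10.8.8.3 through the same three questions a ScreenOS engineer asks: does a policy in the right zone pair cover the addresses, does the flow fit the proxy-ID the SA was built for, and does a return policy exist. Assumptions labelled in the code: the Trust LAN is 172.23.113.0/24 (hop 1 of the tracert is 172.23.113.1, and the post says the 172.x.x.x/24 range is NATed to 10.210.0.0/24), the MIP is a /24-to-/24 mapping that keeps the host bits, and "MIP(10.210.0.0/24)" in a policy is treated as the 10.210.0.0/24 network. The post does not say whether the SSG evaluates the policy on the real or on the MIP-translated source, so the checker reports both; what it does show from the posted lines alone is that the address book "172.0.0.0/24" in policy 15 does not contain any 172.23.113.x host.

```python
import ipaddress

# Constructed model of the ScreenOS objects quoted in the post.
# Assumption: the Trust-side LAN is 172.23.113.0/24 (hop 1 of the tracert is
# 172.23.113.1 and the post says 172.x.x.x/24 is NATed to 10.210.0.0/24).
TRUST_LAN = ipaddress.ip_network("172.23.113.0/24")
MIP_NET = ipaddress.ip_network("10.210.0.0/24")

# Proxy-ID on the SSG side, as posted: local 10.210.0.0/24, remote 10.0.0.0/8.
PROXY_ID = (ipaddress.ip_network("10.210.0.0/24"), ipaddress.ip_network("10.0.0.0/8"))

# Policies as posted: (id, from_zone, to_zone, src, dst).
# "MIP(10.210.0.0/24)" is modelled as the 10.210.0.0/24 network itself.
POLICIES = [
    (15, "Trust", "VPN", "172.0.0.0/24", "10.0.0.0/8"),
    (16, "VPN", "Trust", "10.0.0.0/8", "10.210.0.0/24"),
    (18, "Trust", "VPN", "10.210.0.0/24", "10.0.0.0/8"),
]


def mip_translate(host: str) -> str:
    """Map a real Trust LAN host to its MIP address by keeping the host bits.
    Assumption: a /24-to-/24 MIP, so 172.23.113.101 -> 10.210.0.101."""
    ip = ipaddress.ip_address(host)
    if ip not in TRUST_LAN:
        raise ValueError(f"{host} is not inside the MIP'd LAN {TRUST_LAN}")
    offset = int(ip) - int(TRUST_LAN.network_address)
    return str(MIP_NET.network_address + offset)


def matching_policies(from_zone: str, to_zone: str, src: str, dst: str) -> list[int]:
    """Ids (in order) of policies whose zone pair and address books cover the flow.
    An empty list means no permit rule matches the packet as addressed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [
        pid for pid, fz, tz, snet, dnet in POLICIES
        if fz == from_zone and tz == to_zone
        and s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet)
    ]


def proxy_id_covers(local: str, remote: str) -> bool:
    """True if (local, remote) fits the proxy-ID the SA was negotiated for;
    a flow outside it is not protected by that SA even if a policy permits it."""
    return (ipaddress.ip_address(local) in PROXY_ID[0]
            and ipaddress.ip_address(remote) in PROXY_ID[1])


def trace_outbound(real_src: str, dst: str) -> dict:
    """Walk one Trust -> VPN packet through the checks, before and after the MIP,
    and look up the policy that the reply from the far side would need."""
    mip_src = mip_translate(real_src)
    return {
        "policies_with_real_src": matching_policies("Trust", "VPN", real_src, dst),
        "policies_with_mip_src": matching_policies("Trust", "VPN", mip_src, dst),
        "proxy_id_covers_mip_src": proxy_id_covers(mip_src, dst),
        "return_policies": matching_policies("VPN", "Trust", dst, mip_src),
    }


if __name__ == "__main__":
    # Same endpoints as the two traceroutes in the post (host .101 is constructed).
    for key, value in trace_outbound("172.23.113.101", "10.8.8.3").items():
        print(f"{key}: {value}")
```

Run it as-is to see the four results; swap in your own LAN, MIP or policy address books to re-check a config after editing it. The function names and the 172.23.113.0/24 LAN are assumptions made for this example, not ScreenOS commands.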