Comments
-
Great! Will try and post results here. Thank you, Bruce!
-
It's 12.5.6.B633773
-
What I can see from site B (XTM) is sslvpn:Waiting for key/certificate generation to complete. From site A: message retry timeout. I’m giving up at this point and going with MikroTik.
-
Yes, BOVPN expiration says never, the internet is working, still no BOVPN. My guess is that something different between the firmwares prevents phase 1 shared secret understanding.
-
I will check the feature key tomorrow, but my guess is it has expired.
-
It is a direct Firebox to ISP connection. I do not see any attempt at a connection from the IP of the T70 to the XTM at all. When I filter by IKED I get: configuration setting has been processed successfully id="0201-2335" 2021-02-04 20:06:00 iked Starts processing a configuration setting id="0201-2334" 2021-02-04 20:06:00 iked Before G.C.…
-
Well, I installed the XTM 33 but cannot get it to work. From the T70 side I get the error “Error Messages for Gateway Endpoint #1(name "gateway-BF") Feb 04 18:28:13 2021 ERROR 0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.” Both endpoints are available. Additional log 158>Feb 4…
-
It’s an XTM 33 with 11.8.1.
-
On second thought, I have an old XTM without a subscription. Will it help if I replace the MikroTik with it?
-
That’s my next step then. Thank you!
-
I’m not sure if I got you right, but I have Any IPv4 bidirectional 172.26.5.9/24. Same with 172.27.5.0/24.
-
This is the case I have. On the MikroTik side: 172.26.5.1 GW: 172.26.5.100 and 172.27.5.1 GW: 172.27.5.100. On the Firebox side: 172.16.5.1 GW: 172.16.5.100. I can reach 172.26.5.1 from 172.16.5.1 and vice versa, but cannot reach 172.27.5.1 from 172.26.5.1.
-
Well, I have all three now and have no idea why some of them were gone. Thank you! BTW, WG support never found their absence when examining my config.
-
I am not sure about default Dynamic NAT entries. I do not seem to have anything default there. I guess that, as I use 0.0.0.0/0 for traffic and did not create any IP for VPN traffic in WG, I had to add entries to Network > NAT > Dynamic NAT like REMOTE_IP_ADDRESS > External. Since I added it, everything works fine.
-
Hi, I sorted the thing out. I hadn’t added Dynamic NAT for the network segments I receive from the remote location. Also, Bruce_Briggs’ solution works with the sites that I could not open earlier. Unfortunately MWhiteley’s solution doesn’t work, but thank you very much for the explanation. Very helpful! Cheers
-
I didn’t change the default settings. Killing these ANY rules doesn’t do anything. I put them as the first rules now and this also doesn’t help. I will locate the MikroTik configuration with the initial problem and try it.
-
I can open any site before the Firebox on the remote location. It doesn’t look like a MikroTik problem.
-
I added a rule to allow any BOVPN traffic to any and reconfigured the MikroTik from scratch. I can ping sites but cannot open web pages.
-
Hi. Thank you for the advice! Unfortunately I cannot connect to any site now, even though I can see all the traffic allowed in Traffic Monitor. It looks like it goes out but is not coming back.
-
I sorted out the outgoing policy and routed traffic through the HTTP and HTTPS proxy policies. However, some sites still cannot be opened. This is what I get trying to connect to Yandex.ru: https://share.icloud.com/photos/0UIXKbcTrVJ0qvHyGqQ5MRoNA
-
Yes, all traffic from the MikroTik goes through the BOVPN. I do not see any deny messages. Traceroute shows the complete path to the destination site. Interestingly, I cannot find a rule in WG to allow any traffic from the BOVPN, but traffic still flows.
-
Well, I turned off geolocation but it didn’t help. Everything works fine from the location of the T70, BTW. Thanks
-
I found out that the correct way is to create an HTTPS-proxy rule and allow only the SSL/TLS check while denying all other requests.
-
It was indeed the second NIC that caused the problem! Thank you, Bruce_Briggs
-
Oh, no, it looks like the server itself is down)
-
Sorry, I didn't get it. I have interfaces 172.16.5.XX and 192.168.0.XX and a rule that allows ports 443 and 80 to go from the first to the second.
-
That did the trick, but I still can connect to the server only from the same network; for others I get "Server isn't responding" and occasionally "tcp invalid connection state" in the Firebox.
-
I see. Thank you so much!
-
That's what I tried. The first rule is "source - XXX.XXX.XXX.22, destination - SNAT1", the second is "source - XXX.XXX.XXX.23, destination - SNAT2". SNAT1 is "External > 10.0.0.1" and SNAT2 is "External > 10.0.0.2". Didn't do the trick. Does it look right?
-
Right, but rules like "source - XXX.XXX.XXX.22, destination - SNAT1" and "source - XXX.XXX.XXX.23, destination - SNAT2" do not work on the same port, as I discovered.