Finally got ICMP working, but I'm not wild about this solution. Apparently if I add another policy for the src and dst network prefixes, it works. I was hoping that wasn't necessary since I'm trying to use BGP to propagate prefixes in the first place. Can someone advise if this is necessary on ROS7, or if I can just use route-based VPN approach with BGP and have only an IPSEC policy for the BGP peers on either side?
[craigb@MikroTik] /ip/firewall> /ip/ipsec/policy/print
Flags: T - TEMPLATE; X - DISABLED, I - INVALID, A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
#      PEER   TUNNEL  SRC-ADDRESS        DST-ADDRESS        PROTOCOL  ACTION   LEVEL    PH2-COUNT
0 T *                 0.0.0.0/0          0.0.0.0/0          all
;;; AWS-1
1 A    AWS-1  yes     169.254.79.194/32  169.254.79.193/32  all       encrypt  unique   1
;;; AWS-2
2 X    AWS-2  yes     169.254.112.70/32  169.254.112.69/32  all       encrypt  require  0
3 A    AWS-1  yes     192.168.10.0/24    10.60.0.0/16       all       encrypt  unique   1
Posted by craigbruenderman — Mon Mar 11, 2024 2:44 am
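Added example, not part of the original post: policy-based IPsec (which is what /ip/ipsec/policy configures) only encrypts a packet when its source and destination fall inside some enabled policy's selectors; a route learned over BGP changes the next hop but never creates a policy. The script below replays that first-match selector logic over the policy table pasted from the post, so you can see which policy a given flow lands on. The flow addresses 192.168.10.5 and 10.60.1.1 are constructed test values, and the tokenising parser is an assumption written for this whitespace-collapsed print output, not a RouterOS API.

```python
"""Replay RouterOS IPsec policy selection over a pasted policy table (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed input: the '/ip/ipsec/policy/print' table from the post, pasted verbatim.
POLICY_PRINT = """\
Flags: T - TEMPLATE; X - DISABLED, I - INVALID, A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * 0.0.0.0/0 0.0.0.0/0 all
;;; AWS-1
1 A AWS-1 yes 169.254.79.194/32 169.254.79.193/32 all encrypt unique 1
;;; AWS-2
2 X AWS-2 yes 169.254.112.70/32 169.254.112.69/32 all encrypt require 0
3 A AWS-1 yes 192.168.10.0/24 10.60.0.0/16 all encrypt unique 1
"""

FLAG_CHARS = set("TXIA*")  # flag letters listed in the print header


@dataclass
class Policy:
    index: int
    flags: set
    peer: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: str
    action: str
    level: str

    @property
    def template(self) -> bool:
        return "T" in self.flags

    @property
    def disabled(self) -> bool:
        return "X" in self.flags

    @property
    def active(self) -> bool:
        return "A" in self.flags


def parse_policy_print(text: str) -> list:
    """Parse whitespace-collapsed policy rows (assumed layout: index, flag tokens,
    PEER/TUNNEL when present, two CIDR selectors, PROTOCOL, then ACTION and LEVEL)."""
    policies = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header lines and ';;;' comments carry no policy
        index, rest = int(tokens[0]), tokens[1:]
        flags = set()
        while rest and set(rest[0]) <= FLAG_CHARS:
            flags |= set(rest.pop(0))
        cidr_pos = [i for i, t in enumerate(rest) if "/" in t]
        if len(cidr_pos) != 2:
            raise ValueError(f"policy {index}: expected two CIDR selectors in {raw!r}")
        s, d = cidr_pos
        peer = rest[0] if s > 0 else ""          # template rows have no PEER column
        after = rest[d + 1:] + ["", "", ""]       # pad so optional columns index safely
        policies.append(Policy(
            index=index, flags=flags, peer=peer,
            src=ipaddress.ip_network(rest[s]), dst=ipaddress.ip_network(rest[d]),
            protocol=after[0], action=after[1], level=after[2]))
    return policies


def select_policy(policies: list, src_ip: str, dst_ip: str):
    """First enabled, non-template policy whose selectors cover the flow, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:  # evaluated top to bottom, first match wins
        if p.template or p.disabled:
            continue
        if src in p.src and dst in p.dst:
            return p
    return None


def explain(policies: list, src_ip: str, dst_ip: str) -> str:
    p = select_policy(policies, src_ip, dst_ip)
    if p is None:
        return f"{src_ip} -> {dst_ip}: no policy matches; packet follows plain routing"
    state = "active SA" if p.active else "no SA yet"
    return (f"{src_ip} -> {dst_ip}: policy #{p.index} (peer {p.peer}, "
            f"{p.src} -> {p.dst}, {p.action}/{p.level}, {state})")


if __name__ == "__main__":
    pols = parse_policy_print(POLICY_PRINT)
    print(explain(pols, "169.254.79.194", "169.254.79.193"))  # BGP session: policy 1
    print(explain(pols, "192.168.10.5", "10.60.1.1"))         # LAN flow: policy 3
    # The same LAN flow with only the peer /32 policies present (policy 3 removed):
    print(explain([p for p in pols if p.index != 3], "192.168.10.5", "10.60.1.1"))
```

Run it as-is and the third line shows why the extra prefix policy was needed: with only the /32 peer policies, a 192.168.10.x to 10.60.x.x packet matches nothing and is forwarded unencrypted. The script models selectors and order only; it ignores protocol and port selectors, and the template row (index 0) never selects traffic itself but constrains dynamically generated policies on RouterOS, which is not modelled here.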