I'm having a (probably trivial) problem setting up a site-to-site VPN via IPSec. I want to join 192.168.10.0/25 AND 192.168.10.128/25 (each with its own DHCP and clients) into one 192.168.10.0/24. I have some static leases which I want to be available for everyone.
IPSec and generic firewall settings are omitted, since I've got the tunnel running. Firewall NAT contains only an SNAT rule and a MASQUERADE one as second priority.
Config site A
/ip address
add address=192.168.10.128/24 interface=vlan1
/ip pool
add name=main_pool ranges=192.168.10.129-192.168.10.254
/ip dhcp-server
add address-pool=main_pool interface=vlan1 lease-time=1m name=main
/ip dhcp-server network
add address=192.168.10.128/24 dns-server=192.168.10.128 gateway=192.168.10.128
/ip ipsec policy
add dst-address=192.168.10.0/25 peer=peer1 proposal=proposal1 src-address=192.168.10.128/25 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/25 log=yes src-address=192.168.10.128/25
Config site B
/ip address
add address=192.168.10.1/24 interface=vlan1
/ip pool
add name=main_pool ranges=192.168.10.2-192.168.10.127
/ip dhcp-server
add address-pool=main_pool interface=vlan1 lease-time=1m name=main
/ip dhcp-server network
add address=192.168.10.1/25 dns-server=192.168.10.1 gateway=192.168.10.1
/ip ipsec policy
add dst-address=192.168.10.128/25 peer=peer1 proposal=proposal1 src-address=192.168.10.0/25 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.128/25 log=yes src-address=192.168.10.0/25
Can it be a routing problem? I've run tcpdump on one of the machines inside the network while trying to ping it from the other router, and I can see the packet arriving, but there's no reply – I guess because there's no route or SNAT is broken:
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:14:19.093938 IP 192.168.10.128 > 192.168.10.13: ICMP echo request, id 57088, seq 0, length 36
01:14:20.155576 IP 192.168.10.128 > 192.168.10.13: ICMP echo request, id 57088, seq 256, length 36
01:14:21.197926 IP 192.168.10.128 > 192.168.10.13: ICMP echo request, id 57088, seq 512, length 36
01:14:22.280003 IP 192.168.10.128 > 192.168.10.13: ICMP echo request, id 57088, seq 768, length 36
01:14:23.336803 IP 192.168.10.128 > 192.168.10.13: ICMP echo request, id 57088, seq 1024, length 36
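An added example, not part of the post or of RouterOS: a small Python checker that parses the two posted configs and flags the prefix inconsistencies a practitioner would compare first, namely a connected /24 that overlaps the IPsec remote /25 and a DHCP network prefix that differs from the interface prefix. The input is the posted config reduced to the three menus the check reads; the parser and the finding messages are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the relevant lines of the two configs from the post.
SITE_A = """
/ip address
add address=192.168.10.128/24 interface=vlan1
/ip dhcp-server network
add address=192.168.10.128/24 dns-server=192.168.10.128 gateway=192.168.10.128
/ip ipsec policy
add dst-address=192.168.10.0/25 peer=peer1 proposal=proposal1 src-address=192.168.10.128/25 tunnel=yes
"""
SITE_B = """
/ip address
add address=192.168.10.1/24 interface=vlan1
/ip dhcp-server network
add address=192.168.10.1/25 dns-server=192.168.10.1 gateway=192.168.10.1
/ip ipsec policy
add dst-address=192.168.10.128/25 peer=peer1 proposal=proposal1 src-address=192.168.10.0/25 tunnel=yes
"""


def parse_ros(text):
    """Parse a RouterOS export into {menu path: [dict of key=value per 'add' line]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return sections


def check_site(text):
    """Return the prefix inconsistencies found in one site's config (empty list = consistent)."""
    cfg = parse_ros(text)
    findings = []
    # Prefixes the router treats as directly connected (host bits stripped by .network).
    connected = [ipaddress.ip_interface(e["address"]).network for e in cfg.get("/ip address", [])]
    for pol in cfg.get("/ip ipsec policy", []):
        src = ipaddress.ip_network(pol["src-address"])
        dst = ipaddress.ip_network(pol["dst-address"])
        if not any(src.subnet_of(n) for n in connected):
            findings.append(f"IPsec src-address {src} is not inside any connected prefix")
        for net in connected:
            if net.overlaps(dst):  # remote subnet falls inside a local connected route
                findings.append(f"connected {net} overlaps IPsec dst-address {dst}")
    for entry in cfg.get("/ip dhcp-server network", []):
        net = ipaddress.ip_network(entry["address"], strict=False)
        if net not in connected:
            findings.append(f"DHCP network {net} does not match a connected prefix")
    return findings
```

Run `check_site(SITE_A)` and `check_site(SITE_B)`; both report the /24 interface prefix overlapping the remote /25 of the IPsec policy, and site B additionally reports the /25 DHCP network not matching its /24 interface prefix.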