Hi,
I've got a site-to-site IPsec VPN connection between Site A (Fortigate) and Site B (Mikrotik CHR).
Site A should break out to the internet through Site B, instead of using the local connection for web surfing.
I got it working, but I want to make sure there are no errors in the config which, for example, might enable exploitation by third parties.
Mikrotik config looks like this:
/ip firewall address-list
add address=10.25.128.0/24 list=net_SiteA-Clients
/ip ipsec policy
add dst-address=10.25.128.0/24 peer=SiteA proposal=SiteA src-address=0.0.0.0/0 tunnel=yes
/ip firewall filter
add action=accept chain=forward connection-state=new dst-address-list=!net_PrivateRanges in-interface-list=WAN ipsec-policy=in,ipsec log=yes log-prefix=inet out-interface-list=WAN src-address-list=net_SiteA-Clients
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!net_PrivateRanges in-interface-list=WAN ipsec-policy=out,none out-interface-list=WAN src-address-list=net_SiteA-Clients to-addresses=<SiteB-PublicIP>
Specifically, I'm unsure about the ipsec-policy filter, whether I chose the optimal setting to secure everything as well as possible, and the src and dst interfaces both being WAN also concerns me a bit in that context. The IPsec policy with src-address 0.0.0.0/0 also makes me wonder whether that might get me into problems later.
Thanks for any advice!
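As an added example (not part of the question above, and not MikroTik's own tooling), here is a small Python script that parses the posted RouterOS export and checks the two matchers the breakout depends on: the forward accept rule for the remote clients must carry ipsec-policy=in,ipsec, so that only packets actually decrypted from the tunnel match it and a plaintext packet arriving on WAN with a spoofed 10.25.128.0/24 source does not, and the srcnat rule must carry ipsec-policy=out,none, so that packets about to be encrypted back into the tunnel are never rewritten. It also verifies that every entry of the client address list falls inside the dst-address of a tunnel policy, which is what lets return traffic from the internet (after de-NAT) match the 0.0.0.0/0 -> 10.25.128.0/24 policy. The parser, the function names and the weakened variant of the config are assumptions made for this example; the posted config is copied as-is with its <SiteB-PublicIP> placeholder.

```python
"""Sanity-check a RouterOS export for a tunnel-to-internet breakout (added example)."""
import ipaddress
import re

# Verbatim copy of the config from the post; the weakened variant below is
# constructed for comparison (forward rule without the ipsec-policy matcher).
POSTED_EXPORT = """\
/ip firewall address-list
add address=10.25.128.0/24 list=net_SiteA-Clients
/ip ipsec policy
add dst-address=10.25.128.0/24 peer=SiteA proposal=SiteA src-address=0.0.0.0/0 tunnel=yes
/ip firewall filter
add action=accept chain=forward connection-state=new dst-address-list=!net_PrivateRanges in-interface-list=WAN ipsec-policy=in,ipsec log=yes log-prefix=inet out-interface-list=WAN src-address-list=\\
    net_SiteA-Clients
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!net_PrivateRanges in-interface-list=WAN ipsec-policy=out,none out-interface-list=WAN src-address-list=net_SiteA-Clients to-addresses=<SiteB-PublicIP>
"""
WEAKENED_EXPORT = POSTED_EXPORT.replace(" ipsec-policy=in,ipsec", "")


def parse_export(text):
    """Return {section: [rule-dict, ...]}, joining RouterOS '\\' line continuations."""
    text = re.sub(r"\\\n\s*", "", text)  # export wraps long lines with a trailing backslash
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # key=value tokens; '!' negation and ',' lists stay inside the value
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line[4:])))
    return sections


def policies_cover_clients(sections, client_list):
    """True if every address in client_list is inside some tunnel policy's dst-address."""
    clients = [ipaddress.ip_network(r["address"])
               for r in sections.get("/ip firewall address-list", [])
               if r.get("list") == client_list]
    policies = [ipaddress.ip_network(r["dst-address"])
                for r in sections.get("/ip ipsec policy", [])
                if r.get("tunnel") == "yes"]
    return bool(clients) and all(any(c.subnet_of(p) for p in policies) for c in clients)


def audit_breakout(sections, client_list="net_SiteA-Clients"):
    """Return a list of findings; an empty list means the matchers look as intended."""
    findings = []
    for rule in sections.get("/ip firewall filter", []):
        if (rule.get("chain"), rule.get("action"), rule.get("src-address-list")) != (
                "forward", "accept", client_list):
            continue
        if rule.get("ipsec-policy") != "in,ipsec":
            findings.append(f"forward accept for {client_list} lacks ipsec-policy=in,ipsec: "
                            "plaintext WAN packets with a spoofed source would match it")
        if not rule.get("dst-address-list", "").startswith("!"):
            findings.append(f"forward accept for {client_list} does not exclude "
                            "private ranges via a negated dst-address-list")
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("chain") != "srcnat" or rule.get("src-address-list") != client_list:
            continue
        if rule.get("ipsec-policy") != "out,none":
            findings.append(f"srcnat for {client_list} lacks ipsec-policy=out,none: "
                            "packets headed back into the tunnel could be rewritten")
    if not policies_cover_clients(sections, client_list):
        findings.append(f"no tunnel policy's dst-address covers all of {client_list}; "
                        "return traffic would not be encrypted toward the remote site")
    return findings


if __name__ == "__main__":
    for name, export in (("posted", POSTED_EXPORT), ("weakened", WEAKENED_EXPORT)):
        print(name, audit_breakout(parse_export(export)) or ["ok"])
```

Running it prints an empty finding list for the config as posted and one finding for the weakened copy, which is the difference between "traffic from 10.25.128.0/24 that came out of the tunnel" and "any WAN packet claiming to be from 10.25.128.0/24".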