I followed the instructions of this link…
http://wiki.mikrotik.com/wiki/Routing_through_remote_network_over_IPsec
I can see that the IPSec tunnel connection seems to be established, but I can seem to pass traffic to and from the 2 different routers.
I’m completely new to IPSec tunnels, and so when I try to setup a static route, I don’t see a way to send the route.
Can someone assist?
Pure IPSec in Mikrotik does not let you route over the tunnels. What happens is that the IPSec policy see’s the source and dst address that you have selected, and then pushes it through the IPSec process to be sent to the other site. If you wanted to run routing, you need to run another interface and use IPSec to encrypt that traffic, like EoIP or L2TP.
Chances are you need a NAT rule that will not change the Src or Dst address for traffic that is supposed to go through the tunnel. It is also possible you have some firewall filter rules that are blocking the traffic at the remote site once the traffic comes out of the tunnel.
Understood, thank you for the explanation.
Do other routers ‘route’ IPSec tunnels for say site to site communication?
The reason I ask, I need to connect via an IPSec tunnel to an Edgewater networks Edmarc router. It’s basically SIP Proxy router.
It only supports IPsec tunnels for site to site.
Some do. Search for virtual tunnel interface (VTI). It’s a heavily requested feature for mikrotik. For the moment though it’s not supported unless you use another tunnel (GRE/IPIP/EOIP/L2TP) as feklar mentioned.
So let’s say I have 2 mikrotiks
R1- 98.98.98.98 on wan
192.168.1.1/24 on eth2
R2- 67.67.67.67 on the wan
192.168.2.1/24 on eth2
And say I see the link established (because I’ve gotten that far)
I have a laptop on each end.
192.168.1.11
and
192.168.2.22 respectively.
From each laptop I can ping the opposite gateway on eth2, but cannot ping the other laptop.
Is that due to the Mikrotik limitation or a configuration?
Sent from my iPhone using Tapatalk
My thought would be configuration (not that there haven’t been bugs but basic IPSec is pretty stable in my experience).
If you use plain IPSec in tunnel mode you need to ensure that your IPSec policies capture the right traffic (from your local to remote subnet) and your ‘NAT bypass’ rules are above your masquerade rules as mentioned by feklar. Then that method should work.
If you want a routable interface (until we get VTI) setup a GRE (or any other type but gre can be used with other vendors) tunnel over IPSec. Then you need to ensure you can ping the public IPs;. your GRE tunnel is connected and reachable and that you have appropriate static or dynamic routes defined to send your remote subnet traffic via the tunnel (your subnets Mik on each side would need a route using the GRE interface or remote IP of the GRE tunnel as gateway).
Plain IPSec site to site - http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel
Tunnel over IPSec - This is not my blog post but it looks like a good tutorial for a routable IPSec tunnel. https://major.io/2015/05/27/adventures-with-gre-and-ipsec-on-mikrotik-routers/
Tomas Kirnak has a good mum presentation on VPN http://mum.mikrotik.com/presentations/HR13/kirnak.pdf
I also found Greg Sowells tutorials to be helpful when learning VPNs on routeros.