now I want to add to Office1 another network 10.1.203.0/24 that will be on ether3
how can I do this?
I have done the same setting (like I did for the first network) on both sides but I don't get any reply
why?
can it even be done?
what do I need to change in order to make it work?
You will have to add this network to the policies.
When you want to do this kind of thing it is not advisable to use that method of IPsec tunnel.
Instead make a GRE/IPsec tunnel or IPIP/IPsec tunnel and put a /30 network on it.
Then route the traffic either manually using static routes or use BGP or OSPF to do it automatically.
my problem is that I don’t understand your solution
I have a server in office1 and a server in office 2
I don't think it makes any sense to make tunnels for every network I have in the main office…
isn't that the whole idea of IPsec? to make 1 secure tunnel?
The sense of IPsec is to establish a secure connection between two sites.
What is sent through that secure connection is a different story.
“plain” IPSec is definitely great for just connecting two networks. Everything more is making it really complicated as you already experienced.
So pe1chl gave you a very wise hint to use a GRE or IPIP tunnel through IPsec. With those tunnels, you have much more possibilities in routing traffic back and forth. As many networks as you want. Through one tunnel. This tunnel is then encrypted by IPsec.
-Chris
throw everything away that you already configured (ipsec, nat rules, etc)
make a Interfaces->GRE tunnel at each end, fill in the local and remote public IP addresses (80.250.x.x)
put the checkmark at IPsec and fill in a key
add an IP->address to the tunnel at each end like 192.168.100.1/30 and 192.168.100.2/30
at each end configure a Routing->BGP->Peer with the remote address 192.168.100.x of the other end,
remote AS number 65530, nexthop choice “force self”, TTL 1 (leave other options at default)
at each end add the networks you want to route into Routing->BGP->networks and check the “synchronize” checkmark
That is all. More networks and sites can be added easily from now. You don’t need tricky policies or NAT avoidance rules,
you can have easy firewall rules on the tunnel interface if you like.
which networks should I write in each end?
now I have all 4 networks in both ends
do I need to write in each end the networks on the other side OR the ones on my side?
In BGP networks you should only put the networks at each end that are locally connected to that router.
So in your case you put things like 10.0.2.0/24 there.
In BGP Peers you should see the number of networks that the remote end has in the Prefix Count column.
In the IP->Routes you should see the routes that are added for the remote networks with distance 200.
When it still does not work you should check the IP->Firewall rules for blockings in the forward table that
you may need to modify (only required when you had already made changes there, it should be fine with
the default entries). Similar for IP->Firewall->NAT when you have put something other than defaults there.
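The recipe pe1chl gives above (GRE tunnel with the IPsec checkmark, a /30 on the tunnel, an iBGP peer over it, and only the locally connected networks in BGP networks at each end), written out as RouterOS CLI so both ends can be compared side by side. This is an added example, not configuration posted by anyone in the thread; it assumes RouterOS v6-style command syntax, the public addresses 80.250.X.X / 80.250.Y.Y are placeholders, the interface and peer names are invented, and the /24 prefix length on the store network is assumed (the thread only gives 192.169.1.0).

```routeros
# Added example (not from the thread): GRE-over-IPsec tunnel plus iBGP, RouterOS v6-style syntax.
# 80.250.X.X / 80.250.Y.Y are placeholder public addresses; replace with the real ones.
# Names like gre-to-store / gre-to-office1 and the shared key are invented for the example.

### ---- Office1 (main office) router ----
/interface gre add name=gre-to-store local-address=80.250.X.X remote-address=80.250.Y.Y \
    ipsec-secret="CHANGE-ME-to-a-long-random-key" comment="GRE tunnel, payload encrypted by IPsec"
# the /30 transit network that lives only on the tunnel
/ip address add address=192.168.100.1/30 interface=gre-to-store
# both ends use the same AS (iBGP); router-id taken from the tunnel address
/routing bgp instance set default as=65530 router-id=192.168.100.1
/routing bgp peer add name=store remote-address=192.168.100.2 remote-as=65530 \
    nexthop-choice=force-self ttl=1
# advertise ONLY the networks connected to THIS router (the main-office LANs)
/routing bgp network add network=10.0.2.0/24 synchronize=yes
/routing bgp network add network=10.1.203.0/24 synchronize=yes   # the new ether3 network
# optional: plain firewall rules on the tunnel interface instead of IPsec policies
/ip firewall filter add chain=forward in-interface=gre-to-store action=accept \
    comment="traffic arriving from the store over the tunnel"

### ---- Store router ----
/interface gre add name=gre-to-office1 local-address=80.250.Y.Y remote-address=80.250.X.X \
    ipsec-secret="CHANGE-ME-to-a-long-random-key" comment="must match the key on the other end"
/ip address add address=192.168.100.2/30 interface=gre-to-office1
/routing bgp instance set default as=65530 router-id=192.168.100.2
/routing bgp peer add name=office1 remote-address=192.168.100.1 remote-as=65530 \
    nexthop-choice=force-self ttl=1
# only the store's own LAN here; prefix length /24 is assumed
/routing bgp network add network=192.169.1.0/24 synchronize=yes

### ---- Checks to run on either end after both sides are configured ----
# Prefix Count should equal the number of networks the remote end advertises
/routing bgp peer print
# BGP-learned routes appear with distance 200 and must be reachable, not unreachable
/ip route print where distance=200
# a route is only usable if its nexthop (the tunnel address of the far end) is reachable,
# so if the routes show unreachable, first confirm the tunnel itself passes traffic
/ping 192.168.100.1
```

With synchronize=yes a network is only announced when a matching route exists in the local routing table, which is why each end lists just its own connected networks: the remote ones arrive via BGP. Adding a fifth site or network later means one more /routing bgp network line on the router that owns it, with no change to IPsec policies.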
I have no firewall \ NAT rules.
I have look again and saw this:
in “Main Office Server” I can see in IP-Route the Store network - 192.169.1.0 reachable
in “Store Server” I can see it added the 3 networks but they are all unreachable
so I guess this is the problem…
any idea why?
where can I search the problem ?