Hi,
we got IPsec tunnel between:
- MT wAP R-2nD (with mobile 3/4G internet)
- PaloAlto network Firewall/Router.
Some config from MT (in general default config + IPsec) :
- static route
/ip route add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=MAIN_PublicIP
- Firewall
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=lte1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state="" connection-state="" in-interface=lte1 src-address=192.168.1.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=lte1
- NAT
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.88.0/24
add action=accept chain=dstnat dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface=lte1
For now all traffic (except 192.168.1.0/24) from BRANCH office workstations route outside to interface lte1.
But for control reasons we need, that all traffic from BRANCH workstations go through IPsec to MAIN office and outside to internet.
see attach, what additional config can help?
s2s_ipsec.png
