Hub and Spoke IPSEC Configuration

Hi guys
I have a couple of Mikrotik routers in small offices, connected via an IPsec tunnel. I used the following video as a guide to get the tunnels up and running: http://gregsowell.com/?p=787

Let's call those offices 192.168.1.0/24 (head office) and 192.168.2.0/24 (branch office 1).

I now have a second branch office that has a tunnel back into head office; let's call that one 192.168.3.0/24.

192.168.1.0 and 192.168.2.0 can talk, and 192.168.1.0 and 192.168.3.0 can talk.

What I need is for the two branch offices, 192.168.2.0, and 192.168.3.0, to be able to talk as well, through the head office Mikrotik, without establishing a VPN connection directly between the two branch offices.

I have created policies at both branches, thinking it would send traffic to those remote subnets through the head office, but I think I’m off track somewhere here, and if I am on track I’m not sure where to go from here. Under IP > Firewall > NAT, I do have srcnat rules allowing traffic from all subnets to all subnets. Can somebody help?

Thanks
[Attachment: Mikrotik Setup.png]

I think additional routing configuration is required on branch office routers.
Otherwise 192.168.3.1 router has no idea how to find 192.168.2.1 and forwards traffic to default gateway.

On the 192.168.3.1 router, set /ip route dst-address=192.168.2.0/24 with the gateway set to the local IP of the head office; the same rule is necessary on the 192.168.2.1 router too.

I was thinking something similar too. When the route is added, Winbox says "192.168.1.1 unreachable". The weird thing is that despite the tunnels I do have working, none of the routers can actually ping each other (preventing the static route from working). For example, 192.168.1.1 cannot ping 192.168.2.1 or 192.168.3.1, even though the whole of the 1.x network can ping the rest of the 2.x and 3.x networks. What could be causing that? Thanks

I think I've managed to figure this out using IP tunnels in conjunction with the IPsec tunnel, using this as a guide:
http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco

Thanks for the idea Sergejs. I still had to add routes in addition to following the above link.

I have the very same diagram for a hub-spoke configuration as above.

A head-office router with VPN tunnels to each "spoke", each on a different subnet.

I would like the different subnets to pass traffic to each other through the head office router.

I have the VPN successfully passing traffic on each leg both ways, no problem there.

Can someone explain the rules needed in both the head office and spoke routers, using the IP scheme in the diagram above?

In other words: I would like to ping a machine on 2.0 from 3.0 via the established VPNs between 1.0 and 2.0 and between 1.0 and 3.0.

Is this possible with the correct rules, using only a single VPN tunnel from each leg to the head end?

Eventually I would like many “spokes” able to talk to each other through the head end.

Well, after clicking around on some of these links...

Branch to Head VPN:
Branch LAN to Head LAN, SRC network with a 24-bit netmask, DST network with a 16-bit netmask.

Vice versa on the Head to Branch VPN side:
Head LAN SRC with a 16-bit netmask, DST with a 24-bit netmask.

Easy as 1, 2, 3.
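The /24 to /16 policy scheme described in the post above, written out as RouterOS (v6 syntax) commands. This is an added example, not configuration posted by anyone in this thread; the WAN addresses (203.0.113.x) and the pre-shared secret are placeholders, the LAN subnets are the ones from the thread, and the NAT accept rules are assumed to be moved above the existing masquerade rule.

```routeros
# Added example (not from the thread): hub-and-spoke IPsec with one tunnel per spoke.
# Assumed placeholders: hub WAN 203.0.113.1, branch 1 WAN 203.0.113.2,
# branch 2 WAN 203.0.113.3; LANs 192.168.1.0/24 (hub), .2.0/24 and .3.0/24 (spokes).

# ---------- Branch 1 (192.168.2.0/24) ----------
/ip ipsec peer add address=203.0.113.1/32 secret="CHANGE-ME" exchange-mode=main
# One policy reaches the hub LAN and every other spoke: dst is the whole /16,
# so spoke-to-spoke packets are encrypted towards the hub, not sent to the default gateway.
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.0.0/16 \
    sa-src-address=203.0.113.2 sa-dst-address=203.0.113.1 tunnel=yes action=encrypt
# Keep tunnel traffic out of masquerade (place this rule above the masquerade rule).
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.0.0/16 \
    action=accept comment="no NAT for IPsec traffic"

# ---------- Branch 2 (192.168.3.0/24) ----------
/ip ipsec peer add address=203.0.113.1/32 secret="CHANGE-ME" exchange-mode=main
/ip ipsec policy add src-address=192.168.3.0/24 dst-address=192.168.0.0/16 \
    sa-src-address=203.0.113.3 sa-dst-address=203.0.113.1 tunnel=yes action=encrypt
/ip firewall nat add chain=srcnat src-address=192.168.3.0/24 dst-address=192.168.0.0/16 \
    action=accept comment="no NAT for IPsec traffic"

# ---------- Hub (192.168.1.0/24) ----------
/ip ipsec peer add address=203.0.113.2/32 secret="CHANGE-ME" exchange-mode=main
/ip ipsec peer add address=203.0.113.3/32 secret="CHANGE-ME" exchange-mode=main
# Mirror image: src is the whole /16, dst is each spoke's /24, one policy per spoke.
# A packet from 192.168.3.x to 192.168.2.x is decrypted by the branch 2 policy,
# forwarded, and then matched and re-encrypted by the branch 1 policy.
/ip ipsec policy add src-address=192.168.0.0/16 dst-address=192.168.2.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 tunnel=yes action=encrypt
/ip ipsec policy add src-address=192.168.0.0/16 dst-address=192.168.3.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.3 tunnel=yes action=encrypt
/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 dst-address=192.168.0.0/16 \
    action=accept comment="no NAT for IPsec traffic"
# Adding a third spoke later means one more peer, one more policy and no change
# on the existing spokes, because their /16 destination already covers it.
```

Because the policies match on traffic selectors, the existing default route is enough; no per-spoke static route is needed on the spokes for this to work.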

I have three remote sites set up, and the IPsec tunnels established. I have two-way communication between the LAN ports of all the Mikrotik routers, over the tunnels. Only one of them is able to communicate all the way to the hub's LAN. The first one I set up is working properly, and I copied the config from that one to the others. I've changed all the pertinent details that should allow the others to work. Is there anything extra I need to do in the hub router to allow multiple tunnels to work properly?

Would setting the branch offices up with an L2TP tunnel back to the main office be an easy way to configure this? I may be wrong, but I thought I would throw that out there.