Hi
First of all, I’m coming from the Fortigate world, so I am a newcomer to MikroTiks.
Recently a VPN scenario with a hub and spoke topology (all branch offices are connected to the headquarters and they all communicate with each other through the headquarters) gave me headaches with the MikroTiks.
With Fortigates, you just build your site-to-site VPN tunnels, and with each tunnel you get a new virtual VPN interface (still tunnel mode, not transport mode!).
Then you create your static routes (or use OSPF or whatever) and create firewall policies for what you want to allow.
So, basically:
Fortigate 1 <—> Fortigate 2 <—> Fortigate 3
- Forti1 and Forti3 have a S2S connection to Forti2
- But Forti1 has NO direct connection to Forti3
- Forti1 has routes to the nets of Forti2 and Forti3
- Forti2 has routes to the nets of Forti1 and Forti3
- Forti3 has routes to the nets of Forti1 and Forti2
- Firewall policies to allow traffic from/to the according nets are created on all three Fortigates
And that’s it. If I send traffic from Forti1 to Forti3, it gets sent to Forti2, which forwards (routes) it to Forti3.
That’s without any L2TP, GRE or IPIP tunnel, afaik.
With MikroTiks, I don’t know how to achieve that. What would be the best way? I don’t really like L2TP or GRE, especially as I was able to achieve this goal without using those protocols until now.
Is Fortinet doing some weird stuff, not following standards? Is this a lack of IPsec implementation/features in MikroTiks? Where is the flaw? Was I doing it wrong all the time?
Thanks!