Hello guys!!
I have a VPN between a MikroTik and Cloud VPN in GCP.
Details:
On premise:
Public IP: x.x.x.x
LAN: 192.168.60.0/24
IPsec peer = established
Cloud:
Public IP: x.x.x.x
VPC: 192.168.61.0/24
IPsec peer = established
From my server in the cloud, on network 192.168.61.0/24, I can ping my on-premise network.
But from my on-premise network I can't ping my cloud network.
I don't need BGP, I use static routes.
But on my MikroTik I don't know what more I can do.
I use the IPsec option to make the peer connection.
Thanks for the help.
This is my current configuration for IPsec and the firewall rules:
/ip ipsec mode-config
add name=ProposalGCP responder=no src-address-list=VPN-IPSEC
/ip ipsec policy group
add name=ProposalGCP
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=profile1
/ip ipsec peer
add address=181.143.224.163/32 disabled=yes exchange-mode=ike2 local-address=181.143.233.189 name=Peer-GCP-2 profile=profile1
add address=35.227.43.112/32 exchange-mode=ike2 local-address=181.143.233.189 name=Peer-GCP profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add enc-algorithms=aes-256-cbc,aes-128-cbc name=ProposalGCP
/ip ipsec identity
add peer=Peer-GCP policy-template-group=ProposalGCP
add disabled=yes mode-config=ProposalGCP peer=Peer-GCP-2 policy-template-group=ProposalGCP
/ip ipsec policy
set 0 proposal=ProposalGCP
add dst-address=192.168.61.0/24 peer=Peer-GCP proposal=ProposalGCP sa-dst-address=35.227.43.112 sa-src-address=181.143.233.189 src-address=192.168.60.0/24 tunnel=yes
/ip firewall address-list
add address=192.168.60.0/24 list=VPN-IPSEC
add address=192.168.61.0/24 list=VPN-IPSEC
/ip firewall filter
add action=accept chain=forward dst-address=192.168.61.0/24 src-address=192.168.60.0/24
add action=accept chain=forward dst-address=192.168.60.0/24 src-address=192.168.61.0/24
/ip firewall nat
add action=accept chain=srcnat comment="Regla para GCP" dst-address=192.168.61.0/24 log=yes src-address=192.168.60.0/24
Can somebody help me?
Try pinging through your MikroTik router from a client on the LAN side to a host in your GCP subnet.
I've never been able to get a MikroTik IPsec peer itself to talk to a remote subnet when building IPsec tunnels, but clients on the LAN side have communicated happily through those same tunnels. I've heard this is some kind of limitation with Linux-based IPsec tunnels. I'd be very happy to be corrected about this if someone thinks this should be possible.
By the way, although you can't make IPsec connections to VMs on GCP, I have successfully set up OpenVPN tunnels to them and skipped using the GCP VPN terminator altogether. I have a CHR on GCP set up just for this purpose.
It is possible: route the remote subnet to your local LAN. It sounds counterintuitive, but the route won't be used for routing anyway. It's there to make sure the router picks a source LAN IP which is part of the IPsec policy (local subnet).
Ha! That's gold.
Initially, when I tried to follow your instruction, I routed the remote subnet to the gateway address of the local subnet, which didn't work. When I simply selected the interface of the local subnet instead, it worked. I'm guessing the difference is that instead of trying to push packets through the local gateway, this forces packets to originate from that interface, as you described. That's a real eye-opener; thanks for the very helpful correction!
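As an added example (not posted by anyone in this thread), here is what the route trick described above looks like on RouterOS, together with the checks that show whether router-originated traffic now matches the IPsec policy. It uses the subnets and peer addresses from the original configuration; the LAN interface name bridge1, the router LAN address 192.168.60.1 and the GCP host 192.168.61.10 are assumptions, not values from the thread.

```routeros
# Added example, not from the thread. Assumptions: the MikroTik's LAN
# interface is called "bridge1", its LAN address is 192.168.60.1, and
# 192.168.61.10 is a reachable VM in GCP. Subnets, peer and policy values
# come from the original configuration.

# 1. The route that makes router-originated traffic match the IPsec policy.
#    It points the remote subnet at the local LAN *interface* (not the LAN
#    gateway IP). Transit traffic from LAN clients is caught by the IPsec
#    policy regardless; this route only changes which source address the
#    router picks for its own packets, so that it falls inside
#    src-address=192.168.60.0/24 of the policy.
/ip route add dst-address=192.168.61.0/24 gateway=bridge1 \
    comment="GCP subnet: forces a 192.168.60.0/24 source for router traffic"

# 2. Confirm the peer and SAs are up. In the policy print, ph2-state should
#    read "established" for the 192.168.60.0/24 -> 192.168.61.0/24 policy.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print

# 3. Ping from the router itself. The first ping pins the source address so
#    it does not depend on the route at all; if it succeeds while the plain
#    ping fails, source-address selection is the problem the route fixes.
/ping 192.168.61.10 src-address=192.168.60.1 count=4
/ping 192.168.61.10 count=4

# 4. Watch the firewall counters. The forward-chain accept rules from the
#    original config should count LAN-to-GCP packets, and the srcnat accept
#    rule must sit above any masquerade rule: a masqueraded source no longer
#    matches the policy selector and the packet leaves the router unencrypted.
/ip firewall filter print stats where chain=forward
/ip firewall nat print stats where chain=srcnat
/ip firewall connection print where dst-address~"^192.168.61"
```

If the policy shows ph2-state established and the pinned-source ping works but LAN clients still cannot reach GCP, check the rule order in /ip firewall nat and any drop rules earlier in the forward chain before looking at the tunnel itself.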