IPsec and then IPIP tunnels between multiple sites

Hi All,

I need help to connect multiple locations via the Internet. Each location connects to the Internet via an RB2011 router.

Network topology is the following:
Site A (the main site):
WAN: fixed IP (71.75.32.12)
LAN1: 192.168.0.0/24
LAN2: 192.168.100.0/24

Site B:
WAN: dynamic IP
LAN: 192.168.1.0/24

Site C:
WAN: dynamic IP
LAN: 192.168.2.0/24

etc.


Each site needs to connect to Site A. There’s no need for a direct connection between other sites (i.e. site B doesn’t need to have a direct link to site C).
I also noticed that the L2TP connection is blocked by the ISP on some of the sites. At the same time, IPsec seems to work there. So I decided to use IPsec to establish a direct link between each of the sites and Site A, and then to use an IPIP tunnel to set up the routing (instead of having to configure multiple IPsec policies).


So far I have experimented with two sites only. On the main site (Site A) I have set up an IPsec peer with an address of 0.0.0.0/0 and ‘generate policy = port-strict’. This should accept connections from any IP and create the corresponding policies on Site A automatically.

On Site B, I have set up a peer and a policy like this:

/ip ipsec peer
add address=71.75.32.12/32 secret=12345
/ip ipsec policy
add dst-address=1.1.1.1/24 sa-dst-address=71.75.32.12 sa-src-address=0.0.0.0 src-address=1.1.1.2/24 tunnel=yes

I’m not sure whether I can use ‘sa-src-address=0.0.0.0’. But as I don’t have a dedicated WAN IP on Site B, I thought this should work (and it probably does).

The 1.1.1.1 and 1.1.1.2 addresses should be my VPN addresses, which I will set up the IPIP tunnel on.

The IPIP tunnel on Site A is:

/interface ipip add !keepalive name=ipip-tunnel1 remote-address=1.1.1.1

And on Site B it is:

/interface ipip add !keepalive name=ipip-tunnel1 remote-address=1.1.1.2

I’m not sure which IPs I need to assign to the IPIP interfaces on both sites. My assumption was that it should be something from an unused range, so for the testing I set them to 2.2.2.1 for Site A and 2.2.2.2 for Site B.


But the tunnel doesn’t work - I cannot ping remote 2.2.2.x addresses.
If I change IPIP tunnel configuration to use actual WAN IPs of the routers (without IPsec) - the tunnel works as expected.

What am I doing wrong?

Is there a better way to achieve the goal?

Perhaps a picture could help.
Here’s what I want to achieve:
[attached image: Network Diagram 2017-04-17.jpg]
Is this doable, or am I totally wrong?
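For reference, here is one way to lay out the design described in the post (IPIP tunnel endpoints carried inside IPsec tunnel-mode policies). This is an added example, not the poster's configuration or anything from MikroTik: it assumes that the tunnel endpoint addresses 1.1.1.1 and 1.1.1.2 exist as /32 addresses on a loopback bridge on each router (so the router can source IPIP packets from them and the IPsec policy can match), that `local-address` is set on the IPIP interface, and that 2.2.2.0/30 is used for the inner tunnel addresses. `secret=12345` and `sa-src-address=0.0.0.0` are carried over from the post unchanged.

```routeros
# ---- Site A (fixed WAN 71.75.32.12) ----
# loopback bridge holding the IPsec tunnel endpoint address (assumption of this example)
/interface bridge add name=loopback
/ip address add address=1.1.1.1/32 interface=loopback
# responder: accept any initiator, derive policies from the initiator's selectors
/ip ipsec peer add address=0.0.0.0/0 passive=yes secret=12345 generate-policy=port-strict
# IPIP rides on the endpoint addresses, so its outer packets match the IPsec policy
/interface ipip add name=ipip-tunnel1 local-address=1.1.1.1 remote-address=1.1.1.2 !keepalive
/ip address add address=2.2.2.1/30 interface=ipip-tunnel1
# route Site B's LAN through the tunnel
/ip route add dst-address=192.168.1.0/24 gateway=2.2.2.2

# ---- Site B (dynamic WAN) ----
/interface bridge add name=loopback
/ip address add address=1.1.1.2/32 interface=loopback
/ip ipsec peer add address=71.75.32.12/32 secret=12345
# /32 selectors on both ends: only endpoint-to-endpoint traffic (the IPIP outer packets)
# is encrypted; sa-src-address=0.0.0.0 kept from the post for the dynamic WAN address
/ip ipsec policy add src-address=1.1.1.2/32 dst-address=1.1.1.1/32 \
    sa-src-address=0.0.0.0 sa-dst-address=71.75.32.12 tunnel=yes action=encrypt
/interface ipip add name=ipip-tunnel1 local-address=1.1.1.2 remote-address=1.1.1.1 !keepalive
/ip address add address=2.2.2.2/30 interface=ipip-tunnel1
# route Site A's LANs through the tunnel
/ip route add dst-address=192.168.0.0/24 gateway=2.2.2.1
/ip route add dst-address=192.168.100.0/24 gateway=2.2.2.1

# ---- checks (run on either side) ----
# an established SA and, on Site A, a dynamically generated policy should appear
/ip ipsec installed-sa print
/ip ipsec policy print
# inner tunnel address first, then a LAN host behind the far side
/ping 2.2.2.1
/ping 192.168.0.1
```

If the installed-sa list stays empty, the policy selectors on B and the generated policy on A do not match, which is the first thing to compare.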

If L2TP alone is blocked, but IPsec isn’t, then the right solution should be L2TP/IPsec, i.e. L2TP inside IPsec. This way the ISP can’t see what it is and won’t block it. So you should just need the standard Road Warrior setup and won’t have to invent anything complicated.