Guys,
I need to connect several sites to my DC. Actually my DC is completely Cisco based and has a WAN–LAN with L3 switching inside. So I have no way to use the existing WAN for VPN at this stage. I am planning to use a completely separate setup to hook up with my existing LAN.
The drawing has been attached as a reference. Now, after working on it this way, I have successfully been able to peer them, and I can ping one router's LAN IP from the other. But then I can't go further. Meaning, say I'm at site A and pinging the DC's MikroTik LAN IP: it gives a reply. Then from the DC's MikroTik, if I ping the Internet/any other subnet, it replies [and the existing routing is 100% tested]. Now when I ping from site A to a DC IP, say even the MikroTik's LAN IP subnet's gateway, I don't get any reply. Image attached also.
Can you help me out, where I am missing something???
Config also attached.
[The current setup is in a LAB environment, and we intend to use a separate dedicated fiber optic for inter-district connectivity, NO Internet.]
Note: the DC MikroTik's WAN port is connected to the dedicated fiber (secondary WAN link) and its LAN port is connected to my L3 switch. The default gateway of the DC's MikroTik has been given on the LAN side, as anything from the MikroTik/site office will use that route to reach resources; the site office LAN will only be a LAN, but will take resources from the DC.
[I was also hoping for EoIP over IPsec, for one step ahead…]
Config of VPN-DC (export):

/interface ethernet
set [ find default-name=ether1 ] name=eth0-Mgmt
set [ find default-name=ether2 ] name=eth1-WAN1
set [ find default-name=ether3 ] master-port=eth1-WAN1 name=eth2-WAN2
set [ find default-name=ether4 ] name=eth3-LAN1
set [ find default-name=ether5 ] name=eth4-LAN2
/port
set 0 name=serial0
/ip address
add address=10.100.203.10/24 interface=eth3-LAN1 network=10.100.203.0
add address=10.0.0.10/24 interface=eth1-WAN1 network=10.0.0.0
add address=10.250.250.43/24 interface=eth0-Mgmt network=10.250.250.0
add address=172.16.20.169/25 interface=eth3-LAN1 network=172.16.20.128
/ip dns
set servers=10.100.200.6,10.100.200.7
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=172.16.20.128/25
add chain=srcnat dst-address=192.168.1.0/24 src-address=10.100.203.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec peer
add address=10.0.0.11/32 secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=10.100.203.0/24 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=172.16.20.128/25 tunnel=yes
/ip route
add distance=1 gateway=172.16.20.129
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Dhaka
/system identity
set name=VPN-DC
/system ntp client
set enabled=yes primary-ntp=10.100.200.13

Config of VPN-site-A (export):

/interface ethernet
set [ find default-name=ether1 ] name=eth0-Mgmt
set [ find default-name=ether2 ] name=eth1-WAN1
set [ find default-name=ether3 ] master-port=eth1-WAN1 name=eth2-WAN2
set [ find default-name=ether4 ] name=eth3-LAN1
set [ find default-name=ether5 ] name=eth4-LAN2
/port
set 0 name=serial0
/ip address
add address=192.168.1.1/24 interface=eth3-LAN1 network=192.168.1.0
add address=10.0.0.11/24 interface=eth1-WAN1 network=10.0.0.0
add address=10.250.250.44/24 interface=eth0-Mgmt network=10.250.250.0
/ip dns
set servers=10.100.200.6,10.100.200.7
/ip firewall nat
add chain=srcnat dst-address=172.16.20.128/25 src-address=192.168.1.0/24
add chain=srcnat dst-address=10.100.203.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec peer
add address=10.0.0.10/32 secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.100.203.0/24 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
add dst-address=172.16.20.128/25 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=eth1-WAN1
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Dhaka
/system identity
set name=VPN-site-A
/system ntp client
set enabled=yes primary-ntp=10.100.200.13
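As an added example (not part of the original post, and not MikroTik's own tooling), here is a small Python script that parses the relevant sections of the two exports above and checks the three things that have to line up on both ends of a policy-based IPsec site-to-site: each policy on one router has a mirror (src/dst and SA endpoints swapped) on the other, each policy's src/dst pair is covered by a srcnat accept rule that sits before the masquerade rule, and each policy's sa-dst-address is a configured peer. The parser is a deliberately minimal one that only reads `add` lines of an export; a rule with no `action=` is treated as accept, which is RouterOS's default. The two export strings are copied from the VPN-DC and VPN-site-A configs in the post, trimmed to the sections the checks need.

```python
"""Cross-check a pair of RouterOS exports for a policy-based IPsec site-to-site.

Added example, not MikroTik's own tooling. The two strings below are the
'/ip firewall nat', '/ip ipsec peer' and '/ip ipsec policy' sections copied
from the VPN-DC and VPN-site-A exports in the post.
"""

DC_EXPORT = """\
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=172.16.20.128/25
add chain=srcnat dst-address=192.168.1.0/24 src-address=10.100.203.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec peer
add address=10.0.0.11/32 secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=10.100.203.0/24 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=172.16.20.128/25 tunnel=yes
"""

SITE_A_EXPORT = """\
/ip firewall nat
add chain=srcnat dst-address=172.16.20.128/25 src-address=192.168.1.0/24
add chain=srcnat dst-address=10.100.203.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec peer
add address=10.0.0.10/32 secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.100.203.0/24 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
add dst-address=172.16.20.128/25 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
"""


def parse_export(text):
    """Return {section path: [entry dict, ...]} built from the 'add' lines.
    'set' lines (renames, the built-in disabled policy 0) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if verb != "add" or current is None:
            continue
        sections[current].append(
            dict(tok.split("=", 1) for tok in rest.split() if "=" in tok))
    return sections


def unmirrored_policies(local, remote):
    """Local policies with no remote policy whose src/dst and SA endpoints are swapped."""
    mirrors = {(p["dst-address"], p["src-address"],
                p["sa-dst-address"], p["sa-src-address"]) for p in remote}
    return [p for p in local
            if (p["src-address"], p["dst-address"],
                p["sa-src-address"], p["sa-dst-address"]) not in mirrors]


def unbypassed_policies(policies, nat_rules):
    """Policies whose traffic reaches a masquerade rule before an accept rule.
    srcnat runs before the IPsec policy lookup, so a masquerade that fires
    first rewrites the source and the policy no longer matches."""
    flagged = []
    for pol in policies:
        bypassed = False
        for rule in nat_rules:
            if rule.get("chain") != "srcnat":
                continue
            action = rule.get("action", "accept")  # RouterOS default action
            if (action == "accept"
                    and rule.get("src-address") == pol["src-address"]
                    and rule.get("dst-address") == pol["dst-address"]):
                bypassed = True
                break
            if action == "masquerade":
                break  # masquerade reached first: bypass missing or misordered
        if not bypassed:
            flagged.append(pol)
    return flagged


def peer_mismatches(policies, peers):
    """Policies whose sa-dst-address is not a configured IPsec peer."""
    peer_ips = {p["address"].split("/")[0] for p in peers}
    return [p for p in policies if p["sa-dst-address"] not in peer_ips]


def check_pair(export_a, export_b):
    """Run all checks both ways; every list empty means the pair is consistent."""
    a, b = parse_export(export_a), parse_export(export_b)
    pol_a, pol_b = a.get("/ip ipsec policy", []), b.get("/ip ipsec policy", [])
    return {
        "unmirrored_a": unmirrored_policies(pol_a, pol_b),
        "unmirrored_b": unmirrored_policies(pol_b, pol_a),
        "unbypassed_a": unbypassed_policies(pol_a, a.get("/ip firewall nat", [])),
        "unbypassed_b": unbypassed_policies(pol_b, b.get("/ip firewall nat", [])),
        "peer_mismatch_a": peer_mismatches(pol_a, a.get("/ip ipsec peer", [])),
        "peer_mismatch_b": peer_mismatches(pol_b, b.get("/ip ipsec peer", [])),
    }


if __name__ == "__main__":
    for name, problems in check_pair(DC_EXPORT, SITE_A_EXPORT).items():
        print(f"{name}: {'ok' if not problems else problems}")
```

Run against the two exports as posted, every check comes back empty, which narrows the problem to what the script does not see: the routes on each router and on the L3 switch behind the DC MikroTik, which need a return path to the far-side subnet for anything beyond the router's own LAN IP to answer.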