IPSec issue

Guys,
I need to connect several sites to my DC. But the DC is a fully established one with a Cisco environment, L3 switch, router, firewall, etc. Now, I cannot use the Internet to connect my branches; rather, I have to use another dedicated fiber optic link to connect my branches with the DC.

What I did is:
The DC has a MikroTik with its LAN port on the existing LAN and its WAN port on the new fiber link. Also, the LAN port has been selected for the 0/0 gateway, as remote sites require reaching any VLANs and the Internet via the DC.

Now, when I do the peering and then ping from the remote side to the DC's MikroTik's LAN IP, it works, but it does not work if I ping even the gateway of the LAN IP. So I'm sure I'm missing something somewhere. Attached are the things that I'm using now.

Please help…

config of DC is:

/interface ethernet
set [ find default-name=ether1 ] name=eth0-Mgmt
set [ find default-name=ether2 ] name=eth1-WAN1
set [ find default-name=ether3 ] master-port=eth1-WAN1 name=eth2-WAN2
set [ find default-name=ether4 ] name=eth3-LAN1
set [ find default-name=ether5 ] name=eth4-LAN2
/port
set 0 name=serial0
/ip address
add address=10.100.203.10/24 interface=eth3-LAN1 network=10.100.203.0
add address=10.0.0.10/24 interface=eth1-WAN1 network=10.0.0.0
add address=10.250.250.43/24 interface=eth0-Mgmt network=10.250.250.0
add address=172.16.20.169/25 interface=eth3-LAN1 network=172.16.20.128
/ip dns
set servers=10.100.200.6,10.100.200.7
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=172.16.20.128/25
add chain=srcnat dst-address=192.168.1.0/24 src-address=10.100.203.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec peer
add address=10.0.0.11/32 secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=10.100.203.0/24 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=172.16.20.128/25 tunnel=yes
/ip route
add distance=1 gateway=172.16.20.129
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Dhaka
/system identity
set name=VPN-CXB
/system ntp client
set enabled=yes primary-ntp=10.100.200.13

config of site A is:

/interface ethernet
set [ find default-name=ether1 ] name=eth0-Mgmt
set [ find default-name=ether2 ] name=eth1-WAN1
set [ find default-name=ether3 ] master-port=eth1-WAN1 name=eth2-WAN2
set [ find default-name=ether4 ] name=eth3-LAN1
set [ find default-name=ether5 ] name=eth4-LAN2
/port
set 0 name=serial0
/ip address
add address=192.168.1.1/24 interface=eth3-LAN1 network=192.168.1.0
add address=10.0.0.11/24 interface=eth1-WAN1 network=10.0.0.0
add address=10.250.250.44/24 interface=eth0-Mgmt network=10.250.250.0
/ip dns
set servers=10.100.200.6,10.100.200.7
/ip firewall nat
add chain=srcnat dst-address=172.16.20.128/25 src-address=192.168.1.0/24
add chain=srcnat dst-address=10.100.203.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec peer
add address=10.0.0.10/32 secret=test
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.100.203.0/24 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
add dst-address=172.16.20.128/25 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=eth1-WAN1
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Dhaka
/system identity
set name=VPN-Site-A
/system ntp client
set enabled=yes primary-ntp=10.100.200.13

[attachment: Drawing3.jpg]

Add a forward firewall rule to allow the 192.168.. networks through the router
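Before adding rules, it helps to confirm that the two exports actually agree with each other. The following Python checker is an added example, not code from the thread or from MikroTik: it parses the `/ip ipsec policy`, `/ip firewall nat` and `/ip firewall filter` sections of a RouterOS export and reports three things that break exactly this kind of tunnel: a policy with no mirror image on the far side, a policy whose traffic would be masqueraded because no accept rule sits above the masquerade rule, and a policy with no explicit `chain=forward action=accept` rule covering it (the point raised in the reply above). The embedded sample input is copied from the two configs posted in the question; the section names, the use of RouterOS's default rule action (accept when `action=` is omitted) and the function names are this example's own assumptions.

```python
# Consistency checker for a pair of RouterOS exports that build an IPsec
# site-to-site tunnel. Added example; sample input is the policy and NAT
# sections from the DC and Site A configs posted in the question.

DC_EXPORT = """\
/ip firewall nat
add chain=srcnat dst-address=192.168.1.0/24 src-address=172.16.20.128/25
add chain=srcnat dst-address=192.168.1.0/24 src-address=10.100.203.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=10.100.203.0/24 tunnel=yes
add dst-address=192.168.1.0/24 sa-dst-address=10.0.0.11 sa-src-address=10.0.0.10 src-address=172.16.20.128/25 tunnel=yes
"""

SITE_A_EXPORT = """\
/ip firewall nat
add chain=srcnat dst-address=172.16.20.128/25 src-address=192.168.1.0/24
add chain=srcnat dst-address=10.100.203.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=eth1-WAN1
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.100.203.0/24 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
add dst-address=172.16.20.128/25 sa-dst-address=10.0.0.10 sa-src-address=10.0.0.11 src-address=192.168.1.0/24 tunnel=yes
"""


def parse_export(text):
    """Return {section: [rule dict, ...]} for every 'add' line; 'set' lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # section header such as '/ip ipsec policy'
            current = line
            sections.setdefault(current, [])
            continue
        words = line.split()
        if current is None or words[0] != "add":
            continue
        rule = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        sections[current].append(rule)
    return sections


POLICY_KEYS = ("src-address", "dst-address", "sa-src-address", "sa-dst-address")


def policy_key(p):
    return tuple(p.get(k) for k in POLICY_KEYS)


def mirror_key(p):
    """The selector the far side must carry for this policy to negotiate."""
    return (p.get("dst-address"), p.get("src-address"),
            p.get("sa-dst-address"), p.get("sa-src-address"))


def unmirrored_policies(local, remote):
    """Policies on 'local' whose exact mirror image is absent on 'remote'."""
    remote_keys = {policy_key(p) for p in remote.get("/ip ipsec policy", [])}
    return [policy_key(p) for p in local.get("/ip ipsec policy", [])
            if mirror_key(p) not in remote_keys]


def policies_without_nat_bypass(cfg):
    """Policies whose traffic would reach masquerade before an accept rule matches.

    A srcnat rule with no action= uses the default action, accept, which is what
    makes it a bypass rule. Only rules placed above the first masquerade count.
    """
    nat = [r for r in cfg.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    masq_at = next((i for i, r in enumerate(nat) if r.get("action") == "masquerade"), len(nat))
    bypass = {(r.get("src-address"), r.get("dst-address"))
              for r in nat[:masq_at] if r.get("action", "accept") == "accept"}
    return [policy_key(p) for p in cfg.get("/ip ipsec policy", [])
            if (p.get("src-address"), p.get("dst-address")) not in bypass]


def policies_without_forward_accept(cfg):
    """Policies with no explicit 'chain=forward action=accept' rule covering them.

    A rule counts either way round (src/dst or dst/src), since replies must pass
    too; a forward accept with no address match at all covers every policy.
    """
    fwd = [r for r in cfg.get("/ip firewall filter", [])
           if r.get("chain") == "forward" and r.get("action", "accept") == "accept"]
    missing = []
    for p in cfg.get("/ip ipsec policy", []):
        pair = (p.get("src-address"), p.get("dst-address"))
        covered = any((r.get("src-address"), r.get("dst-address")) in (pair, pair[::-1])
                      or ("src-address" not in r and "dst-address" not in r)
                      for r in fwd)
        if not covered:
            missing.append(policy_key(p))
    return missing


def report(local_name, local, remote_name, remote):
    """Human-readable findings for one side of the tunnel."""
    lines = [f"{local_name}: policy {k} has no mirror on {remote_name}"
             for k in unmirrored_policies(local, remote)]
    lines += [f"{local_name}: policy {k} would be masqueraded"
              for k in policies_without_nat_bypass(local)]
    lines += [f"{local_name}: no explicit forward accept for {k}"
              for k in policies_without_forward_accept(local)]
    return lines


if __name__ == "__main__":
    dc, site_a = parse_export(DC_EXPORT), parse_export(SITE_A_EXPORT)
    for finding in report("DC", dc, "Site-A", site_a) + report("Site-A", site_a, "DC", dc):
        print(finding)
```

Run against the two posted configs, the policies mirror each other and both sides carry bypass rules above their masquerade rule, so the only findings are the missing explicit forward accepts on each side; paste in the real `/export` output of each router to re-check after editing.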