I’m trying to set up a VPN between 2 remote sites using IPSEC LAN to LAN.
I’ve read all tutorials and guides available on the web and I managed to establish a connection, but there is no communication between the 2 LANs. On one side I’m using a CCR router with an advanced firewall configuration. Besides the NAT rule to be placed on top of the list, should I create any filter rule to allow traffic between the 2 LANs or manually create an IP ROUTE, and if so, what should I set up?
If you want to post more details about the networks and the current configs we can chime in. Based on what you typed the possibilities are too numerous to begin troubleshooting.
Basics though:
Ensure you have routes on each side for each remote network
Ensure you have rules in place permitting the traffic
Assumptions:
VPN is set up and working, i.e. you can ping the remote tunnel interface from each device.
I have 2 internal networks, 192.168.1.0/24 and 192.168.6.0/24, with both routers’ internal interfaces at 192.168.x.1.
Both routers have a default route like 0.0.0.0/0 to the public IP gateway.
Let’s say the external IP addresses are 1.1.1.1 and 2.2.2.2…
How should the routes for the VPN be? To their internal interface (.1), to the external interface, to the remote external interface or to the remote internal gateway?
What kind of rules should I set up to permit traffic?
Actually I can’t ping the remote internal interface, but they are connected on port 500 and I see Installed SAs; I’ve also enabled IPSEC logging and I see correct debug information…
I’m at work so I cannot give you the specific syntax for Mikrotik. We don’t have any Mikrotik equipment here - mainly Cisco. When I get home I can put together a more detailed layout for you.
You first need to set up rules allowing the VPN itself to reach each end. If your tunnel endpoints cannot ping each other, then your VPN is not coming up. With that said, it also depends on where you were pinging from… Can you ping the remote VPN interface sourcing from the local VPN interface?
Basic setup would be permitting local traffic to remote traffic.
See the previous response. We first need to make sure that your tunnel is up/up and you can ping the remote ends. Check what your source is of your pings.
Thanks for your detailed answer.
Actually, in every tutorial I’ve seen the tunnel should be automatically created in the IPSEC policy. IPIP tunnel seems to me a different technique.
Yes, that is another way to do it. I, personally, prefer to use tunnel interfaces - easier to wrap my head around especially when I have multiple VPNs.
When I get home I will work on a non-tunnel interface setup to give you more details.
Stupid me, it was a wrong netmask on one PC.
So, disabling all filter rules, I’m now able to ping PC2 from PC1 and vice versa.
The funny thing is that I can’t ping the router’s internal interface from any router.
Now I need to figure out what filter rules I have to create to allow traffic if I re-enable filtering on the firewall.
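The "basics" listed earlier (routes on each side, rules permitting the traffic) and the open question about which filter rules to re-enable, worked through as an added RouterOS example for site A. This is not the poster's configuration; it assumes policy-based IPsec (no IPIP tunnel) and reuses the thread's addresses: site A LAN 192.168.1.0/24 behind 1.1.1.1, site B LAN 192.168.6.0/24 behind 2.2.2.2.

```routeros
# Added example config for site A (192.168.1.0/24, public 1.1.1.1); mirror the
# src/dst prefixes and the peer address for site B (192.168.6.0/24, public 2.2.2.2).

# 1) NAT: keep site-to-site traffic out of masquerade. This rule must sit above
#    the masquerade rule, otherwise the packets never match the IPsec policy.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.6.0/24 \
    comment="IPsec bypass: do not NAT LAN-to-LAN traffic" place-before=0

# 2) Input: let the remote peer negotiate (IKE, NAT-T) and deliver ESP to this router.
#    Restricting src-address to the peer keeps these ports closed to everyone else.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=2.2.2.2 \
    comment="IKE / NAT-T from remote peer"
add chain=input action=accept protocol=ipsec-esp src-address=2.2.2.2 \
    comment="ESP from remote peer"

# 3) Forward: accept only traffic that is actually carried by an IPsec policy,
#    in both directions. Move these above the generic drop rules of the
#    advanced firewall (place-before=<rule number>) or they are never reached.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.6.0/24 dst-address=192.168.1.0/24 \
    comment="remote LAN -> local LAN (decrypted)"
add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=192.168.1.0/24 dst-address=192.168.6.0/24 \
    comment="local LAN -> remote LAN (to be encrypted)"

# 4) Optional: allow hosts on the remote LAN to reach this router's own LAN address
#    (ping, management). Without it the router answers nothing from across the VPN.
add chain=input action=accept ipsec-policy=in,ipsec src-address=192.168.6.0/24 \
    dst-address=192.168.1.1 comment="remote LAN -> this router"

# 5) Routing: policy-based IPsec needs no extra /ip route. Packets follow the
#    existing default route and the policy picks them up before they leave.
#    A ping sent from the router itself uses the WAN address unless told
#    otherwise, so it must be sourced from the LAN address to match the policy:
/ping 192.168.6.1 src-address=192.168.1.1
```

Step 5 is also why a plain `/ping 192.168.6.1` from the router fails while PC-to-PC traffic works: the WAN-sourced packet falls outside the 192.168.1.0/24 to 192.168.6.0/24 policy and goes out unencrypted.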