Hi,
I have this situation:
PC --- IPSec Router1 (MT 3.11) --- [Wireless LAN] --- IPSec Router2 (MT 3.11) --- INTERNET
I want to create an IPSec tunnel between IPSec Router1 and IPSec Router2 to encrypt all data from the PC that goes to the internet (but not to the internal LAN). Note that the IPSec tunnel would pass through the internal LAN and not through the INTERNET. I have been trying to make it work but with no success; I would appreciate some help on that.
The configurations of IPSec Router1 and IPSec Router2 are the following:
IPSec Router1
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK BROADCAST INTERFACE
0 10.10.1.2/24 10.10.1.0 10.10.1.255 ether1
1 10.10.2.1/24 10.10.2.0 10.10.2.255 ether2
[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.10.1.1/32:any dst-address=10.10.0.0/16:any protocol=all action=none level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default manual-sa=none priority=0
1 src-address=10.10.1.1/32:any dst-address=0.0.0.0/0:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.10.2.1 sa-dst-address=10.10.5.2 proposal=default manual-sa=none priority=0
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled
0 address=10.10.5.2/32:3000 auth-method=pre-shared-key secret="123" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
IPSec Router2
[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK BROADCAST INTERFACE
0 10.10.5.2/24 10.10.5.0 10.10.5.255 ether1
1 Public IP/24 X.X.X.X X.X.X.X ether2
[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.10.0.0/16:any dst-address=10.10.1.1/32:any protocol=all action=none level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default manual-sa=none priority=0
1 src-address=0.0.0.0/0:any dst-address=10.10.1.1/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.10.5.2 sa-dst-address=10.10.2.1 proposal=default manual-sa=none priority=0
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled
0 address=10.10.2.1/32:3000 auth-method=pre-shared-key secret="123" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether2
Thanks in advance,
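Added example, not part of the original post: a small Python script that parses the RouterOS `/ip ipsec policy print` and `/ip ipsec peer print` listings pasted above (the two-line format with continuation lines is assumed to be what RouterOS 3.x prints) and checks the things that most often break a site-to-site policy pair: that every policy on one router has a mirror on the other (selectors and SA endpoints swapped, same action/tunnel/protocol), that each encrypting policy's sa-dst-address has a matching peer entry, and that both sides use the same IKE port. It also lists peer settings that a defender would flag as weak today (MD5, 3DES, modp1024); that list is my hardening note, not something the post asks about.

```python
import re

# Constructed sample input: the listings from the post, header lines dropped.
# In practice, paste each router's full policy and peer 'print' output.
R1_POLICIES = """\
0 src-address=10.10.1.1/32:any dst-address=10.10.0.0/16:any protocol=all action=none level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default manual-sa=none priority=0
1 src-address=10.10.1.1/32:any dst-address=0.0.0.0/0:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.10.2.1 sa-dst-address=10.10.5.2 proposal=default manual-sa=none priority=0
"""
R1_PEERS = """\
0 address=10.10.5.2/32:3000 auth-method=pre-shared-key secret="123" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
"""
R2_POLICIES = """\
0 src-address=10.10.0.0/16:any dst-address=10.10.1.1/32:any protocol=all action=none level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default manual-sa=none priority=0
1 src-address=0.0.0.0/0:any dst-address=10.10.1.1/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.10.5.2 sa-dst-address=10.10.2.1 proposal=default manual-sa=none priority=0
"""
R2_PEERS = """\
0 address=10.10.2.1/32:3000 auth-method=pre-shared-key secret="123" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
"""

# key=value tokens; quoted values (secret="...") may contain spaces.
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Peer settings that still work on RouterOS but are deprecated for new tunnels.
WEAK_VALUES = {
    'hash-algorithm': {'md5'},
    'enc-algorithm': {'des', '3des'},
    'dh-group': {'modp768', 'modp1024'},
}


def parse_print(text):
    """Turn a RouterOS 'print' listing into a list of dicts. A line whose first
    token is the record index opens a record; other lines extend the last one.
    Header lines before the first record ('Flags: ...') are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.split()[0].isdigit():
            records.append({})
        if not records:
            continue
        records[-1].update((k, v.strip('"')) for k, v in TOKEN.findall(line))
    return records


def split_selector(value):
    """'10.10.1.1/32:any' -> ('10.10.1.1/32', 'any'); no port -> 'any'."""
    addr, _, port = value.rpartition(':')
    return (addr, port) if addr else (value, 'any')


def mirror_policies(local, remote):
    """Every local policy needs a remote counterpart with src/dst and the SA
    endpoints swapped and the same action, tunnel mode and protocol.
    Returns a list of problems; an empty list means the pair is consistent."""
    problems = []
    for p in local:
        wanted = {
            'src-address': p['dst-address'],
            'dst-address': p['src-address'],
            'sa-src-address': p['sa-dst-address'],
            'sa-dst-address': p['sa-src-address'],
            'action': p['action'],
            'tunnel': p['tunnel'],
            'protocol': p['protocol'],
        }
        if not any(all(q.get(k) == v for k, v in wanted.items()) for q in remote):
            problems.append('no mirror for policy %s -> %s (action=%s)'
                            % (p['src-address'], p['dst-address'], p['action']))
    return problems


def check_peers(local_policies, local_peers, remote_peers):
    """Each encrypting policy needs a peer whose address equals its
    sa-dst-address, and every local peer must find a remote peer on the
    same IKE port (both sides must agree, whatever port is chosen)."""
    problems = []
    local_ports = {}
    for peer in local_peers:
        addr, port = split_selector(peer['address'])
        local_ports[addr.split('/')[0]] = port
    for p in local_policies:
        if p['action'] == 'encrypt' and p['sa-dst-address'] not in local_ports:
            problems.append('policy %s -> %s: no peer for sa-dst-address %s'
                            % (p['src-address'], p['dst-address'], p['sa-dst-address']))
    remote_ports = {split_selector(q['address'])[1] for q in remote_peers}
    for addr, port in local_ports.items():
        if port not in remote_ports:
            problems.append('peer %s uses IKE port %s but the remote side listens on %s'
                            % (addr, port, sorted(remote_ports)))
    return problems


def weak_settings(peer):
    """Deprecated algorithm choices found in one peer record, sorted."""
    return sorted(peer[k] for k, weak in WEAK_VALUES.items() if peer.get(k) in weak)


if __name__ == '__main__':
    r1p, r1k = parse_print(R1_POLICIES), parse_print(R1_PEERS)
    r2p, r2k = parse_print(R2_POLICIES), parse_print(R2_PEERS)
    print('router1 policies mirrored:', mirror_policies(r1p, r2p) or 'OK')
    print('router2 policies mirrored:', mirror_policies(r2p, r1p) or 'OK')
    print('router1 peers:', check_peers(r1p, r1k, r2k) or 'OK')
    print('router2 peers:', check_peers(r2p, r2k, r1k) or 'OK')
    print('weak peer settings:', weak_settings(r1k[0]))
```

The script only checks that the two listings are consistent with each other; it cannot tell whether the SA endpoints 10.10.2.1 and 10.10.5.2, which sit in different /24 networks, actually reach each other across the wireless LAN (no routes are shown in the post), whether the pre-shared keys match, or whether a firewall drops the IKE port, so those remain manual checks.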