IPsec tunnel between 3 routerboards

I have two IPsec tunnels.

From Head office router to 1 branch office MikroTik routers.
From Head office router to 2 branch office MikroTik routers.

Each tunnel HEAD OFFICE->BRANCH OFFICE works normally,
but BRANCH OFFICE->BRANCH OFFICE does not work.
Branch offices do not ping or connect to each other.

What must we do to connect branch office 1 to branch office 2?

Post your config… but IPSec isn’t routable. You most likely will need to use a tunnel over IPSec (e.g. EOIP, IPIP, GRE, etc).

If it is not due to a missing firewall rule for IPsec UDP port 500 and IPsec-ESP/IPsec-AH, then it must be a missing NAT bypass rule.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_Bypass

The easiest way to get what you want is to make a 3rd IPsec from branch1 to branch2. This also gives the fastest connection.

If you need the network to scale better you’ll need to add branch2 subnet on head-side of head-branch1-policy and branch1 subnet on head-side of head-branch2-policy - either by using several policies on same peer, or by scaling the subnets.

example: head: 10.0.0.1/24, branch1: 10.0.1.1/24, branch2: 10.0.2.1/24
head policy for branch1peer: src 10.0.0.0/24, dst 10.0.1.0/24, action encrypt
head policy for branch1peer: src 10.0.2.0/24, dst 10.0.1.0/24, action encrypt
head policy for branch2peer: src 10.0.0.0/24, dst 10.0.2.0/24, action encrypt
head policy for branch2peer: src 10.0.1.0/24, dst 10.0.2.0/24, action encrypt
branch1 policy: src 10.0.1.0/24, dst 10.0.0.0/24, action encrypt
branch1 policy: src 10.0.1.0/24, dst 10.0.2.0/24, action encrypt
branch2 policy: src 10.0.2.0/24, dst 10.0.0.0/24, action encrypt
branch2 policy: src 10.0.2.0/24, dst 10.0.1.0/24, action encrypt

---- OR ----

head policy for peer 0.0.0.0: src 10.0.0.1, dst 10.0.0.0/24, action none
branch1 policy for peer 0.0.0.0: src 10.0.1.1, dst 10.0.1.0/24, action none
branch2 policy for peer 0.0.0.0: src 10.0.2.1, dst 10.0.2.0/24, action none
head policy for branch1peer: src 10.0.0.0/22, dst 10.0.1.0/24, action encrypt
head policy for branch2peer: src 10.0.0.0/22, dst 10.0.2.0/24, action encrypt
branch1 policy: src 10.0.1.0/24, dst 10.0.0.0/22, action encrypt
branch2 policy: src 10.0.2.0/24, dst 10.0.0.0/22, action encrypt

The latter scales better.
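
The /22 policy set from the post above can be checked offline with a small selector-matching model. This is an added example, not part of the thread. It assumes policies are evaluated top to bottom with the first match winning, uses hypothetical peer labels, and assumes the question's original setup had one /24-to-/24 policy per tunnel.

```python
import ipaddress as ip

LAN = {"head": "10.0.0.0/24", "branch1": "10.0.1.0/24", "branch2": "10.0.2.0/24"}

# Assumed starting point from the question: one /24-to-/24 policy per tunnel.
# Rows are (src, dst, action, peer); peer labels are hypothetical.
TWO_TUNNELS = {
    "head": [("10.0.0.0/24", "10.0.1.0/24", "encrypt", "branch1"),
             ("10.0.0.0/24", "10.0.2.0/24", "encrypt", "branch2")],
    "branch1": [("10.0.1.0/24", "10.0.0.0/24", "encrypt", "head")],
    "branch2": [("10.0.2.0/24", "10.0.0.0/24", "encrypt", "head")],
}

# The /22 variant from the post, with the "action none" rows listed first.
SUPERNET = {
    "head": [("10.0.0.1/32", "10.0.0.0/24", "none", None),
             ("10.0.0.0/22", "10.0.1.0/24", "encrypt", "branch1"),
             ("10.0.0.0/22", "10.0.2.0/24", "encrypt", "branch2")],
    "branch1": [("10.0.1.1/32", "10.0.1.0/24", "none", None),
                ("10.0.1.0/24", "10.0.0.0/22", "encrypt", "head")],
    "branch2": [("10.0.2.1/32", "10.0.2.0/24", "none", None),
                ("10.0.2.0/24", "10.0.0.0/22", "encrypt", "head")],
}

def match(policies, src, dst):
    """Return (action, peer) of the first policy whose selectors match."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for p_src, p_dst, action, peer in policies:
        if s in ip.ip_network(p_src) and d in ip.ip_network(p_dst):
            return action, peer
    return None, None

def trace(table, router, src, dst):
    """Follow a packet hop by hop; returns (path, reached_destination_lan)."""
    path = [router]
    while ip.ip_address(dst) not in ip.ip_network(LAN[router]):
        action, peer = match(table[router], src, dst)
        if action != "encrypt" or len(path) > len(table):
            return path, False  # no tunnel selected for this packet
        router = peer
        path.append(router)
    return path, True

if __name__ == "__main__":
    for name, table in (("two tunnels", TWO_TUNNELS), ("/22 policies", SUPERNET)):
        print(name, trace(table, "branch1", "10.0.1.5", "10.0.2.5"))
    print("router to own LAN:", match(SUPERNET["branch1"], "10.0.1.1", "10.0.1.20"))
    print("same, none row removed:", match(SUPERNET["branch1"][1:], "10.0.1.1", "10.0.1.20"))
```

The last two lines show what the "action none" rows are for: without them, the router's own traffic to its local subnet falls inside the /22 destination and is selected for encryption toward the head office.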