Hello,
Is it possible to create an IPsec tunnel (Office1—Office2) under these conditions?
Office1 (passive side): static public IP
Office2 (active side): static private IP
Create an L2TP tunnel between the two (public IP = server side) and use the L2TP IPs to set up the IPsec tunnel.
My question is about pure IPsec in tunnel mode, not about L2TP/IPIP/etc.
How does Office 2 get out to the public internet? Is there NAT involved somewhere or do both offices share infrastructure and private IP space at some point?
As long as both routers can communicate directly with one another, IPsec shouldn’t care if one IP is public and the other is private. If you’re utilizing NAT/DHCP in the chain, you’ll have to configure your tunnel for aggressive mode.
How does Office 2 get out to the public internet? Is there NAT involved somewhere
Through NAT
or do both offices share infrastructure and private IP space at some point?
No
As long as both routers can communicate directly with one-another, IPSec shouldn’t care if one IP is public and the other is private.
Can you show a Mikrotik configuration for an IPsec tunnel “privateIP-to-publicIP”?
The main problem: what should I enter in the IPsec policy field “SA Dst. Address” on the Office1 Mikrotik?
Since you won’t know office2’s IP, you can’t create a static policy so you’ll have IPsec generate the policy dynamically for you.
On the main office1 side you’ll create a peer of 0.0.0.0/0 and tick the “generate policy” option. You’d do the same on the other (office2) end, only specifying the office1 IP there.
I haven’t played around with this type of scenario, so you MAY have to utilize the L2TP setup noib suggested and create your IPsec tunnel within that.
Create policy template instead of an ordinary policy, then specify that template in the peer configuration. Also enable ‘generate policy’ option in the peer config.
“generate policy” on the Office1 Mikrotik generates only a policy for traffic from Office2 to Office1, and I can ping from Office2 to Office1.
But for traffic from Office1 to Office2 I need to create a policy manually. There is the main problem: what should I enter in the IPsec policy field “SA Dst. Address” on the Office1 Mikrotik?
Generate policy creates a policy as was requested by the initiator (client). Policy groups and policy templates allow you to check/restrict the policy to be created.
You cannot use a static policy on the responder, since the initiator’s IP is not known in advance. That’s exactly the case the ‘generate policy’ option exists for. You should specify the correct policy in your “Office 2”, and a similar (inverted) policy will be created in your “Office 1” automatically.
You should specify the correct policy in your “Office 2”, and a similar (inverted) policy will be created in your “Office 1” automatically.
“generate policy” generates only a “similar” (“not inverted”) policy.
How can I add an “inverted” policy?
Please share your current ipsec configuration. I’ll try to check if there are any apparent mistakes.
And, by the way, the use of policy groups/templates appears to be mandatory since early 6.x for generate policy to work correctly. At least I remember having some trouble with generate policy in 6.7 or 6.8 that disappeared as soon as I defined the correct policy group.
I use v6.24/6.25


That’s hardly half the info we need. Can you please do it like this: type the following in the terminal window, then copy and paste the output here:
/ip ipsec export
From what I already see, you need to enable NAT traversal on both devices, otherwise this setting remains ineffective.
> From what I already see, you need to enable NAT traversal on both devices, otherwise this setting remains ineffective.
No need for NAT Traversal on the passive side.
IPsec config from the Office2 Mikrotik:
/ip ipsec export
# Phase 2 proposal (default entry)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1
# Phase 1 peer: Office1's public IP, PSK + XAuth
/ip ipsec peer
add address=[office1ip]/32 auth-method=pre-shared-key-xauth enc-algorithm=aes-128 secret=xxxxxxxx xauth-login=test233 xauth-password=xxxxxxxx
# Static policy: Office2 LAN -> Office1 LAN, SA destination = Office1 public IP
/ip ipsec policy
add dst-address=[office1localnet]/24 sa-dst-address=[office1ip] sa-src-address=0.0.0.0 src-address=[office2localnet]/24 tunnel=yes
You’ve got it wrong. The use of NAT-T is something that both VPN endpoints should negotiate. If it is disabled on one of your VPN endpoints, then neither uses it.
The ‘sa-src-address’ parameter should be the real external IP address of your Office1.
Try changing the above mentioned settings. If the tunnel doesn’t start working, please share the ipsec configuration from your Office1 router as well.
The use of NAT-T is something that both VPN endpoints should negotiate. If it is disabled on one of your VPN endpoints, then neither uses it.
You are wrong
The ‘sa-src-address’ parameter should be the real external IP address of your Office1.
You are wrong
You must know it better, then.
Why are you asking for help, when all the IPsec tunnels I’ve ever built just work fine?
I’m quitting this conversation.
Sorry and good luck!
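To tie together the two threads of advice above (the policy template plus ‘generate policy’ on the responder in the posts about “SA Dst. Address”, and the NAT-T remark in the post just above), here is a complete responder/initiator pair for this scenario. This is an added example, not configuration posted by anyone in this thread or taken from the MikroTik wiki. It uses RouterOS 6.2x syntax (the pre-6.43 peer layout the original poster exported), and the addresses are assumed for illustration: Office1 public IP 203.0.113.1 with LAN 192.168.1.0/24 behind WAN interface ether1, Office2 with private WAN address 10.0.0.2 behind a NAT gateway and LAN 192.168.2.0/24. On the responder there is no static policy at all, so there is no “SA Dst. Address” to fill in: the template names the two subnets, and the actual policy (with dynamic=yes) is created when Office2 connects.

```routeros
# ===== Office1: responder, static public IP 203.0.113.1, LAN 192.168.1.0/24 =====
# Addresses are assumed for illustration. RouterOS 6.2x (pre-6.43) syntax.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# Policy group and template. The template restricts what an initiator may ask for:
# only a 192.168.1.0/24 <-> 192.168.2.0/24 tunnel will be accepted and generated.
/ip ipsec policy group
add name=office2
/ip ipsec policy
add group=office2 template=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 proposal=default

# Responder peer. Office2's real address is unknown (it is behind NAT), so accept
# any address, stay passive, and let IKE generate the policy from the template.
/ip ipsec peer
add address=0.0.0.0/0 passive=yes auth-method=pre-shared-key secret=CHANGEME \
    exchange-mode=main nat-traversal=yes generate-policy=port-strict \
    policy-template-group=office2 send-initial-contact=no

# Let IKE (500), NAT-T (4500) and ESP in from the internet on the WAN interface.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept place-before=0
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept place-before=0

# Tunnel traffic must bypass masquerade, or it is NATed before IPsec can match it.
# (Classic cause of "tunnel is up but no ping".)
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept place-before=0


# ===== Office2: initiator, private WAN 10.0.0.2 behind NAT, LAN 192.168.2.0/24 =====
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# Initiator peer pointing at Office1's public IP. NAT-T is negotiated between the
# two peers (RFC 3947 vendor ID), so it has to be enabled on this side as well.
/ip ipsec peer
add address=203.0.113.1/32 auth-method=pre-shared-key secret=CHANGEME \
    exchange-mode=main nat-traversal=yes

# Static policy on the initiator. sa-src-address is this router's own WAN address
# (the private one; the NAT gateway rewrites it on the way out), sa-dst-address is
# Office1's public IP. The original poster used 0.0.0.0 for sa-src-address instead.
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=10.0.0.2 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt proposal=default

/ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept place-before=0


# ===== Verification (run on Office1 after Office2 has initiated) =====
# Expect one policy with dynamic=yes matching the template's subnets, one
# remote-peer entry with Office2's NAT gateway address and port 4500, and a
# pair of installed SAs.
/ip ipsec policy print
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Two things worth checking if the tunnel negotiates but traffic does not flow: that the srcnat bypass rule sits above the masquerade rule on both routers (hence place-before=0), and that the generated policy on Office1 lists exactly the subnets you expect; if Office2 proposes anything the template does not cover, generate-policy=port-strict rejects it and nothing is created.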
Hi colleagues!
I have the same question.
I’ve been trying to configure it (I started with the code exactly from that headline) with the Road Warrior setup, IKEv2 RSA auth (on http://wiki.mikrotik.com/wiki/Manual:IP … 2_RSA_auth).
I need just an IPsec tunnel between my 2 Mikrotiks.
Is it possible to configure Mikrotik 1 with a private IP as a client and Mikrotik 2 with a public IP as a server?
Please help me!
Thanks in advance.
Hi There,
I’m trying to do this setup too.
I came across Greg Sowell’s page (http://gregsowell.com/?p=1290) and it has been so helpful. Unfortunately, when I try his instructions for the part where one end is a private IP, I manage to establish the tunnel but the two sides are unable to ping each other. I’m still figuring out what I missed.
Any luck from your end?
Thank you,