Hey all,
I’m obviously very new to MikroTik, but I have experience with WatchGuard and Draytek firewalls.
At my org, we use WatchGuard on two of our main sites and Drayteks on remote sites. VPN S2S IKEv2 setup is pretty simple on both devices. I decided to try a MikroTik RB5009UG+S+ and configured the S2S connection; it established fine, etc.
Site A = Head office with WatchGuard, Site B = Remote office with MikroTik
I can ping Site B from Site A, but I can’t ping Site A from Site B.
I get that configuring VPN on MK routers is a bit different, but I believe I did all I needed to do as per this article.
Between WG and Draytek, all I had to do was create tunnels between the correct networks, and all was good to go. With MikroTik, I am missing something.
I can get a specific IP working by adding it to the “Address List” as 10.2.7.50/24, but I can only ping that one IP address 10.2.7.50. I’m sure it’s something silly. If I am missing routes, how do I get it done? On Draytek, routes were created automatically/dynamically.
Below is my desensitised config. I have three tunnels there:
- WG1 (Site A) <> MT (Site B),
- WG2 (Site C) <> MT (Site B),
- Draytek (Site D) <> MT (Site B)
Many thanks in advance.
# 2023-11-23 17:51:18 by RouterOS 7.12.1
# software id = PCBW-V2SN
#
# model = RB5009UG+S+
# serial number = xxxxxx
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan10
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=TROOLI user=\
dsl@user
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] hash-algorithm=sha256
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
"Phase 2" prf-algorithm=sha256
add name="XXX P2"
/ip ipsec peer
add address=123.123.123.123/32 exchange-mode=ike2 local-address=\
234.234.234.234 name=XXX profile="XXX P2"
add address=123.111.222.123/32 exchange-mode=ike2 local-address=234.234.234.234 \
name=ZZZ profile="Phase 2"
add address=222.123.123.111/32 exchange-mode=ike2 local-address=234.234.234.234 \
name=CCC profile="Phase 2"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ASP-P1 pfs-group=\
ecp384
add name=Cym-P1
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.250
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether2-lan10 name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.0.0.1/24 interface=ether2-lan10 network=10.0.0.0
add address=10.0.1.1/24 interface=TROOLI network=10.0.1.0
add address=10.0.1.20/24 interface=TROOLI network=10.0.1.0
/ip firewall nat
add action=masquerade chain=srcnat
add action=accept chain=srcnat dst-address=10.2.7.0/24 log=yes out-interface=\
TROOLI src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=10.0.1.0/24 log=yes out-interface=\
TROOLI src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.16.0/24 log=yes \
out-interface=TROOLI src-address=10.0.0.0/24
/ip ipsec identity
add my-id=address:234.234.234.234 peer=ZZZ remote-id=\
address:123.111.222.123
add my-id=address:234.234.234.234 peer=CCC remote-id=\
fqdn:bv2.company.com
add my-id=address:234.234.234.234 peer=XXX
/ip ipsec policy
add dst-address=10.2.7.0/24 level=unique peer=pv5.company.com src-address=\
10.0.0.0/24 tunnel=yes
add dst-address=192.168.16.0/24 level=unique peer=bv2.company.com \
src-address=10.0.0.0/24 tunnel=yes
add dst-address=10.0.1.0/24 peer=XXX src-address=10.0.0.0/24 tunnel=yes
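Editor's note with an added example (this is not part of the poster's export and not MikroTik's documentation verbatim). The one-way symptom described above, where Site A can reach Site B but Site B cannot initiate towards Site A and the Site B router only reaches a host that the far end has been told about individually, is what RouterOS produces when the srcnat masquerade rule sits in front of the IPsec accept rules, as it does in the export (masquerade is rule 0, the three accept rules follow it). RouterOS applies srcnat before it matches outbound IPsec policies, so a packet from 10.0.0.0/24 to 10.2.7.0/24 is rewritten to the PPPoE address first and then no longer matches the policy's src-address; the masquerade rule therefore also hides a rule-order problem behind what looks like a routing problem. Pings started from Site A work because the reply belongs to an existing tracked connection and is not translated. The fragment below assumes the subnets, peer names and interface name TROOLI from the export and shows the check, the fix and the verification commands:

```routeros
# Added example (editor's, not the poster's export). Assumes the export above:
# local LAN 10.0.0.0/24, remote subnets 10.2.7.0/24, 192.168.16.0/24 and
# 10.0.1.0/24, PPPoE interface TROOLI, RouterOS 7.

# 1. Check rule order and hit counters. With action=masquerade at position 0,
#    the accept rules at positions 1-3 are never consulted for new connections
#    from 10.0.0.0/24, so their packet/byte counters stay at 0.
/ip firewall nat print stats

# 2. Put one accept rule in front of the masquerade. The ipsec-policy matcher
#    selects any packet that an outbound IPsec policy will encapsulate, so a
#    single rule covers all three tunnels and any tunnel added later.
/ip firewall nat add chain=srcnat action=accept ipsec-policy=out,ipsec \
    place-before=0 comment="bypass srcnat for IPsec policy traffic"

#    Alternative that keeps the per-subnet accept rules from the export:
#    move them above the masquerade. The numbers are the positions shown by
#    "print"; repeat for each accept rule.
#    /ip firewall nat move 1 0

# 3. Confirm the policies are active (flag A, PH2 State established) and that
#    security associations were installed for each peer.
/ip ipsec policy print detail
/ip ipsec active-peers print
/ip ipsec installed-sa print

# 4. Test from the router itself, sourcing from the LAN address so the packet
#    matches src-address=10.0.0.0/24 of the policy. A plain /ping would source
#    from the PPPoE address and never match any policy.
/ping 10.2.7.50 src-address=10.0.0.1

# 5. While the ping runs, the new accept rule's counters should increase and
#    current-bytes on the matching installed SA should grow. If the accept rule
#    counts but the SA does not, the problem is in the policy or proposal, not NAT.
/ip firewall nat print stats
/ip ipsec installed-sa print
```

The `ipsec-policy=out,ipsec` form is preferable to listing subnets because it cannot fall out of sync with `/ip ipsec policy`; if the per-subnet rules are kept instead, every one of them has to be placed above the masquerade, which `print stats` makes easy to confirm.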