IPsec VPN Site-to-Site

Hi!

I'm struggling to get site-to-site IPsec configured between two sites. Both RB2011UiAS units are behind WAN routers (TP-Link (ADSL) and Ubiquiti (WiFi)) in a DMZ configuration.

I followed the MikroTik manual, including the NAT parts. It seems that both RBs are communicating and I can see the remote peer connections, but I'm not getting any pings through from either local network.
I'm not sure about the gateway config in the manual; it points to publicIP.254. I assume the below should be OK?

 #       DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 A S   0.0.0.0/0                          192.168.1.1             2   (WAN router)
 1 ADC   192.168.1.0/24     192.168.1.2     ether1-gateway          0
 2 ADC   192.168.88.0/24    192.168.88.1    bridge-local            0

Would appreciate any thoughts.
S

I’m not sure what thoughts you are looking to receive… You have not provided any information thus far that can help in determining your problem and a solution. I’m not going to start guessing at what your problem could be, maybe someone else will be more willing to play that game.
If you want to provide more information on your configuration then we can help…

You have a point :)
Was hoping that I made an obvious mistake with the gateway.
On both routers two remote peers are established - initiator and responder.

OFFICE 1
========
RouterOS 6.35.4
public=999.999.999.999

/ip address
add address=192.168.77.1/24 interface=br-office network=192.168.77.0
add address=192.168.1.2/24 interface=ether1-gw network=192.168.1.0

/ip route
#adsl WAN router
add distance=2 gateway=192.168.1.1

/ip ipsec peer
add address=888.888.888.888/32 secret=secret

/ip ipsec policy
add dst-address=192.168.88.0/24 sa-dst-address=888.888.888.888 sa-src-address=999.999.999.999 src-address=192.168.77.0/24 \
    tunnel=yes

/ip firewall nat
add chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=masquerade chain=srcnat out-interface=ether1-gw

/ip firewall filter
add chain=forward connection-state=established,related dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add chain=forward connection-state=established,related dst-address=192.168.88.0/24 src-address=192.168.77.0/24


OFFICE 2
========
RouterOS 6.35.4
public=888.888.888.888

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=wlan1 network=192.168.88.0
add address=192.168.1.2/24 interface=ether1-gateway network=192.168.1.0

/ip route
#wifi WAN router
add distance=2 gateway=192.168.1.1

/ip ipsec peer
add address=999.999.999.999/32 secret=secret

/ip ipsec policy
add dst-address=192.168.77.0/24 sa-dst-address=999.999.999.999 sa-src-address=888.888.888.888 src-address=192.168.88.0/24 \
    tunnel=yes

/ip firewall nat
add chain=srcnat dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.88.0/24

/ip firewall filter
add chain=forward connection-state=established,related dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add chain=forward connection-state=established,related dst-address=192.168.88.0/24 src-address=192.168.77.0/24

Would appreciate any assistance.
S

Why do you allow only established,related traffic to be forwarded?
When you have that rule, you also need one or more rules for new traffic that you want to allow, below those, or else nothing will go through!

It is in the manual for the case where fasttrack is enabled, and I'm not sure whether it is enabled. So I tried it with and without these rules... no luck either way. I removed them again.
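The two points raised in this thread (the srcnat bypass rule for the remote subnet, and the forward chain that only accepts established,related traffic) both come down to rule order: on egress RouterOS runs srcnat before the IPsec policy lookup, so if masquerade matches first the packet leaves with source 192.168.1.2, no longer matches the policy selector 192.168.77.0/24 -> 192.168.88.0/24, and goes to the WAN router in the clear. The following is an added illustration, not code from the original posts and not RouterOS itself: a small Python model of the srcnat chain, the forward chain and the policy selector, using the Office 1 addresses from the thread. It assumes first-match-wins processing and an implicit final drop in the forward chain (as in the RouterOS default firewall); the interface-address table and the `Packet`/`Rule`/`Policy` classes are hypothetical names chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addresses from the thread: the Office 1 router holds 192.168.1.2 on ether1-gw,
# which is what masquerade rewrites the source to. (Constructed table.)
IFACE_ADDR = {"ether1-gw": "192.168.1.2"}


@dataclass
class Packet:
    src: str
    dst: str
    state: str = "new"            # connection-state: new / established / related
    out_iface: str = "ether1-gw"  # the default route sends remote-LAN traffic out the WAN side


@dataclass
class Rule:
    chain: str
    action: str = "accept"        # RouterOS default when no action= is given
    src: Optional[str] = None
    dst: Optional[str] = None
    out_interface: Optional[str] = None
    states: tuple = ()

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.out_interface and p.out_iface != self.out_interface:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


@dataclass
class Policy:
    src: str
    dst: str

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))


def run_srcnat(rules: List[Rule], p: Packet) -> Packet:
    """First matching srcnat rule wins: accept leaves the source alone,
    masquerade rewrites it to the outgoing interface address."""
    for r in (r for r in rules if r.chain == "srcnat"):
        if r.matches(p):
            if r.action == "masquerade":
                return Packet(IFACE_ADDR[p.out_iface], p.dst, p.state, p.out_iface)
            return p
    return p


def run_forward(rules: List[Rule], p: Packet) -> bool:
    """First matching forward rule decides; assumption: implicit final drop."""
    for r in (r for r in rules if r.chain == "forward"):
        if r.matches(p):
            return r.action == "accept"
    return False


def egress_path(nat_rules: List[Rule], policy: Policy, p: Packet) -> str:
    """srcnat is applied before the IPsec policy lookup; report how the packet leaves."""
    after_nat = run_srcnat(nat_rules, p)
    return "ipsec" if policy.matches(after_nat) else "plaintext via " + after_nat.src


# Office 1 policy and NAT rules as posted, plus a constructed LAN-to-LAN ping.
POLICY = Policy("192.168.77.0/24", "192.168.88.0/24")
BYPASS = Rule("srcnat", src="192.168.77.0/24", dst="192.168.88.0/24")   # accept = no NAT
MASQ = Rule("srcnat", action="masquerade", out_interface="ether1-gw")
PING = Packet("192.168.77.10", "192.168.88.10")

# Forward chain as posted (established,related only) and with an accept for new traffic.
EST_ONLY = [
    Rule("forward", src="192.168.88.0/24", dst="192.168.77.0/24", states=("established", "related")),
    Rule("forward", src="192.168.77.0/24", dst="192.168.88.0/24", states=("established", "related")),
]
WITH_NEW = EST_ONLY + [Rule("forward", src="192.168.77.0/24", dst="192.168.88.0/24")]

if __name__ == "__main__":
    print("bypass before masquerade:", egress_path([BYPASS, MASQ], POLICY, PING))
    print("masquerade before bypass:", egress_path([MASQ, BYPASS], POLICY, PING))
    print("new ping, established,related only:", run_forward(EST_ONLY, PING))
    print("new ping, with accept rule for new traffic:", run_forward(WITH_NEW, PING))
```

Run it and compare the two NAT orderings: the posted config has the bypass rule first, which is the correct order; swapping the two rules is enough to send LAN-to-LAN traffic unencrypted to the WAN router with the policy never matching. The forward-chain check shows the replier's point: with only the established,related rules and a drop at the end, the first packet of a ping never gets through.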