IPSEC with multiple overlapping sites.

Hi all,

I’m rather new here and it would be great to receive some feedback on my implementation scenario of MikroTik :)

All the servers (A, B and C) should be able to reach Server-main. Server-main should be able to initiate connections to all the servers in the three different sites. The MikroTik sites connect to the main site through an IPsec connection. These three sites have an overlapping subnet.
I’m not really sure whether I’m approaching this problem in the correct way. I think something like this would put me in the right direction. Maybe you guys have seen a similar set-up?

Server-A tries to reach the http-server on server-main:

  1. http-request to 10.1.1.50, sent to mtk-a
  2. mtk-a src-nat 1.1.1.1 and dst-nat to 1.1.1.2 (mtk-main)
  3. mtk-main src-nat to 10.1.1.1 and dst-nat 10.1.1.50

Server-main tries to reply

  1. http-reply to 10.1.1.1
  2. mtk-main src-nat 1.1.1.2 and dst-nat to 1.1.1.1 (mtk-a)
  3. mtk-a src-nat to 192.168.1.2 and dst-nat to 192.168.1.5

192.168.1.5 <-> 156.30.80.21 <-> (IPSEC/mtk-a) 1.1.1.1 -- 1.1.1.2 (IPSEC/mtk-main) 212.216.118.20 <-> 10.1.1.50

[Attachment: Brainstorm.jpg (network diagram)]
I also searched the internet and found a similar set-up: http://wiki.openwrt.org/doc/howto/vpn.ipsec.overlappingsubnets.racoon , but I’m not really sure if the implementation is the same with mtk.

Thanks in advance for the help :)
Kind regards

I wouldn’t think you would be able to use the standard IPsec tunnel setup since Sites A, B, C are all using the same internal subnet address space of 192.168.1.0/24. You would only be able to create one IPsec tunnel because the other two would point to the same internal subnet, so there would be no way for the router to differentiate the traffic on the remote sites. I think if you were able to change the subnet for each branch to something like 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24, it would drastically simplify your setup. Then all you would have to do is create a hub and spoke configuration on MTK-Main, add a few allow NAT/firewall statements, and you would be good to go.

One other question: according to the diagram, it appears that there is an ISP router in front of each Mikrotik. Were you putting it there just to show each of the hops of the network, or is the static IP really on the ISP router and for some reason your Mikrotiks are getting internal DHCP addresses? If so, you should put your static IPs directly on your Mikrotik and get the other router out of the equation if at all possible.

You may be able to hack it together, but you should fix your IPs.
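One way to get the per-hop translation the first post sketches, without renumbering the branches as the reply suggests, is 1:1 NAT (RouterOS `action=netmap`) on each branch router, so that every branch presents its 192.168.1.0/24 to the main site as a distinct alias subnet. The RouterOS configuration below is an added example, not configuration from either poster or from MikroTik; the alias subnets 10.10.1.0/24 (site A), 10.10.2.0/24 (site B) and 10.10.3.0/24 (site C) and the WAN interface name ether1-wan are my assumptions, the public addresses 156.30.80.21 and 212.216.118.20 come from the path line in the first post, the public addresses of sites B and C are placeholders because the thread does not give them, and a working IPsec peer and proposal between the routers is assumed to exist already.

```routeros
# ===== mtk-a (site A, LAN 192.168.1.0/24) =====
# Assumed alias for this site: 10.10.1.0/24. netmap is a 1:1 mapping, so
# 192.168.1.5 appears as 10.10.1.5 at the main site and 10.10.1.5 maps back
# to 192.168.1.5. That is what lets Server-main initiate a connection to one
# branch host; a many-to-one src-nat to a single address could not do that.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=10.1.1.0/24 action=netmap to-addresses=10.10.1.0/24 comment="site-A LAN -> alias (toward main)"
add chain=dstnat src-address=10.1.1.0/24 dst-address=10.10.1.0/24 action=netmap to-addresses=192.168.1.0/24 comment="alias -> site-A LAN (from main)"
# The internet masquerade must come AFTER the netmap rule; if it is first,
# tunnel traffic is masqueraded and the IPsec policy below never matches.
add chain=srcnat out-interface=ether1-wan action=masquerade comment="internet (assumed WAN interface name)"

# srcnat runs before IPsec policy matching on the way out, and decryption runs
# before dstnat on the way in, so the policy selects on the alias, not the LAN.
/ip ipsec policy
add src-address=10.10.1.0/24 dst-address=10.1.1.0/24 sa-src-address=156.30.80.21 sa-dst-address=212.216.118.20 tunnel=yes action=encrypt comment="site A -> main"

# ===== mtk-main (LAN 10.1.1.0/24, no overlap, so no translation needed) =====
# Keep main-to-branch traffic out of masquerade, then one policy per branch alias.
/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.10.0.0/16 action=accept comment="no NAT toward branch aliases"
add chain=srcnat out-interface=ether1-wan action=masquerade comment="internet (assumed WAN interface name)"
/ip ipsec policy
add src-address=10.1.1.0/24 dst-address=10.10.1.0/24 sa-src-address=212.216.118.20 sa-dst-address=156.30.80.21 tunnel=yes action=encrypt comment="main -> site A"
add src-address=10.1.1.0/24 dst-address=10.10.2.0/24 sa-src-address=212.216.118.20 sa-dst-address=<SITE-B-PUBLIC-IP> tunnel=yes action=encrypt comment="main -> site B"
add src-address=10.1.1.0/24 dst-address=10.10.3.0/24 sa-src-address=212.216.118.20 sa-dst-address=<SITE-C-PUBLIC-IP> tunnel=yes action=encrypt comment="main -> site C"

# ===== checks (either router) =====
# Rule hit counters show whether the netmap rules, not the masquerade, are
# catching the tunnel traffic; the connection table shows the translated pair.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"10.1.1.50"
/ip ipsec installed-sa print
```

Sites B and C repeat the mtk-a block with their own alias subnet and public address. On mtk-main the branch hosts now appear as 10.10.1.5, 10.10.2.5 and 10.10.3.5, which is also what its firewall filter rules and logs see, so any rules allowing Server-main to initiate connections to a branch server are written against the alias addresses, and a log entry from 10.10.2.5 is unambiguously site B even though all three sites still run 192.168.1.0/24 internally.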