Hi,
I have just configured a new CCR-1009 at our main site and we have three remote sites all running RB2011s.
I have configured an L2TP tunnel from each remote site back to the main site and added the routes:
Main Site
/ip route
add distance=1 dst-address=10.3.0.0/16 gateway=172.16.1.253
add distance=1 dst-address=10.6.0.0/16 gateway=172.16.1.252
add distance=1 dst-address=192.168.5.0/24 gateway=172.16.1.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=172.16.1.0/24
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=192.168.50.0/24
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=10.1.20.0/24
192.168.5.99 Remote Router
/ip route
add distance=1 dst-address=10.1.0.0/16 gateway=HCHQ
add distance=1 dst-address=10.1.20.0/24 gateway=HCHQ
add distance=1 dst-address=192.168.1.0/24 gateway=HCHQ
add distance=1 dst-address=192.168.50.0/24 gateway=HCHQ
/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.0.0/16
add action=accept chain=srcnat dst-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none
If I ping from the main site on one of our workstations (either 192.168.1.99 or 10.1.20.3) to the remote site’s test workstation (192.168.5.125), the ping fails. I have tested multiple remote IPs to check it is not the workstation.
From the main site I can ping all of the VPN remote interfaces in the 172.16.1.0/24 range successfully.
Am I missing something?
I’ve attached a network diagram for further reference.
networkdiagram.pdf (34.6 KB)
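As an added illustration (not part of the original post and not RouterOS code), here is a small first-match evaluator for the two srcnat chains posted above, so each tunnel flow can be checked against the rule order; the main-site tunnel interface name "l2tp-main" is an assumption, and the rule tables are a constructed copy of the post's config.

```python
import ipaddress

# Constructed copy of the posted srcnat rules, in RouterOS evaluation order.
# "l2tp-main" is an assumed name for the main site's L2TP server binding.
MAIN_SITE = [
    {"action": "masquerade", "out": "ether1"},
    {"action": "masquerade", "out": "ether1", "src": "172.16.1.0/24"},
    {"action": "accept", "dst": "192.168.5.0/24", "src": "192.168.1.0/24"},
    {"action": "accept", "dst": "192.168.5.0/24", "src": "192.168.50.0/24"},
    {"action": "accept", "dst": "192.168.5.0/24", "src": "10.1.20.0/24"},
]
REMOTE_SITE = [
    {"action": "accept", "dst": "10.1.0.0/16"},
    {"action": "accept", "dst": "192.168.1.0/24"},
    {"action": "accept", "dst": "192.168.50.0/24"},
    {"action": "masquerade"},  # defconf rule: no out-interface restriction
]


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def match(rule, src, dst, out_iface):
    """True when every matcher present on the rule matches the packet."""
    if "out" in rule and rule["out"] != out_iface:
        return False
    if "src" in rule and not _in(src, rule["src"]):
        return False
    if "dst" in rule and not _in(dst, rule["dst"]):
        return False
    return True


def srcnat_action(chain, src, dst, out_iface):
    """First matching rule decides; None means no rule matched, which
    leaves the packet untranslated just like an explicit accept."""
    for rule in chain:
        if match(rule, src, dst, out_iface):
            return rule["action"]
    return None


def audit(chain, flows):
    """Map each (src, dst, out_iface) flow to the action it receives."""
    return {f: srcnat_action(chain, *f) for f in flows}


if __name__ == "__main__":
    flows = [("192.168.1.99", "192.168.5.125", "l2tp-main"),
             ("10.1.20.3", "192.168.5.125", "l2tp-main"),
             ("192.168.1.99", "203.0.113.10", "ether1")]
    for flow, action in audit(MAIN_SITE, flows).items():
        print(flow, "->", action)
```

Evaluating the remote chain with the defconf masquerade moved to the top shows why rule order matters: the reply traffic for the tunnel would then be masqueraded behind the remote router instead of accepted.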