LAN-to-LAN IPSEC tunnel, one side with dynamic IPs

mkolus · January 18, 2016, 3:41pm

Hello!

I need a LAN to LAN (or Site to Site) IPSEC tunnel. One side has a dynamic ip address.. Let’s call the “static” side “A”, and the dynamic side “B”.

I’ve managed, using mode config, to create a tunnel from “Router B” to “LAN A”, but what i need is “LAN B to LAN A” and vice-versa. Hosts on both LANs must be able to access the hosts on the other LAN.

Is this even possible?

TIA.

ZeroByte · January 18, 2016, 4:03pm

You should probably use L2TP or some “negotiated” protocol like that instead of raw IPSec, because IPSec wants static endpoints at both sides. Let the static side be the server, and the dynamic side be the client that “dials in” to the server.

Then you can associate the routed LAN’s IP range on the secret (user ID) for the client site. (use the ‘Routes’ field to set this)

mrz · January 18, 2016, 4:08pm

ModeConf is a lot better approach than L2TP/Ipsec.
You should be able to access remote subnets as long as client device requests to create policies to them.
See the road warrior configuration example in the manual. It shows everything you need to set up.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf

ZeroByte · January 18, 2016, 4:22pm

Nice. I’m going to read through the article some more. If your “inside” topology is more complicated, is there any way to dynamically specify the split tunnel routes?

mkolus · January 18, 2016, 5:01pm

I’ve read this to get to the setup i have right now. I’m able to access the remote subnet from the router, but what i need is that both subnets access each other.

Subnet B (remote, dynamic ip) has 192.168.159.0/24, Subnet A (local, fixed ip) has 192.168.2.0/24.
I’ve included 192.168.2.0/24 in the “split include” parameter on Router A, but i also need “Router A” to create a policy from 192.168.2.0/24 to 192.168.159.0/24.

ZeroByte · January 18, 2016, 5:46pm

I think this is the portion of the Wiki article that’s germane to what you want:

/ip ipsec policy group
add name=RoadWarrior

/ip ipsec policy
add dst-address=192.168.77.0/24 group=RoadWarrior src-address=10.5.8.0/24 \
    template=yes
add dst-address=10.5.8.0/24  group=RoadWarrior src-address=192.168.77.0/24 \
    template=yes
add dst-address=192.168.77.0/24 group=RoadWarrior src-address=192.168.55.0/24 \
    template=yes

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#IpSec_Server_Config

Basically, you’d need to add a row to your road warrior policy which specifies the dst-address=192.168.159.0/24 src=192.168.2.0/24 and another row with the src=192.168.159.0/24 and the dst=192.168.159.0/24

And then use a static IP for the RW-pool address of site B (instead of letting it choose from an IP pool) - e.g. 192.168.77.159 - and use that IP address as the next hop IP for a static route to 192.168.159.0/24 in the Site A router.

jaytcsd · January 19, 2016, 7:03am

@MRZ - Does mode conf have an advantage over EOIP?

I have 2 sites connected by EOIP, could not get 192.168.100.0/24 site to see the other site with 192.168.200.0/24, so I changed the 200 network to 100. It’s working fine.

thanks