MikroTik-ASA s2s IPsec VPN

Hi all,

I have a quick question:
I am configuring an s2s IPsec VPN to connect a single local host (MK) to 6 remote hosts (ASA).
So,

  1. Do I have to create 6 policies in MK?
  2. Can I disable PFS in MK, or is it enabled by default?
  3. And also, how do I configure NAT bypass in MK?
    For example:

MK local host : a.a.a.a
asa remote hosts : b.b.b.b, c.c.c.c, d.d.d.d, e.e.e.e, f.f.f.f, g.g.g.g

So, is this going to be right?
/ip firewall nat
add chain=srcnat action=accept place-before=0
src-address=a.a.a.a/32 dst-address=b.b.b.b/32
src-address=a.a.a.a/32 dst-address=c.c.c.c/32
src-address=a.a.a.a/32 dst-address=d.d.d.d/32
src-address=a.a.a.a/32 dst-address=e.e.e.e/32
src-address=a.a.a.a/32 dst-address=f.f.f.f/32
src-address=a.a.a.a/32 dst-address=g.g.g.g/32

OR

/ip firewall nat
add chain=srcnat action=accept place-before=0
src-address=a.a.a.a/32 dst-address=b.b.b.b/32

/ip firewall nat
add chain=srcnat action=accept place-before=0
src-address=a.a.a.a/32 dst-address=c.c.c.c/32
... and so on.
???

I’ll appreciate it if anyone shares a similar working scenario or example. Thanks.

What are those 6 hosts? What is ASA, and is there only 1 workstation or more, and is it behind NAT?

  1. Do I have to create 6 policies in MK?
  2. Can I disable PFS in MK, or is it enabled by default?
  3. And also, how do I configure NAT bypass in MK?
  1. Yes
  2. I don’t know what the default is, but you would set “pfs-group=none” under “/ip ipsec proposals”
  3. Your second example. One accept rule at the top of the srcnat chain for each VPN tunnel, unless you can summarize the space into fewer statements. If the hub is 172.16/16 and the spokes are each in 10/8 space, with that space present nowhere at the hub, you can just accept (NAT zero, or identity NAT) 172.16/16 to 10/8.
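A worked RouterOS configuration that puts the three answers together (six policies, pfs-group=none on the proposal, and per-tunnel srcnat accept rules placed before the masquerade). This is an added example, not config posted by anyone in the thread: it assumes RouterOS v7 syntax, IKEv2 with pre-shared keys, a WAN interface named ether1, and the thread's placeholder addresses; the names asa-prop, asa-prof, asa-b … asa-g and the PSK strings are placeholders to replace. It also goes one step beyond the answer by showing the single-rule alternative using the ipsec-policy matcher, which bypasses NAT for any traffic that matches an IPsec policy instead of one rule per tunnel.

```routeros
# Added example (not from the thread). RouterOS v7 syntax assumed.
# Hub host a.a.a.a behind the MikroTik; six ASA peers b.b.b.b .. g.g.g.g.
# Placeholders: asa-prop, asa-prof, asa-b..asa-g, PSK-B..PSK-G, ether1.

# Answer 2: phase 2 proposal with PFS disabled (must match the ASA's crypto map)
/ip ipsec proposal
add name=asa-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=none lifetime=1h

# Phase 1 profile (must match the ASA's IKEv2 policy)
/ip ipsec profile
add name=asa-prof hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=8h

# One peer per ASA. Only asa-b and asa-c are written out; repeat for d..g.
/ip ipsec peer
add name=asa-b address=b.b.b.b/32 exchange-mode=ike2 profile=asa-prof
add name=asa-c address=c.c.c.c/32 exchange-mode=ike2 profile=asa-prof

# One identity (PSK) per peer; each ASA gets its own secret
/ip ipsec identity
add peer=asa-b auth-method=pre-shared-key secret="PSK-B-PLACEHOLDER"
add peer=asa-c auth-method=pre-shared-key secret="PSK-C-PLACEHOLDER"

# Answer 1: one tunnel-mode policy per remote host, six in total
/ip ipsec policy
add peer=asa-b tunnel=yes src-address=a.a.a.a/32 dst-address=b.b.b.b/32 \
    proposal=asa-prop
add peer=asa-c tunnel=yes src-address=a.a.a.a/32 dst-address=c.c.c.c/32 \
    proposal=asa-prop

# Answer 3: NAT bypass. The existing masquerade rule stays; each accept rule
# is added with place-before=0 so it lands above the masquerade and stops
# the tunnel traffic from being source-NATed (which would break the policy match).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="default NAT"
add chain=srcnat action=accept place-before=0 src-address=a.a.a.a/32 \
    dst-address=b.b.b.b/32 comment="ipsec bypass asa-b"
add chain=srcnat action=accept place-before=0 src-address=a.a.a.a/32 \
    dst-address=c.c.c.c/32 comment="ipsec bypass asa-c"

# Alternative to the six accept rules: one rule that matches any outbound
# packet already covered by an IPsec policy. Use either this or the per-tunnel
# rules, not both.
# /ip firewall nat
# add chain=srcnat action=accept place-before=0 ipsec-policy=out,ipsec \
#     comment="bypass NAT for all IPsec-policied traffic"

# Checks after bringing a tunnel up:
#   /ip ipsec active-peers print      (phase 1 established per ASA)
#   /ip ipsec installed-sa print      (phase 2 SAs, one pair per policy)
#   /ip firewall nat print            (accept rules must sit above masquerade)
```

The order of the srcnat chain is the usual failure point: if the masquerade rule is evaluated first, the packet leaves with the router's WAN address as its source, no policy matches a.a.a.a any more, and the ASA never sees tunnel traffic. Confirming the rule order with `/ip firewall nat print` is therefore the first check when a policy stays idle.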