Hi guys,
I’ve been brute-forcing my way through learning Mikrotik. Work has a Mikrotik that was set up by an old IT provider (my wife owns the company) - I’ve moved my house over to a Mikrotik Hex and everything is good so far.
I got the ipsec tunnel set up (Youtube video) - PH2 state says ‘established’, so I think it’s working.
WORK
WAN: 24.x.x.170
LAN: 192.168.2.0/24
HOME
WAN: 23.x.x.31
LAN: 192.168.50.0/24
My setup looks like this:

Config as follows (exported with hide-sensitive):
# jan/09/1970 00:20:32 by RouterOS 6.49.2
# software id = **ELIDED**
#
# model = RouterBOARD 750G r3
# serial number = **ELIDED**
/interface bridge
add name=VPN-bridge protocol-mode=none
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
add enc-algorithm=aes-256 name=VPN-2-SPL
/ip ipsec peer
add address=24.**ELIDED**.170/32 exchange-mode=ike2 name=IPSEC-2-SPL profile=\
VPN-2-SPL
/ip ipsec proposal
add name=IKEv2-Proposal pfs-group=modp2048
/ip pool
add name=dhcp_pool1 ranges=192.168.50.1,192.168.50.100-192.168.50.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether5 name=dhcp1
/interface bridge port
add interface=ether1
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.88.11/24 interface=ether2 network=192.168.88.0
add address=192.168.50.2/24 interface=ether5 network=192.168.50.0
add address=23.**ELIDED**.131/29 comment=WAN interface=ether1 network=23.**ELIDED**.128
/ip dhcp-server lease
**ELIDED ALL**
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.50.2
/ip firewall nat
add action=masquerade chain=srcnat comment="MAIN NAT RULES" out-interface=\
ether1 src-address-list=""
add action=dst-nat chain=dstnat comment="VPN FOR BACKUPS" dst-port=5555 \
in-interface=ether1 protocol=tcp to-addresses=192.168.50.60
add action=dst-nat chain=dstnat comment="XDCC DL" dst-port=4000-4050 \
in-interface=ether1 protocol=tcp to-addresses=192.168.50.60
add action=dst-nat chain=dstnat comment=SFTP dst-port=1337 in-interface=\
ether1 protocol=tcp to-addresses=192.168.50.50
/ip ipsec identity
add peer=IPSEC-2-SPL
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=IPSEC-2-SPL proposal=IKEv2-Proposal \
src-address=192.168.50.0/24 tunnel=yes
/ip route
add distance=1 gateway=23.91.85.129
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.2.1
add distance=1 dst-address=192.168.2.0/24 gateway=VPN-bridge pref-src=\
192.168.50.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
I’ve been Googling and I think that’s all the required info to make a good newbie ‘I need help’ post. I’m sure my config is a mess and I’m doing something wrong.
Any help would be awesome as this is my first attempt at an IPSEC tunnel.
Thanks in advance
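An added example, not from the post above and not MikroTik code: a small Python linter for the RouterOS export format shown in the post. It joins the backslash-continued lines, splits the export into per-section add/set commands, and runs the checks a reviewer would want before asking why a tunnel shows ‘established’ but passes no traffic: a masquerade rule that rewrites the tunnel’s source addresses before any srcnat accept rule for the 192.168.50.0/24 to 192.168.2.0/24 pair (RouterOS documents that srcnat runs before the IPsec policy lookup, so the pair needs an accept rule placed above masquerade), static routes to the remote subnet that policy-based IPsec does not need, a WAN interface sitting in a bridge, and an inventory of dst-nat port forwards reachable from the WAN side. The sample export is constructed from the post with the public addresses replaced by documentation-range placeholders, and the WAN-interface detection (masquerade out-interface, or an address commented "WAN") is an assumption of this example.

```python
"""Lint a RouterOS '/export' for site-to-site IPsec pitfalls.

Added example, not from the forum post or MikroTik: a parser for the export
format plus a few defender-side checks, returned as 'CATEGORY: message'.
"""
import re
from dataclasses import dataclass


@dataclass
class Cmd:
    section: str   # e.g. "/ip firewall nat"
    verb: str      # "add" or "set"
    args: dict     # key=value pairs with surrounding quotes stripped


def parse_export(text):
    """Join backslash-continued lines, then split into per-section commands."""
    joined = re.sub(r"\\\n\s*", "", text)
    cmds, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # section header such as "/ip route"
            continue
        verb, _, rest = line.partition(" ")
        args = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', rest)}
        cmds.append(Cmd(section, verb, args))
    return cmds


def lint(cmds):
    """Return findings in a fixed order (NAT, ROUTE, BRIDGE, EXPOSED)."""
    by = lambda sec: [c for c in cmds if c.section == sec]
    findings = []
    # Assumption: the WAN port is the masquerade out-interface or any
    # interface whose address carries the comment "WAN".
    wan = {c.args["out-interface"] for c in by("/ip firewall nat")
           if c.args.get("action") == "masquerade" and "out-interface" in c.args}
    wan |= {c.args["interface"] for c in by("/ip address")
            if c.args.get("comment", "").upper() == "WAN"}
    policies = [c for c in by("/ip ipsec policy") if c.args.get("tunnel") == "yes"]
    srcnat = [c for c in by("/ip firewall nat") if c.args.get("chain") == "srcnat"]

    for p in policies:
        src, dst = p.args.get("src-address"), p.args.get("dst-address")
        # srcnat runs before the IPsec policy lookup, so tunnel traffic must
        # hit an 'accept' rule before it hits masquerade/src-nat.
        for r in srcnat:
            a = r.args
            if a.get("src-address", src) != src or a.get("dst-address", dst) != dst:
                continue            # this rule cannot match the tunnel pair
            if a.get("action") == "accept":
                break               # bypass rule is already in place
            if a.get("action") in ("masquerade", "src-nat"):
                findings.append(f"NAT: rule '{a.get('comment', '?')}' rewrites {src}->{dst} "
                                f"before IPsec; add a srcnat accept rule for that pair above it")
                break
        # Policy-based IPsec needs no route to the remote subnet.
        for r in by("/ip route"):
            if r.args.get("dst-address") == dst:
                findings.append(f"ROUTE: static route to {dst} via {r.args.get('gateway')} "
                                f"is unnecessary for policy-based IPsec")

    for c in by("/interface bridge port"):
        if c.args.get("interface") in wan:
            findings.append(f"BRIDGE: WAN interface {c.args['interface']} is a bridge port; "
                            f"an internet-facing port does not belong in a LAN bridge")

    for r in by("/ip firewall nat"):
        a = r.args
        if a.get("action") == "dst-nat" and a.get("in-interface") in wan:
            findings.append(f"EXPOSED: {a.get('protocol', 'any')}/{a.get('dst-port')} from "
                            f"{a['in-interface']} forwarded to {a.get('to-addresses')} "
                            f"('{a.get('comment', '')}')")
    return findings


def lint_text(text):
    return lint(parse_export(text))


# Constructed sample modelled on the post's export; public addresses replaced
# with documentation-range placeholders (198.51.100.x).
SAMPLE = """\
/interface bridge port
add interface=ether1
/ip address
add address=192.168.50.2/24 interface=ether5 network=192.168.50.0
add address=198.51.100.131/29 comment=WAN interface=ether1 network=198.51.100.128
/ip firewall nat
add action=masquerade chain=srcnat comment="MAIN NAT RULES" out-interface=\\
ether1 src-address-list=""
add action=dst-nat chain=dstnat comment="VPN FOR BACKUPS" dst-port=5555 \\
in-interface=ether1 protocol=tcp to-addresses=192.168.50.60
add action=dst-nat chain=dstnat comment=SFTP dst-port=1337 in-interface=\\
ether1 protocol=tcp to-addresses=192.168.50.50
/ip ipsec policy
add dst-address=192.168.2.0/24 peer=IPSEC-2-SPL proposal=IKEv2-Proposal \\
src-address=192.168.50.0/24 tunnel=yes
/ip route
add distance=1 gateway=198.51.100.129
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.2.1
add distance=1 dst-address=192.168.2.0/24 gateway=VPN-bridge pref-src=\\
192.168.50.2
"""

if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print(finding)
```

Run against the sample, the linter reports one NAT finding, two ROUTE findings, one BRIDGE finding and two EXPOSED entries; inserting `add action=accept chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.2.0/24` as the first srcnat rule clears the NAT finding, which is the documented RouterOS bypass for policy-based tunnels.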