Multi-site IPSec VPN - Confusion

Hi,

I am in the middle of setting up a multi-site IPSec tunnel between our headquarters (HQ) and all of our international branch offices, using MikroTik RouterBoards at all of my sites.

1 headquarters and 4 remote sites (where I intend to configure the HQ as a hub and the 4 sites as spokes, following the hub-and-spoke scenario).

As for now, I have implemented a successful IPSec tunnel between HQ and Site 1 and between HQ and Site 2, and it’s working like a charm.

Well, now when I try to ping Site 2 from Site 1 and vice versa, the packets won’t reach the destination, even though I have created static routes in both the Site 1 and Site 2 routers in order to get them to communicate with each other through the hub router in the HQ.

Regardless of the technical configuration that has been done on my local and remote sites, I kindly ask you to clarify the concept of the multi-site IPSec tunnel; maybe I am misunderstanding the concept behind it.

Do you think I should configure a mesh IPSec topology between all of my routers individually, as follows?

HQ to Site1 / HQ to Site2 / HQ to Site3 / HQ to Site4

Site1 to Site2 / Site1 to Site3 / Site1 to Site4

and so on …

Thank you all in advance for your support,

As I see it, you’ll need to set up IPSec policies in each site to reach the other sites’ IP ranges through an IPSec tunnel that goes by your HQ.

Setting routes is not enough, as IPSec won’t encrypt/tunnel traffic if it doesn’t match its policies.

Do you really need to access any site from any other site?

Yes, I prefer to have it meshed for different reasons. I tried to configure the IP address range in the IPSec policy as follows on all sites, but it didn’t work.

Never use IPSec in tunnel mode if you need a meshed multi-site setup.
Use a different tunneling protocol with IPSec in transport mode.

Then use OSPF to take care of routing.

Which tunneling mode do you recommend? Actually, the IPSec is just working fine between our branches, and it’s a secure connection as well.
Do you recommend a GRE tunnel over IPSec?

L2TP/IPSec would be the best.

It’s not that it will not work with tunnel mode, but as you add sites, and if you want to keep a mesh or do a partial mesh, keeping track of IPSec policies and making sure all routers have proper policies becomes a nightmare.

There is a presentation about L2TP/IPSec in my sig, if you want more info on it.
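The policy bookkeeping behind the two points above (each site needs a policy for every other site's range through the HQ, and that set grows quickly as sites are added) can be made visible by generating it. This is an added example, not code from the thread or from MikroTik: the site names, LAN prefixes and public addresses are constructed, and the RouterOS 6 `sa-src-address`/`sa-dst-address` policy syntax is assumed (newer releases reference a `peer=` instead).

```python
from itertools import combinations

# Constructed sample topology: site -> (LAN prefix, public address)
SITES = {
    "HQ":    ("10.0.0.0/24", "198.51.100.1"),
    "Site1": ("10.1.0.0/24", "198.51.100.2"),
    "Site2": ("10.2.0.0/24", "198.51.100.3"),
    "Site3": ("10.3.0.0/24", "198.51.100.4"),
    "Site4": ("10.4.0.0/24", "198.51.100.5"),
}

def policy(src_lan, dst_lan, sa_src, sa_dst):
    """One tunnel-mode policy line (assumed RouterOS 6 syntax). Traffic that
    matches no policy is never encrypted, so a static route alone does not
    make spoke-to-spoke traffic flow."""
    return (f"/ip ipsec policy add src-address={src_lan} dst-address={dst_lan} "
            f"sa-src-address={sa_src} sa-dst-address={sa_dst} "
            f"tunnel=yes action=encrypt level=require")

def hub_and_spoke_policies(sites, hub="HQ"):
    """Policies per router when every spoke only has an SA with the hub.
    A RouterOS policy matches both directions, so one entry per pair per SA."""
    out = {name: [] for name in sites}
    _, pub_hub = sites[hub]
    for a, b in combinations(sites, 2):
        (lan_a, pub_a), (lan_b, pub_b) = sites[a], sites[b]
        if hub in (a, b):
            out[a].append(policy(lan_a, lan_b, pub_a, pub_b))
            out[b].append(policy(lan_b, lan_a, pub_b, pub_a))
        else:
            # each spoke sends the other spoke's range into its SA with the hub
            out[a].append(policy(lan_a, lan_b, pub_a, pub_hub))
            out[b].append(policy(lan_b, lan_a, pub_b, pub_hub))
            # the hub needs a transit policy on each of the two spoke SAs
            out[hub].append(policy(lan_a, lan_b, pub_hub, pub_b))
            out[hub].append(policy(lan_b, lan_a, pub_hub, pub_a))
    return out

def full_mesh_policies(sites):
    """Policies per router when every pair of sites has its own SA."""
    out = {name: [] for name in sites}
    for a, b in combinations(sites, 2):
        (lan_a, pub_a), (lan_b, pub_b) = sites[a], sites[b]
        out[a].append(policy(lan_a, lan_b, pub_a, pub_b))
        out[b].append(policy(lan_b, lan_a, pub_b, pub_a))
    return out

def policy_count(policies):
    """Total number of policy lines across all routers."""
    return sum(len(lines) for lines in policies.values())
```

With the five constructed sites, hub-and-spoke needs 32 policies in total and 16 of them on HQ, while full mesh needs 20 policies (4 per router) but an SA to every other site; either way, every new site means touching every existing router.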

Thank you for sharing this presentation.
I have a question regarding this implementation.
Is it a hub-and-spoke topology? So if I have Sites A, B and C,
if Site A needs to communicate with Site C, it needs to go through Site B, right?
Do you think this is more convenient than a full mesh implementation for small environments (4 to 5 sites), as it’s going to use more bandwidth and load traversing Site B, and it’s also going to slow down packet transfer from site to site?
Please correct me if I am wrong.

Thank You.

Hi, please disregard the above post. I got the answer while reading your PDF document.
Thanks.

You can easily adapt it to be a full mesh or a partial mesh; OSPF will take care of it.

Where can I find the presentation?

I am also keen to see this presentation.

I am trying to decide what protocols and setup are best for a site-to-site VPN using RB3011UiAS-RM units at each end.

The more I read about VPNs the more I realize I do not know.

Please provide your topology… I need a simple practice example to study this multi-site VPN (L2TP/IPSec, maybe).
Thank you in advance…

I would use tunnels (for example IPIP or GRE) and a routing protocol on top.