Multi-site IPSec VPN - Confusion

Hi,

I am in the middle of setting up a multi-site IPsec tunnel between our headquarters (HQ) and all of our international branch offices, using MikroTik RouterBoards at all of my sites.

1 headquarters and 4 remote sites (where I intend to configure the HQ as a hub and the 4 sites as spokes, following the hub-and-spoke scenario).

As for now I have implemented a successful IPsec tunnel between HQ and Site 1 and between HQ and Site 2, and it's working like a charm.

Well, now when I try to ping Site 2 from Site 1 and vice versa, the packets won't reach the destination, even though I have created static routes on both the Site 1 and Site 2 routers in order to get them to communicate with each other through the hub router in the HQ.

Regardless of the technical configuration that has been done on my local and remote sites, I would kindly ask you to clarify the concept of the multi-site IPsec tunnel; maybe I am misunderstanding the concept behind it.

Do you think I should configure a mesh IPsec topology between all of my routers individually, as follows?

HQ to Site1 / HQ to Site2 / HQ to Site3 / HQ to Site4

Site1 to Site2 / Site1 to Site3 / Site1 to Site4

and so on …

Thank you all in advance for your support,

You need to add the subnets that are not routed to the IPsec proposals.

For example, in a setup with 2 sites and 1 HQ:
HQ has 192.168.100.0/24
Site 1 has 192.168.101.0/24
Site 2 has 192.168.102.0/24

On HQ you define 2x peers for the sites + 2x IPsec proposals per peer to connect HQ-Site1, HQ-Site2, HQ-Site3
Peer Site 1 proposals
192.168.100.0/24 ↔ 192.168.101.0/24 for HQ ↔ Site 1
192.168.102.0/24 ↔ 192.168.101.0/24 for Site 1 ↔ Site 2

Peer Site 2 proposals
192.168.100.0/24 ↔ 192.168.102.0/24 for HQ ↔ Site 2
192.168.101.0/24 ↔ 192.168.102.0/24 for Site 1 ↔ Site 2

On Site 1 you define 1 peer (HQ!)
and 2x proposal for this peer
192.168.101.0/24 ↔ 192.168.100.0/24 (connection/route to HQ)
192.168.101.0/24 ↔ 192.168.102.0/24 (connection/route to Site 2)

On Site 2 you define 1 peer (HQ!)
and 2x proposal for this peer
192.168.102.0/24 ↔ 192.168.100.0/24 (connection/route to HQ)
192.168.102.0/24 ↔ 192.168.101.0/24 (connection/route to Site 1)

Basically, you just need to add the missing IPsec subnet proposals to your running setup!

It works fine with IPsec tunneling and multiple sites.
But this is a lot of work if you need to connect more sites to each other.
Also, you do not 'see' this setup in the routing tables.


My advice is to make tunnel interfaces (IPIP or GRE) between HQ and the sites.
Then you can make a routing plan for routing traffic from sites to HQ and from sites to sites.
http://wiki.mikrotik.com/wiki/Manual:Interface/IPIP
http://wiki.mikrotik.com/wiki/Manual:Interface/Gre
This setup is in the end more flexible in changing all kinds of routes. Also this gives you the option to work with OSPF for dynamic routing.

Please study the differences between IPIP and GRE, especially the difference in handling L2 packets and MTU sizing.
http://packetlife.net/blog/2012/feb/27/gre-vs-ipip-tunneling/

If everything works, you can finalize this setup with encryption using IPsec transport rules.
http://www.youtube.com/watch?v=2PtK8HgkRvM

Also, there is a performance difference between GRE+IPsec and IPIP+IPsec. Just test it to be sure you pick the right option.
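The policy matrix the answer above lays out for 2 sites, generalized to any number of spokes and with a coverage check, as an added Python example (this is not code from the forum post or from MikroTik). It prints RouterOS commands; the policy syntax assumed is the RouterOS 6.45+/v7 form with a named peer (peer=...), and the peer, identity and proposal definitions are assumed to exist already. The hub's peer names (site1, site2, ...) and the spokes' peer name hq are constructed names, and the srcnat bypass rule is the usual RouterOS step so that a masquerade rule does not rewrite traffic before the policy matches it.

```python
"""Hub-and-spoke IPsec policy generator (added example, not from the forum post).

Every spoke only peers with the hub; the hub re-encrypts spoke-to-spoke traffic
towards the other spoke. Assumes RouterOS 6.45+/v7 policy syntax with a named
peer (peer=...). Peers, identities and proposals are assumed to exist already.
"""
import re
from itertools import permutations

# Hypothetical peer name every spoke uses for the hub.
HUB_PEER = "hq"

# Usual bypass so srcnat/masquerade leaves tunnel traffic alone (placed first).
NAT_BYPASS = ("/ip firewall nat add chain=srcnat ipsec-policy=out,ipsec "
              "action=accept place-before=0")

_ADDR = re.compile(r"src-address=(\S+) dst-address=(\S+)")


def policy(peer, src, dst):
    """One tunnel-mode policy: traffic src -> dst is encrypted towards `peer`."""
    return (f"/ip ipsec policy add peer={peer} src-address={src} dst-address={dst} "
            f"tunnel=yes action=encrypt proposal=default level=require")


def hub_policies(hub_lan, spokes):
    """Hub side: per spoke peer, hub<->spoke plus one policy per other spoke's LAN."""
    cmds = []
    for name, lan in spokes.items():
        cmds.append(policy(name, hub_lan, lan))
        for other, other_lan in spokes.items():
            if other != name:
                # packets arriving from `other` must be re-encrypted towards `name`
                cmds.append(policy(name, other_lan, lan))
    return cmds


def spoke_policies(name, hub_lan, spokes):
    """Spoke side: a single peer (the hub) carrying the hub LAN and every other spoke LAN."""
    lan = spokes[name]
    cmds = [policy(HUB_PEER, lan, hub_lan)]
    cmds += [policy(HUB_PEER, lan, other_lan)
             for other, other_lan in spokes.items() if other != name]
    return cmds


def full_config(hub_lan, spokes):
    """All routers' commands keyed by router name; the hub is 'hq'."""
    cfg = {"hq": [NAT_BYPASS] + hub_policies(hub_lan, spokes)}
    for name in spokes:
        cfg[name] = [NAT_BYPASS] + spoke_policies(name, hub_lan, spokes)
    return cfg


def missing_pairs(cmds, lans):
    """Ordered LAN pairs (a, b) that no policy in `cmds` covers; empty means full coverage."""
    covered = {m.groups() for c in cmds for m in [_ADDR.search(c)] if m}
    return sorted((a, b) for a, b in permutations(lans, 2) if (a, b) not in covered)


if __name__ == "__main__":
    # Constructed sample: the answer's two sites plus a third to show the growth.
    spokes = {"site1": "192.168.101.0/24",
              "site2": "192.168.102.0/24",
              "site3": "192.168.103.0/24"}
    hub_lan = "192.168.100.0/24"
    cfg = full_config(hub_lan, spokes)
    for router, cmds in cfg.items():
        print(f"# ---- {router} ----")
        print("\n".join(cmds))
    every = [c for cmds in cfg.values() for c in cmds]
    print("uncovered LAN pairs:", missing_pairs(every, [hub_lan, *spokes.values()]))
```

Running it prints each router's command list; `missing_pairs` reports any ordered LAN pair that no policy on any router matches, which is the symptom in the question (spoke LANs reach HQ but not each other). For n spokes the matrix is n² policies on the hub and n on each spoke, 2n² in total, which is the growth the answer warns about and the reason it suggests tunnel interfaces plus routing instead.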