Need help to configure two IPSec Tunnels in chain

Hello,
I have the latest MikroTik RouterOS and need help to set up two IPSec tunnels in chain for communication.

Scenario:
SiteA <> SiteB <> SiteC
---- Tunnel1 ---- Tunnel2

SiteA - LAN: 192.168.1.0/24, ISP WAN: 1.1.1.1/30
SiteB - LAN: 192.168.2.0/24, ISP WAN: 2.2.2.1/30
SiteC - LAN: 192.168.3.0/24, ISP WAN: 3.3.3.1/30

SiteB is the “central one/Headquarters”, with the latest stable MikroTik RouterOS.
Each Site has one local LAN subnet. IPSec tunnel from SiteA to SiteB (Tunnel1) is configured and working (over public Internet). Also between SiteB and SiteC (Tunnel2).
All IP>Routes are configured.

I need help to configure RouterOS on SiteB (HQ) to allow devices from SiteA to communicate with SiteC. So these packets (ICMP, TCP) should go through both IPSec tunnels.

How to achieve this? How to configure IPSec>Policies in that case?
Also, if possible, without NAT :slight_smile:

If it’s plain IPSec (no tunnel inside like IPIP, GRE, …), just add additional policies. Between site A and B you need policies for .1 ↔ .2 (you already have this) and .1 ↔ .3 (new one). Between B and C it needs to be .2 ↔ .3 (existing) and .1 ↔ .3 (new). Also change level option from require to unique. That’s the start, then just make sure it’s not blocked by firewall somewhere.

Yeah, so I’m creating a new IPSec policy with .1 <> .3, but which peer and proposal should I choose? (Tunnel1 and Tunnel2 have different IPsec settings.)
The firewall currently allows everything, just for testing.

Everything else should be the same as the already existing policy has. That’s if you want it routed through SiteB. Now you have it configured for one remote subnet and you just need to add another. So everything else stays the same, peer, encryption, …

Yeah, ok, it works, but I do not know why and how :stuck_out_tongue:

new/additional IPsec policy:
src: 192.168.3.0/24
dest: 192.168.1.0/24
peer: SiteA-peer
proposal: SiteA-proposal
level: unique

Plain IPSec tunnels can be confusing at first. Let’s say you have:

/ip ipsec policy
add <other options> src-address=<local subnet> dst-address=<remote subnet> \
    sa-src-address=<local router address> sa-dst-address=<remote router address>

If you watch packets in the firewall (in different chains), you’ll see that traffic from <local subnet> to <remote subnet> is routed to the internet. In postrouting, it will be going out via the WAN interface. It looks completely wrong, right?

But before it really happens, the IPSec policy kicks in, intercepts the packet, stops it from going further, encrypts it and sends it to <remote router address> (with source address set to <local router address>). You can see what happens step by step here: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6#Ipsec_Encryption.2FDecryption

Once you understand this, everything should be clear.

Thank you, this is clear; however, I am not clear about the usage of “peer” and “proposal” for this particular policy SiteC>SiteA, over SiteC … What are peer / proposal used for here then, and how :confused:, or is this info irrelevant? (But it is a mandatory parameter in the IPsec policy.) …

Right, what I described was in older RouterOS, and it’s still in the ‘long term’ channel. Newer versions don’t require you to put the addresses of the local and remote router in the policy; you select a peer instead and the addresses are taken from there. So on site A, if you want traffic for C sent to B, you select peer B for that policy.
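Putting the policy list from the first answer together with the peer-based syntax described in this last reply, the full set of plain IPsec policies on all three routers could look like the following. This is an added example, not configuration posted by anyone in this thread; the peer and proposal names (SiteA-peer, SiteB-proposal and so on), the tunnel-mode setting and the assumption that each router has exactly one peer entry per tunnel are illustrative, and the subnets are those from the first post.

```routeros
# Added example (not from the thread): chained plain IPsec, no IPIP/GRE inside.
# SiteA LAN <-> SiteC LAN flows A -> Tunnel1 -> B -> Tunnel2 -> C.
# Peer/proposal names are assumed. The existing .1<->.2 and .2<->.3 policies
# are shown only for context; the "new" ones are the .1<->.3 pair on each router.

# ---- SiteA (LAN 192.168.1.0/24; peer "SiteB-peer" points at 2.2.2.1) ----
/ip ipsec policy
# existing: A LAN <-> B LAN
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteB-peer proposal=SiteB-proposal
# new: A LAN <-> C LAN, still handed to SiteB (same peer, same proposal)
add src-address=192.168.1.0/24 dst-address=192.168.3.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteB-peer proposal=SiteB-proposal

# ---- SiteB (HQ, LAN 192.168.2.0/24; peers toward 1.1.1.1 and 3.3.3.1) ----
/ip ipsec policy
# Tunnel1 side: existing .2<->.1, new .3<->.1 (matches packets decrypted from Tunnel2)
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteA-peer proposal=SiteA-proposal
add src-address=192.168.3.0/24 dst-address=192.168.1.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteA-peer proposal=SiteA-proposal
# Tunnel2 side: existing .2<->.3, new .1<->.3 (matches packets decrypted from Tunnel1)
add src-address=192.168.2.0/24 dst-address=192.168.3.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteC-peer proposal=SiteC-proposal
add src-address=192.168.1.0/24 dst-address=192.168.3.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteC-peer proposal=SiteC-proposal

# ---- SiteC (LAN 192.168.3.0/24; peer "SiteB-peer" points at 2.2.2.1) ----
/ip ipsec policy
add src-address=192.168.3.0/24 dst-address=192.168.2.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteB-peer proposal=SiteB-proposal
add src-address=192.168.3.0/24 dst-address=192.168.1.0/24 tunnel=yes \
    action=encrypt level=unique peer=SiteB-peer proposal=SiteB-proposal

# ---- Checks, run on SiteB while a host in 192.168.1.0/24 pings 192.168.3.x ----
# each of the four policies should show ph2-state=established
/ip ipsec policy print
# and one SA pair per policy (level=unique gives every policy its own SA)
/ip ipsec installed-sa print
```

Each "through" policy is the mirror of the one on the far side of that tunnel, so the packet that SiteB decrypts from Tunnel1 (source 192.168.1.x, destination 192.168.3.x) is matched by SiteB's .1->.3 policy toward SiteC before it can leave via the WAN interface, and the reply is caught the same way in the other direction. No NAT is needed for this to work; if a masquerade srcnat rule on the WAN interfaces is later re-enabled, it must not rewrite these LAN-to-LAN packets, which is what an accept rule with ipsec-policy=out,ipsec placed above the masquerade rule in /ip firewall nat is for. Likewise, once the test-only allow-all firewall is replaced, a forward-chain accept rule matching ipsec-policy=in,ipsec keeps the decrypted traffic flowing between the two tunnels.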