Hi,
I’m real noob in using RouterOS. Been reading many tutorials and manuals and I seem to be clueless at the routing with VPN. I am trying to setup an IPSec VPN tunnel so as to secure communication between my private LAN and a destination host. Any device within my private LAN should be able to initiate connection to the destination host. However, if the destination host wants to connect to my network (directed to my public IP address), I want to forward that connection to just one particular server - 192.168.1.65.
My setup:
Private LAN : 192.168.1.1/24
Public IP : 50.X.X.X
Destination Host IP : 173.X.X.X (using CISCO ASA)
I got the basic setup working fine and my internal LAN is able to access the internet.
My attempt at the IPSec configuration is as follows:
/interface ipip
add comment=“” disabled=no local-address=50.X.X.X mtu=1460 name=ipip1
remote-address=173.X.X.X
/ip address
add address=192.168.1.1/24 broadcast=192.168.1.255 comment=“” disabled=no
interface=ipip1 network=192.168.1.0
/ip ipsec peer
add address=173.X.X.X/32 auth-method=pre-shared-key comment=“”
dh-group=modp1024 disabled=no dpd-interval=disable-dpd
enc-algorithm=3des exchange-mode=main generate-policy=no
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no port=500
proposal-check=obey secret=SECRETKEY send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment=“” disabled=no dst-address=173.X.X.X/32 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=ipsec protocol=all
sa-dst-address=173.X.X.X sa-src-address=50.X.X.X
src-address=50.X.X.X/32:any tunnel=yes
/ip ipsec proposal
set default auth-algorithms=md5 comment=“” disabled=no enc-algorithms=3des
lifetime=60m name=ipsec pfs-group=none
What to do next? How to configure such that my devices can initiate connection to the host and for the host to initiate connection to just one particular server? Would it be ip firewall nat, masquerade or ip route?
Any help greatly appreciated.
Thanks.