Hi buddies! I know this is maybe a piece of cake to you, but I can't resolve this situation:
Office 1: LAN 192.168.1.0/24
Mikrotik is 192.168.1.254
GW (MPLS provider): 192.168.1.247
Office 2: LAN 192.168.2.0/24
Mikrotik is 192.168.2.254
GW (MPLS provider): 192.168.2.247
IPSEC: another Mikrotik, LAN 192.168.2.10, WAN 1.1.1.1. The tunnel LAN point to connect to is 10.0.127.2.
In this place everything goes all right.
Office 3: LAN 192.168.3.0/24
Mikrotik is 192.168.3.254
GW (MPLS provider): 192.168.3.247
Office 4: LAN 192.168.4.0/24
Mikrotik is 192.168.4.254
GW (MPLS provider): 192.168.4.247
I need to connect the SIPs at offices 1, 3 and 4 to the IPSEC point, but I don't know how to route them. Can you help me please!!
You haven’t provided details regarding the particular way you use the IPsec. If it is “something over IPsec” (where “something” may be L2TP, GRE, IPIP, …) then yes, the only thing you need to take care of is the routes between the PBX and the Mikrotiks in the offices. But since the MPLS boxes have IP addresses too, they are likely routers, and the question is what they do with packets for 10.0.127.2. I mean, for each device in the office, the Mikrotik is the default route; for the Mikrotik itself, the MPLS box is the default route; but the MPLS boxes must have been told where to send the packets for 192.168.1.0/24, 192.168.2.0/24 etc. So these boxes in Office 1, Office 3 and Office 4 also have to be told that the next hop for 10.0.127.2 is 192.168.2.10.
If you use “plain IPsec” in tunneling mode itself, i.e. not to carry some other tunnelling protocol point-to-point, you may have to modify IPsec policies at both ends to handle not just 192.168.2.0/24 but all the subnets of Office 1 to Office 4, because in this mode, IPsec provides no interface as the local end of a tunnel; instead, it chooses packets to transport by matching their source and destination socket addresses and protocol after they have already been routed by the normal routing configuration.
One more point: people tend to see MPLS as a secure interconnection; unfortunately it is not, and your traffic between the sites can be sniffed in the MPLS network. So if that bothers you, you should use IPsec to encrypt the traffic on the MPLS links. Depending on the volume and characteristics of the traffic between the sites and the model of your routers, the encryption may become a bottleneck.
What is your native language if that’s not a secret?
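Putting the routing and policy points from the reply above into RouterOS commands, as an added example that is not from the thread (v6 CLI syntax; REMOTE_PEER_IP is a placeholder for the far-end IPsec peer, which the thread never names, and it assumes the IPsec box at 192.168.2.10 reaches the other offices via 192.168.2.254 and already has its /ip ipsec peer configured):

```routeros
# Added example, not from the thread. RouterOS v6 syntax; topology taken from the question.
# Assumptions: 192.168.2.10 reaches offices 1/3/4 through 192.168.2.254, the remote peer
# is REMOTE_PEER_IP (placeholder), and an /ip ipsec peer entry for it already exists.

# --- Office 2 LAN Mikrotik (192.168.2.254): hand tunnel-bound packets to the IPsec box
/ip route add dst-address=10.0.127.2/32 gateway=192.168.2.10 comment="to IPsec box"

# --- Offices 1, 3, 4: the MPLS boxes (x.x.x.247) are the Mikrotiks' default route, so the
# provider must add the equivalent static route on them (vendor syntax will differ):
#   10.0.127.2/32 via 192.168.2.10

# --- IPsec Mikrotik (192.168.2.10): return routes for the other office LANs
/ip route add dst-address=192.168.1.0/24 gateway=192.168.2.254 comment="office 1"
/ip route add dst-address=192.168.3.0/24 gateway=192.168.2.254 comment="office 3"
/ip route add dst-address=192.168.4.0/24 gateway=192.168.2.254 comment="office 4"

# Plain tunnel-mode IPsec selects packets by src/dst address after routing, so the policy
# must cover all four office subnets (192.168.0.0/22), not only 192.168.2.0/24.
/ip ipsec policy add src-address=192.168.0.0/22 dst-address=10.0.127.2/32 protocol=all \
    action=encrypt level=require tunnel=yes ipsec-protocols=esp \
    sa-src-address=1.1.1.1 sa-dst-address=REMOTE_PEER_IP proposal=default

# Keep tunnel traffic out of any masquerade rule: this accept must sit above it in srcnat
/ip firewall nat add chain=srcnat action=accept src-address=192.168.0.0/22 \
    dst-address=10.0.127.2/32 place-before=0 comment="bypass NAT for IPsec"

# The far end needs the mirror policy: src-address=10.0.127.2/32 dst-address=192.168.0.0/22

# --- Checks: route present, policy installed, SAs up, and a ping sourced from an office LAN
/ip route print where dst-address=10.0.127.2/32
/ip ipsec policy print
/ip ipsec installed-sa print
/ping 10.0.127.2 src-address=192.168.2.254 count=3
```

If the ping from 192.168.2.254 works but one from a host in Office 1 does not, the missing piece is almost always the 10.0.127.2 route on that office's MPLS box rather than the IPsec policy.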
Well… it may work or may not. Sure you can use a dst-nat rule to forward port 5060 from 192.168.2.10 to 10.0.127.2, and a src-nat rule to translate the source address of everything coming from the customer’s network towards 192.168.0.0/22 to 192.168.2.10. The SIP signalling will work for sure, however Mikrotik’s SIP helper is not very good in handling the SDPs when the signalling and RTP addresses differ on the private side of the NAT. So the customer may have to force RTP from phones through the Asterisk so that both RTP and SIP would be coming from 10.0.127.2.
Or you may force media through your Asterisks and configure it to expect remote-side NAT, which would allow you to disable the SIP helper at 192.168.2.10, but I’m not sure whether this can be done for trunks or only for registering CPEs.