Hi everyone,
I have the following scenario:
An IPsec VPN between a MikroTik CCR1009 and a Fortigate router.
Establishing the VPN is not a problem, but the issue I am encountering is routing a packet from a network behind the MikroTik to a remote network behind the Fortigate.
Mikrotik -VPN-Fortigate-Router-remote subnet
I can route traffic back and forth between the subnets directly connected to the MikroTik and the Fortigate, but I do not know how I can route the traffic from behind the MikroTik all the way to the remote network, since there is no interface or IP that I can use to route the packets over.
Do I need to add the remote network in the IPsec policy?
I cannot use IPIP or GRE tunnels since that will cause a really slow link.
Please advise.
So let me clarify. What you want to achieve here is that one subnet behind Mikrotik uses Fortigate as a next hop and vice versa?
You need an IPSec Policy and the policy needs to be in tunnel mode. I believe you also have to create an IP > Firewall > NAT rule
Chain=srcnat, dst-address:<RemoteSubnet/24>, Action=Accept
Follow the red arrows in this diagram
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow#IPsec_encryption
You can see that the packet destined to the remote network follows the routing rules and it’s not until it’s about to go out the WAN interface that the IPsec policy kicks in. Because it goes past the post-routing phase, you need the srcnat rule, otherwise the masquerade rule will apply and change the src-address of the packet. So the packet destined to the remote network then gets wrapped in an ESP packet (because tunnel mode is selected) and the newly wrapped packet gets dropped back into routing, where it gets routed out the WAN interface to the destination, where it is unwrapped and dropped into the remote router's routing logic.
Hope that makes sense.
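As an added illustration of the answer above (not the poster's own config, and not from MikroTik's wiki), here is what the tunnel-mode policy plus the srcnat accept rule looks like in RouterOS CLI, with a second policy for the subnet behind the Fortigate's downstream router. All addresses are placeholders: 192.168.10.0/24 is the LAN behind the MikroTik, 10.20.0.0/24 the LAN on the Fortigate, 10.30.0.0/24 the remote subnet behind the Fortigate's router, ether1 the WAN interface, and "fortigate" an IPsec peer that is assumed to already exist.

```routeros
# Phase 2 policies, one per remote subnet. tunnel=yes is what makes the
# packet get wrapped in ESP after post-routing; the Fortigate phase 2
# selectors must mirror these pairs exactly or the SA will not come up.
/ip ipsec policy
add peer=fortigate tunnel=yes action=encrypt proposal=default \
    src-address=192.168.10.0/24 dst-address=10.20.0.0/24 \
    comment="to Fortigate LAN"
add peer=fortigate tunnel=yes action=encrypt proposal=default \
    src-address=192.168.10.0/24 dst-address=10.30.0.0/24 \
    comment="to subnet behind Fortigate's router"

# srcnat accept rules placed ABOVE masquerade (place-before=0), so the
# source address survives post-routing and still matches the policy.
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.10.0/24 dst-address=10.30.0.0/24 \
    comment="bypass masquerade for IPsec to remote subnet"
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.10.0/24 dst-address=10.20.0.0/24 \
    comment="bypass masquerade for IPsec to Fortigate LAN"
add chain=srcnat action=masquerade out-interface=ether1

# Checks: the accept counters should increase as you ping the remote
# subnet, and each policy should show an established ph2 state.
/ip firewall nat print stats
/ip ipsec policy print detail
/ip ipsec installed-sa print
```

No static route to the remote subnet is needed on the MikroTik, because the policy matches before the packet leaves via the default route; if the ph2 state stays "no phase2" for the 10.30.0.0/24 policy, the Fortigate side is missing the matching selector for that subnet.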
Thank you for the answer.
So route from remote to the subnet behind firewall and add a policy for the remote network as well.
Will try it out