Routing through VPN

RouterOS General
1

Good day, gents.
I’m a little bit stuck with my mikrotik router’s config. I’ve readed a bunch of docs, but found nothing, so could you point me out where I’m wrong.

I’ve got something like this:
PC(192.168.0.2/24) <----> (192.168.0.1/24)BranchRouter(MT)(2.2.2.2/24) <–VPN–>(1.1.1.1/28)HQRouter(Juniper)(192.168.10.1/24) <–VPN–> (3.3.3.3/28) PartnersRouter(10.10.10.10/24).

So, to summurize:
HQRouter conected to both PartnersRouter and BranchRouter over VPN
BranchRouter conected to HQRouter over VPN
PartnersRouter conected to HQRouter over VPN

What do I need:
I need a PC in my branch office to be connected with a server on partners side over VPN through my HQ.

Branch office RB333 v3.25:

peer:
address=1.1.1.1/32:500 auth-method=pre-shared-key 
     secret="xxx" generate-policy=no 
     exchange-mode=main send-initial-contact=yes nat-traversal=no 
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des 
     dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd 
     dpd-maximum-failures=1




policy:
src-address=192.168.0.0/24:any dst-address=192.168.10.0/24:any 
     protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes 
     sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 
     proposal=P2 priority=2




ip firewall nat:
chain=srcnat action=accept src-address=192.168.0.0/24 
     dst-address=192.168.10.0/24




ip firewall mangle:
chain=prerouting action=mark-routing new-routing-mark=partner passthrough=yes 
     src-address=192.168.0.0/24 dst-address=10.10.10.10/24




ip route:
gateway=192.168.10.0 routing-mark=partner distance=1
gateway=192.168.0.0 distance=2

P.S. Sorry for my English

2

IPsec encryption doesn’t care about routing marks, it’s not a tunnel interface on RouterOS. You need to add policies for traffic from 192.168.0.0/24 to 10.10.10.0/24 with the right SA source and destination IP addresses.

Something along these lines:

src-address=192.168.0.0/24:any dst-address=10.10.10.0/24:any 
     protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes 
     sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 
     proposal=P2 priority=2

Then the Juniper router has to be set up to punt that traffic back out the VPN tunnel with the partner network, as well as forward return traffic back out to you.