Routing to another side of IPSec Tunnel

I have a classic Network-Network IPSec tunnel (IP - IPSec - Policies) between the datacenter and the office.

The office network has grown and has run out of IP addresses. I cannot increase the network mask because the neighboring ranges are occupied by the subnets of other offices.
I installed a router on the office local network to divide the network into two subnets, creating an additional subnet to accommodate the computers of several departments there.

Accordingly, from the created subnet 192.168.4.0/24, routing works to the transit subnet 192.168.2.0/24 and then on to the Internet.

But how can I configure routing from the data center subnet 192.168.11.0/24 to the created subnet 192.168.4.0/24?

An attempt to specify the route to 192.168.4.0/24 through gateway 192.168.2.254 on 192.168.11.0 failed: the datacenter router reports "unreachable" for this route, although the router does ping gateway 192.168.2.254 when the bridge-local interface is specified in the ping parameters.
(attached image: Routes-Schema.JPG)

For now I have solved my problem through an additional L2TP connection from 192.168.4.0/22 to the external IP of the datacenter and set routes through this L2TP connection.

But is it possible to make it work without the additional L2TP channel, just through mangle rules and IP routes?

There is no need for L2TP. Technically speaking, there is not even a need for the 192.168.4.254 router, if your switches are VLAN capable.

To get the IPsec tunnel to work for the 192.168.4.0/24 subnet, you just need to add policies on both ends of the tunnel.
A little catch: if you try to ping, for example, from the router in the office to the router in the datacenter, this will not work, because the source IP address of the ping packet is most likely the WAN IP address and so the IPsec policies will not match. To fix this you can use the src. address field in the advanced ping settings. Or, better, you add a route for the remote subnet. As the gateway you use the interface where the local subnet of the IPsec policies is attached. I think this should fix your problem. Also don't forget to exclude all IPsec traffic from NAT.

If not, you should post the configuration of all routers. Use the export command in the terminal for that and post the output in a code block here.

Do you have two IPSEC policies, one for each network pair?

DC End
/ip ipsec policy
add dst-address=192.168.2.0/24 level=unique peer=AA-Test src-address=192.168.11.0/24 tunnel=yes
add dst-address=192.168.4.0/24 level=unique peer=AA-Test src-address=192.168.11.0/24 tunnel=yes

Other End
/ip ipsec policy
add dst-address=192.168.11.0/24 level=unique peer=AA-Test src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.11.0/24 level=unique peer=AA-Test src-address=192.168.4.0/24 tunnel=yes

You may find it easier to use an IP-IP tunnel or EoIP tunnel and tick the box to secure with IPSEC.
Then you just give each end of the tunnel an IP address in a small subnet (e.g. 172.16.1.1/30 and 172.16.1.2/30) and then use normal routing rules, like you were trying to, to route the traffic.
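Putting the advice from the replies above together for all three routers in the thread, as an added example (not taken from any of the posts): the two policies per tunnel end, the NAT bypass placed above masquerade, the route-via-interface trick for router-originated traffic, and the plain route from the office edge to the inner subnet. The interface names bridge-lan (DC router LAN) and bridge-local (office edge LAN) and the edge router's LAN address placeholder are assumptions; existing masquerade rules in srcnat are assumed on both tunnel endpoints.

```routeros
# --- Datacenter router (LAN 192.168.11.0/24) ---
# One policy per remote subnet; both share the existing peer.
/ip ipsec policy
add peer=AA-Test tunnel=yes level=unique src-address=192.168.11.0/24 dst-address=192.168.2.0/24
add peer=AA-Test tunnel=yes level=unique src-address=192.168.11.0/24 dst-address=192.168.4.0/24
# Keep tunnelled traffic out of masquerade: accept rules must sit above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.11.0/24 dst-address=192.168.2.0/24 place-before=0
add chain=srcnat action=accept src-address=192.168.11.0/24 dst-address=192.168.4.0/24 place-before=0
# Router-originated packets (ping from the router itself) must leave with a LAN source
# address to match the policy, so route the remote subnets via the LAN interface (assumed name).
/ip route
add dst-address=192.168.2.0/24 gateway=bridge-lan
add dst-address=192.168.4.0/24 gateway=bridge-lan

# --- Office edge router (LAN 192.168.2.0/24, IPsec peer of the DC) ---
/ip ipsec policy
add peer=AA-Test tunnel=yes level=unique src-address=192.168.2.0/24 dst-address=192.168.11.0/24
add peer=AA-Test tunnel=yes level=unique src-address=192.168.4.0/24 dst-address=192.168.11.0/24
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.11.0/24 place-before=0
add chain=srcnat action=accept src-address=192.168.4.0/24 dst-address=192.168.11.0/24 place-before=0
/ip route
# Same source-address trick as on the DC side (bridge-local is the name used in the question).
add dst-address=192.168.11.0/24 gateway=bridge-local
# Ordinary route to the inner office subnet via the internal router's transit address.
add dst-address=192.168.4.0/24 gateway=192.168.2.254

# --- Internal office router (192.168.2.254 on the transit side, 192.168.4.254 on the LAN side) ---
# Nothing IPsec-specific is needed here: a default route towards the edge router is enough.
# It must NOT masquerade 192.168.4.0/24 towards 192.168.2.0/24, or the 192.168.4.0/24 policy
# on the edge router never sees the real source addresses.
/ip route
add dst-address=0.0.0.0/0 gateway=<EDGE-ROUTER-LAN-IP>
```

After applying, check /ip ipsec installed-sa on each endpoint for SAs covering 192.168.4.0/24 and confirm with /ip firewall nat print that the accept rules sit above masquerade.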