Site to Site tunnel... how?

Hi all. I am trying to connect 2 routers RB450R, but I have no clue how to do it.

Today my network is like the image attached.

I Googled and found that this can be done with PPTP & EoIP or L2TP & IPSec, but the few articles that I found about it I've applied to my network without success.

If these two options are ok, or if there is another new one, for me it is fine; what I want is for the user on side A to ping the computer on side B without the need to dial any PPPoE or any other kind of dial... I want one solution 100% in the router so it will be transparent for the user...

Thanks.
NetworkDiagrm - Tunnel.png

You can do it with a tunnel like pptp.

In routerA add a static route
Dst-address 192.168.60.0/24 gateway pptp-out

In routerB add a static route
Dst-address 192.168.50.0/24 gateway pptp-out

What would be the pptp-out? The IP of the gateway of the other router?

In the VPN server you have a pptp-user, and in the client it is pptp-out.

I would not suggest pptp in this situation.

You have 2 real choices, eoip or ipip. eoip is proprietary to Mikrotik and IPIP is standards compliant and will work with other devices like cisco. (I know there are other options, but I am considering this a good basic starting point for newbies).

Simply create the eoip tunnel, and then make /30 IP addressing at each end of the tunnel, and then make static routes for each remote LAN to point to the tunnel IP as gateway.

Once you have the tunnel up and traffic passing nicely through it, you can go to the next stage to make it encrypted with IP Sec.

Greg Sowell has some very nice videos on this.

I hope that helps,

Alex

I would skip the IPIP tunnel (it's insecure on its own, and you don't need it to do IPSec) and just do IPSec. The following configuration should get you close. You may have to change some things, especially if you have custom firewall chains.

Generate Keys

Site 1 Router:

/ip ipsec key generate-key name=Site-1 key-size=2048
/ip ipsec key export-pub-key key=Site-1 file-name=Site-1-Pub

Site 2 Router:

/ip ipsec key generate-key name=Site-2 key-size=2048
/ip ipsec key export-pub-key key=Site-2 file-name=Site-2-Pub

Copy both of the exported public keys to the other router

Site 1 Router:

/ip ipsec key import file-name=Site-2-Pub name=Site-2

Site 2 Router:

/ip ipsec key import file-name=Site-1-Pub name=Site-1

IPSec Setup

Site 1 Router:

/ip ipsec proposal add name=MyOrganization auth-algorithms=sha1\
 enc-algorithms=aes-256 lifetime=00:30:00 pfs-group=modp2048
/ip ipsec peer add address=2.2.2.2 auth-method=rsa-key key=Site-1\
 remote-key=Site-2 send-initial-contact=yes proposal-check=obey\
 hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1h
/ip ipsec policy add src-address=192.168.50.0/24 dst-address=192.168.60.0/24\
 action=encrypt ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2\
 proposal=MyOrganization

/ip firewall mangle add action=mark-packet chain=prerouting\
 new-packet-mark=IPSec protocol=ipsec-esp place-before=0

/ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept place-before=0
/ip firewall filter add chain=forward src-address=192.168.60.0/24\
 dst-address=192.168.50.0/24 packet-mark=IPSec place-before=0
 
/ip firewall nat add chain=srcnat dst-address=192.168.60.0/24 action=accept place-before=0

Site 2 Router:

/ip ipsec proposal add name=MyOrganization auth-algorithms=sha1\
 enc-algorithms=aes-256 lifetime=00:30:00 pfs-group=modp2048
/ip ipsec peer add address=1.1.1.1 auth-method=rsa-key key=Site-2\
 remote-key=Site-1 send-initial-contact=yes proposal-check=obey\
 hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1h
/ip ipsec policy add src-address=192.168.60.0/24 dst-address=192.168.50.0/24\
 action=encrypt ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1\
 proposal=MyOrganization

/ip firewall mangle add action=mark-packet chain=prerouting\
 new-packet-mark=IPSec protocol=ipsec-esp place-before=0

/ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept place-before=0
/ip firewall filter add chain=forward src-address=192.168.50.0/24\
 dst-address=192.168.60.0/24 packet-mark=IPSec place-before=0
 
/ip firewall nat add chain=srcnat dst-address=192.168.50.0/24 action=accept place-before=0

Just create two GRE tunnels. No idea why everyone is trying to make it so complicated.

First Router:

/interface gre
add disabled=no dscp=0 l2mtu=65535 local-address=1.1.1.1 mtu=1476 name=\
    tunnel1 remote-address=2.2.2.2

/ip address
add address=172.22.1.1/32 disabled=no interface=tunnel1 network=172.22.1.1

/ip route
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=172.22.1.2 \
    scope=30 target-scope=10

Second Router

/interface gre
add disabled=no dscp=0 l2mtu=65535 local-address=2.2.2.2 mtu=1476 name=\
    tunnel1 remote-address=1.1.1.1

/ip address
add address=172.22.1.2/32 disabled=no interface=tunnel1 network=172.22.1.2

/ip route
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=172.22.1.1 \
    scope=30 target-scope=10

Something to that effect. Personally, I wouldn’t encrypt it unless you really need to.

I can't see why an ipip tunnel is any more difficult than a GRE tunnel or EoIP tunnel.

Regarding the second option of using IPSec alone, I find that situation often confuses people more, as opposed to simply encrypting the tunnel with only one set of IPsec policy and then using simple routing tables to route traffic: future traffic additions don't require new IPsec policy, just a new route.

As for encrypting traffic that passes over the internet, I personally would never recommend to a client that something shouldn’t be encrypted.

It's all horses for courses, I suppose. Just find one that works for you, and then go with it.
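To make concrete what "unencrypted" means for the plain GRE configuration posted above, here is an added Python example (not from any poster in this thread): it builds a constructed, not captured, IPv4/GRE packet like the one tunnel1 would carry from 1.1.1.1 to 2.2.2.2, then decapsulates it the way any device on the path could, showing that the inner 192.168.50.x/192.168.60.x headers and the payload are readable until IPsec is layered on top. The inner host addresses and payload text are assumptions chosen for illustration.

```python
import struct
import ipaddress

def build_sample_gre_packet():
    """Construct (not captured) an IPv4/GRE packet as tunnel1 above would emit:
    outer 1.1.1.1 -> 2.2.2.2 (proto 47), inner 192.168.50.10 -> 192.168.60.10
    carrying an ICMP echo request. Checksums are left at 0 for brevity."""
    payload = b"hello from site A"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload       # type 8 = echo request
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                           ipaddress.IPv4Address("192.168.50.10").packed,
                           ipaddress.IPv4Address("192.168.60.10").packed) + icmp
    gre = struct.pack("!HH", 0, 0x0800) + inner_ip                # no flags, inner = IPv4
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0x0001, 0, 64, 47, 0,
                           ipaddress.IPv4Address("1.1.1.1").packed,
                           ipaddress.IPv4Address("2.2.2.2").packed) + gre
    return outer_ip

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of a minimal IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    proto = buf[9]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, proto, buf[ihl:]

def decapsulate_gre(packet):
    """Return what an on-path observer can read from a plain (non-IPsec) GRE packet."""
    src, dst, proto, rest = parse_ipv4(packet)
    if proto != 47:
        raise ValueError("not a GRE packet")
    flags_ver, proto_type = struct.unpack("!HH", rest[:4])
    hdr = 4
    if flags_ver & 0x8000:
        hdr += 4                                   # checksum/reserved field present
    if flags_ver & 0x2000:
        hdr += 4                                   # key field present
    if flags_ver & 0x1000:
        hdr += 4                                   # sequence number present
    if proto_type != 0x0800:
        raise ValueError("unexpected encapsulated protocol")
    isrc, idst, iproto, ipayload = parse_ipv4(rest[hdr:])
    return {"outer": (src, dst), "inner": (isrc, idst),
            "inner_proto": iproto, "payload": ipayload[8:]}   # skip the 8-byte ICMP header
```

Running decapsulate_gre(build_sample_gre_packet()) recovers both LAN addresses and the echo text in the clear, which is the exposure the IPsec step removes.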

I rather like this option, and we are trying it out now: http://mum.mikrotik.com/presentations/HR13/kirnak.pdf

What do you guys think of it?