Site-to-Site VPN (3 MikroTik routers)

Link to Reddit thread: https://www.reddit.com/r/mikrotik/comments/m8c31m/sitetosite_vpn_3_mikrotik_routers/

So an ISP wants me to set up a secure site-to-site VPN between A, B, C and ensure redundancy such that A can reach C if B is down and so on.

Their Diagram

Router A, B, C all have public IP of the same subnet/prefix

They want to set up site-to-site in order for the internal networks of A, B, C to be accessible by each and any of the sites. For example, those in A can access B, those in B can access C and C can access A etc.

So what would be the optimal solution for this? Which VPN protocol can ensure good performance along with redundancy? I’ve looked at MikroTik docs/guides/forums but most of them only talk about IPSec with two sites.

I would definitely need some implementation examples/help on this one.

If you use the typical IPSec one… You can add a 3rd site pretty easily.

You can also check this example http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1 that explains how to use IKE2 with 3 sites.

Not knowing the complex subject, I can only ask…

Would it make sense to use MT proprietary EoIP tunneling and create a common network, or is that functionality only useful in a two-site scenario?
https://help.mikrotik.com/docs/display/ROS/EoIP

Thread solved. IPIP tunnel + IPSec.

Hello, I am trying to make an IPIP tunnel behind a router. Which is the IPIP port to fw?
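
The "IPIP tunnel + IPSec" layout the thread settled on, sketched for router A as an added example (not from the thread or from MikroTik's documentation). All addresses, interface names and secrets are constructed placeholders; routers B and C mirror this configuration with their own addresses.

```routeros
# Router A (constructed addressing): public 203.0.113.1, LAN 192.168.10.0/24
# Peers: B = 203.0.113.2 (LAN 192.168.20.0/24), C = 203.0.113.3 (LAN 192.168.30.0/24)

# One IPIP tunnel per peer. ipsec-secret makes RouterOS create a dynamic IPsec
# peer and policy for the tunnel; it needs local-address set and fast path off.
/interface ipip
add name=ipip-a-b local-address=203.0.113.1 remote-address=203.0.113.2 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET-AB" allow-fast-path=no
add name=ipip-a-c local-address=203.0.113.1 remote-address=203.0.113.3 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET-AC" allow-fast-path=no

# /30 transfer networks inside the tunnels (B uses 10.255.12.2, C uses 10.255.13.2)
/ip address
add address=10.255.12.1/30 interface=ipip-a-b
add address=10.255.13.1/30 interface=ipip-a-c

# Primary route over the direct tunnel, backup via the third site.
# check-gateway=ping withdraws the primary when the tunnel peer stops answering.
/ip route
add dst-address=192.168.20.0/24 gateway=10.255.12.2 distance=1 check-gateway=ping
add dst-address=192.168.20.0/24 gateway=10.255.13.2 distance=2
add dst-address=192.168.30.0/24 gateway=10.255.13.2 distance=1 check-gateway=ping
add dst-address=192.168.30.0/24 gateway=10.255.12.2 distance=2

# Input filter: IKE and ESP only from the two peers, and IPIP (IP protocol 4)
# only when it arrived inside IPsec, so cleartext IPIP is dropped.
# Place these above the final drop rule of the input chain.
/ip firewall address-list
add list=vpn-peers address=203.0.113.2
add list=vpn-peers address=203.0.113.3
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address-list=vpn-peers
add chain=input action=accept protocol=ipsec-esp src-address-list=vpn-peers
add chain=input action=accept protocol=4 ipsec-policy=in,ipsec src-address-list=vpn-peers
add chain=input action=drop protocol=4 comment="IPIP without IPsec"
```

`/ip ipsec installed-sa print` should list security associations for both peers once the tunnels are up. `ipsec-secret` uses a pre-shared key with the default IPsec profile and proposal, so review those defaults before relying on them.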