site to site vpn

We have ADSL broadband connections with a static IP at both locations. We configured the ADSL modems in bridge mode.


site a:- head office

jan/02/1970 05:40:45 by RouterOS 6.15

software id = MUHY-Y8VG

# Head-office (HO) router export. Review notes are added as '#' comment lines only;
# every configuration line is unchanged from the original post.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=
ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
# NOTE(review): the default phase-2 proposal is limited to MD5 and 3DES, both
# legacy algorithms. Prefer a stronger hash and AES as supported by the RouterOS
# version in use, and keep the proposal identical on both routers.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
# NOTE(review): the DHCP pool and DHCP network below still use 192.168.88.0/24,
# while the address on ether2-master-local (see /ip address) is 192.168.1.254/24.
# Any LAN host addressed from this pool would fall outside the IPsec policy's
# src-address=192.168.1.0/24 and would not be tunnelled - confirm how the LAN
# hosts actually get their addresses and gateway.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=
default
# NOTE(review): the ISP account name is published here; the password value looks
# like a placeholder - if it is the real one, change it. allow= includes pap,
# which lets the password be sent in clear text if the access concentrator asks
# for PAP; restrict the list to what the ISP requires.
/interface pppoe-client
add ac-name=“” add-default-route=yes allow=pap,chap,mschap1,mschap2
default-route-distance=1 dial-on-demand=no disabled=no interface=
ether1-gateway keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=
disabled name=pppoe-out1 password=password profile=default service-name=
“” use-peer-dns=yes user=ysbankltd
/ip address
add address=192.168.1.254/24 comment=“default configuration” interface=
ether2-master-local network=192.168.1.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid interface=
ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from any interface. No /ip firewall filter section appears in this export, so
# as shown the resolver would also be reachable from the Internet side
# (pppoe-out1) - add an input-chain filter or disable remote requests.
# 4.4.4.4 is presumably a typo for 8.8.4.4 - confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 name=router
# NOTE(review): srcnat rules are evaluated top to bottom. The masquerade rule
# comes first, so LAN-to-LAN traffic is rewritten to the public address before
# it can match the IPsec policy (src-address=192.168.1.0/24). The second rule
# (no action given, i.e. accept) is the NAT exemption and has to sit above the
# masquerade rule. After reordering, connections already tracked keep their old
# NAT state until they are removed from the connection table or the router is
# rebooted.
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=pppoe-out1 to-addresses=0.0.0.0
add chain=srcnat dst-address=192.168.9.0/24 src-address=192.168.1.0/24
# NOTE(review): the pre-shared key is posted in clear text together with both
# public peer addresses; treat it as compromised and replace it on both routers
# with a long random value. Phase 1 also uses 3DES/MD5 - see the proposal note.
/ip ipsec peer
add address=117.218.20.89/32 dpd-interval=10s dpd-maximum-failures=2
enc-algorithm=3des hash-algorithm=md5 secret=Pixel@1345
# Tunnel-mode policy: 192.168.1.0/24 -> 192.168.9.0/24 between the two public
# addresses. It only applies to packets whose source is still 192.168.1.x.
/ip ipsec policy
add dst-address=192.168.9.0/24 sa-dst-address=117.218.20.89 sa-src-address=
117.218.156.13 src-address=192.168.1.0/24 tunnel=yes
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=117.218.156.1
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=HO
/system logging
add topics=ipsec

site b:- branch office

# Branch-office router export. Review notes are added as '#' comment lines only;
# every configuration line is unchanged from the original post.
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:2E:E8:29 name=
ether1-gateway
set [ find default-name=ether2 ] mac-address=4C:5E:0C:2E:E8:2A name=
ether2-master-local
set [ find default-name=ether3 ] mac-address=4C:5E:0C:2E:E8:2B master-port=
ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] mac-address=4C:5E:0C:2E:E8:2C master-port=
ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] mac-address=4C:5E:0C:2E:E8:2D master-port=
ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
# NOTE(review): the default phase-2 proposal is limited to MD5 and 3DES, both
# legacy algorithms. Prefer a stronger hash and AES as supported by the RouterOS
# version in use, and keep the proposal identical on both routers.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
# NOTE(review): the DHCP pool and DHCP network below still use 192.168.88.0/24,
# while the address on ether2-master-local (see /ip address) is 192.168.9.254/24.
# Any LAN host addressed from this pool would fall outside the IPsec policy's
# src-address=192.168.9.0/24 and would not be tunnelled - confirm how the LAN
# hosts actually get their addresses and gateway.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=
default
# NOTE(review): the ISP account name is published here; the password value looks
# like a placeholder - if it is the real one, change it. allow= includes pap,
# which lets the password be sent in clear text if the access concentrator asks
# for PAP; restrict the list to what the ISP requires.
/interface pppoe-client
add ac-name=“” add-default-route=yes allow=pap,chap,mschap1,mschap2
default-route-distance=1 dial-on-demand=no disabled=no interface=
ether1-gateway keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=
disabled name=pppoe-out1 password=password profile=default service-name=
“” use-peer-dns=yes user=ya2328243428
/ip address
add address=192.168.9.254/24 comment=“default configuration” interface=
ether2-master-local network=192.168.9.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid interface=
ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from any interface. No /ip firewall filter section appears in this export, so
# as shown the resolver would also be reachable from the Internet side
# (pppoe-out1) - add an input-chain filter or disable remote requests.
# 4.4.4.4 is presumably a typo for 8.8.4.4 - confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 name=router
# NOTE(review): srcnat rules are evaluated top to bottom. The masquerade rule
# comes first, so LAN-to-LAN traffic is rewritten to the public address before
# it can match the IPsec policy (src-address=192.168.9.0/24). The second rule
# (no action given, i.e. accept) is the NAT exemption and has to sit above the
# masquerade rule. After reordering, connections already tracked keep their old
# NAT state until they are removed from the connection table or the router is
# rebooted.
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=pppoe-out1 to-addresses=0.0.0.0
add chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.9.0/24
# NOTE(review): this peer address (117.218.20.89) is the same value the policy
# below uses as this router's own sa-src-address, whereas the policy's
# sa-dst-address is 117.218.156.13. The peer entry looks like it should point at
# the remote side - verify on the router, this may also be a paste error.
# The pre-shared key is posted in clear text; treat it as compromised and
# replace it on both routers. Phase 1 also uses 3DES/MD5 - see the proposal note.
/ip ipsec peer
add address=117.218.20.89/32 dpd-interval=10s dpd-maximum-failures=2
enc-algorithm=3des hash-algorithm=md5 secret=Pixel@1345
# Tunnel-mode policy: 192.168.9.0/24 -> 192.168.1.0/24 between the two public
# addresses. It only applies to packets whose source is still 192.168.9.x.
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=117.218.156.13 sa-src-address=
117.218.20.89 src-address=192.168.9.0/24 tunnel=yes
# NOTE(review): this disabled route's gateway (117.218.156.1) is in the same
# range as the head office's public address, not this site's - likely copied
# over from the HO config; harmless while disabled.
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=117.218.156.1
/ip upnp
set allow-disable-external-interface=no
/system identity
set name=Bajarbhogav
/system logging
add topics=ipsec


Both static IPs can be pinged from either side, but 192.168.1.x cannot be pinged from 192.168.9.x. Please help me.

I can see the connection under Installed SAs, but there is no ping from LAN to LAN. Please help.

Is it a new configuration? I want to know whether it suddenly stopped working or never worked.

Your NAT rules are in reverse sequence. You must move the exception rule for NAT above the generic masquerade rule!

I moved the NAT rule above, but the issue is still the same. Is it necessary to enable ARP on the eth2 port for the two LANs to talk to each other?