VPN IPsec With Subnet 192.168.1.0/20 And 192.168.2.0/24

Good evening everyone.
I need your advice.
I have two locations.
The first office is on the 192.168.1.0/24 network.
The second office is on the 192.168.2.0/24 network.
I have set up an IPsec VPN between the two offices and everything works.
The problem is that for site 1 I will have to extend the netmask, so it will be 192.168.1.0/20.

Unfortunately, with this netmask from site 2 I cannot access the PCs of site 1, it seems it is not possible to set the destination 192.168.1.0/20 on the Mikrotik.

I attach screenshots.

The address of the network that has a /20 mask and includes 192.168.1.x is 192.168.0.0/20. But it also includes 192.168.2.0/24, which you have on the other side, and that is likely to cause problems.

Thanks for your reply.
So what could I do to see the devices of 192.168.1.0/20 from my network class 192.168.2.0/24 and vice versa?

The clean solution is to avoid overlapping subnets. Your new /20 will span from 192.168.0.0 to 192.168.15.255. So either use that and renumber 192.168.2.0/24 to something else (like 192.168.20.0/24), or keep 192.168.2.0/24 and use 192.168.16.0/20 (192.168.16-31.*) instead of 192.168.0.0/20. You’ll be changing the config of the current 192.168.1.x devices anyway (because of the new mask), so it might not be too difficult. Or, if you don’t need to use the /20 as a whole and just more addresses in separate smaller subnets would be enough, you could add those as non-continuous ones, i.e. keep 192.168.1.0/24, skip 192.168.2.0/24, and add e.g. 192.168.3.0/24, 192.168.4.0/23, etc., or whatever would fit your needs (and then you’d add separate policies for those).

If you’re sure that renumbering is not an option on either side, it’s possible to keep the overlapping subnets and create virtual ones for the tunnel. So for the real 192.168.0.0/20 there could be a virtual 192.168.16.0/20, and for the real 192.168.2.0/24 it could be 192.168.32.0/24. The tunnel would be for 192.168.16.0/20 ↔ 192.168.32.0/24 and there would have to be NAT (netmap, both srcnat and dstnat) on both routers. Then if e.g. the real 192.168.2.100 would like to connect to the real 192.168.1.200, it would have to connect to 192.168.17.200, and the real 192.168.1.200 would then see the source as 192.168.32.100. So it would work, but you can imagine that it can bring some headaches too. Edit: Both virtual subnets could be /24, because only the actually overlapping part is the problem, but it doesn’t make it much better.
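The address arithmetic discussed in this thread can be checked before touching either router. The following Python sketch is an added example, not part of any post above; the function names `normalize`, `netmap` and `check_plan` are hypothetical, and it only models the 1:1 prefix swap that netmap performs, not RouterOS itself.

```python
import ipaddress as ip
from itertools import combinations

def normalize(cidr):
    """Return the real network for a prefix typed with host bits set."""
    return ip.ip_network(cidr, strict=False)

def netmap(addr, real, virtual):
    """Model a 1:1 netmap translation: keep the host bits, swap the prefix."""
    real, virtual = normalize(real), normalize(virtual)
    addr = ip.ip_address(addr)
    if real.prefixlen != virtual.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    return virtual.network_address + (int(addr) - int(real.network_address))

def check_plan(real1, real2, virt1, virt2):
    """Return a list of problems with a virtual-subnet plan (empty = usable)."""
    nets = {"site1 real": normalize(real1), "site2 real": normalize(real2),
            "site1 virtual": normalize(virt1), "site2 virtual": normalize(virt2)}
    problems = []
    for (na, a), (nb, b) in combinations(nets.items(), 2):
        if {na, nb} == {"site1 real", "site2 real"}:
            continue  # the known overlap that the virtual ranges work around
        if a.overlaps(b):
            problems.append(f"{na} {a} overlaps {nb} {b}")
    for side in ("site1", "site2"):
        r, v = nets[f"{side} real"], nets[f"{side} virtual"]
        if r.prefixlen != v.prefixlen:
            problems.append(f"{side}: {r} and {v} differ in prefix length")
    return problems

if __name__ == "__main__":
    site1 = normalize("192.168.1.0/20")          # what the router really sees
    site2 = normalize("192.168.2.0/24")
    print(site1, "ends at", site1.broadcast_address)
    print("overlaps site 2:", site1.overlaps(site2))
    # Values from the thread: virtual 192.168.16.0/20 and 192.168.32.0/24
    print(netmap("192.168.1.200", site1, "192.168.16.0/20"))
    print(netmap("192.168.2.100", site2, "192.168.32.0/24"))
    print(check_plan(site1, site2, "192.168.16.0/20", "192.168.32.0/24"))
```
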