hey,

I have a issue...
I watched few tutorials and maybe i know how to configure a ipsec vpn.
But... both sides have the same subnet ex. 172.16.1.0 /24

How can I resolved this issue ?

What do you mean they have the same local subnet?

What are the "WAN" IPs?

What is the IP for your Tunnel?

What are the IPs of all/any networks behind each router?

What is the actual problem you are experiencing?

for ex:

MT1
wan - 1.1.1.1
lan - 172.16.1.0 /24

MT2
wan - 2.2.2.2
lan 172.16.1.0 /24

Now how can I set site to site ipsec vpn tunel ? Lan adress can't be re-addressed.

for ex:

MT1
wan - 1.1.1.1
lan - 172.16.1.0 /24

MT2
wan - 2.2.2.2
lan 172.16.1.0 /24

Now how can I set site to site ipsec vpn tunel ? Lan adress can't be re-addressed.

LAN addresses can always be re-IPed. Anyone who says otherwise is simply lazy.

The only alternative is much more labor intensive on the setup and maintenance.

Of course it can. But in large organization this change is too big. too many to change: routing, acl, policies, etc.
So I asked for the other opportunities.

Of course it can. But in large organization this change is too big. too many to change: routing, acl, policies, etc.
So I asked for the other opportunities.

If it is a large organization then they would have paid attention to the IP addressing scheme from the beginning.


Solution:
Create 255 interfaces with manually assigned IPs in the 10.0.x.0/24 address space on each router

Create 255 src-nats for each device on the LAN giving it a 1-to-1 nat of a specific 10.0.x.x IP on each router

Create 255 dst-nats for each device pointing from the previously specified 10.0.x.x IP to a single host device on each router

Create a Tunnel between the routers 10.99.0.0/26 (example only)

Assign IP routes over the tunnel for each 10.0.x.0/24 address space.

Keep in mind that every time an IP address changes you will have to manually update both the src-nat and the dst-nat to ensure connectivity to the correct device remains on every router.

Good luck managing that...

I'm running an EOIP tunnel with IPsec between 2 routerboards on 192.168.100.0/24.
Site 1 LAN is 192.168.100.1, site 2 is 192.168.100.10.
I only have 10 devices so it's easy to keep track of addressing.

Site 1 is running dhcp, but most of my devices are static. Site 2 devices use the .10 router as their gateway.

Ping times between devices is under 100 ms for 2100 miles between routers.

hmm
this is a tut for cisco:
https://www.youtube.com/watch?v=ARTXlo2hFQ0

how can i do the same on mikrotik ? this resolved me problem.

On the road for a few days, will look at the video and let you know, maybe, I'm not an expert.

maybe proxy arp can help in that situation

Have not looked at the video, here are my rules with your IPs

site 1

/interface eoip> pr
Flags: X - disabled, R - running
0 R name="to site 2" mtu=auto actual-mtu=1424 l2mtu=65535
mac-address=(blanked) arp=enabled local-address=1.1.1.1
remote-address=2.2.2.2 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret="monkey" allow-fast-path=no


/interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 LAN port 2 bridge1 0x80 10 none
1 to site 2 bridge1 0x80 10 none

site 2

/interface eoip> pr
Flags: X - disabled, R - running
0 R name="to site 1" mtu=auto actual-mtu=1424 l2mtu=65535
mac-address=(blanked) arp=enabled local-address=2.2.2.2
remote-address=1.1.1.1 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret="monkey" allow-fast-path=no


/interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 LAN port 2 bridge1 0x80 10 none
1 to site 1 bridge1 0x80 10 none