phaseform
newbie
Topic Author
Posts: 26
Joined: Mon Nov 23, 2015 12:52 am

Site to Site IpSec Tunnel

Wed Jun 14, 2017 3:54 pm

I've followed the example given here; my understanding is that this will allow packets to flow between the two LANs. I believe I have done this correctly: under Remote Peers in the IPsec window in Winbox I have two entries showing my WAN IPs for the two sites. I'm not very familiar with IPsec at all, but basically I want to be able to connect to the remote LAN subnet from each side... not really sure how to go about this?!
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Site to Site IpSec Tunnel

Wed Jun 14, 2017 11:11 pm

Policies and encryption options must match. At least one side must be an initiator.

Don't forget firewall rules! For filter rules, add a rule in the INPUT chain allowing UDP 500 (for IKEv2). Add another rule to allow ESP.

On both sides, you need to use Tunnel mode. Do not use NAT-T if both sides are not behind a NAT device. If either side is behind a NAT, then use NAT-T and allow UDP 4500 in Filter/INPUT chain (and not the aforementioned firewall rules).

Or post your config, errors and log entries relating to IPSec.
 
phaseform
newbie
Topic Author
Posts: 26
Joined: Mon Nov 23, 2015 12:52 am

Re: Site to Site IpSec Tunnel

Thu Jun 15, 2017 8:36 am

Thanks for your reply. In the example from the manual they put a prerouting rule in the RAW firewall:
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
Hopefully I have the LANs around the correct way (src is local, dst is remote)?

I have added the rules you mentioned before my drop rule for my WAN VLAN interface in filter rules.

I have gone through and checked my settings several times (although I still may have missed something). It appears both sites are initiators.
Both sites are set up as in the example, where they have a WAN address on the router, so I don't want to do NAT?

Also not sure about static routes, since the remote LANs are going through IPsec, which doesn't have an interface for it?

Oddly I can ping from one router (hAP Lite) to the remote LAN (RB750), but not from the remote router..?

I can post any logs that may help
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IpSec Tunnel

Thu Jun 15, 2017 11:55 am

My advice: forget about direct IPsec tunnels and use this: https://wiki.mikrotik.com/wiki/Manual:Interface/Gre
(note you can set the ipsec-secret and have IPsec below the GRE tunnel so it still is secure)

Much simpler and easier to understand, no tricks with NAT required, easily extendible to more than 2 offices.
 
phaseform
newbie
Topic Author
Posts: 26
Joined: Mon Nov 23, 2015 12:52 am

Re: Site to Site IpSec Tunnel

Thu Jun 15, 2017 3:58 pm

I really just want reasonably secure routing between two subnets over a semi-private wireless WAN; GRE would be recommended? Was thinking I'd do a road warrior setup separately.
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Site to Site IpSec Tunnel

Sun Jun 18, 2017 8:34 am

@pe1chl - Any idea if GRE is less or more processor intensive than EoIP?
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IpSec Tunnel

Sun Jun 18, 2017 11:51 am

GRE is a better solution than EoIP.
IPIP can be used as well (less overhead but a little less widely used and not IPv6-capable)
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Site to Site IpSec Tunnel

Sun Jun 18, 2017 5:32 pm

Does GRE have any security advantages over IPIP?
I had EOIP working for almost a year and then it quit after an upgrade, gave up trying to fix it.
Greg Sowell has an IPIP example using IPsec so I'm going to try that next.

The manual says IPIP can be used with IPv6.
"IP/IPv6 over IPv6 tunnel functionality is added in v5RC6 and is configurable from menu: /interface ipipv6 IPv6 version uses the same properties as IPv4 version."

I'm not using 6 so it doesn't matter to me.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Sun Jun 18, 2017 7:48 pm

So you guys hit a favorite topic of mine! Tunnels! I swear I'm part miner or something ;)

GRE and IPIP are both standardized tunneling mechanisms. EoIP is a GRE tunnel with Ethernet encapsulated in addition to the IP layer. When you look at all of these it's really about MTU size. IPIP will offer the largest MTU size, GRE the second largest and EoIP the smallest MTU size of the 3. GRE is basically IPIP with an additional header of its own that can vary from 4 to 16 bytes. It includes values like version, protocol, checksum, key and sequence number. IPIP can only encapsulate IP (v4/v6) while GRE can in theory encapsulate any protocol with a valid EtherType.

I prefer GRE myself, likely because I come from a Cisco background and that's what you learn to use almost always, although IOS supports IPIP, IPv6IPv4 and IPv6IPv6 as well.

When I build a site-to-site VPN my go-to option is IPv6 IPSec in transport mode with GRE underneath. I can dual-stack the GRE with RFC1918 IPv4 and global unicast IPv6. This allows me to transmit unicast and multicast information between sites, unlike the policy-based VPNs or L2TP/IPSec. If I don't have global unicast IPv6 on both sides and one side has private IPv4, I'm likely to build an IPSec tunnel mode connection and still layer GRE underneath it to allow clean multicast support.
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Site to Site IpSec Tunnel

Sun Jun 18, 2017 10:11 pm

For my simple setup of a home office to home office, does the MTU advantage of IPIP over GRE make much difference?
My understanding is that a larger MTU gives more bandwidth due to a greater % of data passing by not needing so much overhead, due to fewer packets being required.

I just noticed that Greg's example has 2 different network addresses, I'm using 192.168.100.0/24 on both ends so I don't think I can make his work.

What do you suggest for static IPv4 sites?
thanks
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Sun Jun 18, 2017 10:54 pm

[quote]For my simple setup of a home office to home office, does the MTU advantage of IPIP over GRE make much difference?
My understanding is that a larger MTU gives more bandwidth due to a greater % of data passing by not needing so much overhead, due to fewer packets being required.

I just noticed that Greg's example has 2 different network addresses, I'm using 192.168.100.0/24 on both ends so I don't think I can make his work.

What do you suggest for static IPv4 sites?
thanks[/quote]
It's possible to set up a site-to-site VPN between 2 locations with the same IP addressing, 192.168.100.0/24 in your case. That said, configuration complexity jumps a notch. There is a technique called double NAT that can solve your issue. Essentially what you do is either masquerade everything from each site to a single IP, like the IP of the tunnel on each side, or you declare a network for each side that isn't in use on either side and NAT to that network.

You can use either IPIP or GRE, whatever floats your boat. Like I said, I fall back to GRE myself because it's just what I'm familiar with. As far as the MTU difference, it won't be a lot and, to be honest, with either you're not going to notice a change in performance with today's hardware. In theory the bigger the packet the more performance you get when the frames differ in size by the change in MTU. Between hardware and the math of the # of packets needed to be sent with a difference of a few bytes of MTU from the GRE header, you're likely not going to ever notice a difference. It's far more pronounced when you look at something like normal 1500 Ethernet and jumbo frames (9k MTU) on, say, a storage network for an ESXi environment. There the 6 times larger MTU can provide a reliable performance improvement.

It's far more detrimental to break ICMPv6 (in IPv6) or incorrectly set MTU than the actual MTU size of the frames at a difference of a few bytes to be honest.
[attachment: MikroTik-Forums_DoubleNAT-Site-to-Site-VPN_1.png]
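As an added illustration of the second double-NAT option described in the post above (a separate, unused "mapped" network per site, translated 1:1 on the way into and out of the tunnel), here is a small simulation. It is not code from this thread or from RouterOS; the site names, the 192.168.100.0/24 LANs and the 10.100.1.0/24 and 10.100.2.0/24 mapped networks are constructed. On RouterOS the 1:1 translation is the netmap NAT action; the code below only models the address arithmetic, and it refuses a plan whose mapped networks collide with either real LAN or with each other.

```python
"""Double NAT for a site-to-site VPN whose two LANs use the same prefix.

Added example, not code from the thread or from RouterOS. Each site gets an
unused "mapped" network; hosts on the far side are addressed through that
mapped network, and each router translates 1:1 between real and mapped
addresses. All addresses are constructed for the example.
"""
import ipaddress


def translate(addr, from_net, to_net):
    """1:1 (netmap-style) translation: keep the host part, swap the network part."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        return addr                              # outside the mapped range: untouched
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


class Site:
    def __init__(self, name, lan, mapped):
        self.name = name
        self.lan = ipaddress.ip_network(lan)         # real LAN (may clash with the other site)
        self.mapped = ipaddress.ip_network(mapped)   # how the other site sees this LAN
        if self.lan.prefixlen != self.mapped.prefixlen:
            raise ValueError("mapped network must be the same size as the LAN")

    def egress(self, src, dst):
        """srcnat netmap before the tunnel: real source -> mapped source."""
        return translate(src, self.lan, self.mapped), dst

    def ingress(self, src, dst):
        """dstnat netmap after the tunnel: mapped destination -> real destination."""
        return src, translate(dst, self.mapped, self.lan)


def check_plan(site_a, site_b):
    """Mapped networks must not overlap either real LAN, nor each other."""
    for mapped in (site_a.mapped, site_b.mapped):
        for real in (site_a.lan, site_b.lan):
            if mapped.overlaps(real):
                raise ValueError(f"{mapped} overlaps real LAN {real}")
    if site_a.mapped.overlaps(site_b.mapped):
        raise ValueError("the two mapped networks overlap each other")
    return True


def round_trip(site_a, site_b, src_host, dst_mapped_host):
    """Trace a request from a host at A to a host at B (addressed via B's mapped
    network) and the reply back; returns the four (src, dst) pairs as strings."""
    check_plan(site_a, site_b)
    req_out = site_a.egress(src_host, dst_mapped_host)   # leaves A into the tunnel
    req_in = site_b.ingress(*req_out)                    # delivered on B's real LAN
    rep_out = site_b.egress(req_in[1], req_in[0])        # B's host answers
    rep_in = site_a.ingress(*rep_out)                    # delivered on A's real LAN
    return [(str(s), str(d)) for s, d in (req_out, req_in, rep_out, rep_in)]


if __name__ == "__main__":
    a = Site("A", "192.168.100.0/24", "10.100.1.0/24")
    b = Site("B", "192.168.100.0/24", "10.100.2.0/24")
    for hop in round_trip(a, b, "192.168.100.10", "10.100.2.20"):
        print(hop)
```

The trace shows why both routers need rules: each host only ever sees the far side through the mapped prefix, and a reply addressed to 10.100.1.10 is only delivered because site A translates it back. Renumbering one LAN removes all of this.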
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Site to Site IpSec Tunnel

Mon Jun 19, 2017 6:44 am

Diving into this project now, thanks for the info, if you do that with an "idle mind" I can't imagine what happens when you drop the clutch at 4,000 rpm.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Mon Jun 19, 2017 6:53 am

lol, no worries. i'm usually more idle :)

good luck!
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IpSec Tunnel

Mon Jun 19, 2017 10:11 am

[quote]For my simple setup of a home office to home office, does the MTU advantage of IPIP over GRE make much difference?
My understanding is that a larger MTU gives more bandwidth due to a greater % of data passing by not needing so much overhead, due to fewer packets being required.[/quote]
The MTU is not an issue when it is properly adjusted, but when this is not done each packet has to be split into two fragments by the router, and this makes a considerable difference in performance.
[quote]I just noticed that Greg's example has 2 different network addresses, I'm using 192.168.100.0/24 on both ends so I don't think I can make his work.[/quote]
That is a *really bad* idea! Renumber one of the networks.
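The header sizes idlemind gives earlier (GRE 4 to 16 bytes, EoIP as GRE plus a 14-byte Ethernet header, IPIP as a bare second IP header) and pe1chl's point about fragmentation when the MTU is not adjusted can be put into numbers. The model below is an added example, not code from the thread or from RouterOS; it uses standard IPv4/UDP/ESP header sizes, and for ESP it assumes AES-CBC (16-byte IV and block) with a 12-byte ICV, which is one common combination and can be changed through the parameters. It computes the on-wire size of one inner packet for plain policy-based IPsec, for IPIP/GRE/EoIP alone, and for GRE inside IPsec transport or tunnel mode, and from that the largest inner packet that crosses a 1500-byte path without being split.

```python
"""Per-packet overhead of the tunnel types discussed in the thread.

Added example, not code from the thread or from RouterOS. GRE and EoIP
figures follow the thread; ESP figures assume AES-CBC with a 12-byte ICV
(HMAC-SHA1-96), adjustable via iv_len/block/icv_len.
"""

IPV4_HDR = 20
UDP_HDR = 8            # present only with NAT-T (ESP carried in UDP 4500)
ETH_HDR = 14           # EoIP carries a whole Ethernet header inside GRE
GRE_BASE = 4           # flags/version + protocol type
GRE_OPTION = 4         # checksum (+reserved), key and sequence each add 4 bytes
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header


def encap_header(kind, gre_options=()):
    """Bytes the tunnel protocol adds between the outer IP header and the payload."""
    if kind == "ipip":
        return 0                                   # IPIP is just a second IP header
    gre = GRE_BASE + GRE_OPTION * len(set(gre_options) & {"checksum", "key", "sequence"})
    if kind == "gre":
        return gre
    if kind == "eoip":
        return gre + ETH_HDR
    raise ValueError(f"unknown tunnel kind {kind!r}")


def tunnel_overhead(kind, gre_options=()):
    """Total bytes a tunnel adds without IPsec (outer IPv4 header included)."""
    return IPV4_HDR + encap_header(kind, gre_options)


def esp_len(payload_len, iv_len=16, block=16, icv_len=12):
    """Size of an ESP packet (excluding its IP header) carrying payload_len bytes."""
    pad = (-(payload_len + ESP_TRAILER)) % block   # pad so payload+trailer fills blocks
    return ESP_HDR + iv_len + payload_len + pad + ESP_TRAILER + icv_len


def on_wire_size(inner_len, kind=None, ipsec_mode=None, nat_t=False, gre_options=(), **esp):
    """Bytes the carrier network sees for one inner IPv4 packet of inner_len bytes.

    kind:       None (policy-based IPsec, no tunnel interface), "ipip", "gre", "eoip"
    ipsec_mode: None, "transport" (ESP protects the tunnel payload; the tunnel's
                own IP header stays in clear) or "tunnel" (new outer IP header)
    """
    encap = 0 if kind is None else encap_header(kind, gre_options)
    udp = UDP_HDR if nat_t else 0
    if ipsec_mode is None:
        return inner_len if kind is None else IPV4_HDR + encap + inner_len
    if ipsec_mode == "transport":
        protected = inner_len - IPV4_HDR if kind is None else encap + inner_len
        return IPV4_HDR + udp + esp_len(protected, **esp)
    if ipsec_mode == "tunnel":
        protected = inner_len if kind is None else IPV4_HDR + encap + inner_len
        return IPV4_HDR + udp + esp_len(protected, **esp)
    raise ValueError(f"unknown ipsec mode {ipsec_mode!r}")


def max_inner_packet(path_mtu, **kw):
    """Largest inner packet that crosses a path_mtu-byte path without fragmentation."""
    for inner in range(path_mtu, IPV4_HDR - 1, -1):
        if on_wire_size(inner, **kw) <= path_mtu:
            return inner
    raise ValueError("nothing fits")


def needs_fragmentation(inner_len, path_mtu, **kw):
    """True if the router would have to split this inner packet (pe1chl's case)."""
    return on_wire_size(inner_len, **kw) > path_mtu


if __name__ == "__main__":
    cases = [("ipip", dict(kind="ipip")), ("gre", dict(kind="gre")),
             ("eoip", dict(kind="eoip")),
             ("gre in ESP transport", dict(kind="gre", ipsec_mode="transport")),
             ("policy IPsec, tunnel mode", dict(ipsec_mode="tunnel")),
             ("policy IPsec, tunnel + NAT-T", dict(ipsec_mode="tunnel", nat_t=True))]
    for label, kw in cases:
        print(f"{label:32s} max inner packet on a 1500 path: {max_inner_packet(1500, **kw)}")
```

The GRE-only figure of 1476 is the familiar one; the interesting rows are the IPsec ones, where ESP padding makes the usable size step down in 16-byte increments, so the tunnel interface MTU has to be set from the worst case rather than from the average overhead.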
 
phaseform
newbie
Topic Author
Posts: 26
Joined: Mon Nov 23, 2015 12:52 am

Re: Site to Site IpSec Tunnel

Tue Jun 20, 2017 4:38 am

I was able to get an IPsec tunnel of some sort working (I can access SMB shares on the remote LAN :D ), similar to the example in the first post, although it feels very duct-taped together. It is working for the current purpose, although I may wipe it and try for something different at some stage. This will be GRE or IPIP I guess, since my understanding from these posts is that they are similar, and both support multicast unlike L2TP/IPSec.

Outside the IPsec config, I added these rules:
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN" disabled=no dst-address=\
REMOTE-LAN-NETWORK/24 src-address=LOCAL-LAN-NETWORK/24
/ip firewall filter
add action=accept chain=input comment=IPSec-ESP disabled=no dst-port=500 \
protocol=udp src-port=500
add action=accept chain=input comment=IPSec-ESP disabled=no protocol=\
ipsec-esp
add action=accept chain=output comment=IPSec-ESP disabled=no protocol=\
ipsec-esp
/ip firewall raw
add action=notrack chain=prerouting src-address=LOCAL-LAN/24 dst-address=REMOTE-LAN/24

I also added a route to the remote LAN with the local bridge interface as the gateway (possibly redundant). I got really confused looking at this packet flow example.
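Van9018's checklist above (allow UDP 500 and ESP in the input chain, plus UDP 4500 when NAT-T is in use, and place them before the drop rule) and the export phaseform posted can be checked mechanically. The script below is an added example, not code from the thread or from RouterOS: it parses the `/export` text format, including the backslash line continuations seen in the post, and reports for each required allow whether it is present and reachable, present but shadowed by an earlier drop, or missing. The sample export embedded in it is constructed for the demonstration and deliberately puts the UDP 4500 rule after the drop. It treats any drop in the chain as the end of the reachable region, which is a conservative simplification.

```python
"""Check a RouterOS firewall export for the IPsec allow rules described in the thread.

Added example, not RouterOS code or code from any poster. Assumptions:
  * the input is the text of an export of /ip firewall filter, with the
    backslash line continuations RouterOS prints
  * rules match top to bottom, so an allow rule only helps if it comes
    before the first drop rule in the same chain (any drop in the chain is
    treated as the end of the reachable region; a conservative approximation)
"""
import shlex

# constructed sample, modelled on the export posted above (not a real config)
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="established" connection-state=\
    established,related
add action=accept chain=input comment=IPSec-IKE dst-port=500 protocol=udp
add action=accept chain=input comment=IPSec-ESP protocol=ipsec-esp
add action=drop chain=input comment="drop from WAN" in-interface=vlan-wan
add action=accept chain=input comment=IPSec-NAT-T dst-port=4500 protocol=udp
"""


def parse_export(text):
    """Turn export text into a list of dicts, one per `add` line, tagged with its menu path."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                   # statement continues on the next line
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    rules, section = [], None
    for line in logical:
        if line.startswith("/"):
            section = line                        # e.g. "/ip firewall filter"
            continue
        parts = shlex.split(line)                 # shlex keeps comment="with spaces" together
        if not parts or parts[0] != "add":
            continue
        rule = {"section": section}
        for item in parts[1:]:
            key, _, value = item.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _allows(rule, protocol, port=None):
    """True if this is an accept rule for the protocol (and destination port, if given)."""
    if rule.get("action") != "accept" or rule.get("protocol") != protocol:
        return False
    return port is None or str(port) in rule.get("dst-port", "").split(",")


def check_ipsec_input_rules(rules, nat_t=False):
    """Return {requirement: "ok" | "shadowed" | "missing"} for chain=input.

    "shadowed" means the allow rule exists but sits after a drop rule, so it
    never matches; that is the ordering mistake the thread warns about.
    """
    chain = [r for r in rules
             if r["section"] == "/ip firewall filter" and r.get("chain") == "input"]
    drops = [i for i, r in enumerate(chain) if r.get("action") == "drop"]
    first_drop = drops[0] if drops else len(chain)
    needed = {"ike-udp-500": ("udp", 500), "esp": ("ipsec-esp", None)}
    if nat_t:
        needed["nat-t-udp-4500"] = ("udp", 4500)
    report = {}
    for name, (proto, port) in needed.items():
        hits = [i for i, r in enumerate(chain) if _allows(r, proto, port)]
        if not hits:
            report[name] = "missing"
        elif min(hits) < first_drop:
            report[name] = "ok"
        else:
            report[name] = "shadowed"
    return report


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(check_ipsec_input_rules(parsed, nat_t=True))
```

Run against a real export the same way: paste the `/ip firewall filter` section in place of the sample and pass `nat_t=True` only when one side sits behind NAT, matching the advice above that UDP 4500 is needed in that case.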
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Tue Jun 20, 2017 5:18 am

It looks like you renumbered one side, is that correct? If so you can get by without a bunch of the NAT and firewall statements. Outside of that, kudos for getting it working.
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: Site to Site IpSec Tunnel

Tue Jun 20, 2017 8:44 pm

[quote]That is a *really bad* idea! Renumber one of the networks.[/quote]

but it worked for almost a year.

Yesterday was my anniversary so I paid more attention to my wife than my routers, it's better for my mental and physical health that way.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Tue Jun 20, 2017 9:03 pm

Smart play, wife > routers. Moving on to the renumbering: if the networks aren't connected and are separated by NAT of global unicast (public) addressing, you'd never know the difference. If you want to do the site-to-site VPN, either one side needs to be renumbered or we get to play with lots of NAT.

My earlier post was just asking for clarification, based on your post it looks like you renumbered one of them.
 
phaseform
newbie
Topic Author
Posts: 26
Joined: Mon Nov 23, 2015 12:52 am

Re: Site to Site IpSec Tunnel

Thu Jul 13, 2017 8:45 am

[quote]My advice: forget about direct IPsec tunnels and use this: https://wiki.mikrotik.com/wiki/Manual:Interface/Gre
(note you can set the ipsec-secret and have IPsec below the GRE tunnel so it still is secure)

Much simpler and easier to understand, no tricks with NAT required, easily extendible to more than 2 offices.[/quote]
This is the advice to follow, it seems, definitely. I'll be implementing one now, although I'm not sure about GRE vs EoIP. I'd just go with EoIP I guess, since I don't plan to use non-MikroTik gear.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site IpSec Tunnel

Thu Jul 13, 2017 12:02 pm

EoIP is best used only as a stopgap measure until a better network design has been made, or during migrations (moving servers to another site one by one, for example).
It is all too common to be confronted with security and performance problems.
When you want to connect two networks it is better to use routing.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Thu Jul 13, 2017 4:03 pm

Yup, always use IPIP or GRE over EoIP unless you need to stretch a layer 2 broadcast domain.

EoIP is GRE with a 14-byte Ethernet header encapsulated inside. I have a post I can link with screenshots showing this.
 
Trackboy
Member Candidate
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Site to Site IpSec Tunnel

Tue Jan 02, 2018 3:38 pm

Hello everybody! I have 2 LAN networks; the IPsec and GRE tunnel is working fine.
But there is a problem. There is a laptop in the other LAN and I cannot access it, but I can ping it.
I can access the other side from this laptop, by the way. So I can access my 951G, and behind it my PC, SSH, FTP... and so on.
The firewall rules are the same on both sides. I am trying to figure out what the problem could be, but I am lost.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site IpSec Tunnel

Tue Jan 09, 2018 9:04 pm

[quote]Hello everybody! I have 2 LAN networks; the IPsec and GRE tunnel is working fine.
But there is a problem. There is a laptop in the other LAN and I cannot access it, but I can ping it.
I can access the other side from this laptop, by the way. So I can access my 951G, and behind it my PC, SSH, FTP... and so on.
The firewall rules are the same on both sides. I am trying to figure out what the problem could be, but I am lost.[/quote]
Post a drawing and the relevant configurations. It's also likely a local firewall on the laptop is blocking anything other than ICMP.
 
Trackboy
Member Candidate
Posts: 215
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Site to Site IpSec Tunnel

Thu Jan 11, 2018 12:50 pm

Hello. One of my sites has a dynamic public IP with a PPPoE connection. I found the script for this problem and it worked very well when my IP changed.
But the problem is the same. I have another PPPoE connection, but with a fixed public IP address. I set up the IPSec connection in the same way as with the dynamic one.
It works like a charm, I can reach anything from any site. I will give it a try again with the dynamic one; maybe I misconfigured something.
