terminal205
Frequent Visitor
Topic Author
Posts: 76
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Site to Site Tunnels

Thu Jan 02, 2020 4:24 pm

I have two MT devices that I have deployed and am attempting to get site to site connectivity via VPN tunnel.

I see that I have established a tunnel between the devices, but I cannot ping the LAN side of either MT.

The basic config overview for each device is like this :
Site A
WAN : 1.1.1.1
LAN Bridge : 172.16.52.1/24, 192.168.168.52/24
No DHCP (handled by another device)

EoIP Tunnel (w IPSec):
Local IP : 1.1.1.1
Remote IP : 2.2.2.2

Site B
WAN : 2.2.2.2
LAN Bridge : 172.16.51.1/24; 192.168.168.51/24
DHCP : 172.16.51.10-.20
DNS : 172.16.51.1, 192.168.168.51, 8.8.8.8

EoIP Tunnel (w IPSec)
Local IP : 2.2.2.2
Remote IP : 1.1.1.1

Both sites share the same network space 192.168.168.0/24 (edit: corrected 3rd octet); Site B has all devices statically assigned (not my decision). I am attempting to make it so it appears to be a flat network, joined by the EoIP tunnel. Is this setup feasible? I've obviously missed a step somewhere.
Last edited by terminal205 on Fri Jan 03, 2020 11:14 am, edited 1 time in total.
- Self-proclaimed Google Guru
 
Sob
Forum Guru
Posts: 5031
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site Tunnels

Thu Jan 02, 2020 6:59 pm

You can bridge two networks with EoIP, but those two DHCP servers won't like it very much; it will be like having two DHCP servers in the same network. Well, not like it, for real. What's your plan with that?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
terminal205
Frequent Visitor
Topic Author
Posts: 76
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: Site to Site Tunnels

Thu Jan 02, 2020 7:20 pm

Ultimately I'm hoping to migrate the two networks away from this flat-network scheme so each will be on its own subnet, connected via a Layer 3 VPN tunnel instead of the Layer 2 style EoIP tunnel.
I can disable the DHCP server on site B and add a DNS relay to point back to the DHCP server at Site A; however I still have to be able to pass traffic first..
 
Sob
Forum Guru
Posts: 5031
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site Tunnels

Thu Jan 02, 2020 7:35 pm

And what exactly did you do so far? Because the first post didn't make it very clear: you write about one common subnet (192.168.138.0/24), but then list three completely different subnets (172.16.52.0/24, 172.16.51.0/24, 192.168.168.0/24).
 
terminal205
Frequent Visitor
Topic Author
Posts: 76
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: Site to Site Tunnels

Fri Jan 03, 2020 11:13 am

And what exactly did you do so far? Because the first post didn't make it very clear: you write about one common subnet (192.168.138.0/24), but then list three completely different subnets (172.16.52.0/24, 172.16.51.0/24, 192.168.168.0/24).
My mistake. The 192.168.138.0/24 is a typo. Both networks are 192.168.168.0/24

I have corrected this in my post.
 
Sob
Forum Guru
Posts: 5031
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site Tunnels

Fri Jan 03, 2020 11:02 pm

And the other two?

Anyway, if you want one common L2 subnet, you create EoIP tunnel between routers and bridge local ends (EoIP interfaces) with LAN interfaces on both routers, that's it.
 
algisr
newbie
Posts: 27
Joined: Sat Apr 28, 2018 11:30 am

Re: Site to Site Tunnels

Fri Jan 03, 2020 11:24 pm

Did you follow the example and add the EoIP interface to the bridge with the LAN interface? https://wiki.mikrotik.com/wiki/Manual:Interface/EoIP
Anyways...
L2 – EoIP.
L3 – variety of other VPN solutions: IPsec, L2TP, PPTP, SSTP, OVPN.

If you want L3, create either pure IPsec (needs some knowledge) or use one MikroTik as VPN server (using any integrated server) and the other as VPN client. Connect the client to the server. Then add static routes on each MikroTik so that the remote subnet is reachable via the VPN remote IP address. I think a basic example can be found here (just avoid using PPTP, it's not secure): https://systemzone.net/mikrotik-vpn-con ... site-pptp/
 
pankajchauhan399
just joined
Posts: 3
Joined: Wed Aug 03, 2016 9:30 am

Re: Site to Site Tunnels

Mon Jan 13, 2020 3:34 pm

Dear Friends,
I need help connecting my VPN users to the local network of Site 2.
This time, as I have shared an image of the network, I am able to connect from Site 1 to Site 2 locally by site-to-site VPN via the internet.
My VPN users can also access the Site 1 local network, but they cannot access the Site 2 local network. Please help me to connect VPN users to the Site 2 local network.

my email id: pankajchauhan399@gmail.com
 
terminal205
Frequent Visitor
Topic Author
Posts: 76
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: Site to Site Tunnels

Mon Jan 13, 2020 3:55 pm

Did you follow the example and add the EoIP interface to the bridge with the LAN interface? https://wiki.mikrotik.com/wiki/Manual:Interface/EoIP
Anyways...
L2 – EoIP.
L3 – variety of other VPN solutions: IPsec, L2TP, PPTP, SSTP, OVPN.

If you want L3, create either pure IPsec (needs some knowledge) or use one MikroTik as VPN server (using any integrated server) and the other as VPN client. Connect the client to the server. Then add static routes on each MikroTik so that the remote subnet is reachable via the VPN remote IP address. I think a basic example can be found here (just avoid using PPTP, it's not secure): https://systemzone.net/mikrotik-vpn-con ... site-pptp/
I did try setting up the EoIP. I was able to get the two MT to connect to each other, but I was unable to get traffic to pass between the two LANs.
 
terminal205
Frequent Visitor
Topic Author
Posts: 76
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: Site to Site Tunnels

Mon Jan 13, 2020 8:33 pm

I don't know what I'm doing wrong.
I follow the steps exactly. But I cannot pass packets past the MikroTik devices at each site. I can see the tunnels established. The logging shows the tunnels established, keepalives are sent and acknowledged, but I can't ping the other device's local bridge.
 
Sob
Forum Guru
Posts: 5031
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site Tunnels

Wed Jan 15, 2020 9:57 pm

We don't know either, and so far you're the only one who can see your configs.
 
terminal205
Frequent Visitor
Topic Author
Posts: 76
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: Site to Site Tunnels

Fri Jan 24, 2020 3:45 pm

So I think I've made some progress.

Not quite the same approach, but it seems to be accomplishing the same thing...
I enabled PPTP Server and created a PPTP Client on both Mikrotiks.

They have connected. Progress!
I can PING... one way... but not the other way... :(

Router 1
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no src-address-list="Mode List"
add address=192.168.168.51 address-prefix-length=24 name=cfg1 split-include=192.168.168.0/24 system-dns=yes
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-128 hash-algorithm=sha1 \
    lifetime=8h name=default nat-traversal=yes proposal-check=strict
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-128 hash-algorithm=sha1 lifetime=8h name=profile1 \
    nat-traversal=yes proposal-check=strict
/ip ipsec peer
add address=75.19.28.173/32 disabled=no exchange-mode=aggressive local-address=104.11.154.141 name=tunnel passive=yes \
    profile=default send-initial-contact=yes
add address=75.19.28.173/32 disabled=no exchange-mode=main local-address=104.11.154.141 name=tunnel2 passive=yes \
    profile=profile1 send-initial-contact=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc lifetime=1h name=default \
    pfs-group=modp1024
/ip ipsec identity
add auth-method=pre-shared-key disabled=no generate-policy=port-strict peer=tunnel
add auth-method=pre-shared-key disabled=no generate-policy=port-override mode-config=cfg1 my-id=address:104.11.154.141 \
    peer=tunnel2
/ip ipsec policy
set 0 disabled=no dst-address=75.19.28.173/32 group=default proposal=default protocol=all src-address=\
    104.11.154.141/32 template=yes
add action=encrypt disabled=yes dst-address=192.168.168.52/32 dst-port=any ipsec-protocols=esp level=require peer=\
    tunnel proposal=default protocol=all sa-dst-address=75.19.28.173 sa-src-address=104.11.154.141 src-address=\
    192.168.168.51/32 src-port=any tunnel=yes
add action=encrypt disabled=yes dst-address=172.16.52.0/24 dst-port=4500 ipsec-protocols=esp level=require proposal=\
    default protocol=all sa-dst-address=:: sa-src-address=:: src-address=172.16.51.0/24 src-port=4500 tunnel=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no

Interfaces : 
11 DRS name="<pptp-brookriver>" type="pptp-in" mtu=1450 actual-mtu=1450 last-link-up-time=jan/24/2020 04:53:12 
       link-downs=0
13  RS name="pptp-outbound-tunnel1" type="pptp-out" mtu=1450 actual-mtu=1450 last-link-down-time=jan/24/2020 04:50:43 
       last-link-up-time=jan/24/2020 04:50:43 link-downs=3734 



PPP Setup
/ppp profile
set *0 address-list="" bridge=local !bridge-horizon bridge-path-cost=10 !bridge-port-priority change-tcp-mss=no \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=192.168.168.51 name=\
    default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
    remote-address=192.168.168.52 !session-timeout use-compression=default use-encryption=required use-mpls=default \
    use-upnp=default !wins-server
set *FFFFFFFE address-list="" bridge=local !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=no \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=192.168.168.51 name=\
    default-encryption on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
    remote-address=192.168.168.52 !session-timeout use-compression=default use-encryption=yes use-mpls=default \
    use-upnp=default !wins-server
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.168.51 name=brookriver profile=\
    default remote-address=192.168.168.52 routes="" service=pptp
Router 2

/ip ipsec mode-config
set [ find default=yes ] src-address-list="Mode List"
add address=192.168.168.51 name=cfg1 split-include=192.168.168.0/24
/ip ipsec peer
add address=75.19.28.173/32 exchange-mode=aggressive local-address=104.11.154.141 name=tunnel passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-128 lifetime=8h proposal-check=\
    strict
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-128 lifetime=8h name=profile1 proposal-check=strict
/ip ipsec peer
add address=75.19.28.173/32 local-address=104.11.154.141 name=tunnel2 passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h
/ip ipsec identity
add generate-policy=port-strict peer=tunnel
add generate-policy=port-override mode-config=cfg1 my-id=address:104.11.154.141 peer=tunnel2
/ip ipsec policy
set 0 dst-address=75.19.28.173/32 src-address=104.11.154.141/32
add disabled=yes dst-address=192.168.168.52/32 peer=tunnel sa-dst-address=75.19.28.173 sa-src-address=104.11.154.141 \
    src-address=192.168.168.51/32 tunnel=yes
add disabled=yes dst-address=172.16.52.0/24 dst-port=4500 src-address=172.16.51.0/24 src-port=4500 tunnel=yes


interfaces
/interface pptp-client
add connect-to="" disabled=no keepalive-timeout=20 name=pptp-outbound-tunnel1 user=parkland

PPP setup

/ppp profile
set *0 address-list="" bridge=local !bridge-horizon bridge-path-cost=10 !bridge-port-priority change-tcp-mss=no \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=192.168.168.51 name=\
    default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
    remote-address=192.168.168.52 !session-timeout use-compression=default use-encryption=required use-mpls=default \
    use-upnp=default !wins-server
set *FFFFFFFE address-list="" bridge=local !bridge-horizon !bridge-path-cost !bridge-port-priority change-tcp-mss=no \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=192.168.168.51 name=\
    default-encryption on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
    remote-address=192.168.168.52 !session-timeout use-compression=default use-encryption=yes use-mpls=default \
    use-upnp=default !wins-server
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.168.51 name=brookriver profile=\
    default remote-address=192.168.168.52 routes="" service=pptp
 
Sob
Forum Guru
Posts: 5031
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site Tunnels

Sat Jan 25, 2020 1:21 am

I don't really understand what you're doing. Your original request to connect two networks with EoIP is simple. Let's say you have the current LAN as bridge "bridge1-lan" with some ethernet ports, wifi or whatever. Add the tunnel with IPSec:
/interface eoip
add allow-fast-path=no ipsec-secret=<secret> local-address=<local WAN address> name=eoip-tunnel1 remote-address=<remote WAN address> tunnel-id=0
Add it as bridge port to LAN:
/interface bridge port
add bridge=bridge1-lan interface=eoip-tunnel1
Add address if it's not there already:
/ip address
add address=192.168.168.X/24 interface=bridge1-lan
And if you don't accept them already, you need to allow these packets (you can limit all to src-address=<remote WAN address> if you want):
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input ipsec-policy=in,ipsec protocol=gre
And that's it. Same on both routers, only swap tunnel's local-address and remote-address.
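As an added example (not from the thread and not MikroTik's own tooling), a small Python lint that parses a RouterOS export like the ones posted above and checks the EoIP-over-IPsec checklist in this reply: the tunnel has an ipsec-secret, the EoIP interface is a bridge port, the input chain accepts ESP, UDP 500/4500 and GRE, and no PPTP is left in place (an earlier reply notes PPTP is not secure). The sample export below is constructed from the recipe with the bridge-port step deliberately left out; the secret, addresses and interface names are placeholders.

```python
import re, shlex

def parse_export(text):
    """Parse RouterOS export text into (section, verb, {key: value}) tuples."""
    items, section = [], None
    for line in text.replace("\\\n", " ").splitlines():   # exports wrap commands with '\'
        line = re.sub(r"\[.*?\]", "", line).strip()        # drop '[ find default=yes ]'
        if line.startswith("/"):                           # '/ip firewall filter' opens a section
            section = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)                     # keeps "Mode List" as one value
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            items.append((section, tokens[0], props))
    return items

def lint_eoip_bridge(text):
    """Findings for one router's export; an empty list means the checklist is met."""
    items = parse_export(text)
    rows = lambda sec: [p for s, v, p in items if s == sec and v == "add"]
    ports = {p.get("interface") for p in rows("/interface bridge port")}
    accepts = [p for p in rows("/ip firewall filter")
               if p.get("chain") == "input" and p.get("action") == "accept"]
    def accepted(proto, need=()):                          # input rule for proto (and ports)
        return any(r.get("protocol") == proto and
                   set(need) <= set(r.get("dst-port", "").split(",")) for r in accepts)
    findings = ["no EoIP interface defined"] if not rows("/interface eoip") else []
    for e in rows("/interface eoip"):
        name = e.get("name", "?")
        if not e.get("ipsec-secret"):
            findings.append(f"{name}: no ipsec-secret, tunnel payload crosses the WAN in clear")
        if name not in ports:
            findings.append(f"{name}: not a bridge port, LAN frames never enter the tunnel")
    if not accepted("ipsec-esp"):
        findings.append("input chain does not accept ipsec-esp")
    if not accepted("udp", ("500", "4500")):
        findings.append("input chain does not accept udp/500,4500 (IKE and NAT-T)")
    if not accepted("gre"):
        findings.append("input chain does not accept gre (the EoIP carrier)")
    if rows("/interface pptp-client") or any(p.get("service") == "pptp" for p in rows("/ppp secret")):
        findings.append("PPTP in use; its encryption is weak, prefer the IPsec-secured EoIP")
    return findings

# Constructed sample: the recipe above with the bridge-port step left out, plus a PPTP secret.
SAMPLE = """/interface eoip
add allow-fast-path=no ipsec-secret=SecretPlaceholder local-address=1.1.1.1 name=eoip-tunnel1 \\
    remote-address=2.2.2.2 tunnel-id=0
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,4500 protocol=udp
/ppp secret
add local-address=192.168.168.51 name=brookriver remote-address=192.168.168.52 service=pptp
"""
```

Run `lint_eoip_bridge` over `/export` output from each router; on the sample it reports the missing bridge port, the missing GRE accept rule and the PPTP secret.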