sparky
just joined
Topic Author
Posts: 14
Joined: Thu Jan 22, 2015 12:49 am

Struggling with a site-to-site VPN setup

Mon Apr 26, 2021 12:24 pm

Hi everyone-

I have a main office with a public /24 and a branch office behind a cable modem/router with NAT and a public IP. I'm trying to do a site-to-site VPN so that I can use a public IP from the /24 at the branch office and tunnel *all* traffic behind a RB4011 at the branch to/via the main office. Here's my setup, hopefully a little more clearly:

Main office:
CCR1016 with a public/static WAN IP
A public /24 block statically routed to the WAN IP

Branch location:
A cable modem/router combo with NAT and a dynamic WAN IP that I don't have control over.
My RB4011 with a private WAN IP (192.168.x.x) from the cable modem/router.

I followed https://mum.mikrotik.com/presentations/ ... 420263.pdf and got the IPSec/IKE2 site-to-site VPN up and running, but the configuration (IPSec/IKEv2 + IPIP) seems overly complicated and I have been unsuccessful in adapting the config to tunnel all traffic from my branch connection through the main office (currently only traffic destined for the main office subnet goes over the VPN).

Should I abandon IPSec/IKE2 and try a less complicated method? Is there a straightforward guide for what I'm trying to do that someone could point me to or even just better search keywords that anyone can suggest?
 
sparky
just joined
Topic Author
Posts: 14
Joined: Thu Jan 22, 2015 12:49 am

Re: Struggling with a site-to-site VPN setup

Tue Apr 27, 2021 2:21 pm

I made quite a bit of progress on this. IPSec from the branch to the main office is working well, but coming back the other way it gets stuck on the cable modem. Specifically, on the main office RB4011, the IPSec > Installed SAs tab in winbox shows the cable ISP WAN IP at the branch office as "Dst. Address" for the entries going that direction. That is one hop short of where I need to be (past the NAT of the combo cable modem/router that I can't alter).

The IKEv2/IPSec tunnel itself obviously makes it through the cable modem/router NAT to be established in the first place, so why is it dumping my traffic one hop short? The Installed SA Dst. Addresses are dynamically created and I can't figure out how to change them. Any thoughts?
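For reference, here is a route-based layout for the "tunnel everything" part of the first post, written as an added example rather than anything from the thread, the MUM slides or MikroTik's own documentation; it assumes the IPsec/IKEv2 protection of the IPIP tunnel is already in place as in the guide, and that the IPIP endpoints, MAIN_PUBLIC, CABLE_GW and the BRANCH_PUBLIC/28 block are placeholders for your own values. With NAT traversal the installed SAs are always keyed on the IKE peers' outer addresses (the cable modem's public IP on the main-office side), so the choice of which inner traffic enters the tunnel is made by the routes and policies, not by the SA addresses.

```routeros
# Added example (not from the thread or the MUM guide). Placeholders:
#   MAIN_PUBLIC      static WAN IP of the main-office CCR1016
#   CABLE_GW         LAN gateway of the cable modem/router at the branch
#   BRANCH_PUBLIC/28 part of the main-office /24 delegated to the branch LAN
#   192.168.0.2      private WAN address the RB4011 got from the cable modem
# Tunnel addresses 10.255.255.0/30 are made-up values for this example.

### Branch RB4011 ###
# 1) IPIP tunnel to the main office (secured by the IKEv2/IPsec setup from the
#    guide). keepalive makes the interface go down when the tunnel dies, which
#    deactivates the default route below and falls back to the cable modem.
/interface ipip add name=ipip-main local-address=192.168.0.2 \
    remote-address=MAIN_PUBLIC keepalive=10s,10
/ip address add address=10.255.255.2/30 interface=ipip-main

# 2) Pin the tunnel endpoint itself to the cable modem, otherwise the default
#    route through the tunnel would try to carry the tunnel's own packets
#    (routing loop) and the VPN would collapse.
/ip route add dst-address=MAIN_PUBLIC/32 gateway=CABLE_GW distance=1

# 3) Everything else goes through the tunnel. The DHCP default route from the
#    cable modem is kept but demoted so it only wins when the tunnel is down.
/ip dhcp-client set [find interface=ether1] default-route-distance=10
/ip route add dst-address=0.0.0.0/0 gateway=10.255.255.1 distance=1

# 4) The branch LAN uses public addresses from the /24, so no NAT at the branch;
#    the main office must route that block back into the tunnel (step 5).
/ip address add address=BRANCH_PUBLIC/28 interface=bridge-lan

### Main office CCR1016 ###
# 5) Counterpart tunnel address and the return route for the branch block.
#    Without this route, return traffic for BRANCH_PUBLIC/28 is delivered
#    locally on the /24 instead of entering the tunnel.
/ip address add address=10.255.255.1/30 interface=ipip-branch
/ip route add dst-address=BRANCH_PUBLIC/28 gateway=ipip-branch
```

Check the result from the branch with `/ip route print` (the 0.0.0.0/0 entry via 10.255.255.1 should be active) and `/tool traceroute 8.8.8.8`, which should show the tunnel hop first rather than the cable modem.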
