damianG
IPsec tunnels

Thu Jul 15, 2021 4:17 pm

Hello guys,
I'm connecting the locations below with IPsec:
CHR - public IP, 172.10.10.1
RB - Dynamic IP, 172.10.11.0/24 (connected now one device, 172.10.11.10)
RoadWarriors - Dynamic IP, 172.10.20.0/24
I have established VPN connections from CHR to RB and from CHR to RW.
From CHR I can ping everything: RW, RB and the device connected to RB.
RW, RB and the device behind RB can ping only CHR (they cannot reach each other).

Screenshot 1 - active peers at CHR
Screenshot 2 - ping from CHR
Screenshot 3 - ping from RW
Screenshot 4 - ping from the RB device
Screenshot 5 - ping from RB

What's missing in the configuration?
Later I'd also like to forward ports from the WAN to the device behind RB.
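####CHR CONFIG####
# NOTE(review): 172.10.0.0/16 is public address space, not RFC 1918 (private
# space is 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16). The 172.10.10/11/20
# prefixes used on both routers shadow somebody else's public addresses;
# consider renumbering before adding more sites or port forwards.

/interface bridge
add arp=proxy-arp mtu=1500 name=Loopback
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
# NOTE(review): split-dns expects DNS domain names, not a prefix; the
# 172.10.11.0/24 value here looks like it was meant as a second
# split-include entry (compare cfg1 further down) -- confirm.
add address=172.10.11.1 name=cfg2 split-dns=172.10.11.0/24 split-include=\
    172.10.10.0/24 system-dns=no
/ip ipsec policy group
add name=ipsec
/ip ipsec profile
# modp1024 (1024-bit DH) is below current minimums for IKE key exchange;
# changed to modp2048 here and in the RB profile -- both ends must agree.
# hash-algorithm is not set, so the RouterOS default applies (sha1); set
# hash-algorithm=sha256 on both ends at the same time when convenient.
# NOTE(review): nat-traversal=no on both ends while RB and the road warriors
# have dynamic addresses. If either one sits behind a NAT, ESP needs UDP
# encapsulation (nat-traversal=yes on both profiles); the tunnels are
# reported as established, so revisit only if ESP traffic is dropped.
add dh-group=modp2048 enc-algorithm=aes-256 name=phase_1 nat-traversal=no
/ip ipsec peer
add name=DynamicIP passive=yes profile=phase_1 send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=phase_2
/ip pool
add name=VPN ranges=172.10.20.10-172.10.20.50
/ip ipsec mode-config
add address-pool=VPN name=cfg1 split-include=172.10.10.0/24,172.10.11.0/24 \
    system-dns=no
/interface l2tp-server server
set authentication=mschap2 use-ipsec=yes
/ip address
add address=172.10.10.1 interface=Loopback network=172.10.10.1
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
# Only accept rules exist: nothing is dropped in input or forward, so every
# service on ether1 is reachable from any source (see /ip service below).
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
# The accept rules keep tunnel traffic away from the masquerade rule at the
# end of the chain. log=yes on the first two logs every new flow between
# the RW and site prefixes; drop it once the setup is debugged.
add action=accept chain=srcnat dst-address=172.10.10.0/24 log=yes \
    src-address=172.10.20.0/24
add action=accept chain=srcnat dst-address=172.10.11.0/24 log=yes \
    out-interface=Loopback src-address=172.10.20.0/24
add action=accept chain=srcnat dst-address=172.10.20.0/24 src-address=\
    172.10.10.0/24
add action=accept chain=srcnat dst-address=172.10.11.0/24 src-address=\
    172.10.10.0/24
add action=accept chain=srcnat dst-address=172.10.10.0/24 src-address=\
    172.10.11.0/24
add action=accept chain=srcnat dst-address=172.10.20.0/24 src-address=\
    172.10.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
# NOTE(review): notrack removes the RB<->RW flows from connection tracking,
# so they skip the NAT table above and any stateful filtering you add
# later. Keep this in mind when adding input/forward drop rules.
add action=notrack chain=prerouting dst-address=172.10.20.0/24 src-address=\
    172.10.11.0/24
add action=notrack chain=prerouting dst-address=172.10.11.0/24 src-address=\
    172.10.20.0/24
/ip ipsec identity
# Neither identity sets policy-template-group, so the templates placed in
# group "ipsec" below are presumably never consulted and the generated
# policies come from the default template via port-strict -- verify with
# `/ip ipsec policy print` while RB and a road warrior are both connected
# that 172.10.11.0/24<->172.10.20.0/24 policies exist in both directions;
# a missing one there is the first thing to rule out for RB<->RW.
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    cfg2 peer=DynamicIP username=arek
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    cfg1 peer=DynamicIP username=damian
/ip ipsec policy
set 0 proposal=phase_2
add dst-address=172.10.10.0/24 group=ipsec proposal=phase_2 src-address=\
    172.10.20.0/24 template=yes
add dst-address=172.10.11.0/24 group=ipsec proposal=phase_2 src-address=\
    172.10.20.0/24 template=yes
/ip route
# Routes point the remote prefixes at the Loopback bridge so locally
# originated traffic is sourced from 172.10.10.1 and matches the policies.
add distance=1 dst-address=172.10.11.0/24 gateway=Loopback pref-src=\
    172.10.10.1
add distance=1 dst-address=172.10.20.0/24 gateway=Loopback pref-src=\
    172.10.10.1
/ip service
# NOTE(review): winbox is not in this list and stays enabled, and there is
# no input-chain drop rule, so winbox (8291) and IKE (udp/500) answer to
# any source on the public ether1. At minimum restrict winbox with
# address=<your management source>, or add input rules (accept
# established/related, accept udp 500/4500 and ipsec-esp, accept from the
# tunnel prefixes, drop the rest on in-interface=ether1). Add them from a
# session that survives the change so you do not lock yourself out.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system package update
# NOTE(review): development-channel packages on an Internet-facing router;
# prefer long-term or stable unless a development feature is required.
set channel=development

###RB CONFIG###

/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    mikrotik supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n default-authentication=no \
    disabled=no security-profile=mikrotik ssid=microtic
/ip ipsec profile
# Must match the CHR profile: DH group raised from modp1024 to modp2048.
add dh-group=modp2048 enc-algorithm=aes-256 name=phase_1 nat-traversal=no
/ip ipsec peer
add address=IP_ADDRESS/32 name=DynamicIP profile=phase_1 \
    send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=phase_2
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add list=LAN
/interface wireless connect-list
add interface=wlan1 security-profile=mikrotik ssid=microtic
/ip address
add address=172.10.11.1/24 interface=ether1 network=172.10.11.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=wlan1
/ip firewall filter
# As on the CHR: accept-only, no drop rules, so the WAN side (wlan1) has
# no input filtering at all.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=accept chain=srcnat dst-address=172.10.10.0/24 src-address=\
    172.10.11.0/24
add action=accept chain=srcnat dst-address=172.10.20.0/24 src-address=\
    172.10.11.0/24
add action=accept chain=srcnat dst-address=172.10.11.0/24 src-address=\
    172.10.10.0/24
add action=accept chain=srcnat dst-address=172.10.11.0/24 src-address=\
    172.10.20.0/24
add action=masquerade chain=srcnat out-interface=wlan1
/ip firewall raw
# All six notrack rules are disabled; they have no effect as exported.
add action=notrack chain=prerouting disabled=yes dst-address=172.10.10.0/24 \
    src-address=172.10.11.0/24
add action=notrack chain=prerouting disabled=yes dst-address=172.10.20.0/24 \
    src-address=172.10.11.0/24
add action=notrack chain=prerouting disabled=yes dst-address=172.10.11.0/24 \
    src-address=172.10.10.0/24
add action=notrack chain=prerouting disabled=yes dst-address=172.10.20.0/24 \
    src-address=172.10.10.0/24
add action=notrack chain=prerouting disabled=yes dst-address=172.10.11.0/24 \
    src-address=172.10.20.0/24
add action=notrack chain=prerouting disabled=yes dst-address=172.10.10.0/24 \
    src-address=172.10.20.0/24
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-override \
    mode-config=request-only peer=DynamicIP username=arek
/ip ipsec policy
set 0 proposal=phase_2
add dst-address=172.10.10.0/24 peer=DynamicIP proposal=phase_2 src-address=\
    172.10.11.0/24 tunnel=yes
add dst-address=172.10.20.0/24 peer=DynamicIP proposal=phase_2 src-address=\
    172.10.11.0/24 tunnel=yes
/ip route
# pref-src was 172.10.10.1, which is the CHR's Loopback address and not an
# address this router owns. Traffic originated on RB has to be sourced from
# 172.10.11.1 (its only local address) to match the src-address
# 172.10.11.0/24 of the policies above; a non-local pref-src may also
# leave the route inactive on RouterOS v6, so it is set to RB's own address.
add distance=1 dst-address=172.10.10.0/24 gateway=wlan1 pref-src=172.10.11.1
add distance=1 dst-address=172.10.20.0/24 gateway=wlan1 pref-src=172.10.11.1
/ip service
# Same caveat as on the CHR: winbox stays enabled and unfiltered on wlan1.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add prefix=ipsec topics=ipsec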
