allyadmin
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2023 2:23 pm

Internet Access via Site-to-Site IPSec VPN

Fri Jan 13, 2023 4:44 pm

Hello Experts,

I have configured a site-to-site IPSec VPN Tunnel between Fortigate and Mikrotik. It works and I can connect to devices on either side of the tunnel.
Site A = Fortigate (WAN IP = 197.154.204.14 : LAN = 172.16.231.0/24 : GW = 172.16.231.1)
Site B = Mikrotik (WAN IP = 64.57.122.212 : LAN = 192.168.204.0/22 : GW = 192.168.204.1)

I am rather new to Mikrotik so I need help.
How do I configure the Mikrotik so that the computers/devices on the Site B LAN get internet services from the ISP on Site A?
i.e. the devices on Site B traverse the tunnel for all internet browsing, etc.

Thanks
 
allyadmin
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2023 2:23 pm

Re: Internet Access via Site-to-Site IPSec VPN

Tue Jan 17, 2023 12:35 pm

Anyone with some suggestions please help
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Internet Access via Site-to-Site IPSec VPN

Tue Jan 17, 2023 2:23 pm

/routing table add fib name=useIPSEC
/ip route
add dst-address=0.0.0.0/0 gwy=ISPEC gateway table=useIPSEC
/routing rule add src-address=192.168.204.0/22 action=lookup table=useIPSEC

note1: if you never want MT users to reach the internet locally (in case the ipsec connection is not working, for example),
then change the action to action=lookup-only-in-table

note2: if you have other subnets on MT that the local subnet needs to reach then you will need additional routing rules before the one indicated.
 
allyadmin
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2023 2:23 pm

Re: Internet Access via Site-to-Site IPSec VPN

Tue Jan 17, 2023 5:55 pm

Thanks for the input.
It does not work. I get an error on the second command.
/ip route
add dst-address=0.0.0.0/0 gwy=ISPEC gateway table=useIPSEC
expected end of command (line 1 column 27)
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Internet Access via Site-to-Site IPSec VPN

Tue Jan 17, 2023 8:11 pm

Without your config, all you have is your opinion of what the issue is....
/export file=anynameyouwish ( minus router Serial # and any public WANIP information )

I probably don't understand ipsec policy and routing properly to advise. :-( Seems more complicated than WG, which makes me wonder why ipsec LOL......
 
allyadmin
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2023 2:23 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Jan 18, 2023 12:11 am

Thanks,

I have added my config file. Maybe someone on the forum has done this before and can guide.
I have hidden my public-ip's and other stuff in the config file.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Jan 18, 2023 12:43 am

That is not going to work. A Site-to-Site IPsec VPN is what it says it is: a tunnel between two sites, in this case networks 192.168.204.0/24 and 172.16.232.0/22.
You cannot route arbitrary traffic over that.
One solution would be to use a proxy server located at the remote site, with an IP inside the remote subnet, that forwards your requests to internet.
Or else, you need to establish a transparent tunnel, e.g. GRE/IPsec, which allows you to route any traffic. That is easy to do on MikroTik but I often hear it is difficult or impossible on other routers, which have moved to using VTI. MikroTik does not support that (yet).
 
RiFF
newbie
Posts: 35
Joined: Sun Apr 29, 2018 9:35 pm

Re: Internet Access via Site-to-Site IPSec VPN  [SOLVED]

Wed Jan 18, 2023 1:24 am

I don't have access to a Fortigate right now, but if you want to push all traffic from SiteB (Mikrotik) to SiteA through an IPsec tunnel, you can do it e.g. with the following configuration (IPsec policy-based VPN solution). You don't need to add any additional entry in your route table. To make sure it works properly, you can additionally disable the default NAT rule.

/ip ipsec policy
add action=none comment="exclude local traffic from IPsec" dst-address=192.168.204.0/24 src-address=192.168.204.0/24
add dst-address=0.0.0.0/0 level=unique peer=peer-tunnel2-LEO-HQ proposal=proposal1 src-address=192.168.204.0/24 tunnel=yes
 
allyadmin
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2023 2:23 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Jan 18, 2023 8:57 am

Thanks RiFF,

I tried your suggestion and even disabled the default NAT rule.
Traffic dies at the Mikrotik. No internet access on Site B.
Added new config file as per your suggestion.
 
RiFF
newbie
Posts: 35
Joined: Sun Apr 29, 2018 9:35 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Jan 18, 2023 10:26 am

Ok, but we don't know how the situation looks on Site A.
1) Is the IPsec tunnel running at this moment (tab Active Peers in MT)? If yes, is Phase 2 established for 192.168.204.0/24?
2) Did you modify the local subnet in the IPsec policy on the Fortigate (you have to change it from 172.16.231.0/24 to 0.0.0.0/0)?
3) Did you add a rule in the Fortigate firewall policy to allow traffic to LAN/Internet from 192.168.204.0/24?
4) Did you add a NAT rule in the Fortigate allowing access to the Internet for 192.168.204.0/24 (if you have a NAT rule (PAT / masquerade) which allows any subnet, then this entry is not required)?
 
allyadmin
just joined
Topic Author
Posts: 7
Joined: Fri Jan 13, 2023 2:23 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Jan 18, 2023 12:52 pm

LOL, I was so focused on the Mikrotik I forgot about the Fortigate.
I modified the local subnet on the FGT to 0.0.0.0/0 and internet traffic is now flowing fine from Site B to Site A.
Not seeing any other problems but still monitoring.
 
MuchoSauce
just joined
Posts: 1
Joined: Tue Feb 28, 2023 11:46 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Mar 01, 2023 12:03 am

Hello, I'm experiencing the same issue. The local subnet to 0.0.0.0: what are you referring to, and for which rule: from Mikrotik to LAN FGT, or from LAN FGT to Mikrotik?

Many thanks !
 
RiFF
newbie
Posts: 35
Joined: Sun Apr 29, 2018 9:35 pm

Re: Internet Access via Site-to-Site IPSec VPN

Wed Mar 01, 2023 1:02 pm

Short guide - Mikrotik (Branch) <-> Fortigate (HQ)

All Branch-to-HQ traffic to reach the Internet via Fortigate

IPsec Policy on the MT side
local subnet(s) (e.g. 192.168.10.0/24) -> remote subnet (0.0.0.0/0)

IPsec Policy on the Fortigate side
local subnet (0.0.0.0/0) -> remote subnet(s) ( 192.168.10.0/24)

Don't forget to exclude local traffic from IPsec (on MT) and to build the required Firewall Policy / NAT on the Fortigate for the branch.
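The two mistakes this thread ran into (phase-2 selectors that are not mirror images on the two peers, and a local-LAN bypass policy that must sit above the 0.0.0.0/0 catch-all) can be checked offline against a RouterOS export. The script below is an added example, not code from the thread or from MikroTik; the policy lines and the Fortigate selector pairs are constructed samples that mirror the thread's setup.

```python
import ipaddress
import shlex

# Constructed sample mirroring the thread: MikroTik branch policies in export
# order, and the Fortigate HQ phase-2 (local, remote) selectors before and
# after the fix (local subnet changed from 172.16.231.0/24 to 0.0.0.0/0).
MT_POLICIES = """\
/ip ipsec policy
add action=none comment="exclude local traffic from IPsec" dst-address=192.168.204.0/24 src-address=192.168.204.0/24
add dst-address=0.0.0.0/0 level=unique peer=peer-tunnel2-LEO-HQ proposal=proposal1 src-address=192.168.204.0/24 tunnel=yes
"""
FGT_BROKEN = [("172.16.231.0/24", "192.168.204.0/24")]
FGT_FIXED = [("0.0.0.0/0", "192.168.204.0/24")]

def parse_mt_policies(text):
    """Turn 'add k=v ...' export lines into dicts; other lines are ignored."""
    out = []
    for line in text.splitlines():
        if line.startswith("add "):
            out.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return out

def net(s):
    return ipaddress.ip_network(s, strict=False)

def check_policies(mt_text, fgt_selectors):
    """Return findings as strings; an empty list means the selectors line up."""
    findings = []
    pols = parse_mt_policies(mt_text)
    for i, p in enumerate(pols):
        src, dst = net(p["src-address"]), net(p["dst-address"])
        if p.get("action") == "none":
            # RouterOS matches policies top-down: the bypass does nothing if an
            # earlier encrypt policy already covers the same src/dst pair.
            for q in pols[:i]:
                if (q.get("action", "encrypt") == "encrypt"
                        and src.subnet_of(net(q["src-address"]))
                        and dst.subnet_of(net(q["dst-address"]))):
                    findings.append(f"bypass for {src}->{dst} is shadowed by policy {pols.index(q)}")
            continue
        # Phase 2 only comes up if the peer holds the mirror image of this selector.
        mirror = (str(dst), str(src))
        if mirror not in [(str(net(l)), str(net(r))) for l, r in fgt_selectors]:
            findings.append(f"no Fortigate phase-2 with local={dst} remote={src}")
    return findings

if __name__ == "__main__":
    print(check_policies(MT_POLICIES, FGT_BROKEN))  # flags the mismatch
    print(check_policies(MT_POLICIES, FGT_FIXED))   # []
```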
