I'm setting up an IPSec VPN between a Mikrotik Router on my side and a Fortigate FG30 Firewall on the other organization's side. Essentially my company is opening a store inside their organization, and we are trying to route all of the store's traffic through the IPSec VPN to my network, so that all services including internet access pass through the VPN.
We have the IPSec VPN working LAN to LAN, where all devices on each side of the LANs can communicate across the tunnel. My LAN IP range is 10.0.0.0/12. The store's LAN IP range is 10.90.0.0/24.
What doesn't work and what we desire to work is to pass all Internet traffic from the store over the tunnel and then out my public IP. The other organization doesn't want any of the Store's traffic to pass through its local network. Here is my IPSec configuration:
/ip ipsec peer profile
add dh-group=modp2048,modp1536 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=RRC nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des name=RRC pfs-group=modp2048
/ip ipsec peer
add address=StorePublicIP comment="Store" local-address=MyPublicIP profile=RRC secret=****
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.90.0.0/24 level=unique proposal=RRC sa-dst-address=StorePublicIP sa-src-address=MyPublicIP src-address=0.0.0.0/0 tunnel=yes
My NAT configuration is as follows:
add action=accept chain=srcnat comment="Store NAT Rule" dst-address=10.90.0.0/24 src-address=10.0.0.0/12
add action=masquerade chain=srcnat comment="Masquerade for Store" src-address=10.90.0.0/24
add action=masquerade chain=srcnat comment="Masquerade to public IP" log-prefix="NAT: " out-interface="Public Internet Bridge"
What do I need to do to accept Internet bound traffic from the IPSec tunnel and route it out my Public internet interface?
Thank you.
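As an added check of the hub-side rules quoted in the post (an illustration written for this thread, not the poster's or MikroTik's code), the model below walks a new connection through the srcnat chain and then the IPsec policy selector, in the order RouterOS applies them, to show which rule handles LAN-to-store traffic, store-to-Internet traffic and its replies. The store side's own selectors and default route are not shown in the post, so they are outside what it can check. It assumes a constructed placeholder for MyPublicIP and models only the first packet of a connection, since replies are un-NATed by connection tracking.

```python
"""Model of the hub-side srcnat chain and IPsec policy quoted in the post.

Added illustration, not the poster's configuration or RouterOS itself.
Assumes, as RouterOS does, that srcnat runs before the IPsec policy
lookup, and models only the first packet of a new connection (replies
are un-NATed by connection tracking; see policy_selects for those).
"""
from ipaddress import ip_address, ip_network

MY_PUBLIC_IP = "198.51.100.10"        # constructed placeholder for MyPublicIP
PUBLIC_IF = "Public Internet Bridge"  # out-interface named in the post

# srcnat rules in the order given in the post; first match wins
SRCNAT = [
    {"action": "accept", "src": "10.0.0.0/12", "dst": "10.90.0.0/24"},
    {"action": "masquerade", "src": "10.90.0.0/24"},
    {"action": "masquerade", "out_if": PUBLIC_IF},
]

# the only enabled IPsec policy: any source to the store LAN
IPSEC_POLICY = {"src": "0.0.0.0/0", "dst": "10.90.0.0/24"}

def _matches(rule, src, dst, out_if=None):
    """True if every selector present in the rule matches the packet."""
    if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(dst) not in ip_network(rule["dst"]):
        return False
    if "out_if" in rule and rule["out_if"] != out_if:
        return False
    return True

def apply_srcnat(src, dst, out_if):
    """Source address after the srcnat chain for a new connection."""
    for rule in SRCNAT:
        if _matches(rule, src, dst, out_if):
            return MY_PUBLIC_IP if rule["action"] == "masquerade" else src
    return src

def policy_selects(src, dst):
    """Whether the IPsec policy sends this (post-NAT) packet into the tunnel."""
    return _matches(IPSEC_POLICY, src, dst)

def egress(src, dst, out_if):
    """Classify a new flow leaving the hub: ('ipsec' | 'clear', NATed source)."""
    nat_src = apply_srcnat(src, dst, out_if)
    return ("ipsec" if policy_selects(nat_src, dst) else "clear", nat_src)
```

Running it shows LAN-to-store traffic kept un-NATed and tunnelled, store-to-Internet traffic masqueraded out the public interface in the clear, and Internet replies to the store matched back into the tunnel by the 0.0.0.0/0 selector.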