msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed May 29, 2019 9:03 am

Dear Members

I have configured an IPsec VPN between my branch office and HQ and am able to reach the branch through the HQ LAN and vice versa. Now I have to transport internet from HQ for users at the branch office using this IPsec VPN tunnel, but I am not sure how to do this. Can anyone help me out with this?

Regards
Muhammad
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed May 29, 2019 9:47 am

The short answer is "in the branch office, change the IPsec policy's dst-address to 0.0.0.0/0 instead of the current one, but before you do that, place a policy action=none src-address=lan.sub.net.ip/mask dst-address=lan.sub.net.ip/mask above the one with action=encrypt".

If you actually don't use just the plain IPsec but you encrypt some other tunnel using IPsec, it is a matter of normal routing, just set the default route in the branch office to the IP address of the HQ's router, but before doing that, create an individual route to HQ's public address so that the IPsec transport packets could still get there once the default route gets redirected to the tunnel.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed May 29, 2019 10:00 am

Dear Group Member

Thanks for your quick response. Let me clarify the requirement a bit more. The branch network is 10.10.10.0/28; all the IPs in the branch will be used for data transfer over IPsec, and only one IP, 10.10.10.2, will have access to the internet. Internet access for IP 10.10.10.2 will be given from the HQ internet network. I am not getting how I will route internet access from the HQ internet backbone to the branch user. Can you help with this?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed May 29, 2019 10:04 am

Follow the hint in my automatic signature for both devices as I don't know your exact setup and the response depends on it.
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed May 29, 2019 10:36 am

Attached please find network diagram and config.
HQ Router Config.txt
Network Diagram.jpg
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed May 29, 2019 11:09 pm

You have posted the HQ configuration twice and the BO configuration not a single time, but that's not the most important point at the moment. The picture suggests that the IPsec tunnel only extends from the "HQ router" (which is under your administration) to the "service provider gateway VPN router". Is that true, and if so, is the latter one also under your administration?

The point is that if the actual IPsec peer of your HQ router was the router at Branch A, you could simply add one more policy before the existing one and its counterpart mirror policy at Branch A, so the result at HQ router would be

/ip ipsec policy
add dst-address=10.10.10.2/32 proposal=ISP sa-dst-address=2.2.2.2 sa-src-address=1.1.1.3 src-address=0.0.0.0/0 tunnel=yes
add dst-address=10.10.10.0/28 proposal=ISP sa-dst-address=2.2.2.2 sa-src-address=1.1.1.3 src-address=192.168.0.0/29 tunnel=yes


IPsec policies supersede the results of normal routing, so although the normal routing at Branch A machine would route packets sent by the 10.10.10.2 to any public IP out via the local WAN interface, the IPsec policy would intercept them and deliver them to the HQ via the tunnel instead, and the HQ router would do the src-nat before forwarding them to the destination via its WAN. So the responses would come to HQ's WAN IP, get "un-src-nated", be routed to whatever interface is a gateway to 10.10.10.2 in the HQ router's context, but the IPsec policy would intercept them and send them to the Branch A via the tunnel instead.

But if the actual remote end of the IPsec tunnel is not the Branch A machine itself but the "service provider gateway VPN router", this change has to be done there, not on the Branch A machine. That's why I ask who is the administrator of "service provider gateway VPN router". If you cannot affect the configuration there, but the Branch A machine is also a Mikrotik, you can set up an IPIP tunnel between Branch A machine and the HQ router and use normal routing and routing-mark at Branch A to route packets from 10.10.10.2 to 0.0.0.0/0 via the IPIP tunnel, and normal routing at the HQ router to route packets to 10.10.10.2 via the tunnel.

Last but most important, I can see no firewall rules at all in your HQ router export, and I can see that Winbox access is not restricted to any subnet list, which means the management interface of the machine is exposed to the world. That's not a good idea even though you run the latest RouterOS. So from a purely functional point of view, it is enough that you add chain=srcnat dst-address=10.10.10.0/28 action=accept and chain=srcnat action=src-nat to-addresses=1.1.1.3-1.1.1.4 out-interface=ether1 rules (in this exact order) to /ip firewall nat to allow devices in the local LAN subnets and in the Branch X LAN subnets to access the internet, but from the point of view of security, I'd strongly recommend that you also use the default set of /ip firewall filter rules, which you can find in the output of /system default-configuration print.
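As an added illustration (my own example, not code from this thread or from MikroTik), the following first-match evaluator replays the ordered IPsec policies from the first reply and from the post above, plus the two srcnat rules, on sample packets, to show why the order of the rules matters. It assumes 10.10.10.1 as the branch router's LAN address and 203.0.113.10 as a public server; the other addresses come from the thread.

```python
from ipaddress import ip_address, ip_network


def first_match(rules, src, dst):
    """RouterOS evaluates IPsec policies and /ip firewall nat top-down and
    takes the first rule whose src/dst prefixes contain the packet."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in ip_network(rule["src"]) and d in ip_network(rule["dst"]):
            return rule["action"]
    return "none"  # no match: plain routing, no NAT


# HQ-side policies from the post above: the /32 catch-all for 10.10.10.2
# sits above the existing LAN-to-LAN policy (sa-* and proposal omitted).
HQ_POLICIES = [
    {"src": "0.0.0.0/0", "dst": "10.10.10.2/32", "action": "encrypt"},
    {"src": "192.168.0.0/29", "dst": "10.10.10.0/28", "action": "encrypt"},
]

# Branch-side mirror, as in the first reply: an action=none policy for local
# LAN traffic must sit above the 0.0.0.0/0 encrypt policy; otherwise even the
# host's packets to its own router (10.10.10.1, assumed) get tunnelled.
BRANCH_POLICIES = [
    {"src": "10.10.10.0/28", "dst": "10.10.10.0/28", "action": "none"},
    {"src": "10.10.10.2/32", "dst": "0.0.0.0/0", "action": "encrypt"},
]
BRANCH_WRONG_ORDER = BRANCH_POLICIES[::-1]

# HQ srcnat rules from the post above, in the order given there
# (out-interface=ether1 and to-addresses are not modelled).
HQ_SRCNAT = [
    {"src": "0.0.0.0/0", "dst": "10.10.10.0/28", "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "src-nat"},
]


def hq_ipsec(src, dst):
    return first_match(HQ_POLICIES, src, dst)


def branch_ipsec(src, dst, correct_order=True):
    rules = BRANCH_POLICIES if correct_order else BRANCH_WRONG_ORDER
    return first_match(rules, src, dst)


def hq_nat(src, dst):
    return first_match(HQ_SRCNAT, src, dst)
```

With the two branch policies swapped, a packet from 10.10.10.2 to its own router matches the 0.0.0.0/0 policy and is pushed into the tunnel instead of being delivered locally.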
 
msusmani
newbie
Topic Author
Posts: 29
Joined: Thu Jun 29, 2017 10:45 am

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Thu May 30, 2019 8:52 am

I only have access to the HQ router; the VPN router at the gateway is not under my control. Also, there is no MikroTik device installed at Branch A or Branch B; instead these are satellite modems providing connectivity. Further, yes, firewall rules are still missing, but I will implement them.

Regards
Muhammad
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Thu May 30, 2019 9:01 am

If the branch office routers are also out of your control, the decision whether and how to route connections to public IPs from the branches is fully in the hands of the satellite service provider. So you would have to run some VPN client on the PC at 10.10.10.2 which would connect to a VPN server running on your HQ router, or insert something like an RB931 (tiny and cheap, and can be powered from the USB port of the PC if needed) between the PC and the branch office router.
 
ArnoldBrian
just joined
Posts: 1
Joined: Wed Apr 22, 2020 8:22 pm

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed Apr 22, 2020 8:31 pm

Hello sindy,

Kindly assist me: is there a way of doing a tunnel and using the public IP of a different site to access the internet from either of the 2 public IPs?

You can get me on

whatsapp +254725449980
gmail adebrayo26@gmail.com

Thanks
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Internet to Remote Network over Site to Site IPSEC VPN

Wed Apr 22, 2020 10:45 pm

is there a way of doing tunnel and use the public IP of a different site to access internet of either of the 2 public IPs
Not a big deal, but please create a new topic and edit your previous post with a link to it. I prefer that the forum topics are related to a single actual topic.
