# Hub-side road-warrior IPsec export (RouterOS). Sections are in export order:
# the /ip pool "vpn2" at the bottom is what the mode-config entries above reference.
/ip address
# Hub address on the LAN bridge; it is also the gateway (192.168.90.1) the clients route through.
add address=192.168.90.1/24 interface=bridge network=192.168.90.0
/ip ipsec mode-config
# RW-cfg: full tunnel - the client is told to send everything (0.0.0.0/0) through the tunnel.
add address-pool=vpn2 name=RW-cfg split-include=0.0.0.0/0
# RWsplit-cfg: split tunnel - only the three LANs go through the tunnel. The pool network
# itself (192.168.90.0/24) is included so a client can reach the hub address 192.168.90.1.
add address-pool=vpn2 name=RWsplit-cfg split-include=192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec policy group
# One policy-template group per tunnel type; each identity below selects one of them.
add name=RWsplit
add name=RWsecure
/ip ipsec profile
# NOTE(review): no hash-algorithm/enc-algorithm/dh-group are set, so this phase-1 profile
# runs with the defaults of the installed RouterOS version - confirm they meet your policy.
add name=rw
/ip ipsec peer
# passive=yes: the hub only answers IKE from clients, it never initiates towards them.
add name=RoadWarrior passive=yes profile=rw
/ip ipsec identity
# pre-shared-key-xauth (IKEv1): presumably one PSK shared by all road warriors plus a
# per-user XAuth login; the username is what tells usr/usr2/usr3 apart (secrets are not
# shown in this export). generate-policy=port-strict only instantiates policies that fit a
# template of the selected group: usr -> RWsecure (full tunnel), usr2/usr3 -> RWsplit.
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg peer=RoadWarrior policy-template-group=\
RWsecure username=usr
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RWsplit-cfg peer=RoadWarrior policy-template-group=\
RWsplit username=usr2
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RWsplit-cfg peer=RoadWarrior policy-template-group=\
RWsplit username=usr3
/ip ipsec policy
# Templates (template=yes) are the patterns a generated policy must fit: src-address is the
# hub side, dst-address is the client's address from pool vpn2.
# RWsplit: one template per LAN. The 192.168.90.0/24 -> 192.168.90.0/24 one also covers
# traffic between clients' pool addresses via the hub - NOTE(review): confirm client-to-client
# reachability is intended, otherwise restrict it to the hub address.
add dst-address=192.168.90.0/24 group=RWsplit src-address=192.168.88.0/24 template=yes
add dst-address=192.168.90.0/24 group=RWsplit src-address=192.168.89.0/24 template=yes
add dst-address=192.168.90.0/24 group=RWsplit src-address=192.168.90.0/24 template=yes
# RWsecure: any source may be tunnelled to the client, matching split-include=0.0.0.0/0 of RW-cfg.
add dst-address=192.168.90.0/24 group=RWsecure src-address=0.0.0.0/0 template=yes
/ip pool
# Client addresses handed out via mode-config; .1 is kept for the hub's own bridge address.
add name=vpn2 ranges=192.168.90.2-192.168.90.254
I'm planning to use this setup for teleworkers who have a small MikroTik router that is configured in advance. On those routers the configuration would be similar to:
> /ip ipsec export hide-sensitive
# Client-side (teleworker router) configuration. Secrets are hidden by "export hide-sensitive".
/ip ipsec peer
# The hub is the only peer, addressed by DNS name. send-initial-contact=no suppresses the IKE
# INITIAL-CONTACT notification - NOTE(review): presumably so a reconnecting client does not
# make the hub clear existing SAs; confirm this is the intent.
add address=my.server name=Home send-initial-contact=no
/ip ipsec identity
# Counterpart of the hub's "usr" identity (PSK + XAuth, full tunnel). mode-config=request-only
# takes the pool address and split-include from the hub. my-id/remote-id are fqdn strings and
# must match what the hub expects for this user.
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=request-only my-id=fqdn:usr.mine peer=Home \
remote-id=fqdn:my.server username=usr
/ip route
# No dst-address given -> default route (0.0.0.0/0) via the hub's bridge address inside the
# tunnel; check-gateway=ping deactivates it when 192.168.90.1 stops answering.
# NOTE(review): with policy-based IPsec there is no tunnel interface whose MTU can be lowered;
# the DF ping probes below pass at 1422 bytes and fail at 1423. TCP MSS clamping in
# /ip firewall mangle (action=change-mss) is the usual workaround - confirm for this RouterOS version.
add check-gateway=ping distance=1 gateway=192.168.90.1
# Host route to the hub's public address via the real WAN gateway, so the IKE/ESP packets
# themselves are not pulled into the default route above. <myip> and <wan-gateway> are placeholders.
add comment="to:my.server gateway" distance=1 dst-address=<myip>/32 gateway=<wan-gateway>
> :ping 1.1.1.1 size=1422 count=1 do-not-fragment
SEQ HOST SIZE TTL TIME STATUS
0 1.1.1.1 1422 57 32ms
sent=1 received=1 packet-loss=0% min-rtt=32ms avg-rtt=32ms max-rtt=32ms
> :ping 1.1.1.1 size=1423 count=1 do-not-fragment
SEQ HOST SIZE TTL TIME STATUS
0 packet too large and cannot be fragmented
sent=1 received=0 packet-loss=100%
- On the router there is no interface whose MTU I could lower
- The clients just connect to the router...