I have 2 locations, "Home" and "Parents", both using a MikroTik RB4011iGS+.
On both sides I have configured an IPsec tunnel. After experimenting with several options, an IPsec tunnel gave me the most stable and fastest results.
I can ping from one side to the other gateway and I can reach all devices connected to the other side's router.
I have created an address list for a few devices on the Home location which I would like to fully route through the Parents location's internet connection, so that those devices connect to the internet using the "Parents" WAN IP address.
I have been looking on this forum and in the MikroTik documentation. I understand I have to do policy-based routing, since the IPsec tunnel does not have an interface, but so far, after trying for 2 days, I have been unsuccessful in getting this working.
I would rather NOT change to GRE or L2TP, since this works great.
Home:
WAN IP: 213.71.XXX.YYY
local subnet 192.168.207.0/24
Gateway: 192.168.207.1
Relevant configuration:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=IPSEC-S2S
/ip ipsec peer
add address=86.93.XXX.YYY/32 name=IPSEC-S2S profile=IPSEC-S2S
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc name=l2tp-proposal pfs-group=ecp256
add enc-algorithms=aes-128-cbc name=IPSEC-S2S pfs-group=none
/ip address
add address=192.168.207.1/24 comment="to switch" interface=ether2 network=192.168.207.0
/ip firewall address-list
add address=192.168.207.13 comment="TEST 1" list=via_ipsec
add address=192.168.207.10 comment="TEST 2" list=via_ipsec
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec-out connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec-in connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-nat dst-address=192.168.207.0/24 src-address=192.168.207.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="force dns via mikrotik" dst-port=53 protocol=tcp to-addresses=192.168.207.1 to-ports=53
add action=dst-nat chain=dstnat comment="force dns via mikrotik" dst-port=53 protocol=udp to-addresses=192.168.207.1 to-ports=53
/ip ipsec identity
add comment="IPSEC-S2S tunnel" peer=IPSEC-S2S secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=IPSEC-S2S proposal=IPSEC-S2S sa-dst-address=86.93.XXX.YYY sa-src-address=212.71.XXX.YYY src-address=192.168.207.0/24 tunnel=yes
Parents:
WAN IP: 86.93.XXX.YYY
local subnet 192.168.1.0/24
Gateway: 192.168.1.1
Configuration:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=IPSEC-S2S
/ip ipsec peer
add address=212.71.XXX.YYY/32 name=IPSEC-S2S profile=IPSEC-S2S send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc name=l2tp-proposal pfs-group=none
add enc-algorithms=aes-128-cbc name=IPSEC-S2S pfs-group=none
/ip address
add address=192.168.1.1/24 comment="to switch" interface=ether2 network=192.168.1.0
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-NAT dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Force specified DNS server" dst-port=53 protocol=tcp to-addresses=192.168.1.1 to-ports=53
add action=dst-nat chain=dstnat comment="Force specified DNS server" dst-port=53 protocol=udp to-addresses=192.168.1.1 to-ports=53
/ip ipsec identity
add comment="IPSEC-S2S tunnel" peer=IPSEC-S2S secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip ipsec policy
add dst-address=192.168.207.0/24 peer=IPSEC-S2S sa-dst-address=212.71.XXX.YYY sa-src-address=86.93.XXX.YYY src-address=192.168.1.0/24 tunnel=yes
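The post says policy-based routing is needed because the IPsec tunnel has no interface. With policy-based (non-interface) IPsec on RouterOS the usual way to send selected hosts' Internet traffic through the tunnel is not a routing-table change but additional IPsec policies: a per-host policy with destination 0.0.0.0/0 on the Home side, its mirror image on the Parents side, and source NAT on Parents for the decrypted traffic leaving the WAN. The following is an added example, not the poster's configuration. It assumes the two hosts from the via_ipsec list, the placeholder WAN addresses exactly as they appear in the post (212.71.XXX.YYY and 86.93.XXX.YYY), that the Parents firewall forward chain allows 192.168.207.0/24 towards the WAN (no filter rules are shown in the post), and that IPsec policies accept only plain prefixes, so each host gets its own /32 policy instead of referencing the address list.

```routeros
# --- Home router (192.168.207.1) ---
# One catch-all policy per host from the via_ipsec list. Selectors are kept
# host-specific (/32) so only the intended devices can reach any destination
# through the tunnel. Comments are constructed for this example.
/ip ipsec policy
add comment="TEST 1: all traffic via Parents" src-address=192.168.207.13/32 dst-address=0.0.0.0/0 \
    peer=IPSEC-S2S proposal=IPSEC-S2S tunnel=yes \
    sa-src-address=212.71.XXX.YYY sa-dst-address=86.93.XXX.YYY
add comment="TEST 2: all traffic via Parents" src-address=192.168.207.10/32 dst-address=0.0.0.0/0 \
    peer=IPSEC-S2S proposal=IPSEC-S2S tunnel=yes \
    sa-src-address=212.71.XXX.YYY sa-dst-address=86.93.XXX.YYY
# Policies are evaluated top to bottom: keep the existing LAN-to-LAN policy
# (192.168.207.0/24 -> 192.168.1.0/24) above these catch-all entries.
# The existing srcnat rule with ipsec-policy=out,none already leaves this
# traffic un-NATed, and the existing mangle rules keep it out of fasttrack.

# --- Parents router (192.168.1.1) ---
# Mirror-image selectors; without them the Parents side drops the
# encapsulated packets as not matching any policy.
/ip ipsec policy
add comment="TEST 1 from Home" src-address=0.0.0.0/0 dst-address=192.168.207.13/32 \
    peer=IPSEC-S2S tunnel=yes \
    sa-src-address=86.93.XXX.YYY sa-dst-address=212.71.XXX.YYY
add comment="TEST 2 from Home" src-address=0.0.0.0/0 dst-address=192.168.207.10/32 \
    peer=IPSEC-S2S tunnel=yes \
    sa-src-address=86.93.XXX.YYY sa-dst-address=212.71.XXX.YYY
# Decrypted packets from Home leave the Parents WAN with no outgoing IPsec
# policy, so the existing "masquerade" rule (ipsec-policy=out,none
# out-interface-list=WAN) already translates them to the Parents WAN IP.
# An explicit rule placed above it makes the intent visible and gives a
# separate counter to watch while testing.
/ip firewall nat
add chain=srcnat action=masquerade comment="NAT Home hosts arriving over IPsec" \
    src-address=192.168.207.0/24 out-interface-list=WAN place-before=0

# --- Checks (run on either router) ---
# Each policy should show the A (active) flag once the peer negotiates it.
/ip ipsec policy print
# One installed SA pair per negotiated policy.
/ip ipsec installed-sa print
/ip ipsec active-peers print
```

After applying this, a TEST host browsing to any "what is my IP" page should report the Parents WAN address while the other Home devices keep using the Home WAN. If the new policies never become active, compare the two sides' selectors first: the src/dst prefixes must be exact mirrors, otherwise phase 2 fails silently and the traffic falls back to the normal default route.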