pashew
just joined
Topic Author
Posts: 6
Joined: Sat Jan 29, 2022 10:54 am

IPsec ping through Main Server

Sun Nov 20, 2022 10:57 am

Greetings,

I have three routers, A, B and C.
A=192.168.10.0/24
B=192.168.11.0/24
C=192.168.12.0/24
A is the Main Site that has IPsec with B and C. Everything is working fine and I can ping from A to B and from A to C.
But I cannot ping between B and C.
There is a way to ping between B and C by adding policies from both sides, but I want to ping between B and C through A.
There are many topics regarding this issue that use L2TP and OSPF.
Is there any way to accomplish it by IPsec itself without using L2TP, through a firewall or route?

Thanks in advance and have a nice day.

Router A
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=192.168.40.172/32 name=peer2 profile=profile1
add address=192.168.40.171/32 name=peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1
/ip ipsec identity
add peer=peer1
add peer=peer2
/ip ipsec policy
add dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.12.0/24 peer=peer2 proposal=proposal1 src-address=192.168.10.0/24 tunnel=yes

Router B
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=192.168.40.170/32 name=peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=peer1 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes

Router C
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=192.168.40.170/32 name=peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1
/port
set 0 name=serial0
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
 
pashew
just joined
Topic Author
Posts: 6
Joined: Sat Jan 29, 2022 10:54 am

Re: IPsec ping through Main Server

Wed Nov 23, 2022 8:58 am

Is there anyone who can help me?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec ping through Main Server

Wed Nov 23, 2022 10:26 am

> There is a way to ping between B and C by adding policies from both sides, but I want to ping between B and C through A.
> There are many topics regarding this issue that use L2TP and OSPF.

When you add B<->C policies to B, C, and A, the B<->C ping does go through A. So what is the actual concern?
 
pashew
just joined
Topic Author
Posts: 6
Joined: Sat Jan 29, 2022 10:54 am

Re: IPsec ping through Main Server

Wed Nov 23, 2022 11:28 am

> > There is a way to ping between B and C by adding policies from both sides, but I want to ping between B and C through A.
> > There are many topics regarding this issue that use L2TP and OSPF.
>
> When you add B<->C policies to B, C, and A, the B<->C ping does go through A. So what is the actual concern?

When I want to ping from B to C, I want it to go through A.
The IPsec connection must be between A and B and between A and C; there is no IPsec between B and C.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec ping through Main Server

Wed Nov 23, 2022 11:49 am

That's correct, there will be no direct Security Association ("tunnel") between B and C. The B<->C policy between A and B will deliver packets for C from B to A, and the B<->C policy between A and C will deliver them from A further to C.
 
pashew
just joined
Topic Author
Posts: 6
Joined: Sat Jan 29, 2022 10:54 am

Re: IPsec ping through Main Server

Wed Nov 23, 2022 12:13 pm

> That's correct, there will be no direct Security Association ("tunnel") between B and C. The B<->C policy between A and B will deliver packets for C from B to A, and the B<->C policy between A and C will deliver them from A further to C.

Thanks for your support. Could you give me more details, please?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec ping through Main Server  [SOLVED]

Wed Nov 23, 2022 2:38 pm

On A, add two policies:
/ip ipsec policy
add dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
add dst-address=192.168.12.0/24 peer=peer2 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes

On B, add one policy:
/ip ipsec policy
add dst-address=192.168.12.0/24 peer=peer1 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes

On C, add one policy:
/ip ipsec policy
add dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
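
The policy set from this answer can be checked with a small model, added here as an example that is not part of the original post or of RouterOS. It assumes a simplified view of policy matching: a router sends a packet into the tunnel of the first policy whose src/dst selectors cover it, and the far end must hold the mirrored policy for that SA to exist. The names `trace`, `BASE`, `EXTRA` and the host addresses are constructed; the subnets and policies are the thread's.

```python
from ipaddress import ip_address, ip_network

LAN = {"A": "192.168.10.0/24", "B": "192.168.11.0/24", "C": "192.168.12.0/24"}
# Policies as (src selector, dst selector, router behind the policy's peer).
# On A, peer1 is B and peer2 is C; on B and C, peer1 is A.
BASE = {  # policies from the original post's configs
    "A": [("192.168.10.0/24", "192.168.11.0/24", "B"),
          ("192.168.10.0/24", "192.168.12.0/24", "C")],
    "B": [("192.168.11.0/24", "192.168.10.0/24", "A")],
    "C": [("192.168.12.0/24", "192.168.10.0/24", "A")],
}
EXTRA = {  # the four policies added in the answer
    "A": [("192.168.12.0/24", "192.168.11.0/24", "B"),
          ("192.168.11.0/24", "192.168.12.0/24", "C")],
    "B": [("192.168.11.0/24", "192.168.12.0/24", "A")],
    "C": [("192.168.12.0/24", "192.168.11.0/24", "A")],
}

def merged(*sets):
    """Combine per-router policy lists, keeping their order."""
    out = {r: [] for r in LAN}
    for s in sets:
        for router, pols in s.items():
            out[router] += pols
    return out

def match(policies, router, src, dst, peer=None):
    """Far-end router of the first policy covering src->dst (optionally for one peer)."""
    for s, d, p in policies[router]:
        if src in ip_network(s) and dst in ip_network(d) and peer in (None, p):
            return p
    return None

def trace(policies, src, dst):
    """Follow a packet hop by hop; returns (routers visited, outcome)."""
    src, dst = ip_address(src), ip_address(dst)
    here = next(r for r, net in LAN.items() if src in ip_network(net))
    path = [here]
    for _ in range(len(LAN)):
        if dst in ip_network(LAN[here]):
            return path, "delivered"
        nxt = match(policies, here, src, dst)
        if nxt is None:
            return path, f"no matching policy on {here}"
        if match(policies, nxt, dst, src, peer=here) is None:
            return path, f"no mirrored policy on {nxt}"
        path.append(nxt)
        here = nxt
    return path, "loop"

if __name__ == "__main__":
    for name, pol in (("before", BASE), ("after", merged(BASE, EXTRA))):
        print(name, trace(pol, "192.168.11.10", "192.168.12.10"))
```

Adding the policies only on B and C, without the two on A, stops the trace at B with "no mirrored policy on A", which is why the answer lists all four.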
 
pashew
just joined
Topic Author
Posts: 6
Joined: Sat Jan 29, 2022 10:54 am

Re: IPsec ping through Main Server

Wed Nov 23, 2022 5:17 pm

> On A, add two policies:
> /ip ipsec policy
> add dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
> add dst-address=192.168.12.0/24 peer=peer2 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes
>
> On B, add one policy:
> /ip ipsec policy
> add dst-address=192.168.12.0/24 peer=peer1 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes
>
> On C, add one policy:
> /ip ipsec policy
> add dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes

Dear sindy, many thanks for your support, it's working.
It is amazing that you are supporting all people, thanks again.
