Hello,
Is it possible to create an IPsec tunnel (Office1---Office2) under these conditions?
Office1 (passive side): static public IP
Office2 (active side): static private IP
Since you won't know Office2's IP, you can't create a static policy, so you'll have IPsec generate the policy dynamically for you.

> How does Office2 get out to the public internet? Is there NAT involved somewhere
Through NAT
> or do both offices share infrastructure and private IP space at some point?
No

As long as both routers can communicate directly with one another, IPSec shouldn't care if one IP is public and the other is private.

Can you show a Mikrotik configuration for an IPsec tunnel "privateIP-to-publicIP"?
Main problem: what should I enter in the IPsec policy field "SA Dst. Address" on the Office1 Mikrotik?

Create a policy template instead of an ordinary policy, then specify that template in the peer configuration. Also enable the 'generate policy' option in the peer config.

Main problem: what should I enter in the IPsec policy field "SA Dst. Address" on the Office1 Mikrotik?

Generate policy creates a policy as requested by the initiator (client). Policy groups and policy templates allow you to check/restrict the policy to be created.

"generate policy" on the Office1 Mikrotik generates only the policy for traffic from Office2 to Office1, and I can ping from Office2 to Office1.
But for traffic from Office1 to Office2 I need to create the policy manually. There is the main problem: what should I enter in the IPsec policy field "SA Dst. Address" on the Office1 Mikrotik?

Please share your current IPsec configuration. I'll try to check if there are any apparent mistakes.

You should specify the correct policy in your "Office 2", and a similar (inverted) policy will be created in your "Office 1" automatically.

"generate policy" generates only a "similar" ("not inverted") policy.
How can I add the "inverted" policy?

/ip ipsec export

From what I already see, you need to enable NAT traversal on both devices, otherwise this setting remains ineffective.

You've got it wrong. The use of NAT-T is something that both VPN endpoints should negotiate. If it is disabled on one of your VPN endpoints, then neither uses it.

No need for NAT traversal on the passive side.

The 'sa-src-address' parameter should be the real external IP address of your Office1.

IPsec config from the Office2 Mikrotik:
/ip ipsec export
# proposal (phase 2 algorithms) used by the tunnel
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1
# peer entry pointing at Office1's public IP ([office1ip] is a placeholder), PSK + XAuth
/ip ipsec peer
add address=[office1ip]/32 auth-method=pre-shared-key-xauth enc-algorithm=aes-128 secret=xxxxxxxx xauth-login=test233 \
    xauth-password=xxxxxxxx
# static policy Office2 LAN -> Office1 LAN; sa-src-address is left at 0.0.0.0 here
/ip ipsec policy
add dst-address=[office1localnet]/24 sa-dst-address=[office1ip] sa-src-address=0.0.0.0 src-address=[office2localnet]/24 tunnel=yes

You must have known it better.

You are wrong.
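
The policy-template plus "generate policy" approach suggested earlier in the thread, written out for both routers as an added example (this is not configuration from any poster here or from MikroTik documentation). It assumes RouterOS v6 syntax in which the peer entry carries the secret and the generate-policy settings, as in the export above (from 6.45 onward those parameters live under /ip ipsec identity), plain pre-shared-key authentication instead of XAuth, and these placeholder values: 192.0.2.1 for Office1's public IP, 10.1.0.0/24 for Office1's LAN, 10.2.0.0/24 for Office2's LAN, and 10.0.0.2 for the private WAN address of the Office2 router. The point it shows is that the responder never fills in "SA Dst. Address" by hand: its template has only traffic selectors, and the SA addresses come from whatever peer connects.

```routeros
# Added example, not from the thread. Placeholders (assumed): 192.0.2.1 = Office1 public IP,
# 10.1.0.0/24 = Office1 LAN, 10.2.0.0/24 = Office2 LAN, 10.0.0.2 = Office2 router's private WAN IP.

### Office1 (passive side, static public IP)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc
/ip ipsec policy group
add name=office2
# Template: traffic selectors only, no sa-src-address / sa-dst-address.
# The responder cannot know Office2's address in advance, so it does not set it.
/ip ipsec policy
add template=yes group=office2 src-address=10.1.0.0/24 dst-address=10.2.0.0/24 proposal=default
# Accept the peer from any address (passive), require the generated policy to match the
# template exactly (port-strict), and allow NAT-T because Office2 arrives from behind NAT.
/ip ipsec peer
add address=0.0.0.0/0 passive=yes auth-method=pre-shared-key secret=CHANGE_ME \
    exchange-mode=main enc-algorithm=aes-128 nat-traversal=yes \
    generate-policy=port-strict policy-template-group=office2
# Keep LAN-to-LAN traffic out of source NAT; assumes the masquerade rule is at index 0.
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/24 dst-address=10.2.0.0/24 place-before=0

### Office2 (active side, private WAN address behind NAT)
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc
/ip ipsec peer
add address=192.0.2.1/32 auth-method=pre-shared-key secret=CHANGE_ME \
    exchange-mode=main enc-algorithm=aes-128 nat-traversal=yes
# Static policy on the initiator only: sa-src-address is this router's own (private) WAN
# address, sa-dst-address is Office1's public IP. Office1 generates the matching policy
# from its template when this peer connects.
/ip ipsec policy
add src-address=10.2.0.0/24 dst-address=10.1.0.0/24 sa-src-address=10.0.0.2 \
    sa-dst-address=192.0.2.1 tunnel=yes proposal=default
/ip firewall nat
add chain=srcnat action=accept src-address=10.2.0.0/24 dst-address=10.1.0.0/24 place-before=0
```

On Office1, /ip ipsec policy print will show a dynamic (D-flagged) entry once Office2 has connected; that entry, not a manually created one, carries the SA addresses. The port-strict setting is the check that matters on the responder: a peer that knows the secret can still only obtain a policy whose selectors match the template, so the template's src-address/dst-address is the limit on what the remote side may route through the tunnel.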